Cyber Incident Victim: WauchulaGhost
Date: Nov 2015
Location: United Kingdom
Summary
Hacktivists affiliated with Ghost Sec, a faction of Anonymous, compromised an ISIS propaganda website hosted on the dark web via the Tor network, replacing its content with an advertisement for a bitcoin-based pharmacy selling medications like Prozac and a satirical message urging supporters to "enhance your calm." The site was vulnerable because of operational security flaws that analysts described as "rookie stupid" mistakes, and its compromise was the first dark web takedown by Anonymous-linked groups. Concurrently, Anonymous's broader #OpParis campaign faced criticism from counter-terrorism experts for indiscriminately removing online content, potentially obstructing intelligence-gathering efforts against extremist networks.
Description
In November 2015, members of Ghost Sec—a faction of the hacktivist collective Anonymous—compromised and defaced an Islamic State (ISIS) propaganda website hosted on the Tor dark web network. The site, named Isdarat, had been operational for less than a week before being replaced with a message mocking ISIS supporters and an advertisement for a bitcoin-based online pharmacy selling Prozac and other medications. The defacement message stated, "Too Much ISIS. Enhance your calm. Too many people are into this ISIS-stuff. Please gaze upon this lovely ad so we can upgrade our infrastructure to give you ISIS content you all so desperately crave." This marked the first documented instance of Anonymous or its affiliates successfully targeting a dark web site, as previous operations had focused on clearnet platforms. Security analyst Scot Terban noted that the ISIS site operators made "rookie stupid" configuration errors, leaving it vulnerable to takeover. The attack occurred amid Anonymous’ broader #OpParis campaign, which aimed to disrupt ISIS online activities following the November 13 Paris attacks.

The incident highlighted ISIS’s shift toward dark web infrastructure to evade hacktivist interference, though the technical flaws in Isdarat’s implementation undermined these efforts. Counterterrorism experts criticized Anonymous’ tactics, arguing that indiscriminate takedowns of jihadist platforms erased potential intelligence sources. Michael Smith, a U.S. Congress advisor and Kronos Advisory co-founder, stated that Anonymous’ unilateral account and site closures lacked coordination with government agencies, inadvertently aiding ISIS by disrupting surveillance opportunities. Ghost Sec’s affiliation with Anonymous was clarified in the article, distinguishing it from the unrelated counterterrorism organization Ghost Security Group. No technical details about the attack methodology were disclosed, though Terban suggested the site’s operational security failures could have allowed tracking of its operators without requiring direct compromise of the Tor hidden service. The defacement remained active at the time of reporting, with no mention of ISIS restoring the original content.
