Cyber Incident Victim: Islamic State
Date:
Nov 2015
Location:
United Kingdom
Summary
Hackers affiliated with the Anonymous collective, operating under the name Ghost Sec, compromised and replaced an Islamic State propaganda website hosted on the dark web via the Tor network with an advertisement for an online pharmacy selling Prozac and a message urging visitors to "enhance your calm." The takedown marked the first instance of Anonymous targeting a dark web site associated with the group, exploiting vulnerabilities attributed to operational security failures during the site's setup. The action occurred amid broader criticism of Anonymous-affiliated operations for indiscriminately disrupting online platforms potentially useful for intelligence gathering by counter-terrorism authorities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
In November 2015, hackers affiliated with Ghost Sec—a faction of the Anonymous collective unaffiliated with the counter-terrorism Ghost Security Group—compromised and defaced an Islamic State (ISIS) propaganda website hosted on the Tor dark web network. The targeted site, Isdarat, had been operational for less than a week before its content was replaced with a satirical message urging ISIS supporters to "enhance your calm" and an advertisement for an online bitcoin pharmacy selling medications like Prozac and Viagra. The defacement message criticized the proliferation of ISIS content while humorously soliciting ad revenue to fund infrastructure upgrades for future ISIS material. This marked the first documented instance of Anonymous or its subgroups successfully disrupting an ISIS-affiliated dark web site, which relied on Tor's onion routing to obscure user locations and evade conventional takedowns. Security analysts noted ISIS's apparent shift toward dark web platforms to protect propaganda from hacktivist interference following mass takedowns of its surface web assets.
The operation exposed technical vulnerabilities in the Isdarat site's setup, which security researcher Scot Terban described as "rookie stupid" mistakes enabling potential tracking of its operators. Terban's analysis suggested the site's backend infrastructure contained flaws that could expose user identities or facilitate further attacks without requiring direct compromise of the Tor hidden service. Concurrently, Anonymous's broader #OpParis campaign—launched after the November 2015 Paris attacks—faced criticism from counter-terrorism officials like Michael Smith of Kronos Advisory, who argued that indiscriminate hacking of ISIS social media accounts and websites destroyed valuable intelligence streams. Smith emphasized that Anonymous's unilateral actions lacked coordination with law enforcement agencies, potentially hindering investigations and inadvertently benefiting terrorist groups by erasing operational data. Despite these concerns, Ghost Sec's defacement of Isdarat demonstrated hacktivists' ability to disrupt ISIS dark web operations, albeit temporarily, while highlighting ongoing tensions between vigilante cyber-activism and intelligence-gathering priorities.