Cyber Incident Victim: sgtbilko420
Date:
Nov 2015
Location:
United Kingdom
Summary
Hacktivists from Ghost Sec, an Anonymous-affiliated group, compromised an Islamic State dark web propaganda site hosted on the Tor network, replacing its content with an advertisement for a bitcoin-based pharmacy selling Prozac and a satirical message urging visitors to "enhance your calm." The attackers exploited security vulnerabilities in the site's infrastructure, which a security analyst described as "rookie stupid" configuration errors that exposed operational weaknesses. This marked the first takedown of an ISIS-affiliated dark web platform by hacktivists, though critics argued such unilateral actions could obstruct intelligence gathering by permanently removing potentially valuable counter-terrorism data sources.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In November 2015, the hacktivist group Ghost Security (Ghost Sec), a faction of Anonymous, executed a takedown of the Islamic State (ISIS) propaganda website Isdarat on the Tor dark web network. The site had appeared on the anonymity network the previous week, distributing ISIS content to users accessing it through specialized Tor browser software. Ghost Sec replaced Isdarat’s original content with a satirical message stating, "Too Much ISIS. Enhance your calm. Too many people are into this ISIS-stuff. Please gaze upon this lovely ad so we can upgrade our infrastructure to give you ISIS content you all so desperately crave." The defaced page redirected visitors to an advertisement for a bitcoin-based online pharmacy promoting medications like Prozac and Viagra. This action marked the first documented instance of Anonymous-affiliated hackers successfully targeting a dark web site, as previous operations had focused on clearnet platforms. Security analyst Scot Terban noted that the ISIS site operators made "rookie stupid" configuration errors during setup, leaving vulnerabilities that enabled the attack. Terban further suggested the site’s infrastructure exposed enough data to potentially identify its administrators without requiring direct attacks on the Tor onion service itself.
The incident occurred amid Anonymous’ broader #OpParis campaign, launched after the November 13 Paris attacks, which aimed to disrupt ISIS online operations through mass takedowns of propaganda sites and social media accounts. However, counterterrorism officials criticized these efforts for compromising intelligence-gathering opportunities. Michael Smith, a congressional adviser and Kronos Advisory co-founder, stated that Anonymous’ unilateral account closures interfered with law enforcement investigations and inadvertently benefited terrorist networks by eliminating surveillance channels. The Isdarat takedown specifically highlighted ISIS’s growing reliance on dark web platforms to evade hacktivist interference, though technical missteps undermined this strategy. Ghost Sec’s replacement of extremist content with dark humor and commercial advertising exemplified the group’s unconventional tactics, contrasting with more systematic counterterrorism operations conducted by formal agencies. The defacement lasted less than a week after Isdarat’s initial launch, demonstrating both the vulnerabilities of hastily assembled dark web infrastructure and the persistent targeting of ISIS networks by decentralized hacktivist collectives.