Cyber Incident Victim: 5elafa Book
Date:
Mar 2015
Location:
United States of America
Summary
A pro-ISIS social media platform mimicking Facebook, named "5elafa Book," was rapidly taken offline following its launch, with conflicting claims attributing the shutdown to hacktivist intervention or operational precautions by the site's operators. The platform, built using DIY hosting tools and falsely registered to locations including Mosul and Egypt, promoted extremist propaganda glorifying martyrdom and global Islamic rule while denying direct affiliation with ISIS. Its creators aimed to counter perceptions of the group's primitive image amid increasing content removals on mainstream platforms, reflecting broader cyber activities by ISIS supporters who previously breached U.S. military social media accounts to disseminate pro-ISIS messages.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The pro-ISIS social media platform "5elafa Book" (also referred to as Khelafabook, meaning "CaliphateBook") launched on a Sunday in March 2015, presenting itself as a Facebook clone for Islamic State supporters. The site featured a near-identical login interface to Facebook, with promotional text urging visitors to "stay ahead of the world," monitor trends, and connect with relevant contacts. Initial technical analysis indicated the platform was constructed using Socialkit, a do-it-yourself social networking toolkit, while registration records listed conflicting operational details—a U.S.-based GoDaddy hosting account alongside declared headquarters in ISIS-controlled Mosul, Iraq, and Egypt as its home country. Within 24 hours of going live, the site became inaccessible, with competing explanations emerging for its disappearance. Members of the Anonymous hacktivist collective publicly claimed responsibility through Twitter posts asserting they had executed the takedown, while the 5elafa Book operators simultaneously displayed an on-site message attributing the shutdown to voluntary measures aimed at protecting member data and safety.
The platform's operators denied formal affiliation with the Islamic State in their closure notice, framing the project as an image-rehabilitation effort to counter perceptions that ISIS supporters "only carry guns and live in caves." Despite this stated objective, the site disseminated content consistent with ISIS propaganda, including glorification of martyrdom and assertions about establishing global Islamic rule. The initiative reflected ongoing attempts by ISIS sympathizers to circumvent content moderation on mainstream platforms like Facebook and Twitter, which had intensified removals of pro-ISIS material. This incident followed earlier demonstrations of cyber capabilities by ISIS-aligned actors, including the January 2015 compromise of U.S. Central Command's social media accounts by entities claiming to represent the "CyberCaliphate," during which pro-ISIS messages and allegedly sensitive documents were posted. No verifiable data breaches or technical infiltration methods were confirmed in relation to 5elafa Book's brief operation or termination.