PLEASE SUPPORT OUR SUMMER 2020 CAMPAIGN
Note to media and government: For a full copy of this report, send an email with the title of the report in the subject line to me...@memri.org. Please include your name, title, and organization in your email.
(To view this report in full, you must be a paying member of the JTTM; for membership information, send an email to jttm...@memri.org with "Membership" in the subject line.)
Table Of Contents
-
Introduction
-
I. Statements By WhatsApp
-
II. Terror Arrests Involving WhatsApp
-
III. Government Pressure On WhatsApp Over Jihadi Use Of Its Services
-
IV. Jihadis Warn About WhatsApp, Alleging Security Issues
-
V. ISIS And Pro-ISIS Groups and Individuals Using WhatsApp
-
VI. Al-Qaeda And Affiliated Groups Using WhatsApp
-
VII. Hay'at Tahrir Al-Sham (HTS) Using WhatsApp
-
VIII. Other Syria Jihadis Using WhatsApp
-
IX. Hizbullah Using WhatsApp
-
X. Jihadis Using WhatsApp To Share Tech, Weapons Info
-
XI. Fundraising For Jihad Via WhatsApp
-
XII. Fundraising For Jihadi Charity Via WhatsApp
-
XIII. Palestinians: Hamas Military Wing Al-Qassam Brigades, PIJ Using WhatsApp
-
XIV. Taliban Using WhatsApp
-
XV. Turkestan Islamic Party (TIP) Using WhatsApp
-
XVI. Individual Jihadis Using WhatsApp
Introduction
WhatsApp, the most widely used messaging app worldwide – with over two billion active users worldwide, as of this writing – is also very popular among jihadi groups and individuals and their supporters, including the Islamic State (ISIS), Al-Qaeda, Hizbullah, the Taliban, and others. On a daily basis, the MEMRI Jihad and Terrorism Threat Monitor (JTTM) is tracking jihadis who are communicating, planning, and fundraising on the platform. This report highlights in detail the wide range of ways in which they are using it.
With its end-to-end encryption and ease of use on both smartphones and computers, WhatsApp is regularly used by these extremists not only for exchanging messages, but also for disseminating jihadi news and other publications, media productions, and photos, as well as recruitment and fundraising. In their communications, they also regularly use images denoting jihad and martyrdom. Jihad fighters on the front communicate via WhatsApp with sympathizers in other countries who are eager for news on the ground, interested in joining up, or supporting the organization or individual financially or in other ways at home. Jihadis are also closely monitoring WhatsApp as it rolls out new features and developments, and are quick to adopt and implement them.
On September 11, 2017, MEMRI published its major report Jihadi Use of Encrypted Messaging App WhatsApp, which detailed how WhatsApp is being used in planning terror attacks, in terrorist recruiting and fundraising, and for group chats. Beginning with the earliest arrests in 2014 in cases involving WhatsApp use in years prior to the arrests and moving through expanding jihadi communications on WhatsApp in 2014, its use in the deadly November 2015 Paris and the March 2016 Brussels attacks and in the disrupted plans for attacks on the July 2016 Olympic Games in Rio de Janeiro, it concludes with recruitment on WhatsApp of Muslim teens to carry out the June 2017 London Bridge attack and the indictment in August 2017 of Jamaican pro-ISIS sheikh Abdullah Al-Faisal, on charges of recruiting would-be terrorists on the platform.
The following report, Part II, details the MEMRI JTTM team's findings from its monitoring of WhatsApp over the past two years – both content found on the platform and what jihadis are saying about using it – since the publication of the first MEMRI report on WhatsApp. It includes how jihadi groups and individuals are using the platform for various purposes, including:
-
Recruiting fighters, including specialists for anti-tank, anti-aircraft, armored vehicles, air surveillance, fortification digging, mortars, sniper, and explosives divisions as well as for medical professionals;
-
Sharing cybersecurity information, including instructions on how to open WhatsApp accounts using fake phone numbers;
-
Sharing warnings about alleged WhatsApp security issues
-
Announcing religious courses and courses and summer camps for children
-
Fundraising for equipping fighters and for supporting fighters' families.
The report also summarizes the company's statements on the subject of encryption, terrorism arrests for crimes in which WhatsApp was found to be used, and government pressure on the company over jihadi use of its services.
I. Statements By WhatsApp
The perpetrator of the March 2017 Westminster terror attack in London, Khalid Masood, had communicated via WhatsApp prior to the attack, but the contents of the message and the identity of the recipient could not be accessed by police because of WhatsApp's encryption. Whatsapp said in a statement that the company was "horrified at the attack" and was cooperating with the investigation. It also stressed that protecting private communication is one of its "core beliefs." WhatsApp is also known to have been used by June 2017 London Bridge attacker Khuram Butt three days prior to carrying out his attack.
Masood, fatally shot by police following the Westminster Bridge attack (USA Today, March 26, 2017)
During the summer of 2017, WhatsApp published on its website "Information for Law Enforcement Authorities." It stated: "WhatsApp appreciates the work that law enforcement agencies do to keep people safe around the world. We are prepared to carefully review, validate and respond to law enforcement requests based on applicable law and policy" and added operational guidelines for law enforcement officials seeking records from WhatsApp, for example in emergencies such as a terrorist attack or threat of an attack.
Faq.whatsapp.com/en/general/26000050, accessed March 20, 2020
It was reported in May 2019 that the London Bridge attackers' use of WhatsApp may have prevented authorities from identifying the plot.
WhatsApp CEO Will Cathcart stressed in February 2020 that the platform's users demanded end-to-end encryption. Insisting that private communications were vital in a modern society, he vowed to defend WhatsApp's encryption against mounting threats from governments around the world: "For all of human history, people have been able to communicate privately with each other. And we don't think that should go away in a modern society." Building back doors into WhatsApp's system as governments have requested, he said, would pose an inherently unacceptable risk.
Cathcart added that WhatsApp was committed to helping law enforcement by providing metadata that could be useful in investigations, but that end-to-end encryption was necessary to keep users safe. Declining to say how his company would react if ordered to either create a back door or lose access to a major market, he added that he did not want to "get into playing out every hypothetical,” but that his company has a history of standing up for encryption.
In March 2020, it was reported that the company was working on increasing security by enabling password protection for conversations even after old messages are moved from the user's phone to Google Drive. In April 2020, WhatsApp announced that messages forwarded many times, which it said "can contribute to the spread of misinformation," could now only be forwarded to one chat at a time – preventing mass sharing and to "constrain virality" – down from the previous limit of five chats set in January 2019.
II. Terror Arrests Involving WhatsApp
Numerous terrorist cases worldwide have been found, as Part I of this series highlighted, to have involved the use of WhatsApp in a variety of ways: Imprisoned Jamaican pro-ISIS sheikh Abdullah Al-Faisal – believed to have inspired terrorists ranging from shoe bomber Richard Reid and 9/11 plotter Zacarias Moussaoui to London bombers Muhammad Sidique Khan and Germaine Lindsay and Christmas Day bomber Umar Farouq Abdulmutullab – used it for communicating with his followers.
It has been used by ISIS recruiters, including ISIS cyber terrorist Junnaid Hussain, who used it to recruit young UK Muslims to carry out attacks. Additionally, terrorist Khalid Masood used WhatsApp moments before carrying out his attack outside Houses of Parliament, London; a UK elementary school teacher was arrested and charged for distributing terrorist material via WhatsApp; in a case related to an ISIS training manual including step-by-step methods for recruiting via WhatsApp, a UK and an Australian teen were sent to prison for plotting an ANZAC Day terror attack; and Runa Khan of the UK was sentenced to prison for spreading ISIS ideology online.
UK terror suspect Taha Hussain used WhatsApp to send pro-ISIS and pro-jihad content; terror suspect Arafat Nagi, of Buffalo, NY, was found to have used WhatsApp to plan travel to ISIS territory; ISIS recruiter Mufid Elfgeeh, of Rochester, NY, was found to have communicated with other jihadis using WhatsApp; Heather Elizabeth Coffman, of Virginia, sentenced to prison for attempting to aid ISIS, had communicated with an ISIS facilitator via WhatsApp.
Also, Syria-based Belgian jihadi Abdelhamid Abaaoud, a major figure in the November 2015 Paris attacks, had instructed those he recruited for attacks across in Europe in using WhatsApp and other secure communications; Najim Laachroui, coordinator for November 2015 Paris attacks and a suicide bomber in the March 2016 Brussels attacks, used WhatsApp with his terror cell and with ISIS in Syria; Belgian police arrested terror suspects after infiltrating their communications on WhatsApp; Brazilian authorities arrested 10 members of pro-ISIS groups plotting attacks during the Olympics in Rio de Janeiro via WhatsApp; Israeli police arrested 18 members of a WhatsApp group spreading extremist ideology that had planned that month's stabbing attack outside the Old City of Jerusalem; Malaysian terror suspects were found to have discussed plans for jihad in extremist WhatsApp groups.
In Pakistan and India, Pakistani police arrested men and women recruiting for ISIS found to have been using WhatsApp and in possession of weapons, explosives, and ISIS literature; terror suspects arrested in Kerala State, India, allegedly planned attacks in the country and operated at least two WhatsApp groups with hundreds of members for recruitment to ISIS; and messages from jihadis before they are killed went viral in India, including via WhatsApp.
Since then, terror cases found to involve the use of WhatsApp (see below) in 2020 have included, in April, the arrest of two ISIS supporters in the UK for sending funds to jihadis abroad; in March, the arrest of a suspected handler for Lashkar-e-Taiba and of four members of The Resistance Front, an LeT-linked terrorist group; and in February, a former Uber driver from Luton, UK and a student who was shot dead after stabbing two people in south London.
In November 2019, Indian authorities arrested three suspected ISIS-inspired terrorists who had plotted mass attacks, and a suspect pleaded guilty plea in the Manchester, UK New Year's Eve 2018 stabbing. In October 2019, a father and son in Bali were arrested on suspicion of plotting terror attacks, and a British student was identified as the masked Al-Qaeda operative who delivered a militant speech in Syria in 2013; additionally, three suspects were arrested in India in India in connection with the assassination of a politician. Earlier that year, there was the July 2019 arrest of two Sydney, Australia men over their alleged connection to ISIS plans for a terrorist attack; the May 2019 circulation of photos of alleged ISIS members; Sri Lanka's shutdown of WhatsApp countrywide following the 2019 Easter Sunday 2019 bombings; Turkey's arrest in April 2019 of over 200 ISIS terrorists; the March 2019 arrest in Indonesia of a suspected terrorist; the September 2018 infiltration of a terrorist WhatsApp group in India and the subsequent arrest of a suspect in September 2018; and the January 2018 sentencing of a UK shop assistant in a terror plot.
The following are the details of these cases:
India's National Investigation agency arrested Tania Parvin in Kolkata, on March 20, 2020, for alleged links with Lashkar e-Taiba (LeT) operatives based in Pakistan, and for trying to honey-trap Indian soldiers. According to reports, she was suspected of being a handler for the organization, and to have been associated with it for over two years. She was found to have been part of several WhatsApp groups. LeT is responsible for the 2008 Mumbai terror attack.
Tania Parvin
ISIS supporters Ayub Nurhussein, of London, and Said Mohammed, of Manchester, were sentenced to prison in April 2020 for sending thousands of pounds to jihadis last year, after failing to travel abroad to fight for ISIS themselves. Their contact in Iraq was an individual known as "Wassim" who is connected to "central figures" in ISIS. Nurhussein was charged with sharing graphic ISIS propaganda via WhatsApp.
Mohammed and Nurhussein
On March 23, 2020, four terrorists from "The Resistance Front," a new Pakistan-sponsored terror group in Kashmir, which is a front for the terror organization Lashkar-e-Taiba, were arrested and a huge quantity of arms was seized from them. They revealed during interrogation that they had been working under an individual known as "Khan Bilal" on WhatsApp.
In February 2020, Mohiussunnath Chowdhury, 28, a former Uber driver from Luton, UK, was convicted of planning to attack tourist hotspots in London, including Madame Tussaud's, the Pride parade, and an open-top tour bus. Previously, in December 2018, he was acquitted in relation to his 2017 attack outside the Queen’s London residence, in which he brandished a three-foot-long sword and shouted "Allahu Akbar." Following his acquittal, he posted online praising martyrdom, prompting an undercover operation by counterterror officials with whom he shared his plans to use guns, knives, or a vehicle in an attack, as well as a graphic execution video via WhatsApp, leading to his conviction.
Mohiussunnath Chowdhury
London college student Sudesh Amman, 20, who was shot dead after stabbing two people in south London on February 2, had been under MI5 surveillance since his release days before from prison after serving half of his sentence for possession of ISIS recruitment material and manuals. He had shared this material in a family WhatsApp group called "La Familia" that included his three younger brothers aged between 11 and 15. Photos shared in the group also showed his younger brothers in their bedroom with a black ISIS flag, posing with BB guns, and sitting around a table using the ISIS one-fingered salute. He had sent beheading videos to his girlfriend, saying she should kill her "kuffar" [unbeliever] parents and telling her "If you can't make a bomb because family, friends or spies are watching or suspecting you, take a knife, Molotov, sound bombs or a car at night and attack the tourists (crusaders), police and soldiers of taghut [tyrant], or Western embassies in every country you are in this planet."
Sudesh Amman
Indian authorities arrested three suspected ISIS-inspired terrorists who had plotted mass attacks in Assam and Delhi on November 25, 2019. Police said that the three, Ranjit Ali, Mukaddir Islam, and Luit Jamel Zaman, had maintained contact with "many suspicious people" and learned to make bombs from content posted on WhatsApp and other platforms.
Assam Parliamentary Affairs Minister Chandra Mohan Patowary announces the arrests (Source: News18,com, November 28, 2019)
The following day, on November 26, 2019, Manchester, UK resident Mahdi Mohamud pleaded guilty to stabbing three people, including a police officer, at Manchester Victoria railway station on New Year's Eve 2018. He carried out the attack while shouting "Allahu Akbar" and "Long live the Caliphate." According to authorities, he had downloaded a guide on "the most lethal ways to strike with a knife" and accessed ISIS propaganda as well as speeches by Yemeni-American Al-Qaeda leader Anwar Al-Awlaki. Hours before the attack, he had created a "plan" document, then deleted WhatsApp and other encrypted apps shortly before leaving home to carry out the attack.
 
Immediately after the knife attack. Independent.co.uk, January 1, 2019; Mahdi Mohamud, BBC.com, November 27, 2019.
A father and son were arrested in Bali in October 2019 on suspicion of plotting terror attacks after pledging allegiance to ISIS. The two men are alleged to have had arrows, bayonets, and an airsoft gun to use in the foiled attack. Both were members in the extremist WhatsApp group "Menanti Al Mahdi"; in the group, the father had shared instructions on building bombs and automatic weapons.
Some of the materials found in the home used by the terror suspects
Authorities identified British student Mohammed Yamin using voice recognition technology, in October 2019, as the masked Al-Qaeda operative who delivered a militant speech in Syria in 2013. According to news reports, when he went to Syria he communicated with family members via WhatsApp, telling them he was doing charitable work in the area. Yamin has since returned to the UK.
Mohammed Yamin.
Three suspects were arrested in Uttar Pradesh, India shortly following the October 2019 murder of Indian politician and nationalist Kamlesh Tiwari. However, the Al-Hind Brigade claimed responsibility for the murder, in a WhatsApp message that stated: "Kamlesh Tiwari was a nuisance and whosoever points fingers towards Islam and Muslims, will meet same end. Al-Hind Brigade takes responsibility. Get ready to see more. The war has begun." Previously, in 2017, two ISIS operatives had revealed their plans to kill Tiwari after they were arrested in 2017.
Kamlesh Tiwari
Two Sydney, Australia men were arrested in July 2019 over their alleged connection to plans for a terrorist attack. Authorities said the two, Isaak el Matari and Radwan Dakkak, were ISIS members and were planning attacks. Dakkak was described by police as "prominent in the global online extremist community." El Matari, had been under police surveillance since returning to Sydney from Lebanon in July 2018. Authorities said they would "allege in court that the man was in early-stage preparations and was someone who had expressed intentions to carry out a terrorist attack in Australia." The two men were reported to have made threats about central Sydney locations on WhatsApp.
Isaak el Matari (source: smh.com.au, July 3, 2019)
A photo of three men alleged to be members of ISIS was circulated in May 2019 via WhatsApp, with the claim that they were in the Malaysian state of Sarawak. The post, which went viral, warned the public that they were believed to be either in Sibu or in Bintulu. However, police said that the three suspects had already been arrested and had never been in Sarawak.
The post that was circulated on WhatsApp
Following the massive coordinated Easter Sunday 2019 bombings across Sri Lanka that killed over 300 people and wounded some 500, the Sri Lankan government shut down WhatsApp and other messaging services. Although these attacks had no known links to social media, Sri Lanka has a history of violence incited on these platforms. In the wake of the attack, the U.S. State Department said that terrorist groups "continue plotting possible attacks in Sri Lanka" and could attack "with little or no warning," and escalated its travel advisory level for the country.
At the site of a car bombing in Colombo
Also in April 2019, Turkish media reported that Turkish authorities had captured 238 ISIS terrorists in November 2018 – among them four relatives of ISIS leader Abu Bakr Al-Baghdadi. According to the reports, a YPG/PKK terrorist said that his group and ISIS are allied, and that WhatsApp had been used for encrypted communications.
The Indonesian counterterrorism squad Densus 88 arrested suspected terrorist Riky Gustadi, aka Abu Riky, 26, in March 2019, and seized weapons, in Riau province in Indonesia. The arrest was in connection with a terrorist plot against Indonesian President Joko Widodo set for that month. Abu Riky is believed to have issued an order on WhatsApp to members of a WhatsApp group to carry out the plot. He is also believed to have helped fund a member of a terrorist group; the funds were channeled to the ISIS-linked Jamaah Ansharut Daulah terror group.
It was reported in January 2019 that Indian intelligence agencies had successfully gained access to the WhatsApp account of a Pakistani terrorist by sending him a message with an official-looking heading containing spyware that he opened. He was tracked down from his IP coordinates to a location in southern Jammu and Kashmir, and arrested, in September 2018. Authorities said that this was the first time that Indian experts had managed to circumvent the platform's security settings.
Iftikhar Ali, 19, a Sainsbury's shop assistant from Totteridge, High Wycombe, Bucks, UK, was sentenced in January 2018 to three years and six months in prison. He had been found guilty in December 2017 on 12 counts of transmission of a terrorism publication and an additional count of possession of a document likely to be useful to a person committing or preparing an act of terrorism. Authorities said that between September and October 2015, he had sent several WhatsApp messages glorifying acts of terrorism.
Iftikhar Ali
III. Governments Pressure WhatsApp Over Terrorist Use Of Its Services
U.S. Government Pressures WhatsApp And Its Parent Company Facebook For Backdoor Access
The government and law enforcement have been pressuring WhatsApp, and its parent company Facebook, to enable backdoor access to its messaging services, arguing that the end-to-end encryption is used by criminals such as terrorists and pedophiles. In a September 2019 statement, Facebook said that "end-to-end encryption already protects the messages of over a billion people every day [and they] strongly oppose government attempts to build back doors because they would undermine the privacy and security of [their] users everywhere."
The Justice Department, led by Attorney General William P. Barr, is pushing Facebook for access to WhatsApp messages, arguing that this is a vital crime-fighting tool. He wrote in an October 4, 2019 letter to Facebook CEO Mark Zuckerberg: "Companies should not deliberately design their systems to preclude any form of access to content even for preventing or investigating the most serious crimes."
The Senate Judiciary Committee held a hearing on March 11, 2020 on the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act) that would create incentives for companies to "earn" liability protection for violations of laws related to online child sexual abuse material. Critics are calling EARN IT a way to give law enforcement the backdoor to encrypted platforms – such as WhatsApp.
UK Home Office National Security Director Says UK "Support Strong Encryption" But "Risks To Public Safety... Are Grave"
Chloe Squires, Director of National Security at the U.K. Home Office, gave written testimony on December 10, 2019 in the Judiciary Committee Unites States Senate hearing on the topic of encryption law. Squires stated that the U.K. Government "supports strong encryption and understands its importance for a free, open, and secure internet." Nevertheless, she wrote: "The risks to public safety where encryption precludes the needs of law enforcement, including targeted access to content, are grave. That impact is felt in two distinct areas. Firstly, by inhibiting the ability of law enforcement agencies to access content in exceptional circumstances where that is necessary and proportionate to investigate serious crime and protect national security, and where an interception warrant for that purpose has been lawfully issued. Secondly, by diminishing a company's own ability to identify and tackle the most serious illegal content and activity running over its platform, including grooming, indecent imagery of children, terrorist propaganda and attack planning."
Indian Government Discusses Feasibility Of Blocking WhatsApp In "Insurgency-Hit Areas"
It was reported in June 2018, that India's government would examine the feasibility of blocking WhatsApp in "insurgency-hit areas." That month, top Indian officials met to discuss the growing use of WhatsApp by terrorists in the country; the meeting focused on the removal of malicious content posted by "keypad jihadis," and was attended by top officials from the Ministry of Electronics and Information Technology, the Department of Telecommunications, and security agencies and law enforcement.
IV. Jihadis Warn About WhatsApp, Alleging Security Issues
Despite WhatsApp's widespread use by jihadis, some have issued warnings about its alleged lack of security.
The pro-ISIS Qimam Electronic Foundation warned, on February 25, 2020, against using WhatsApp, claiming that conversations on public channels on it show up in Google searches.
The same day, Al-Qaeda supporters warned that WhatsApp conversations show up in Google searches.
A November 26, 2019 article in the HTS-affiliated Ebaa' weekly newspaper warned against using WhatsApp and listed five alleged security vulnerabilities. The article, by the "tech team," said that these and other breaches may expose users, particularly revolutionaries and mujahideen, to surveillance by intelligence agencies, and that WhatsApp shares user data with these agencies. It recommended instead "safe and reliable" platforms, including Riot, Wire, and Signal.
The pro-ISIS Electronic Horizons Foundation (EHF), which disseminates cyber security information for online supporters of ISIS, maintains a Telegram channel and also uses WhatsApp. Nevertheless, on November 17, 2019, it published a statement on Telegram warning users about WhatsApp, claiming that there is a risk of surveillance because it shows users' phone numbers. It also cautioned that WhatsApp is closed-source software, requires permissions that puts user privacy at risk, and is owned by Facebook, a company which surveils the online activity of users.
Read The Full Report
Note to media and government: For a full copy of this report, send an email with the title of the report in the subject line to me...@memri.org. Please include your name, title, and organization in your email.
(To view this report in full, you must be a paying member of the JTTM; for membership information, send an email to jttm...@memri.org with "Membership" in the subject line.) 
|
