article

Al Qaeda's Web Revival

The FBI stopped a plot to blow up a Dallas building by surfing online forums. Their next worry: the return of a site once used for al Quaeda command and control.

10.02.09 8:48 PM ET

The FBI stopped a plot to blow up a Dallas building by surfing online forums. Their next worry: the return of a site once used for al Qaeda command and control.

He logged onto an extremist Web site, declaring his determination to carry out deadly jihad against the United States. But the FBI was monitoring his ominous plans. So when Hosam Maher Husein Smadi parked a vehicle in the basement of a  60-story Dallas office building hoping to detonate explosives triggered from afar by a cellphone, undercover agents who had been posing as anti-American jihadis swooped in.

On Monday, a judge decided there was enough evidence to send the case against Smadi, a 19-year-old Jordanian who is charged with conspiring to set off a weapon of mass destruction, to a grand jury (Smadi's court-appointed counsel said "we have a lot of work to do," arguing that it was too early in the proceedings to make a fair determination about his client's conduct). But his is not the only worrisome case of jihadi plotting online to surface of late. A new front in the so-called global war on terror has emerged inside an office building in Los Angeles—and it was launched the day before Americans commemorated the 8th anniversary of 9/11.

That’s when al-Ekhlaas, al Qaeda’s most important Web forum, suddenly came back to life—roughly a year after mysteriously going dark. Its name, which means “devotion” in Arabic, was registered at a Los Angeles domain registry company called namecheap.com.

“There is nothing that has made me more happy this Ramazan (sic) than [t]he Commencement of Al Ekhlass (sic) Forum,” wrote one man on “The Ignored Puzzle Pieces of Knowledge,” a Web site sympathetic to jihadis. “May they remain steadfast on the media frontlines.”

For four years, beginning in 2004, al-Ekhlaas was a key site for jihadi command and control, recruitment, fundraising, and propaganda, according to cyber-jihad investigator Evan Kohlmann. A plot to kill the British prime minister was hatched on the site, according to British investigators—who say the plot may have been thwarted because al-Ekhlaas was shut down before the plotters had a chance to act. Thanks to online recruitment, many of the forum’s thousdans of dedicated members found their way to Iraq and Afghanistan to become suicide bombers, according to Kohlmann. Then site went offline on Sept. 10, 2008. Kohlmann says he does not know why.

No sooner had al-Ekhlaas lurched back to life this fall than questions began spreading in jihadi online communications and chat rooms about its authenticity. Some saw it as a trap, created by U.S. intelligence. Kohlmann and others who track jihadi sites say it was most likely set up by foreign intelligence or cyber-vigilantes. Some jihadis suspect the handiwork of the CIA.

A further sign that jihadis are suspicious: The Al-Fajr Media Center and the Global Islamic Media Front, al Qaeda’s media operations, have warned followers to stay away. When Osama bin Laden’s most recent communiqué was released, it did not appear on al-Ekhlaas—a telling sign, since previous messages from bin Laden and other al Qaeda leaders had appeared there in the past.

Ekhlaas has been the target of international terror investigations before. As recently as August, 2008, an al Qaeda-linked jihadi in Israel was indicted for planning to blow up a bus depot there—using bomb-making instructions he found on Ekhlaas.

Those who believe in violent jihad are spread out around the world, making the Web the best way to communicate. Al-Fajr and GIMF—sophisticated, media-savvy Web operations—distribute the official proclamations of bin Laden, Ayman al-Zawahiri, and other al Qaeda leaders. And intelligence agencies around the world pay close attention, seeking insights into al Qaeda’s activities. Forums like al-Ekhlaas enable jihadis to share information, plan operations, and raise funds.

When it first resurfaced, al-Ekhlaas was hailed in the jihadi Web world. Several other sites, like al-Faloja and al-Shamokh, had been shut down in the days leading up to the 9/11 anniversary—sowing confusion and suspicion among those looking for their global jihad Web hookup. Some suspected the blackout may have been a concerted effort by intelligence agencies to prevent transmission of bin Laden’s annual 9/11 proclamation.

“There is nothing that has made me more happy this Ramazan (sic) than [t]he Commencement of Al Ekhlass Forum (sic),” wrote one man on “The Ignored Puzzle Pieces of Knowledge,” a Web site sympathetic to jihadis that was one of the first to report the return of Ehklaas. “May they remain steadfast on the media frontlines.”

But the jihadi community soon began to suspect the site might be fake. Graphics and pictures of bin Laden appeared to be of poor quality, some complained. Others noted that Al-Fajr and GIMF failed to acknowledge al-Ekhlaas. Dire warnings quickly followed. “The plan was intended to sow discord and create doubts and break the trust among the leaders of the jihadi media,” according to GIMF, proclaiming the effort a failure.

For their part, the operators of the new al-Ekhlaas defend the site’s authenticity—and blame Al-Fajr and GIMF for sewing the seeds of dissent.

"Only the infidels say that this is a forgery and try to spread distrust about our distinguished forum. We confirm to our fighting brothers all over the world that the Ekhlaas network has returned and she shall remain. An official statement will be released later, Allah willing. Anyone who is sincere knows that this is secure and this is the real Ekhlaas Islamic network,” according to a translation of the site provided by Kohlmann, who monitors jihadi communications as a senior investigator with Nine Eleven Finding Answers, which seeks to expose terrorist cells with an eye toward preventing future attacks.

Still, the attacks have taken a toll; just days after resurfacing, al-Ekhlaas operators posted a statement in Arabic saying that they would post no new information until they had gained acceptance from Al-Fajr and GIMF.

The guts of the new al-Ekhlaas—passwords, data, forums and other information—are the same as when the old site was shut down in September 2008, according to Kohlmann and others who’ve accessed the site. But Kohlmann shares the jihadis’ suspicion that it is fake. “It is almost certainly fraudulent, and appears to be some sort of clumsy attempt to infiltrate and eavesdrop on the online jihadi universe,” says Kohlmann, who also serves as a paid consultant and expert witness on behalf of the FBI and Scotland Yard in cyber-terrorism cases. “In any event, it wasn't terribly successful.” If it is a trap set by intelligence, who is likely behind it? Al-Fajr suggests the current al-Ekhlaas is the work of U.S. intelligence. An administrator for the jihadi-sympathizing The Ignored Puzzle Pieces of Knowledge has a similar point of view.

“I suspect either U.S. (medium-likely), Israel (medium-likely) or Saudi Arabia (more likely) to have set up the board,” wrote an administrator going by the name anamslm in response to a question posed by The Daily Beast. “The guys who set up the new forum likely had access to a database dump of the old ekhlaas board. Usually the hosting companies give out such files only to government agencies.”

But Kohlmann doubts the U.S. is involved. “The U.S. government does not usually do stuff like this,” he says. “It's a little too in-your-face—the FBI and other agencies generally strive to be more subtle. My guess is either another Western intelligence service, a Middle Eastern intelligence service, or quite likely, independent cyber-vigilantes.”

When intelligence agencies and law enforcement get involved in these cases, they usually urge host companies and domain registrars to keep existing sites going, so that they can cull actionable intelligence, says Kohlmann. Sometimes, as may have been the case with the pre-9/11 anniversary shutdowns, they take them offline.

The shutdowns can cause jihadis to change the way they operate—driving them toward encrypted communications and text messaging, which makes it harder to track their operations, Kohlmann says.

There is a history of private vigilantes going after the jihadis. Starting in 2000, the now-disgraced Glen Jenvey in England pretended to be a jihadi and, in 2004, helped take down vitriolic Imam Abu Hamza al-Masri, who was arrested in August 2004 and charged with 16 counts of violating England’s anti-terror law, including calling for death to non-Muslims and inciting race hate. Abu Hamza was convicted and sentenced to seven years in prison, but was indicted in the U.S. for involvement in an attack on tourists in Yemen. He is fighting extradition to the U.S. (Jenvey admitted recently faking a plot against Britain’s Jews.) A former Montana judge named Shannen Rossmiller set up an organization called Seven Seas, and claims responsibility for more than 200 operations, leading to arrests and disruptions of jihadi activities.

Joseph Shahda, another jihadi tracker, thinks the new Ekhlaas may also be the work of private cyber-vigilantes.

“I believe that it was a group of private individuals who set up the fake ‘Ekhlaas’ and also were able to hack into the account of Al-Fajr Media Center and GIMF,” Shahda says. “In my opinion intelligence services would not have done such a thing because it was easily exposed to be a hoax.”

For their part, neither the FBI nor the CIA is talking.

Eugene Rome, an attorney representing namecheap.com, says that after hearing from The Daily Beast, the company initiated an internal review of al-ekhlaas19.net, to see if it should be de-registered for violating the company’s terms and conditions—which are designed to prevent illegal or abusive practices.

Namecheap—which registers hundreds of thousands of Web site names each year—has an automated registration process and does not vet sites for content, unless someone brings it to the company’s attention, Rome says.

“There is no feasible inquiry that can be made to anyone’s motives or extent of their true identity, as long as they are capable of meeting the requirements of registration,” says Rome, who says he was not familiar with al-Ekhlaas until contacted by The Daily Beast.

Rome says that, to his knowledge, no law-enforcement or intelligence agencies have contacted namecheap about the Web site.

The company is no stranger to jihadi Web controversy. In July 2004, Jeremy Reynalds, another private cyber-vigilante, wrote about a jihadi Web site called Hosting Anime showing two notoriously gruesome beheading videos. The Web site name was registered by namecheap. Rome said he has only represented namecheap for the past two years and has no knowledge of that incident. Namecheap CEO Richard Kirkendall failed to return phone messages, emails, and a request for comment.

Howard Altman is an editor in the converged newsroom of TBO.com, WFLA-TV and The Tampa Tribune. He has written about jihadi websites since shortly after 9/11, when he broke the story about the Saudi Bin Laden Group website’s pre-set expiration date of 9/11/01. Altman has won more than 50 journalism awards and had his work translated into several languages.