(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Daesh Darknet: Under The Hood

leave a comment »

Screenshot from 2015-11-15 16:46:15

After having mirrored the new “unofficial” official da’esh darknet site I have some more insight into who may have done this as well as where the data is coming from. First off a mea culpa of sorts that this site claims to be the “unofficial” source for the darknet but they are using feeds from official sources. So really I guess unless you really don’t understand da’esh you could say it is unofficial but the reality is they will claim just about anything as a win and at their behest so make of that what you will. In either case this site exists, it is using approved da’esh propaganda from Al-Hayat, and thus to me it’s still pretty official.

So back to the under the hood look at this new darknet propaganda tool…

Screenshot from 2015-11-17 08-50-02

Once I started looking at the site code the following became apparent:

  • It’s a wordpress site
  • It’s got a backend feed in the clear
  • It’s a re-hash of a site out on the clearnet called
  • It’s an amateur job at darknet security

Since this story hit all the news sites many people called into question whether or not this was a ‘real’ site because… Well I have no idea why people would call it into question really. Anyway, the fact of the matter is that this was put up by an acolyte of da’esh who at least has enough wherewithal to get a host in the darknet and forward a clearnet feed to it. The fact that they are using WordPress 4.3 is another interesting tidbit. Perhaps they are not as mental genius as some people, maybe the ones calling this site into question in the first place might have been thinking. You see kids, these guys are not all mental geniuses ok? They make mistakes all the time and most of the time they are rookie stupid ones at that.

That said, here is the data I pulled from the site:

<guid isPermaLink=”false”></guid&gt;;

inetnum: –
netname:        US-CHOOPA-20150320
descr:          Choopa, LLC
country:        FR
org:            ORG-CL301-RIPE
admin-c:        CN3183-RIPE
tech-c:         CN3183-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MAINT-AS20473
mnt-routes:     MAINT-AS20473
mnt-domains:    MNT-CHOOPA
created:        2015-03-20T07:30:59Z
last-modified:  2015-03-30T17:31:46Z
source:         RIPE # Filtered

organisation:   ORG-CL301-RIPE
org-name:       Choopa, LLC
org-type:       LIR
address:        100 Matawan Rd. Suite 420
address:        NJ 07747
address:        Matawan
address:        UNITED STATES
phone:          +19738490500
fax-no:         +17325661268
mnt-ref:        MAINT-AS20473
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
created:        2015-03-19T08:30:22Z
last-modified:  2015-03-23T12:14:27Z
source:         RIPE # Filtered

person:         Choopa Network
address:        100 Matawan Rd. Suite 420 Matawan, NJ 07747
phone:          +1-973-849-0500
nic-hdl:        CN3183-RIPE
mnt-by:         MAINT-AS20473
created:        2015-03-11T16:38:19Z
last-modified:  2015-03-11T16:38:20Z
source:         RIPE # Filtered

As you can see the site in the clearnet is hosted out of Choopa LLC which has it’s HQ in New Jersey. However, when you start to dig on this you also get information that the server actually resides in Amsterdam.

Screenshot from 2015-11-18 08:06:16

Screenshot from 2015-11-18 07:52:23

Either way, the system behind this data feed is in fact a windows box and could be vulnerable to some attacks as you can see from this Nmap:

Nmap scan report for ( ———-> is a virtual hosting connected to choopa
Host is up (0.11s latency).
Not shown: 995 closed ports
22/tcp   open     ssh
139/tcp  filtered netbios-ssn
443/tcp  open     https
445/tcp  filtered microsoft-ds
1720/tcp filtered H.323/Q.931

All this data leads me to believe that the end user can be tracked down easily enough by authorities but I also think that without that, I can still track down who set this up without having to attack an onion site like the FBI. Besides, I don’t have a million dollars to give to a university to deanonymize anything. So let’s look at it from another angle. When you look at the onion site, if you look carefully, at the bottom right corner of the pages you see the following address: Let’s have a closer look at that and see what we find shall we?


EsdaratReturn is a re-spelling of “Isdarat” which was a site put together by da’eshbags in the past to be the alternative to YouTube as you can see below. This site is presently offline it seems and my guess is that this person(s) wanted to re-kindle that flame in the darknet because their site went boom boom. Isdarat started in May it seems and I am not fully up to speed on it’s history. That will be for my next blog post. I plan on continuing the backtrace to accounts on twitter that mentioned not only Isdarat, but also esdarat. Once I backtrack I believe I will be able to come up with the who and more of the why this site came to be in the darknet.

Screenshot from 2015-11-18 08:24:58

In the meantime though, I suspect that this post will cause a stir in the jimmies not only to the creator of the onion site but also all those keen watchers out there who wanna take things down like esdarat or isdarat or whatever shingle the daeshbags hang to serve their propaganda from. Since the rss box is in the clearnet and the content seems to be coming from Google, I expect to see a site in the darknet soon without any real content on it if you know what I mean… Have fun kids!

Make it so.


UPDATE: Seems the daeshbag onion has fallen down and gone boom already!

Screenshot from 2015-11-18 09:49:24

UPDATE 2 11/23/2015

Now both of the sites are down. The onion site and the backend RSS in the clearnet.

Fall down… Go boom.

Written by Krypt3ia

2015/11/18 at 13:57

Posted in Da'esh, DARKNET

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: