Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Jihobbyists’ Category

MuslimCrypt and Clickbait

MEMRI talked up a report on a new “steg” program being offered and “used” by da’esh that was then picked up on by Wired (or more to the point someone called from MEMRI offering a story because slow news day at Wired) touting the new scareware booga booga booga that jihadi’s are using STEGO ERMEGERD! Of course this type of encryption has been around all along and in fact, as Wired alludes to, it has even been used by UBL back in the day as well. The fact that there is stego out there is nothing new but this alleged program is, maybe. You see, the problems I have with this assessment and the Wired story sold to them is that there is no real penetration of this software being used as far as can be seen and in fact nowhere on the net can the actual software be found to download.

So yeah, it is not in every da’esh cyber toolbox kids and if anything, it may be an OP trying to pop some of them on Telegram.

Telegram Accounts:

The Telegram accounts involved in this drop also seem to lack some history as well. I looked them up on Telegram and there isn’t much to see at all. Of course it could be that one needs to engage with them to see more but I am not going to do that for this so suffice to say that Google searches of these accounts, the names in them, and iterations thereof come up with nothing useful. In essence what I am saying here is they have “no history” and thus to me should be looked at as cutout accounts to drop this software from and nothing more. This is an important piece of the puzzle too but it seems MEMRI is more interested in selling subscriptions and getting on Wired than they are at being thorough in investigating things like this.

MuslimCrypt.zip and .exe:

Meanwhile one cannot find the software at all nor the zip file anywhere on the net. Not one download link anywhere. No uploads to MEGA, nor any of the other places that you would think that these guys would want to put it so that the jihadi masses can securely talk right?

Nopesauce.

The staggering lack of the file only leads me to believe that it was a drop to entice people to download in-line on Telegram in hopes that the account (MuslimTec) would be a form of watering hole attack. We see this kind of thing all the time in the hacking world and many of those kinds of attacks are carried out by more sophisticated actors. In this case the only place that the file can be seen is on Hybrid Analysis and on VirusTotal and even there there are only one to two drops of the file for testing. In all of these cases the files are not available for download so only one source has uploaded them.

Interesting huh?

So what do we have here so far… One source (MEMRI) sharing a story with Wired about a software package no one really has except MEMRI? How odd is this? Well, kinda odd and to me smacks of two things;

  1. MEMRI got played
  2. This was an OP by a nation state actor looking to own some jihadi’s

I will go into these ideas in some more detail below. Just remember that it is odd that these files are not out there in the forums nor being saved and uploaded for more penetration of use.

Reversal of the binary:

I found that the zip file had been uploaded to Hybrid in January as well as March 4th 2018. The VT upload happened in February 2018 so this has been around and about a bit. Remember though, these are the only instances of the files that I could find, and I REALLY wanted to find a copy. So whoever had the files to upload (assuming it was MEMRI) are the only ones to do so. I looked at the whole sandbox report of the zip and the executable and came up with some interesting factoids for you all.

  1. The language set is German
  2. The language of some of the re-used code snippets is German, so, I could go either way on this one. Could be a German who did the coding or just someone who knows some and worked on re-used code to make this program
  3. This was cobbled together by someone with some skills
  4. The software does have what seems to be a keystroke recorder built in but it has nothing really to do in sandbox because it is a sandbox and no actual keystrokes are made
  5. Whoever compiled this has a pc name or a folder name on their system of “SultanEasy” with “SultanEasy-2” which, ya know, kinda sounds all code wordy to me

I scoured the internet for “SultanEasy” and “SultanEasy-2” to no avail. Now with that in mind consider that this was a slip up on the part of the coder and that this folder in projects is a code name.
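Item 5 above rests on directory names that a compiler or IDE leaves inside a binary. As an added example (not from the original post or the sandbox report), this pulls Windows paths out of a sample in both ASCII and UTF-16LE and lists the non-generic folder names worth searching on; the byte blob and the EXAMPLE-* names are constructed placeholders.

```python
import re
from collections import Counter

MIN_LEN = 6  # shortest printable run kept; cuts noise from random bytes

# Windows binaries carry text both as single-byte ASCII and as UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Drive letter, at least one directory, optional file name.
WIN_PATH = re.compile(r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)+[^\\/:*?"<>|\r\n]*')

# Folder names that say nothing about who built the file.
GENERIC = {
    "users", "documents and settings", "documents", "desktop", "windows",
    "program files", "program files (x86)", "projects", "source", "repos",
    "bin", "obj", "debug", "release",
}


def extract_strings(blob):
    """Return printable runs found in either encoding."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found


def embedded_paths(blob):
    """Return every Windows path embedded in the blob's strings."""
    paths = []
    for text in extract_strings(blob):
        paths.extend(m.group() for m in WIN_PATH.finditer(text))
    return paths


def directory_names(blob):
    """Count directory components (drive and file name excluded)."""
    names = Counter()
    for path in embedded_paths(blob):
        names.update(path.split("\\")[1:-1])
    return names


def pivot_candidates(blob):
    """Directory names that are not generic: user, host or project names."""
    return sorted(n for n in directory_names(blob) if n.lower() not in GENERIC)


# Constructed sample: one ASCII debug-symbol path and one UTF-16LE resource
# path, padded with junk bytes. None of this comes from the real file.
SAMPLE = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16
    + b"C:\\Users\\EXAMPLE-DEV\\Documents\\Projects\\EXAMPLE-PROJECT"
      b"\\obj\\Release\\tool.pdb\x00"
    + b"\x01\x02\x03"
    + ("C:\\Users\\EXAMPLE-DEV\\Documents\\Projects\\EXAMPLE-PROJECT-2"
       "\\Form1.resx").encode("utf-16-le")
    + b"\x00\x00kernel32.dll\x00"
)

if __name__ == "__main__":
    for path in embedded_paths(SAMPLE):
        print("path:", path)
    print("pivot on:", pivot_candidates(SAMPLE))
```

A name that shows up in more than one path, or with a numbered sibling, is the stronger pivot; a single hit can just as easily be a leftover from re-used code.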

Ponder ponder ponder… A piece of software magically dropped on Telegram by accounts with no history and a binary that has a keystroke logger embedded in it?

Hmmmmmmmmm…..

Oh, by the way MEMRI, your reversal skills suck.

An Op?

Overall, this smells bad and MEMRI seems to have fallen for it or is unable to read a reversal report and strings well enough to see things in perspective.

Could this be an operation by a nation state? Sure.

Could it be another group like Anonymous or some other vigilante group? Sure.

Could it be a serious attempt at making steganography the go to encryption for jihadi’s today? Yeah no.

Nice clickbait though.

Derp.

K.

UPDATE: I was sent this by <REDACTED> this is from a paste of conversation screenshots from the MuslimTec Telegram channel…

Screenshot from 2018-04-02 14-45-24

So yeah, there are many comments in there about spies and even at one point claims of being hacked by dissension…

Just sayin.

Written by Krypt3ia

2018/04/02 at 18:06

Posted in Da'esh, jihad, Jihobbyists

Ahmad Rahami’s Journal: The Sycophantic Nature of Failed Seekers

Ahmad Rahami, the new jihadi wannabe lone wolf du jour made a splash with his bombings of a dumpster and a trash bin on CNN and the other media outlets but let’s really take a closer look at Ahmad and his mindset with the release of his ersatz “journal of jihad” shall we? First off, I am tired of the media coverage and while this was serious, it just shows you the level of recruit and planning that AQAP/AQ/da’esh have in the US presently and to wit, not very high. Frankly, looking at his journal pieces here I can only surmise that if Ahmad doesn’t have some sort of personality disorder it would greatly surprise me. On the other end of that spectrum, Ahmad clearly is a failed seeker acting out within the confines of his chicken shop malcontent diaspora in search of importance.

Ahmad opines the usual catch phrase diatribes seen in Inspire or Dabiq and on the web in general on the boards but seems to not really have a greater grasp of his own religion than most of the daeshbag recruits these days. Clearly he has been suckling at the tit of the jihadi propaganda machine and in fact had close contact with recruiters in Afghanistan and Pakistan where he spent a good deal of time in recent years on and off. These guys look for recruits who have weak wills and minds that can be easily swayed. Minds and hearts, ego’s in search of self importance that they lack presently but are told that they will be martyrs for the greater cause if they blow themselves or the far enemy up and it is bullshit.

All of the propaganda placed by these Khawarij are just a mental virus, neuro-linguistic programming, used to prey on the weak minded souls out there, those failed seekers in order to bring them in and turn them to the Khawarij will. For some time now the security services and governments of the world have been trying to see how they can combat these memetic viruses online and so far no one has been able to come up with a solid solution. Those who are seeking will latch onto anything that they feel an attraction to and it has been since time immemorial. Cults, and religions both rely on this to build their base, belief is key and the means to that end is dogma.

In Ahmad’s diary we see this in action and we see the brain washing and self delusion that goes on here with the repetitive statements in this journal that he used to egg himself on to action. No doubt he wrote this out and continued to do so as he built the bombs. All of this, all the language is a means to an end to justify to himself his actions. Actions fed to him by the propaganda online, in person, and programmed into him and all the others who are willing to listen, to believe, and to act.

Weak minds.

Weak souls.

Pawns of the Khawarij.

I truly hope we can come up with a means to combat such memetic viruses but so far I see no hope of it. Prepare yourselves for the other weak minded jihobbyists out there to try and catch their own brass ring of importance. Just don’t let them enable fear to win and change the course of our governance to a fear based one… Well… One that is more so than it already is.

Dr. K.

Written by Krypt3ia

2016/09/23 at 14:25

Leaderless Jihad and Open Source Jihad: A Marriage Made In Hell.

In 2013 I wrote about leaderless jihad and the “Stand Alone Complex”. Now we are seeing this type of leaderless, “inspired by” thought virus playing itself out on the national stage. Last night’s attack using a lorry was something that was presaged by two issues of Inspire Magazine back in 2010 and 2014. There isn’t much to it really to gather some weapons, steal a truck, and then plow it into a crowd but it has taken this long for the insidious idea to take root in the collective unconscious of the would be jihadi’s. The days of a more rigid and trained “jihad” are being eclipsed by would be unbalanced individuals seeking attention and reinforcement of their sick ideas through the media, the internet, and our collective inability to look away from a tragic scene on a glowing screen.

Screenshot from 2016-07-15 07:00:08

2014 Inspire

Screenshot from 2016-07-15 07:04:08

2010 Inspire 2 “Ultimate Mowing Machine”

Soft targets were always the preferred avenue of attack but now they are becoming seen as a top priority for security forces since the attacks in France and other places like Bangladesh. While Dhaka on the face of it had a contingent of more trained individuals the attack last night is as simplistic as they come. This is what is really scaring the populace and the security services because now it seems that the authors and actors of these acts are in fact just one guy and not a cabal that they could perhaps track using pervasive surveillance. A cell of one is hard to track and certainly if they self radicalize by just downloading Inspire magazine and watching YouTube, well, what can one do? There are no easy answers here in the world of detection and prevention.

Screenshot from 2016-07-15 09:26:04

So here we have it, I have been pointing this out for a while and at first it was AQAP trying to inspire “OSJ” or Open Source Jihad. Now Dabiq and Da’esh are carrying it on and furthering it with the media zeitgeist that ensues with each attack. The net effect here is that these people are self-radicalizing with the help of the media’s obsession on covering ad nauseam these acts. The pervasive hand wringing and talking heads only serve to whet the appetite of the would be jihobbyist into action. Forget the Inspire magazines and the videos, just watch CNN and that is enough it seems. This all is very much like the plot line to “The Laughing Man” arc of Ghost In The Shell. An act carried out on the media instilled others to carry out like acts to be on the media and further the idea(l) as well as serve as a means to self-fulfil the actor’s need for attention and satisfaction.

This is pure psychology at work and there are a host of reasons and syndromes that could likely be pointed at to rationalize its happening. The fact of the matter is that now we are seeing it play out rather bloodily on the streets of the world in furtherance of an idea and ideal set that lends itself to the like minded.. Or should I say mentally ill? Yes, I would say mentally ill. These actors are acting out and likely have some borderline tendencies to start with. These people feel outcast in their societies or out of place within the societies they are living in as a second generation citizen. It is a complex thing to nail down and I suggest that anyone who might want to delve into it further read “Leaderless Jihad” by Marc Sageman.

We need a more nuanced approach to the GWOT and I am afraid we won’t get that…

K.

Cyber Jihad Marketing: Yelling FIRE! In A Crowded Theater

Screenshot from 2016-06-20 07:37:15

Recently, a reporter that I know came to me asking if I would look at this ICIT-Brief-The-Anatomy-of-Cyber-Jihad1 and give input on it. They wanted to have my opinion because the firm that wrote it was seeking a reporter to flog it on their news site. I told the reporter after looking at the “analysis” this exact quote; “This report is the marketing equivalent of yelling fire in a crowded theater” Well, it seems that CNBC bought it though and my hand has been forced to write about this travesty. ( CNBC Report that forced my hand ) I told the reporter to back away slowly and to their credit they did. CNBC not so much. So here I am going to outline how this report is full of marketing and cognitive bias and wild assumptions. Oh, and that is if you can get past the hyperbolic language in the first graph…

Screenshot from 2016-06-20 08:47:58

I shit you not..

Cyber Caliphate & Junaid Hussain:

The report goes on a long time talking about Da’esh and their origins. While much of that data is right on, the report starts to go off the rails once they begin talking about the “cyber” part of the picture. They start off by talking about Juny and his cybering, the defacements out there, and the propaganda war that is still ongoing by the likes of Da’esh, AQAP, Boko Haram, etc. Which is all fine, mostly accurate, but then they start to talk about “possible capabilities” after they just pretty much said “They aren’t that capable”. Cognitive dissonance much there guys? The truth of the matter is that to date, the propaganda war is the biggest and most dangerous war here, not the so called cyber war that this “analysis” is pimping. I have been following this stuff since 2001 and Juny is the new Younis Tsouli really, both were/are moderately skilled in hacking but not much more than that. Both were much more propaganda figures, and more dangerous in that capacity than any of their hacking skills. In fact, in the case of Younis, he got the heat and popped for that very reason, he was making a splash and attracting followers. Juny had that very same skill set and became much bigger a deal because he caught the zeitgeist for the jihobbyists out there with his mouth on Twitter. This is why he was killed with a hellfire, not because he hacked any big databases or got the real dope from some hack. In short, both were a danger because they had followers, and those followers were radicalising off of their jihadi bluster online and caches of propaganda from the main marketing teams of their respective terrorism groups. (AQ for Younis and Da’esh for Juny)

Screenshot from 2016-06-20 07:45:48

Of course the report would not be scary enough without the “Cyber Caliphate” an operation that Juny lamented was just him, no one else, before he got whacked on Telegram. That’s right kids, Juny was pimping something and making shit up. Once Juny got whacked you know what happened? Groups of guys like Team Fallaga took up the mantle and went on to deface pages like the dickens! “OOH SCARY DEFACEMENT BRO” While the report states this, and some of the other information I just mentioned, they then go on to analyse and say that these guys aren’t capable now but someday… SOMEDAY they could be. Oh really? You don’t say! Sure it is possible but it is not likely. Given that most APT activity takes money, time, and cohesion, the jihadi’s are all over the place and usually small disparate groups of skiddies, not solid hackers. So, the scare tactic of analysis is way off the mark in this report and this is why I told the reporter to step back slowly from their pitch. If this group had left it at that, “it could happen but it is not likely”, I would have had some respect for them. Instead they chose the other, scare the client into buying shit, route. As for Cyber Caliphate and all their other silly acronyms, none have shown that they are a credible threat to much else than an insecure web page. No real data has been hacked and their “data drops” of enemies to kill have all come from open sources on the internet. Sure, is it problematic that they are doing this? Sure. Is it a clear and present danger of cyber capabilities that they could strike the grid next?

No.

Just stop.

Jihadi Helpdesk

PSSSST hey morons.. There is no Helpdesk

Screenshot from 2016-06-20 07:46:05

I need not say more right?

… But I will.

DO YOUR GOD DAMNED HOMEWORK AND QUIT THE FEAR MONGERING FOR MONEY!

CYBER JIHADI DARKNETS

Of course these guys could not miss an opportunity to scare and of course they had to use the scary “Dark Net” or “Deep Web” I have been on the dark net for a long time and I will tell you I have found a few sites but nothing there is that scary. In fact, to date, the sites either have been hacked soon after and taken down, or just sit unused. So really, the dark net is no threat here. Sure, the jihadi’s are using technology to obfuscate their chats now and trying to hide in the “deep web” of un-spidered content but the reality is most of this stuff is non operational. What the jihad today (Da’esh) wants mostly is to radicalize and activate those in the US like Omar Mateen without even really having contact with them.

Screenshot from 2016-04-29 13:12:15

So, the darknet… Not so much a terrorist haven kids. Sorry

https://krypt3ia.wordpress.com/2015/11/15/the-first-official-daesh-darknet-bulletin-board-has-arrived/

https://krypt3ia.wordpress.com/2015/11/18/daesh-darknet-under-the-hood/

Overall Analysis of Scare Marketing and Cognitive Bias

This report is a travesty of a tissue of what if’s that really is just a pulp thriller wannabe disguised thinly as a marketing piece cum serious analysis of Jihad online.

Please believe none of it.

Dr. K.

Written by Krypt3ia

2016/06/20 at 12:50

The Nuclear Bomb of the Mujahideen

Screenshot from 2015-06-24 08:13:59

Nuclear Bomb of the Mujahideen:

AS IF the jihadi’s were listening to some people in the media they responded to a dearth of their particular brand of crazy in the darknets by adding a new site Monday. The Nuclear Bomb of the Mujahideen is a single page on the onions with six download links for documents on how nuclear weapons work, how to make one, and how to calculate the effectiveness of materials and fallout. Yes indeed, the darknet is now indeed scary because the AQ centric author of this single page has uploaded old data from 2006 that was circulating the clearnet on the jihadi boards back then.

WOOOO

Screenshot from 2015-06-24 08:24:57

So below I have some screen shots of the documents including the excel files that they left for calc’s to be made by some hapless jihobbyist who might try to make this happen. Frankly since there is nothing new here this is kind of a non story story BUT I wanted to get this on the blog before the MASS MEDIA SCARE engine sparked up and suddenly FOX is talking about the end of the world because DARKNET! This is not the end kids and in fact I think it much more likely that a dirty bomb would be used before some nuke was created by some group of jihadi’s or Da’eshbags.

Here are the details of the site:

  • Created Monday 6/22/15
  • Single page
  • 6 downloads
  • Email address of the creator is: sjpchm8723@mail2tor.com 
  • Old data
  • Excel and PDF’s uploaded are malware free (at this time)
  • Excel files do have macro’s though so there is that.. VT came up clean but MALWR.com failed me today (500 error)
  • Data is taken from government and science files on clearnet
  • Files created on system with Latin as base language not Arabi
  • Yes.. the feds now know about the site.

So take a gander at the images below then meet me at the metadata section!

Screenshot from 2015-06-24 09:21:52

2006 manual

Screenshot from 2015-06-24 09:22:25

Put that DIY nuke on a truck!

Screenshot from 2015-06-24 09:23:41

 Implosion calculator for the package (Nuclear material fission)

Screenshot from 2015-06-24 09:24:00

 Fallout calculator

advanced_nuclear_weapon_design

OLD (FATMAN)

implosion_bomb_schematic

OLD IMPLOSION

METADATA:

What is more interesting from a DFIR kind of perspective is all the metadata that was left by the guy who put this site up and loaded those files. It could be all old data and I will have to go through my files to locate these pdf’s from 2006 to compare but let’s take a look shall we?

Screenshot from 2015-06-24 09:06:04

 Dude’s a Winderz user

Screenshot from 2015-06-24 09:06:16

 You can see where the 2006 files came from there…

Screenshot from 2015-06-24 09:06:31

 Using MS office and PDF machine!

Screenshot from 2015-06-24 09:07:20

Winderz 7!

Screenshot from 2015-06-24 09:10:11

PDF details

Screenshot from 2015-06-24 09:10:37

MOAR PDF details

Screenshot from 2015-06-24 09:12:59

Excel

Screenshot from 2015-06-24 09:13:10

MOAR Excel

So what do we have here? Well, the creator not creating anything new. In fact the documents all come from the 2006 range (pdf’s) or 2014 in the case of the Excel files. So someone just downloaded these and then uploaded them to this site on Monday. Now, what I will say though is that they have enough comprehension of nuclear tech to include the excel files on the radiation fallout and calc’s for implosion but really, not much more than that. For all intents and purposes this could be a troll from someone who just Googled a bit and came up with a zip file to add to this site.
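The kind of metadata pull this section walks through, as an added example that is not from the original post: it reads the Info dictionary of a PDF and the docProps parts of a zip-based Office workbook, and flags an embedded VBA project. The two sample files and every value in them are constructed in-line; it assumes an unencrypted PDF whose Info dictionary uses plain literal strings.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Literal-string entries of a PDF Info dictionary: /Key (value, \( escaped)
PDF_FIELD = re.compile(
    rb"/(Author|Creator|Producer|CreationDate|ModDate)\s*\(((?:\\.|[^\\()])*)\)")

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE = {"creator": "dc:creator", "lastModifiedBy": "cp:lastModifiedBy",
        "created": "dcterms:created", "modified": "dcterms:modified"}
APP = {"Application": "ep:Application", "AppVersion": "ep:AppVersion",
       "Company": "ep:Company"}


def pdf_info(data):
    """Authoring fields from a PDF; later (incremental-update) entries win."""
    info = {}
    for key, raw in PDF_FIELD.findall(data):
        value = re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")
        if key in (b"CreationDate", b"ModDate"):
            stamp = re.match(r"D:(\d{14})", value)
            if stamp:  # the UTC offset that may follow is dropped here
                value = datetime.strptime(stamp.group(1), "%Y%m%d%H%M%S").isoformat()
        info[key.decode()] = value
    return info


def ooxml_props(data):
    """Core/app properties of an OOXML file, plus a macro indicator."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for part, fields in (("docProps/core.xml", CORE), ("docProps/app.xml", APP)):
            if part not in names:
                continue
            # stdlib parser; for hostile input prefer defusedxml (third-party)
            root = ET.fromstring(z.read(part))
            for label, path in fields.items():
                node = root.find(path, NS)
                if node is not None and node.text:
                    props[label] = node.text
        props["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    return props


def triage(data):
    """Dispatch on magic bytes rather than on the file extension."""
    if data.startswith(b"%PDF-"):
        return pdf_info(data)
    if data.startswith(b"PK\x03\x04"):
        return ooxml_props(data)
    if data.startswith(b"\xd0\xcf\x11\xe0"):
        return {"note": "legacy OLE2 document; needs an OLE parser"}
    return {"note": "unrecognised container"}


def sample_pdf():
    """Constructed PDF skeleton; only the Info dictionary matters here."""
    return (b"%PDF-1.4\n1 0 obj\n"
            b"<< /Producer (ExampleWriter 1.0 \\(constructed\\)) "
            b"/Creator (Example Word Processor) "
            b"/CreationDate (D:20060115103000+01'00') >>\nendobj\n"
            b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")


def sample_xlsm():
    """Constructed macro-enabled workbook: just the parts that are read."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
            '<dc:creator>example-user</dc:creator>'
            '<cp:lastModifiedBy>example-user</cp:lastModifiedBy>'
            '<dcterms:created>2014-03-02T09:00:00Z</dcterms:created>'
            '</cp:coreProperties>' % (NS["cp"], NS["dc"], NS["dcterms"]))
    app = ('<Properties xmlns="%s"><Application>Microsoft Excel</Application>'
           '<AppVersion>14.0300</AppVersion></Properties>' % NS["ep"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("xl/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for blob in (sample_pdf(), sample_xlsm()):
        print(triage(blob))
```

All of these fields are set by the authoring software and can be edited or stripped, so they corroborate a timeline rather than prove one.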

On the other hand, could this be a phish of sorts? Why the email address? Feds? Or is this a real believer who wants to have the tech in the darknet and wants to have a discussion via mail2tor? I have to wonder about this and I may in fact email them to see what I get back. Since the files seem to be malware free (at this moment) I am going to say this is 50/50 a troll or a true believer. Though, the coincidence that a report on how there is a lack of terrorism (jihadi) in the darknet and suddenly this site appears, well, trollhard my friends.

Ok back to the media.. DON’T FREAK OUT!!! This is nothing. You have more to fear from your IP enabled toaster exploding like on CSI Cyber than you do of some numbnut finding fissile material on a darknet market and using these guides to make a bomb. Believe me.

K.

Written by Krypt3ia

2015/06/24 at 13:58

Posted in DARKNET, jihad, Jihobbyists

Darknet Jihad: These Aren’t The Sites You Are Looking For

jihobbyism

 OMG DARKNETS!

I recently gave a presentation at Mass Hackers on “Online Jihad” which went very well. While I was covering the online jihad, the topic of Darknet Jihad came up as well, it usually does when anyone talks to me about the subject. Well, since giving that presentation I have seen various and sundry gubment types claiming that the “Jihadi’s are using the darknet! OMG! It’s why we need to have crypto front doors and de-anonymize the darknets!!!!”

*Baleful stare*

I am writing this post to set the record straight and to make a point… A cryptic point that someone reading this will get and you know who you are. The darknet is on the whole NOT being used by jihadi’s to hide their comm’s in the sense of going to darknet sites. Please for the love of everything sane, all you gubment types and wanna be spies get that the fuck into your heads right the fuck now.

Yes, the jihadi’s are using TOR and other VPN’s in attempts to hide their traffic on the “clearnet” but no, they are not gathering in large groups in hidden services sites on the actual “darknet” This is an important difference that many in the media and in the government either don’t get or don’t want to get in favor of having a scary scary thing to say to get the other ossified gubment workers (aka the Senate and House) to capitulate out of fear to their crypto breaking desires.

So lemme mansplain for you all about just what is going on in the darknet and what is not ok?

Darknet Jihad Funding

fundjihad1

FundJihad2

Credit for screen shot Joe Cox and a hat tip for pointing out that it was there on the darknets.

What you see above this text are two sites that have appeared in the darknet and these have been the most tangible and visible of anything out there to date. The top picture is from a site that had a real bitcoin address and appeared in 2013 I believe. I wrote about it back then at least so maybe it was around in 2012. In the end though it amassed about 1200 bucks and then it was cashed out. Personally I think it was a scam site but who’s to know really.

The second more recent site is directly supposed to be a Da’esh site and it appeared last month on the darknet. Its bitcoin address is real as well but to date has had no money put on it. This site too smells more like a fake or a dangle by an agency than anything else. Why? Because the fact of the matter is that to date, neither I nor anyone I know in the know have found ANY other sites out there on the darknet, in the hidden services, at all that is jihadi in origin or aegis. None. Niente. Nada.

Of course there may be super secret sites that only a select few know the address of or maybe they are just using other sites like market places as dead drops but even this sounds a little too esoteric for the nitwits we see today in jihad and jihobbyism online. There is just no there there man, nothing to hang your crypto is bad hat on Mr. gubment guy! Ok ok ok, there was one upload to a file server in the darknet for one manual but the link was given on the clearnet jihadi board so how the fuck super secret is that?

Meanwhile Back In The Clearnet….

Ok so now that I have made myself I think crystal clear, let’s talk about what the jihadi’s are doing that I and others like me have seen. For the most part they have taken to TOR and TAILS like a mother since the Snowman dumps. This is to be expected right? I mean, look at all of us in the security community talking about this shit too right? If we say that it is better to TOR up or use TAILS to protect our basic security and privacy it stands to reason that these jihadi mo mo’s will too huh?

This is not rocket science kids…

Oh and yeah, since TOR has become ever so user friendly, it is a natch that these guys will install it and use it on anything and everything that can run it. If you look below here you can see how they are using various tools on various platforms like Android just to reach their Da’eshbag Twitter accounts so they can spew their derpy propaganda!

kasperskyTor

onionANDROID

OnionTweet

So yeah, they are using TOR, TAILS, and anything else they think will give them an extra layer of protection. I have seen tutorials in Arabi all over the place for them to use and the mandate from the Da’eshbag pooba’s on how to be secure online. This however does not stop them from getting a JDAM shoved up their asses though when they take selfies am I right?

Derp… KABOOM!

Right, anyway, the skinny is that until these guys are all digital natives they aren’t going to be living and lurking in the darknets. Sure, they will have TOR, and sure they will have encrypted chats but hey, WHEN THE FUCK DID WE NOT HAVE THOSE OPTIONS TO START HUH? Really, for fucks sake stop it with the scare tactics USGOV and every god damned three letter agency! How about this, you say fuck all to the tech fixation and the shortcuts and you all get your HUMINT game back on?

That is how you will win this war. Make friends, find out where they are, and then JDAM the fuckers.

K.

CORRECTION: According to a tip I got from @Apate1114 there was a site back in 2012/2013 that was alleged to be a standard jihadi type site. In looking for any kind of backstop on this all I could locate were links that described the onion site in question (http://p2uekn2yfvlvpzbu.onion) In February 2013 it is listed as “http://p2uekn2yfvlvpzbu.onion/ Armas entrenamiento militar etc” 

Another site lists a file on the site for that time showing a pdf for a .50 cal rifle: contruçao rifle:p2uekn2yfvlvpzbu.onion/arm/50calRifleConstructionManual.pdf Neither of these says jihadi site etc and unfortunately I have not seen an archive of the site.

Correction II:

I had a chat with @Apate1114 and they gave me a correction to the above. They provided a bad link there. The link is in fact instead: aub35xzuj7wslusm.onion and is no longer up. The site that was linking it in 2013 is seen below:

Screenshot from 2015-06-16 10:34:15

Screenshot from 2015-06-16 10:34:34

This site, aljyyosh, calls the onion site موقع عربي غريب, which is “weird website”. Since then, nothing has been seen of this site in the onion but as you can see on aljyyosh there are plenty of tutorials on how to Tor.

Screenshot from 2015-06-16 10:40:01

Written by Krypt3ia

2015/06/15 at 23:14

Much Ado About Nothing: Team System DZ and Defacements

Screenshot from 2015-03-27 08:35:58

Recently there was a spate of defacements by Team System DZ that has been making the rounds in the mainstream media. These defacements by Poti-SaDZ or Poti Sad Darky and his derpy bandito boyz using daesh symbols and poorly written rhetoric are nothing to write home about yet the media spins their skiddie exploits into media gold. Well I am here to set the record straight with you all. Poti, or Ahmed Saoudi is just a derpy kid in Algeria with nothing better to do than deface sites with others tools. He, and they, are just looking for the lowest of low hanging fruit to garner some attention for themselves. In fact, Poti here has some poor OPSEC as do many of his derpy little pals as you can see below.

Screenshot from 2015-03-27 08:48:59

Screenshot from 2015-03-27 08:06:26

In the first picture there you see his folders as he is running a tutorial on uber lee7 h4x0ring in winderz. The second picture is one of more than a few where he fails to engage his proxy and the handy little task bar there on the browser gives his home IP address(s) 41.100.113.208 and 41.100.76.152 respectively over time. Poti in fact logs in to the Team System DZ Facebook account without proxy a couple times and is likely unable to easily get on there because of issues with proxies, since ya know Zucky don’t play privacy.

Anyway, the IP space is for the following in Algeria:

IP address: 41.100.113.208
inetnum:        41.100.0.0 – 41.100.255.255
netname:        RegChlef
descr:          region chlef
country:        DZ
admin-c:        SD6-AFRINIC
tech-c:         SD6-AFRINIC
status:         ASSIGNED PA
mnt-by:         DJAWEB-MNT
source:         AFRINIC # Filtered
parent:         41.96.0.0 – 41.111.255.255

person:         Security Departement
address:        Alger
phone:          +21321911224
fax-no:         +21321911208
nic-hdl:        SD6-AFRINIC
source:         AFRINIC # Filtered

Other Data:

Poti-Sadz aka PoTi SaD DaRkY
https://www.youtube.com/channel/UCnHsj8Q7xOgTGSB9S-6mZdA

youtube.com/user/ahmedsaoudik/playlists … ahmedsaoudik
http://video.exstrim-bog.ru/author/ahmedsaoudik

Skype: poti_sad-dz

There are a lot of Ahmed Saoudi’s in the skype phone book as well but only a couple list Algeria as his location and one of them has 1992 attached to the name. So, 2015 – 1992 = 23 which would be a prime age range for this kind of stupid kid activity no?

Skype: ahmed.saoudi1992

Give em a shout and see! Look, what I am saying here is that in looking at these guys I would have to say that they are not the daesh A-Team of hacking. I would also say that perhaps they could be behind the last derpy Googling of some military names and posting a hitlist online thing. That there was also something that the media went nova on and in reality “no va” is really more appropriate.

HOLY WTF PEOPLE! CUT THIS SHIT OUT!

Anywho, I just thought I would dump this little OSINT OPSEC FAILTACULAR on you all.

Enjoy the lulz…

K.

Written by Krypt3ia

2015/03/27 at 15:08