When 24-year-old Evan Kohlmann told the manager of his research group that terrorists were using internet forums to orchestrate attacks in the early 2000s, he was met with intense scepticism.
As strange as it might seem in hindsight, the internet was not where intelligence investigations took place at the time and this – as Kohlmann quickly came to realize – had created something of a blind spot.
At the start of the century, terrorists linked with Al-Qaeda and other extremist groups were embarking on a long love affair with the deep web – the area of the internet not indexed by traditional search engines.
The deep web gave extremists the ability to communicate on a global scale, away from prying eyes. And the terror-focused think tank for which Kohlmann was working didn’t want to hear about it.
“It seemed to me that this really was the future. We would have given our arm for this kind of information and it was just being offered up to us on a silver platter,” Kohlmann told TechRadar Pro. “And it just didn’t seem like anyone had a good handle on it.”
It was this realization that would see Kohlmann carve out a niche expertise that later made him an invaluable asset to the world’s leading intelligence agencies. When they finally cottoned on to the problem, that is.
Sowing the seeds
Kohlmann arrived at Georgetown University in Washington D.C. with dreams of studying American politics, but quickly became disillusioned with his cohort.
Instead of energy and spirited debate, he found an assortment of well-connected but dispassionate classmates interested only in “the hunt for fame and fortune”, which Kohlmann found “enervating and extremely boring”.
In a spirit of determined contrarianism, he went in a pursuit of an experience diametrically opposed to the path chosen by his high-society peers – and a cause worth investing in.
Motivated by an interest in war-torn Afghanistan, which at the time was under the thumb of the Taliban, Kohlmann began a period of online research from which he has never surfaced.
His early findings were that the deep web was a kind of “wild west”, in which there “was not a lot of law enforcement and therefore not a lot of paranoia about surveillance,” Kohlmann explained.
Along with long-time friend Josh Devon, now fellow co-founder of risk intelligence firm Flashpoint, Kohlmann joined the aforementioned think tank, where he first came to understand that terror activity on the web warranted serious investigation. But for a long time, he was all but alone in this opinion.
Eventually, however, he found himself in the right place at the right time. When Ahmed Ressam was arrested at Port Angeles, attempting to enter the US with the chemical components of a bomb he intended to plant on the eve of the millennium, Kohlmann’s work and expertise was thrown into the limelight.
Almost overnight, US policymakers became all too aware of a new threat that they were ill-equipped to combat. And then, all of a sudden, a fresh-faced Kohlmann found himself delivering a briefing at the White House.
Kohlmann – who spent our conversation prowling around his dining room in a t-shirt, shorts and a pair of flip-flops – could certainly be said to fit the computer whizz archetype, but an expert he insists he is not.
He has always had an interest in computers and had spent time coding simple websites as a teenager, which gave him some grounding. But, nonetheless, he was keen to emphasize that he didn’t need a wealth of expertise to access the areas of the internet frequented by the world’s most dangerous terrorists and criminals.
Asked about the kinds of tools he uses to conceal his identity when conducting research, Kohlmann played down their sophistication. “The truth is, we don’t use any methods that are incredibly innovative or unique – we use the same methods as [any other forum user],” he explained.
According to Kohlmann, the best way to catch a terrorist is simply to act like one. “If illicit actors are using the Tor network to connect to a particular forum in order to anonymize their activity, then we need to use Tor. If they’re using a proxy, then we need to use a proxy.”
Both of these services act as an intermediary between the user and the web, veiling the original IP address. Tor goes as far as to route the user’s traffic through three separate proxy layers – an entry node, middle relay and exit node – for additional protection.
Popular messaging service Telegram is also extremely popular with illicit actors, Kohlmann told us, with hundreds of thousands of invisible channels used by groups ranging from ISIS and Al-Qaeda to Russian hackers and Neo-Nazis.
When accessing these online communities, the main priority for Kohlmann is to blend into the crowd and, to do that, both his traffic and behavior need to be indistinguishable from everyone else’s.
“If the techniques you’re using to anonymize yourself or to collect information don’t look like everything else, you’re going to get banned. In the same vein, if you post a lot of questions that wouldn’t be asked by a threat actor, you’re going to lose your account.”
Armed with a simple set of tools that are available for free to anyone, Kohlmann became extremely well-practiced at the art of “mimicking and mirroring”. That way, he avoided contaminating the honey pot of information that he and very few others knew existed.
Terror activity on the deep web
With twenty years on the deep web in his back pocket – and having worked alongside the FBI, Scotland Yard and many other intelligence organizations – Kohlmann is a font of anecdotes that never runs dry.
During our brief conversation, he recounted direct communications with Shiite militants engaged in an assault on the US embassy in Baghdad and an ISIS fighter who had been badly injured in combat.
As recently as this summer, he said, militants in Iraq announced attacks on foreign diplomats ahead of time via Telegram channels, in a bid to demonstrate their credibility to their peers. “Watch, here it comes. Here it comes!” they posted, moments before the launch of a rocket.
Kohlmann told us of relationships cultivated with some of the most influential members of these online terrorist communities in the early 2000s. Around the time of 9-11, for example, he interviewed a close friend of Osama Bin Laden and flew to London to meet with Abu Hamza al-Masri (known as “The Hook”), the radical cleric that led the Finsbury Park Mosque responsible for shoe bomber Richard Reid.
He also watched on as a Jordanian doctor named Humam al-Balawi surfaced as a major player on Al-Qaeda forums. Recognizing his influence and standing, Jordanian intelligence attempted to turn al-Balawi, whose status as a family man they thought they could leverage.
But the Jordanians had underestimated the extent of al-Balawi’s indoctrination. The doctor began to post cryptic messages to the forums, suggesting something bad was about to happen, and not long after, he blew himself up during a meeting with his CIA handler.
In most of these cases, the terror actors with whom Kohlmann was communicating had no understanding of his real identity – but this was not always the case.
In one particularly frightening incident, a leading light of the Al-Qaeda community – known by the moniker Terrorist007 – posted a video clip of an interview Kohlmann had done with the BBC to the forum.
He had done so as a kind of veiled threat, in full knowledge that Kohlmann was lurking (albeit anonymously) in the bulletin boards. This was back in 2005, during which year Al-Qaeda had made a habit of posting videos of their beheadings online.
What makes a terrorist?
Terrorists, according to Kohlmann, do not all grow from the same tree. In other words, not all have been radicalized by a life of poverty and violence, not all have strict religious upbringings and, certainly, not all are from the Middle East.
There is, however, an unfortunate archetype. Take Terrorist007 as an example; he rose through the ranks to become the webmaster of Al-Qaeda Iraq, but in reality he was just the teenage son of a Moroccan diplomat living in London.
According to Kohlmann, he was “a loser that had no friends – a 400-pound hacker living in his mom’s basement – and not exactly someone that fits into the ‘I’m starving and oppressed’ bracket”.
Likewise, the Jordanian doctor al-Balawi was just a “nerdy guy that was lured into this bizarre alternate world, who became a character in an online existence and was living his fantasy completely.”
“What you’re looking at is isolated individuals that don’t have many friends. [These types of people] are lured into scenarios in which their mundane real lives become secondary to the existence they build online.”
“The idea of suddenly feeling like a superhero has an allure to it. The idea that you will become famous, maybe infamous, has an allure to these people.”
The picture he paints is a frightening one, in which the line between a terrorist and a regular citizen is alarmingly thin. Two people with the same heady cocktail of character traits – not in themselves insidious – will take two totally divergent paths, perhaps depending on the particular corners of the internet in which they find themselves.
And terror groups are fully cognizant of this fact. ISIS, says Kohlmann, has been so successful in radicalizing people online largely thanks to its sophisticated propaganda campaigns. ISIS materials are distributed en masse and in a multitude of languages so as to reach the broadest section of society possible.
The arrival of live chat technology – and applications such as WhatsApp and Discord – has also had a tremendous impact on the recruitment efforts of terror groups.
On forums, it might take hours or days to receive a response, but with live chat an ISIS member might respond within a matter of minutes; the puppeteer can pull all the correct strings in real-time.
Only in recent years, in the aftermath of the 2016 US election and Cambridge Analytica scandal, has the full power of the internet to influence opinion entered the public consciousness, but terror groups have been tapping into similar human vulnerabilities for years.
Archiving the deep web
When it comes to policing the deep web, the problem boils down to data overload. When Kohlmann started out, his small team was able to record nearly every interaction that took place on terrorist forums, but today that is impossible.
Although the technology they are using is not necessarily all that sophisticated, criminals and terrorists are shielded by the flood of online communication. Without an initial lead to guide intelligence efforts, identifying genuine threats becomes a matter of finding a needle in the haystack.
However, Kohlmann is optimistic there is a practical technological solution to this problem. He sees a near future in which improvements in computing performance mean deep web activity can be essentially archived in real-time (i.e. collected, analyzed and made searchable), in a way that could allow intelligence to intervene before an incident plays out.
To illustrate his point, he gestures to the Christchurch attack of March 2019, in which a single gunman killed 50 Muslims engaged in Friday prayer. The perpetrator, white supremacist Brenton Tarrant, had published a manifesto to online bulletin board 8chan prior to the attack – and had even sent it to the office of New Zealand Prime Minister Jacinda Ardern.
The “holy grail”, says Kohlmann, is to be able identify and act upon information quickly enough to mitigate the damage caused by an attack, or even to prevent it entirely.
“It is our hope – and certainly our goal – to be able to let people know about an attack in advance if the critical early warning signs are there,” he told us.
“It’s great to be able to assist with investigations after the fact and put those responsible in jail, but that doesn’t save human lives. Prevention is the goal – that’s the next frontier.”