A list of thousands of email addresses gleaned from what hackers say are the mail servers for ISIS-affiliated websites mostly contains, as you might expect, accounts with the big free mail services.
But hidden among 1,500-odd Yahoo accounts and 800 Hotmail accounts is a much less likely domain: .gov, including the email accounts of government officials throughout the Arab world, and one American congressman, Sam Farr, of California.
One of the hackers behind the leak — the results of which were posted to Pastebin on Saturday — claimed to BuzzFeed News that all of the emails on the list have been in contact with the administrators of these servers, although BuzzFeed could not independently confirm this.
So how did these emails end up in the mail servers of what may be ISIS websites?
According to Adam Russell, Farr's press secretary, the email on the list — firstname.lastname@example.org — is an old generic public contact email address that the office hasn't used since Congress switched to contact forms. Russell also said that to his knowledge no one still has access to it. A test email sent to the email address bounced back.
Other .gov emails, including those used by a Jordanian government official and a Palestinian municipal worker, also bounced back. The Palestinian municipal worker, when reached by Facebook, said he had not used the email address after it was hacked into more than two years ago. A separate Palestinian email account, associated with the Palestinian prime minister's office, was also on the listserv. When contacted by BuzzFeed an official in the prime minister's office in Ramallah said they were investigating that email account, but added that it appeared to currently be accessed by individuals in the Gaza Strip.
The hackers who leaked the emails claim affiliation with #OpISIS, a hacktivist movement opposed to ISIS, the militant group well-known for its sophistication in using the internet in recruitment and communication with followers outside its constantly shifting borders in Syria and Iraq. #OpISIS previously took over hundreds of ISIS-related Twitter accounts.
"ISIS uses the Internet to manipulate people," one the hackers behind the leak, who goes by XRaySec, wrote in an email to BuzzFeed News. "If I can stop one person joining them, it's a success."
The hackers did not indicate the exact way the email addresses used on the site ended up there: whether they were all misappropriated, or whether some signed up out of sympathy with the group or to gather information on them.
Among the email addresses revealed in the hack of the mail servers of two sites, Dhiqar.com and Hizbut-tahrir.or.id, are half a dozen associated with government media and spokesperson departments for Arab States. Email addresses associated with the municipality of Dubai, the Bahraini government news agency, and the Ministry of Information in Yemen are also listed as visiting the ISIS sites.
The email addresses for Dr. Ahmed Khider Bashir, head of communication for Abu Dhabi's Environmental Research and Wildlife Development Agency, and Rachid Rirardi, Morocco's top administrator for water and the environment, also appear. Hassn Anbari, from Jordan's Institute of Diplomacy, used an email address associated with his organization, which also gets funding from the Anna Lindh foundation, a group of civil society organizations that promote intercultural exchange among Mediterranean nations.
The email for Rirardi bounced, while neither Bashir or Anbari returned a request for comment.
BuzzFeed News cannot prove beyond the assertions of the hackers that Dhiqar and Hizbut-tahrir are ISIS-affiliated sites. Dhiqar appears to be a political site in support of the Ba'ath Party, the political affiliation of ousted Iraqi president Saddam Hussein and a key source of ISIS leadership. Hizbut-tahrir appears to be an Indonesian jihadi site without explicit ISIS affiliation.
The hacker XRaySec, who worked alongside another co-hacker who goes by AnonNava, retraced his work for BuzzFeed News. He said they took advantage of a vulnerability in the mail servers of islamicstate.media, the website where ISIS supporters uploaded many of the grisly videos that made the group notorious. The information gleaned from these servers included emails and internet relay chat logs of the administrators of islamicstate.media. One message, entitled "Kuffars coming" (Kuffar is a derogatory term used to designate non-Muslims), informed recipients of a "brother" site to use to stay in email contact in case "atheists" attacked their communications. That brother site is Dhiqar.com.
According to XRaySec, the top admin of all three sites shares an IP address.
However the government emails ended up on the mail servers, if the hackers are correct that the ISIS admins were able to hide behind related but unaffiliated websites and communicate from those places, it's yet another testament to the group's savviness and sophistication on the Internet.
Joe Bernstein is a senior technology reporter for BuzzFeed News and is based in New York. Bernstein reports on and writes about the gaming industry and web culture.
Contact Joseph Bernstein at email@example.com.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Contact Sheera Frenkel at firstname.lastname@example.org.
Got a confidential tip? Submit it here.