,
17 tweets,
27 min read
Read on Twitter
Yesterday we published a deep dive on Saud al-Qahtani.
Who is he? Since October 2018, he has been known as the "mastermind" of the #Khashoggi murder.
He is one of #MBS's top aides and has been described as the Saudi crown prince's enforcer and chief propagandist.
Who is he? Since October 2018, he has been known as the "mastermind" of the #Khashoggi murder.
He is one of #MBS's top aides and has been described as the Saudi crown prince's enforcer and chief propagandist.
Al-Qahtani is also known as the "Lord of the Flies" — "flies" are what Saudi dissidents call trolls and bots that relentlessly attack critics of the Saudi state on social media.
They send death threats. They wage disinformation campaigns.
washingtonpost.com/world/saudi-el…
They send death threats. They wage disinformation campaigns.
washingtonpost.com/world/saudi-el…
Al-Qahtani has personally launched harassment campaigns against critics of the Saudi regime.
In August 2017, he launched a hashtag that translates to #the_black_list in English — it threatened dissidents that they would be "followed" if tagged.
In August 2017, he launched a hashtag that translates to #the_black_list in English — it threatened dissidents that they would be "followed" if tagged.
We built on reporting by @lorenzofb at @motherboard and on the work of a Twitter user called @HIAHY.
They tied email addresses from someone purporting to be al-Qahtani found in leaked emails from Italian spyware firm Hacking Team to profiles on sites like @HackForumsNet.
They tied email addresses from someone purporting to be al-Qahtani found in leaked emails from Italian spyware firm Hacking Team to profiles on sites like @HackForumsNet.
@lorenzofb @motherboard @HIAHY @HackForumsNet Neither @motherboard or @HIAHY could *definitively* show that al-Qahtani owned the emails.
We did it by using information leakage on Twitter and Google's password recovery pages.
+966 55 548 9750 and saud@saudq.com are both linked to @saudq1978's verified Twitter account.
We did it by using information leakage on Twitter and Google's password recovery pages.
+966 55 548 9750 and saud@saudq.com are both linked to @saudq1978's verified Twitter account.
@lorenzofb @motherboard @HIAHY @HackForumsNet @saudq1978 We also confirmed that al-Qahtani's Gmail account was linked to the same contact information as his Twitter.
His s.qahtani@royalcourt.gov.sa account was trickier.
We couldn't confirm it using information leakage. We relied on a telling exchange with a Hacking Team employee.
His s.qahtani@royalcourt.gov.sa account was trickier.
We couldn't confirm it using information leakage. We relied on a telling exchange with a Hacking Team employee.
@lorenzofb @motherboard @HIAHY @HackForumsNet @saudq1978 With al-Qahtani's phone number and email addresses confirmed, we went to work.
How much could we find on this guy online? A lot.
@al_b33lz3bub read all 441 posts by al-Qahtani on Hack Forums under his handle nokia2mon2. Here's what we found.
How much could we find on this guy online? A lot.
@al_b33lz3bub read all 441 posts by al-Qahtani on Hack Forums under his handle nokia2mon2. Here's what we found.
@lorenzofb @motherboard @HIAHY @HackForumsNet @saudq1978 @al_b33lz3bub He was scammed on his very 1st day on the forum in 2009.
And in 2010. And in 2015.
He was also hacked in 2015, and someone used his account to defraud users of Bitcoin.
He got his account back & recommended everyone turn on #2FA.
Reminder: This is a top intel official.
And in 2010. And in 2015.
He was also hacked in 2015, and someone used his account to defraud users of Bitcoin.
He got his account back & recommended everyone turn on #2FA.
Reminder: This is a top intel official.
@lorenzofb @motherboard @HIAHY @HackForumsNet @saudq1978 @al_b33lz3bub Another detail that raised eyebrows: He posted three times that he was drunk.
#SaudiArabia has a well-known prohibition against drinking alcohol, of course.
But maybe, just maybe, the rules aren't applied equally?!🤔
#SaudiArabia has a well-known prohibition against drinking alcohol, of course.
But maybe, just maybe, the rules aren't applied equally?!🤔
@lorenzofb @motherboard @HIAHY @HackForumsNet @saudq1978 @al_b33lz3bub What else was he up to on Hack Forums (which is known as a site for lesser-skilled hackers)?
Well, he bought and used as much remote hacking malware (RATs) as he could, including Blackshades, which was the subject of an unprecedented global law enforcement operation.
Well, he bought and used as much remote hacking malware (RATs) as he could, including Blackshades, which was the subject of an unprecedented global law enforcement operation.
@lorenzofb @motherboard @HIAHY @HackForumsNet @saudq1978 @al_b33lz3bub He also wanted to remotely access the microphones of computers to create secret recordings, but he couldn't figure out how, so he paid a Hack Forums user $100 to do it for him.
@lorenzofb @motherboard @HIAHY @HackForumsNet @saudq1978 @al_b33lz3bub Another major theme of al-Qahtani's Hack Forums posts — buying bots to use them for DDoS attacks.
He again lacked the technical knowhow, so he tried hiring flaky server admins or used DDoS for hire services.
He again lacked the technical knowhow, so he tried hiring flaky server admins or used DDoS for hire services.
@lorenzofb @motherboard @HIAHY @HackForumsNet @saudq1978 @al_b33lz3bub Al-Qahtani also targeted users on major social media platforms
He paid for the deletion of a YouTube channel & said a Hack Forums user had deleted 20 videos for him. He sought a tool to ban Twitter profiles
The Lord of the Flies also had an insatiable appetite for MOAR BOTS.
He paid for the deletion of a YouTube channel & said a Hack Forums user had deleted 20 videos for him. He sought a tool to ban Twitter profiles
The Lord of the Flies also had an insatiable appetite for MOAR BOTS.
@lorenzofb @motherboard @HIAHY @HackForumsNet @saudq1978 @al_b33lz3bub There's so much more on Hack Forums (check out the report!).
The most disturbing finding was al-Qahtani's network of domains, some of which were used for hosting malware and launching DDoS attacks.
We encourage readers to build off these findings in your own investigations.
The most disturbing finding was al-Qahtani's network of domains, some of which were used for hosting malware and launching DDoS attacks.
We encourage readers to build off these findings in your own investigations.
@lorenzofb @motherboard @HIAHY @HackForumsNet @saudq1978 @al_b33lz3bub It's interesting that the official #MBS entrusted with overseeing and planning the #Khashoggi murder exhibited extremely poor OPSEC when registering the almost all of the domains, using his true name and contact information.
@lorenzofb @motherboard @HIAHY @HackForumsNet @saudq1978 @al_b33lz3bub The report's author, @al_b33lz3bub, will describe some of what was found on this network of domains later today.
Suffice to say, nothing good.
In the meantime, please read the report.
Victims like #Khashoggi are owed the truth.
bellingcat.com/news/mena/2019…
Suffice to say, nothing good.
In the meantime, please read the report.
Victims like #Khashoggi are owed the truth.
bellingcat.com/news/mena/2019…
@lorenzofb @motherboard @HIAHY @HackForumsNet @saudq1978 @al_b33lz3bub To close this thread, we want to highlight that al-Qahtani is NOT one of the 11 suspects facing trial in Saudi Arabia for #Khashoggi's murder.
In fact, if @guardian's reporting is correct, he's still very much active.
The UN's @AgnesCallamard wants him investigated. We agree.
In fact, if @guardian's reporting is correct, he's still very much active.
The UN's @AgnesCallamard wants him investigated. We agree.
