Exposing GCHQ’s URL-Shortening Service and Its Involvement in Iran’s 2009 Election Protests

Dancho Danchev
Nov 24

During the 2009 Iranian election protests, which were widely organised and documented online, it appears that GCHQ’s primary activity at the time was the launch of a custom-made URL-shortening service, hxxp://lurl.me, as part of the DEADPOOL Top Secret surveillance and eavesdropping program run by GCHQ’s Joint Threat Research Intelligence Group (JTRIG). JTRIG is heavily involved in offensive and defensive online operations, including “dirty tricks” aimed at shutting down or discrediting a particular organisation or individual. That line of work is pretty similar to what I’ve managed to achieve over the years in establishing the foundations of my own OSINT methodology, which has led to the publication of hundreds of high-quality, never-before-published OSINT, cybercrime-research and threat-intelligence analyses on my personal blog, alongside the following commercial portfolio of cybercrime and threat-intelligence gathering and cyber-warfare services.

Sample Currently Active Twitter Accounts Known to have Participated in the DEADPOOL Top Secret GCHQ Surveillance and Eavesdropping Program:

https://twitter.com/2009iranfree
https://twitter.com/MagdyBasha123
https://twitter.com/TheLorelie
https://twitter.com/Jim_Harper
https://twitter.com/angelocerantola
https://twitter.com/recognizedesign
https://twitter.com/akhormani
https://twitter.com/FNZZ
https://twitter.com/GlenBuchholz
https://twitter.com/enricolabriola
https://twitter.com/katriord
https://twitter.com/ShahkAm147
https://twitter.com/Pezhman09
https://twitter.com/jimsharr
https://twitter.com/blackhatcode

The main purpose of the URL-shortening service appears to be to gather evidence that can be correlated and used to launch active CNO (Computer Network Operations) campaigns, offensive or defensive, including the identification of targets, with the collected data fed back into various other Top Secret GCHQ programs. Such programs appear to have been used by GCHQ to track down and prosecute a LulzSec member, and the service may well have intercepted, and tricked, a large number of users into interacting with a rogue URL shortener.

What users should keep in mind when using any of the popular URL-shortening services is that the service, and anyone able to read its link statistics, sees metadata for every click: the client IP address, User-Agent, the Referer (the page the link was clicked from), cookies and timestamps. On the majority of occasions those link statistics are publicly accessible, so the goal is to prevent that metadata and any personally identifiable information from leaking in the first place. Further precautions include isolating the browsing environment on dedicated hardware, monitoring outbound traffic with an IDS (Intrusion Detection System) such as Snort so that requests to suspicious shorteners are flagged, and routing traffic through a VPN (Virtual Private Network) service such as Cryptohippie so that the shortener’s operator records the VPN’s exit address rather than the user’s own. Note the limits of each: an IDS detects rather than hides, and a VPN changes only the source address, not the headers the browser itself sends.
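To make the metadata point concrete, here is an added example (not code from the original post, and not the code of lurl.me or any real shortener) that runs a simulated shortener on localhost and records exactly what its operator sees for each hit. It contrasts a browser-style click, which carries a User-Agent, a Referer and a session cookie, with a bare HEAD expansion that reads the Location header and never contacts the destination. The short code, the destination URL and the header values are constructed for the example. The redirect is refused on both clients so the script runs offline; a real browser click would also follow the redirect to the destination.

```python
"""Simulated URL shortener plus two clients: a naive browser-style click and a
metadata-minimising expansion that never visits the destination.
Everything here is constructed for illustration; no real service is contacted."""
import http.server
import json
import threading
import urllib.error
import urllib.request

# Constructed mapping for the example: short code -> destination (assumption).
LINKS = {"abc123": "https://example.org/protest-meetup"}


class ShortenerHandler(http.server.BaseHTTPRequestHandler):
    """Every hit is recorded with the per-click fields a shortener operator sees."""
    click_log = []  # class attribute, shared across all requests

    def do_GET(self):
        self._serve()

    def do_HEAD(self):
        self._serve()

    def _serve(self):
        code = self.path.lstrip("/")
        ShortenerHandler.click_log.append({
            "code": code,
            "method": self.command,
            "client_ip": self.client_address[0],
            "user_agent": self.headers.get("User-Agent"),
            "referer": self.headers.get("Referer"),
            "cookie": self.headers.get("Cookie"),
        })
        target = LINKS.get(code)
        if target is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(301)
        self.send_header("Location", target)
        self.end_headers()

    def log_message(self, *args):  # keep the console quiet
        pass


def start_shortener():
    """Bind the simulated shortener on an ephemeral localhost port; returns (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), ShortenerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the destination is never contacted."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _location(short_url, headers, method):
    # ProxyHandler({}) ignores any http_proxy environment so localhost is hit directly.
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.ProxyHandler({}))
    req = urllib.request.Request(short_url, headers=headers, method=method)
    try:
        resp = opener.open(req, timeout=5)
        return resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 404 surface here once redirects are refused
        return err.headers.get("Location")


def browser_click(short_url):
    """What a typical click leaks: browser UA, the page the link was on, a session cookie."""
    return _location(short_url, {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0",
        "Referer": "https://forum.example/thread/election-protest",  # constructed
        "Cookie": "session=abc",  # constructed
    }, "GET")


def expand_safely(short_url):
    """Resolve the destination with a bare HEAD: generic UA, no Referer, no cookies."""
    return _location(short_url, {"User-Agent": "-"}, "HEAD")


if __name__ == "__main__":
    server, base = start_shortener()
    print("browser click  ->", browser_click(base + "/abc123"))
    print("safe expansion ->", expand_safely(base + "/abc123"))
    print(json.dumps(ShortenerHandler.click_log, indent=2))  # what the operator recorded
    server.shutdown()
```

The second log entry shows that the operator still learns the source address and the fact that the code was resolved; only a VPN or isolated host changes `client_ip`, and only the client-side choice of headers removes the Referer and cookie.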

In terms of GCHQ’s Joint Threat Research Intelligence Group (JTRIG), what the unit basically does is pretty similar to what I’ve managed to achieve in my personal security lab throughout 2008–2013 for the purpose of fighting and responding to a growing set of cybercrime attack campaigns, including never-before-published threat-intelligence research on offensive and defensive cyber assets and “virtual SIGINT” style cyber-attack profiling, and responding to a growing set of current and emerging cyber threats. That work successfully positioned me and my research as a primary competitor back then, and I am now a proud member and partner of the U.S. Intelligence Community as a “4th Party Exfiltration” partner, which basically represents the process of “outsourcing SIGINT”.

A case in point is the Koobface botnet, which basically represents a case study in “outsourcing SIGINT”, including an actual virtual-SIGINT journeyman perspective on monitoring, tracking down and eventually shutting down the botnet by exposing some of the primary botnet masters behind it.

The use of the rogue and potentially privacy- and security-compromising hxxp://lurl.me URL-shortening service, courtesy of GCHQ, is similar to the NSA’s use of Iranian cyber proxies within the BOUNDLESS INFORMANT Top Secret program, and it is highly recommended that end users, including organizations, take basic network and security precautions to stay safe and secure online.

Dancho Danchev

Written by

The World’s Leading Expert in the field of Cybercrime Research and Threat Intelligence Gathering — https://ddanchev.blogspot.com
