Just the Facts: ISIS Encryption

This is an attempt to collate all the information about ISIS comms within Europe, back to ISIS Syria. This is only operational terrorist comms, not propaganda or fanboy comms. There are links to source material and a summary of what is known.

The clear takeaway from this list is that: 1) ISIS doesn’t use very much encryption, 2) ISIS is inconsistent in their tradecraft. There is no sign of evolutionary progress, rather it seems more slapdash and haphazard. People use what they feel like using and whatever is convenient.

May 2014, Brussels. Jewish Museum

• Unknown?

Jan 2015, Paris. Charlie Hebdo, Jewish Grocery

• Laptop recovered; no encryption at rest; encrypted and unencrypted emails.

Jan 2015, Verviers

• Phone calls, no encryption

August 2015 — January 2016, Paris (no attack; independant cell?)

• Telegram used to arrange meetings
• Face to face meetings
• A female courier delivers an attack plan, handwritten on paper

August 2015, Thalys Train

• No public info.

August 2015, No Attack, Reda Hame

• Mobile phone flashing (call a number, hang up after it rings)
• Digital dead drop using TrueCrypt via file sharing sites

October 2015, (no attack) Italy

• WhatsApp message to Syria (Probably Android to Android, so at the time possibly encrypted)

Nov 2015, Paris. Football stadium, Restaurants, Bataclan

• Burner phones
• No encryption at rest
• Phone calls, SMS

March 2016, Brussels Airport

• Burner phones
• Laptop recovered; no encryption at rest
• No “going dark” process (equipment just discarded)
• Phone calls, SMS
• Recorded audio files of a call (VoIP?) recovered from laptop.

June 2016, Dhaka Cafe

• Threema, one of the few working mobile phone messengers at the time.

July 2016, Hyderbad (foiled attack)

• Encrypted email Tutanota (available as a free Android app)

Salah Abdeslam

• Unencrypted(?) laptop recovered at time of arrest

Abdelhamid Abaaoud

Greek Operations Center

• Computer and thumb drive, no encryption at rest. Link
• Phone calls to Verviers, no encryption

Paris Command Operations

• Phone calls to Brussels during attack

Bataclan Assault

• White Samsung, had Telegram installed but not used; sent plain text SMS; searched for, and saved, layout of Bataclan hall night before attack
• Witness claimed to see “text” on a laptop; French authorities have not reported a laptop recovered from Bataclan; suggestions of encryption similar to PGP (probably Mujahideen Secrets)? No public evidence of laptop. No public evidence of encryption