Click here to read our latest report “Transmisogyny, Colonialism and Online Anti‐Trans Activism Following Violent Extremist Attacks in the US and EU”

Trends in Terrorist Use of the Internet in 2022 

Trends in Terrorist Use of the Internet in 2022 
27th February 2023 Arthur Bradley
In Insights
  • Terrorists were resilient online in 2022 and have continued to adapt their methods to ensure content remains available, such as through targeting of specific technologies and editing of content.
  • This is particularly through the creation of dedicated websites and servers which host large volumes of terrorist content and often remain online for long periods of time. Current mitigation strategies for domain abuse are failing to effectively counter this threat.  
  • Current crisis response mechanisms also do not adequately support small platforms, despite increased, deliberate targeting of small platforms by terrorists and their supporters to share attacker-produced content such as manifestos and livestreams. 

In January 2023, Tech Against Terrorism published our annual report “State of Play: Trends in Terrorist and Violent Extremist Use of the Internet – 2022.” The report analyses how terrorist and violent extremist (TVE) actors have adapted their online tactics to remain online throughout 2022. The majority of trends analysed in the report are key examples of the inevitable adversarial shift of TVE actors as they strive to maintain an online presence in the face of improving counterterrorism efforts. Of note is the continued significant threat facing smaller tech companies, particularly those operating file-sharing, messaging, and alt-tech platforms. The exploitation of infrastructure providers’ services to host Terrorist Operated Websites (TOWs) is also a critically overlooked issue in conversations around countering terrorist use of the internet. We are tracking hundreds of TOWs, many of which remain online for months or even years without disruption.

Emerging and Developing Technologies

In part due to support provided by Tech Against Terrorism, micro and small tech platforms have begun to address the threat of and respond swiftly to TVE exploitation. TVE actors are exceptionally resilient and have, as such, identified and targeted new platforms, platform types, and emerging technologies to allow the propagation of their content online. Terrorists are congregating on a complex ecosystem of micro, small, and medium platforms, including ‘alt-tech’, messaging apps, file-sharing services, and gaming and game-adjacent platforms. A significant minority of the terrorist content we identify relates to platforms built with decentralised (Dweb) technology, particularly official content produced by widely designated actors such as Islamic State (IS) and Al-Qaeda. A GNET report on the Dweb from August 2022, for example, analysed data from Tech Against Terrorism’s Terrorist Content Analytics Platform (TCAP) and found that 14% of IS propaganda was hosted on Dweb services. Members of the violent far-right ‘Terrorgram’ collective in 2022 also experimented with Dweb services in the face of imminent or actual suspension by more conventional messaging applications. TVE financing and crowdfunding are also increasingly transacted in cryptocurrencies, particularly Monero, with TVE actors sharing crypto wallets alongside propaganda in messaging channels. Migration to Dweb services, most notably of far-right TVE entities, is typically accompanied by messages claiming that Dweb applications cannot be moderated, and content can never be removed. This misleading assumption, which fails to capture the nuance of content moderation on Dweb services, has likely increased the intent among some terrorist actors to operate there.

Terrorist Operated Websites (TOWs) are also continuing to play a resurgent role in the broader online terrorist ecosystem. The resilience and discoverability of hundreds of static TOWs are undermining broader counterterrorism efforts across the tech industry, with many of these websites attracting millions of monthly viewers and remaining available in the same location for several months or years without disruption. These sites serve a variety of purposes, including propaganda sharing, recruitment, and directing users to more private online spaces for further communication. Others act as cloud platforms to host archives of material, or as purpose-built paste sites to aggregate links to terrorist content elsewhere online. While some TOWs are hosted using Dweb technologies or on the Dark Web, the majority of the TOWs we have identified are built and supported using traditional web infrastructure on the clear net

We are tracking more than 200 domains pointing to websites that are likely to be operated by (or closely affiliated with) terrorist actors motivated by a range of violent extremist ideologies. Industry disruption of these sites is patchy at best. In our experience of reaching out to infrastructure providers, there is a marked lack of consensus on whose responsibility it is to disrupt websites whose owners are in violation of terrorism legislation. A study carried out by us in 2022, for example, found that just 6 of 20 infrastructure providers referred explicitly to terrorism in their terms of service. Differences in global designation processes and online service providers’ terms of use, or appetite to take action, mean that terrorist actors continue to exploit policy and jurisdictional loopholes to host their content or register domains.

Content Moderation Avoidance Techniques

Despite the concentration of TVE actors on smaller, less moderated platforms, TVE entities have continued to maintain a presence on large, mainstream platforms. Here, however, they typically engage in more sophisticated content moderation avoidance techniques such as obscuring incriminating branding in propaganda or amending words in identifiable words and phrases. For example, we have observed supporters of Islamic State Central Africa Province (ISCAP) editing official content to cover firearms with emojis, to avoid automated detection of weaponry within the images. Similarly, ISCAP supporters have blurred official logos and symbols on multimedia content produced by IS. Whilst the majority of the TVE content we track originates on smaller platforms, messaging apps, and static websites, supporter networks persistently edit the content to share with a broader audience on big tech platforms. 

Content produced in languages other than English and Arabic is also generally more likely to remain online for longer on big tech platforms, based on our monitoring in 2022. Content in lesser-spoken languages, regional dialects, or languages used by a minority of a given platform’s user base is less likely to be effectively moderated, likely because many tech platforms are still developing the capacity to consistently detect violating content in all languages and dialects. It is likely that the translation of terrorist material is a reflection of the language spoken by the individuals uploading the content. However, in other instances, it may be a deliberate attempt by international terrorist organisations to target a specific audience, or to evade moderation. 

Crisis Response

Our report also analyses three case studies in online crisis situations relating to terrorism from 2022, including in Buffalo, New York, USA; Udaipur, Rajasthan, India; and Bratislava, Slovakia. Our tracking and analyses of these incidents and their online dimensions show there are still improvements to be made in cross-industry crisis response, particularly regarding support for smaller platforms. Our own crisis response work is agnostic to other protocols but aims to support the hundreds of smaller platforms that lack the available contacts or access to technology that larger platforms often have. This year we have played a crucial role in leveraging our broad network of smaller platforms to communicate bilaterally and facilitate the removal of hundreds of copies of attacker-produced content, such as manifestos or attack livestreams, from key online spaces.

In October 2022, for example, we responded to the online dissemination of attacker-produced content following the attack in Bratislava, Slovakia in which the attacker shared a manifesto online. Although the attacker used Twitter to share links to their manifesto, the original copies of it were hosted on six smaller file-sharing platforms. After the attack, supporters of the attacker also predominantly used smaller file-sharing platforms to upload copies of the manifesto; within 24 hours of the attack, we identified copies of the manifesto on 11 different small and micro file-sharing platforms, which were linked to social media, messaging, and forum platforms. 

Similarly in our response to the attack in Buffalo, New York, USA in May 2022, the majority of copies of the livestream and manifesto produced by the perpetrator remained available on smaller platforms and located easily via a browser search. Whilst improvements in the rapid removal of crisis content on larger platforms is a welcome development, this is undermined by the continued existence of this material on smaller platforms, including on the indexed web. It is therefore vital that these small platforms are adequately supported to identify, moderate, and remove TVE content from their services in an informed, accurate and timely manner. 

Looking Forward

Over 2022, TVE entities have maintained a robust presence online by focusing their efforts on targeting new and developing technologies to allow their content to stay online for longer. The migration of TVE entities away from traditional platforms to self-hosted spaces presents a significant threat moving into 2023, which requires a cohesive and robust response from the tech sector, policymakers, and counterterrorism experts. The threat of TOWs remains prominent across the TVE online ecosystem; not only do these websites present a way for TVE entities to host large volumes of content, but they highlight critical gaps in the mechanisms available to stop the use of the internet for terrorist purposes. Over 2023, Tech Against Terrorism will be focusing efforts on supporting the whole tech sector, including increased engagement with and support for website infrastructure providers. 

Tech Against Terrorism supports the global tech sector in tackling TVE use of the internet, with a specific focus on smaller platforms that may lack the knowledge, capacity, or technical ability to identify, moderate, and respond to TVE exploitation of their services. Smaller platforms are consistently exploited by TVE actors to ensure content remains online for longer. With this mission statement in mind, we developed the Terrorist Content Analytics Platform (TCAP) in 2020 with support from Public Safety Canada. The TCAP alerts platforms in real-time to terrorist content hosted on their services, basing its alerts on the designation lists of democratic nations and supranational institutions. While the TCAP supports platforms of all sizes, our priority is on smaller platforms with limited capacity to detect and counter terrorist exploitation effectively. Since the launch of the TCAP in November 2020, we have identified over 40,000 URLs containing terrorist content and alerted over 90 platforms. More than 90% of the alerted content was removed following our alerts. 

Arthur Bradley is the Open-Source Intelligence Manager, Tech Against Terrorism

Charley Gleeson is an Open-Source Intelligence Analyst, Tech Against Terrorism