In 2020, at the launch of its first “Supporter’s Security Magazine” on the pro-IS Rocket.Chat server, the Electronic Horizon Foundation (EHF) – a pro-IS non-institutional media house – described information technology as “one of the most important tools of our time,” and as the “language of the age that runs most [online] work fields.” Today, this statement endures as a foundational reference within the Islamic State (IS)’s online ecosystem. In recent years, operational security (OPSEC) has assumed heightened importance in the pro-IS digital environment, reflecting increasing scrutiny and pressure imposed by law enforcement and security agencies. While pro-IS users have paid more attention to their OPSEC, non-institutional media houses have increasingly addressed these concerns by sharing propaganda focused on ‘OPSEC best practices’ and insights regarding the features of various social media platforms. Nowadays, Qimam Electronic Foundation (QEF) and Ansar Electronic Security (AES) are the only media outlets that focus exclusively on spreading propaganda related to technology and online security. However, since August 2025, IS’s online ecosystem has witnessed the ‘re-emergence’ of EHF, which was the most prominent Ansar Production media house dedicated to users’ OPSEC and online security before it went offline in 2022. Therefore, this Insight discusses the return of EHF to the IS information environment by analysing its most recent propaganda material, seeking to explain the reasons behind its re-emergence.
The Electronic Horizon Foundation (EHF)
Created in late January 2016, the Electronic Horizon Foundation (EHF) was the primary pro-IS media outlet that produced propaganda related to the security of pro-IS users. From approximately 2016 to 2022, EHF endeavoured to provide pro-IS online users with tools and ‘best practices’ to address OPSEC, online activities, secure Internet browsing, and cybersecurity tips. During this time, EHF was the beacon for pro-IS media houses as well as IS munasirin committed supporters to spread propaganda material online. Moreover, EHF operated one of the most important websites within the IS digital ecosystem, providing users with articles, posters, and videos on how to enhance their OPSEC, use various social media platforms, and construct resilient and secure accounts in terms of security and anonymity. According to the Federal Bureau of Investigation (FBI), EHF was established by Mumin al-Mawji Mahmud Salim, also known as Taqni al-Mujahideen. He is accused of having provided IS with “technical advice and training” on how “to evade law enforcement scrutiny of their online activities.” Moreover, the FBI also considered him the founder of Muassasat Ṭalai al-Ansar (namely, Talaea al-Ansar Foundation or Vanguards of Ansar Foundation), one of the most influential Ansar Production media houses. Furthermore, the FBI is also searching for Salim’s fiancée, Sarah Jamal Muhammad al-Sayyid. She is accused of helping Mahmud Salim in establishing EHF, having a key role in the administration of EHF’s website, recruiting other IS members, and providing IS with web servers to host communications.
In November 2019, a user shared a message in QEF’s room on TechHaven, the pro-IS’s server hosted on Rocket.Chat. He contended that an Egyptian intelligence agent “exploited” EHF’s official account “for his malicious purposes.” This shows that the Ansar Production media outlet began encountering security issues since late 2019. Then, in March 2022, the Element server administered by EHF suffered a cyberattack, exposing pro-IS users to the authorities. The hacker disclosed EHF administrators’ personal information, referring to the media house as “a scam”. According to the hacker, EHF had solicited donations from users within the pro-IS online ecosystem but subsequently misappropriated the funds for its own benefit. Hence, the attack resulted in a decline in trust among pro-IS users towards EHF administrators and, more generally, the media outlet. In the aftermath of the cyberattack, EHF shared a poster affirming that it would “continue to operate” and provide follow-up. Yet, as already mentioned, the media house stopped the release of propaganda content online in 2022.
The “Security Tips Series” – Episodes 1 and 2
Since August 2025, within its ‘Markaz Intaj al-Ansar’ (Ansar Production Centre) section, Al-Fustat have shared new propaganda material produced by EHF, marking the restart of EHF propaganda activities. Al-Fustat is an IS institutional website featuring an archive of both institutional and Ansar Production propaganda material. The first media content was published in mid-August 2025, while the eighth was released in early October of the same year. The posters were produced in Arabic and are part of the “Security Tips Series”, which, according to the posters’ title, is divided into two different “episodes” composed of 4 different “paragraphs” (Figure 1). As the title suggests, the materials pertain to operational security (OPSEC) issues.
From a content analysis point of view, the first four posters shared on Al-Fustat constitute the four paragraphs of the “episode 1” of the “Security Tips Series” (Figure 1). The first poster emphasises the importance of having a separate device for viewing propaganda content and undertaking da‘wa (namely, proselytism) activities. The second poster suggests using the “airplane mode” and not connecting one’s mobile phone to the Internet directly from the SIM card, but rather through a router or other intermediary. The third poster emphasises the importance of disabling sensors on smartphones to mitigate the risk of being identified by authorities. The fourth poster recommends enabling Media Access Control (MAC) address randomisation, namely the hiding of the “unique identifier assigned to network interfaces for communication on a physical network.” Specifically, the MAC address is composed of a 48-bit hexadecimal number, which is unique. In the first half, it identifies the manufacturer, and in the second half, it identifies the specific device.
Figure 1: EHF posters of the “Security Tips Series – Episode 1”
The fifth, sixth, seventh, and eighth media content represent the four paragraphs of the second episode of the series. The fifth poster encourages the consistent use of a Virtual Private Network (VPN). The sixth poster invites users to use ‘IPv4 technology’, i.e. the fourth version of the Internet Protocol. The seventh poster suggests taking advantage of Tor bridges, which are relays that are not listed in the public directory of Tor. The latter is a network of virtual tunnels that allows you to improve your privacy and security on the Internet by sending your traffic through three random servers (in other words, relays) in the Tor network. Finally, the eighth poster calls on IS supporters to change the networks used to connect to the Tor browser.
Figure 2: EHF posters of the “Security Tips Series – Episode 2”
EHF’s “Technical Review of the SimpleX Application”
In late September 2025, within the Ansar Production Centre section of the IS al-Fustat website, the pro-IS media outlet EHF released a “Technical Review of the SimpleX Application.” As described on the official website, SimpleX Chat is a messaging platform designed for privacy and security. Its strong End-to-End Encryption (E2E) protects one-to-one chats, group conversations and calls. Between late 2024 and early 2025, pro-IS users and unofficial media, particularly the Ansar Production media houses, began creating channels on SimpleX Chat to disseminate IS propaganda material.
The guide outlines the positive and negative aspects of the application, thereby presenting its security features. Firstly, EHF introduces SimpleX Chat as an “instant messaging platform […] based on a decentralised network.” This feature distinguishes it from applications such as Telegram, which uses a centralised server. Secondly, the guide presents 11 advantages of SimpleX Chat, including the fact that registration does not require a phone number or email address, as well as the use of end-to-end encryption for exchanging messages between two profiles and sending photos, videos, files, groups, voice messages, calls, and video calls. Then, EHF presents four downsides of the application, such as the two-day expiration limit to download files and the lack of channels “comparable to Telegram.” In this same section, the pro-IS media house has included a box in which it points out that the platform has been “subjected to technical security review” by “several well-known entities in this field”, such as the company Trail of Bits. The guide concludes with some general considerations. EHF draws attention to a “basic technical rule”, namely that ‘no application is 100% secure for communication…Therefore, caution should be exercised when sharing personal or sensitive information through an online messaging application, regardless of the need to disseminate such information.”
Conclusions
The release of the “Security Tips Series” dedicated to OPSEC advice and the “Technical Review of the SimpleX Application” by EHF is of considerable importance within the pro-IS digital ecosystem. Considering the growing importance of online security following the arrest of Telegram’s CEO Pavel Durov, it is no mere coincidence that the material was published precisely at this contingency. Yet, questions arise over who is the author (or group of authors) of the propaganda content shared in the last few months on al-Fustat and bearing the EHF logo.
Several hypotheses can be envisaged in order to understand the ‘relaunch’ of EHF as the Ansar Production media house for online security. Notwithstanding the 2022 cyberattack and the consequent loss of legitimacy within the IS digital ecosystem, one of the original EHF administrators or operators may have resumed disseminating propaganda material, just when OPSEC has become a crucial matter for IS supporters. Yet, this hypothesis lacks solidity because it is quite difficult to explain the three-year absence from the scene of EHF propaganda. A more reliable interpretation focuses on the possibility that Ansar Production sought to restore the EHF role within the IS online ecosystem as an Ansar Production media outlet dedicated to OPSEC. Currently, the only media houses publishing propaganda content on that topic are indeed AES and QEF. From this perspective, it can also be explained why new EHF material was shared on al-Fustat, one of IS’s institutional websites. Specifically, despite being part of the Ansar Production media houses, EHF lost some of its reputation within the IS online ecosystem due to the ‘scandal’ caused by the 2022 hacking attack. For this reason, the authors assumed that it was an IS media tactic to give EHF its former remarkable reputation by sharing its material within Ansar Production Centre section. This could also restore EHF continuity with its past propaganda production and guidance within the ecosystem. For instance, this is particularly relevant when considering the “Technical Review of the SimpleX Application.” The publication of a negative review on SimpleX Chat by QEF in July 2025 prompted numerous reactions from pro-IS users, raising several doubts about the reliability and validity of the information shared by the non-institutional media outlet. It is conceivable that, by employing a flawed EHF propaganda product, IS has clarified, through an Ansar Production media house, its position regarding SimpleX Chat and its subsequent utilisation. Moreover, the publication of the “Technical Review of the SimpleX Application” might fuel the expansion of the pro-IS ecosystem on the messaging platform, which is currently witnessing a temperamentally propaganda flow, highly inclined towards the material of Ansar Production media houses.
Shifting to a counter-terrorism dimension, the fact that IS supporters and sympathisers are becoming more aware of OPSEC procedures could make it more difficult for law enforcement to identify IS users and, as a result, they can further strengthen their whole ecosystem’s resilience. In this respect, it is potentially significant that there is an increasing willingness to rely more on highly encrypted messaging platforms, such as SimpleX Chat. Moreover, the return of EHF highlights the importance of continually monitoring the platforms where the pro-IS ecosystem operates, in order to understand the needs of IS supporters and sympathisers, and prevent the emergence of new forms of propaganda that could enhance users’ online presence.
—
Alessandro Bolpagni is a senior research analyst at the Italian Team for Security, Terroristic Issues, and Managing Emergencies – ITSTIME. He also specialised in digital HUMINT (Human Intelligence) and OSINT/SOCMINT (Open Source and Social Media Intelligence), oriented particularly on Islamic terrorism and Russian Private Military Companies (PMC). He focused on monitoring terrorist networks and modelling recruitment tactics in the digital environment, particularly on new communication technologies implemented by terrorist organisations. He has produced operational reports and lectures for training and education purposes for companies, research centres, and law enforcement agencies.
Eleonora Ristuccia is a junior research analyst at the Italian Team for Security, Terroristic Issues, and Managing Emergencies – ITSTIME. She specialises in the application of Open Source Intelligence (OSINT) and Social Media Intelligence (SOCMINT) techniques. Specifically, she focuses on the study of jihad communication strategies and propaganda through various online platforms.
—
Are you a tech company interested in strengthening your capacity to counter terrorist and violent extremist activity online? Apply for GIFCT membership to join over 30 other tech platforms working together to prevent terrorists and violent extremists from exploiting online platforms by leveraging technology, expertise, and cross-sector partnerships.