Logo on ThePro, aka Hatem Deeb's personal blog.
The Syrian Electronic Army topped the news cycle again this week, following takedowns of The New York Times, Twitter, and Huffington Post UK. They're just the most recent efforts in a long string of high-profile hacks, which targeted the likes of the Associated Press, the Onion, and NPR.
The SEA has said it is waging cyberwar to denounce media coverage of the conflict in Syria that it sees as overwhelmingly anti-Assad. But who's actually running the operation? New evidence indicates that it's a 19-year-old Syrian named Hatem Deeb.
While the SEA has conducted a handful of interviews with the media, including with our colleagues at VICE, they have done so anonymously. Their identities have remained secret in all media correspondence, veiled behind user names like TheShadow and ThePro. ThePro, or Th3Pr0, has claimed the mantle of lead hacker, and his identity has so far been under wraps.
The tech press is fond of noting that the SEA has used relatively primitive techniques to execute high-profile hacks. Some experienced hackers and security analysts have called their attacks downright amateur, as some of the group's Twitter takeovers are the result of old phishing attacks. And they've also inadvertently left a digital paper trail that may reveal the identities of their highest-profile members.
Not long after the AP and Onion hacks, I got in touch with a hacker working in Syria. At the time, he said that the SEA were amateurs, mostly young men in their twenties who lacked computer science or security backgrounds. The hacker—who we'll call X—was able to glean the SEA's IP in Damascus, and then he, with the help of a number of other hackers, was able to break his way into the SEA server, X says. They snagged a trove of information from the SEA's servers: around 140 email addresses, largely Hotmail accounts, all belonging to alleged SEA members.
The crown jewel, however, was the evidence that ThePro is Deeb. Deeb, it turns out, had listed his real name on one crucial document: the receipt for the virtual private server (VPS) he'd rented for the SEA. His listed email address was Admin@ThePro.sy, which is also the address associated with ThePro's blog. The credit card number he'd used was tied to the name Hatem Deeb.
The pilfered documents show that the owner of the VPS was Hatem Deeb and that the exact same username logged into the console as the admin.
Hatem Deeb was listed as the admin at http://www.syrian-es.net/, the Syrian Electronic Army's website, while it was still hosted in Syria. The servers have since been moved to Russia, but before they were moved, the hacker retrieved Deeb's admin password information. He also flagged the site's whois credentials.