The hacking group known as the Syrian Electronic Army has wreaked havoc online for years, defacing a seemingly endless series of media websites and Twitter accounts, as well as targeting Syrian dissidents and activists both in Syria and abroad.
Despite their penchant for getting media attention, the real identities of the hackers the group has remained shrouded in mystery—until today. On Tuesday, the FBI accused Ahmed Al Agha, 22, and Firas Dardar, 27, two Syrians nationals, of being members of the infamous hacking group. The FBI identified Agha as "Th3 Pr0," and Dardar as "The Shadow," who have long been believed to be among the main members of the group.
Dardar and Agha are likely not the only members of the group, and it's unclear if, at some point, others used their hacking aliases. But several security researchers who have tracked the Syrian Electronic Army for years confirmed to Motherboard that both Agha and Dardar were suspected of being part of the group for years, though their names were never published until today.
"We were not sure, but within the Syrian IT community we had the names of many of them," said one of the sources, who asked to remain anonymous for security reasons. "At least now they'll know cyber attacks are not a game anymore."
"We were not sure, but within the Syrian IT community we had the names of many of them."
"There were a bunch of known names," said another source, who also asked to speak anonymously, adding that the list of names was never released because nobody was sure about what roles the members played, and there were concerns about putting people in danger.
As it turns out, Agha and Dardar were not hiding their identities or location that well at all, relying on American-based internet services to exchange personal data such as IDs and photos, and not even bothering to hide their Syrian IP addresses.
On November 11, 2010, someone from the Syrian Electronic Army created an email account, firstname.lastname@example.org, which the FBI believes was "primarily" used by Agha, according to the complaint. Through this account in April 2013, the hacker sent his own identification document containing his name and photo to somebody else, and he sent himself pictures of a wedding he apparently attended. Also, when connecting to his Gmail account, Agha didn't bother hide his Syrian IP address dozens of times, according to an affidavit by Patrick DiMauro, the FBI's investigator in the case.
Dardar committed some of the same mistakes, sending emails with photo ids and documents, including one issued by the Syrian Ministry of the Interior, in November of 2013. Moreover, as part of his activities trying to extort hacking victims of money, he exposed his name by sending victims his banking information.
Agha and Dardar even used these email accounts, as well as their Syrian IP addresses to conduct several Google searches both to prepare their attacks, as well as to search for the subsequent news coverage.
As part of the investigation into Agha and Dardar, the FBI obtained records and data for five Gmail addresses, a LinkedIn account, as well as several Facebook and Twitter accounts linked to both suspects as well as the hacking group, according to court documents.
The FBI believes both Agha and Dardar still live in Syria, respectively in Damascus and Homs, according to a bureau spokesperson FBI.
"We're hoping to bring them all to justice in the United States," the spokesperson said.
The indictments of Agha, Dardar, as well as a third alleged member living in Germany, who is accused of helping Dardar in his extortion activities, come years after previous reports that purported to identify Th3 Pr0, and other members of the group. The fact that they are both Syrian, moreover, seems to contradict the belief that the group was actually Iranian, as a recent New York Times article reported, quoting intelligence officials.
After news of the indictment broke, I reached out to several social media and email accounts controlled by Th3 Pr0 and the Syrian Electronic Army, but I didn't receive any answer. All the group's known Twitter accounts, normally used to spread news of their exploits, have been dormant for weeks.