International Journal of Intelligence and
CounterIntelligence
ISSN: (Print) (Online) Journal homepage: www.tandfonline.com/journals/ujic20
Hezbollah and the Internet in the Twenty-First Century
János Besenyő, Attila Gulyas & Darko Trifunovic
To cite this article: János Besenyő, Attila Gulyas & Darko Trifunovic (2023) Hezbollah
and the Internet in the Twenty-First Century, International Journal of Intelligence and
CounterIntelligence, 36:3, 669-685, DOI: 10.1080/08850607.2022.2111999
To link to this article: https://doi.org/10.1080/08850607.2022.2111999
Published online: 19 Sep 2022.
Submit your article to this journal
Article views: 1660
View related articles
View Crossmark data
Citing articles: 2 View citing articles
Full Terms & Conditions of access and use can be found at
https://www.tandfonline.com/action/journalInformation?journalCode=ujic20
International Journal of Intelligence and CounterIntelligence, 36: 669–685, 2023
# 2022 Taylor & Francis Group, LLC
ISSN: 0885-0607 print/1521-0561 online
DOI: 10.1080/08850607.2022.2111999
JÁNOS BESENYŐ , ATTILA GULYAS
DARKO TRIFUNOVIC
AND
Hezbollah and the Internet in the
Twenty-First Century
Abstract: Hezbollah is a significant power in Lebanon that operates as a
Shiite political party and militant group. With Iranian support, Hezbollah
has created a so-called resistance society from the Shiites neglected by the
government that is based on three pillars: military infrastructure, a largescale network of civilian institutions with the aim of improvement of the
well-being of the Shiite population, and a media empire that has an essential
role in disseminating the political messages and ideology of Hezbollah and
Iran in Lebanon, the Middle East, and other parts of the world, using the
full spectrum of media and new technologies, including Internet presence, to
shape public opinion, gain supporters and sympathizers, fundraise, and wage
information warfare against Israel and the Western World. This article sheds
Janos Besenyő is an Associate Professor at Obuda
University in Hungary and Head of the
Africa Research Center. He received a Ph.D. in military science from Miklos Zrınyi National
Defense University in Hungary. He established the Scientific Research Center of the
Hungarian Defence Forces General Staff and served in several peacekeeping operations in
Africa and Afghanistan from 1997 to 2018. His most recent publication is Darfur
Peacekeepers: The African Union Peacekeeping Mission in Darfur (AMIS) from the
Perspective of a Hungarian Military Advisor. The author can be contacted at janos.besenyo@
uni-obuda.hu.
Attila Gulyas graduated from the Kossuth Lajos Military College. He retired from the service as
Head of the department and is a researcher at the Obuda
University Doctoral School on Safety
and Security Sciences. The author can be contacted at gulyas.attila@phd.uni-obuda.hu.
Darko Trifunovic is a founding member and Director of the Institute for National and
International Security. He is an Associate Professor at Fudan University in Croatia. He served
as First Secretary of the Foreign Service of Bosnia and Herzegovina at the United Nations. He
is currently the representative for Serbia and Montenegro in the International Strategic Studies
Association. The author can be contacted at darko@intelligence-security.rs.
AND COUNTERINTELLIGENCE
VOLUME 36, NUMBER 3
669
670
} ATTILA GULYAS, AND DARKO TRIFUNOVIC
JANOS
BESENYO,
light on Hezbollah’s Internet activity and demonstrates Hezbollah’s
cyberespionage campaign through two examples, describing its “Fake News”
media camps and the possible connection between Hezbollah and money
counterfeiting and selling on the Dark Web.
Hezbollah is a special organization that is considered a terrorist organization
by some countries while others acknowledge it as a political party, because it
has a political wing and a military wing. Although the judgment of the
organization in the international community is not uniform, it is deeply
embedded in Lebanese political life; therefore, in contrast with other terrorist
organizations, it has every legal conduit to spread its ideology, raise funds,
recruit sympathizers, and so on. The aim of this research, after a short
introduction to Hezbollah, beyond giving an overall picture of the
organization’s Internet activity, is to demonstrate its information technology
capabilities, and to find any evidence or traces related to Hezbollah’s
Dark Web use.
HEZBOLLAH
Hezbollah (Party of God; also spelled Hezbullah, Hizballah, or Hizbullah) is
a political party and militant organization that was founded under the aegis of
Iran in 1982 during the fifteen-year civil war in Lebanon and the Israeli
invasion.1 Hezbollah is a “Janus-faced” organization because it was a kind of
militia initially, but today, as a political party, it preserves its militant wing. It
plays a vital role in the life of Lebanon.
The connection between Iran and Hezbollah has a long history. Iran has
been supporting the organization since the beginning, because it needed an
organization that collects all of the Shiites in Lebanon to make the influence
over the Shiite population more effective. In addition, it needed a proxy in
the ongoing low-intensity war against Israel, which is the main enemy in the
area. That is why many consider Hezbollah an extension of the Iranian
Revolutionary Guard Corps. The organization does not recognize the
existence or legitimacy of Israel which is its main enemy (along with the
United States). Israel is also regarded as a scapegoat for Lebanon’s numerous
problems. The organization also fights against Western influence in the
Middle East.
Hezbollah is considered a terrorist organization by eighteen countries
without distinguishing between its military and political wings, while other
countries and the European Union (EU) separate the political and the
military wing and recognize its political wing as a legitimate political party.
INTERNATIONAL JOURNAL OF INTELLIGENCE
HEZBOLLAH AND THE INTERNET IN THE TWENTY-FIRST CENTURY
671
In this context, it is thought provoking because Sayyed Hasan Nasrallah is
the head of both wings.
Hezbollah is responsible for approximately 30 terrorist attacks, including
bombings, assassinations, hijacking, and kidnapping between 1983 and 2012.
The number of casualties is about 500 while the number of injured is near
1,000 people.2 The targets of the Hezbollah attacks were typically Israeli or
Jewish interests worldwide, ranging from Europe to South America.
In addition, Hezbollah is closely connected with the Sunni–Islamic
fundamentalist Palestinian Hamas organization and the Palestinian Islamic
Jihad. Despite the religious differences, there are numerous similarities
between Hezbollah and Hamas. Both have a political and a military wing,
they share the same goals and tactics/, and the judgment of the two
organizations is not uniform within the international community. That said,
Hezbollah is a role model for Hamas.3
Hezbollah proclaimed its new ideology manifesto in 2009, in which it
vowed to oust Western powers from Lebanon, demanded the destruction of
Israel, and showed its commitment to Iran’s supreme leader. The
organization expressed its desire to build an Iranian-inspired Islam regime
while keeping the Lebanese people’s freedom and self-determination.
Hezbollah refers to itself as the “Organization of the Oppressed on Earth”
and the “Revolutionary Justice Organization.” The main goal of the party is
the “liberation” of Jerusalem and the land of Israel by the Arab World,
which is governed by an Islamic government established by Hezbollah.4
Hezbollah has built a so-called resistance society in Southern Lebanon,
Beirut’s southern suburb, and the Bekaa Valley. Today Hezbollah struggles
to liberate the Shebaa Farms area occupied by Israel in the Six-Day War
(1967) from Syria.
The organization participates in the civil war in Syria alongside Iran and
Syria, supporting Bashar al-Assad’s regime, gaining very valuable experiences
that improve its military capabilities.
That said, Hezbollah is deeply embedded in Lebanese society because it
created a state within a state. It has a health care system, media services,
agricultural centers, an educational system, low-cost schools, and a financial
system. Hezbollah oversees the Al-Shahid Association of the Martyr’s
Institute, which pays stipends to the family members of martyrs.
The first leader of the organization’s political wing (between 1989 and 1991)
was Subhi al-Tufayli, who was dismissed when he was against the decision to
participate in the Lebanese parliamentary elections. His successor was Abbas
al-Musawi, whom Israel assassinated in 1992. Following the murder of Abbas
al-Musawi, the current leader Hassan Nasrallah got into power. As secretarygeneral, he oversees the seven-member Shura, which has five sub councils: the
political assembly, the jihad assembly, the parliamentary assembly, the
AND COUNTERINTELLIGENCE
VOLUME 36, NUMBER 3
672
} ATTILA GULYAS, AND DARKO TRIFUNOVIC
JANOS
BESENYO,
Figure 1. Extraction of the organizational chart of Hezbollah.
executive assembly, and the judicial assembly. It is hard evidence for the tight
Iranian connection that there are two permanent Iranian representatives on
the Shura council. Figure 1 shows the extraction of the organizational chart of
Hezbollah. (The whole organizational chart can be seen at https://hezbollah.
org/organizational-chart.)
As reported by the U.S. Department of State in 2019, Hezbollah had tens
of thousands of supporters and members worldwide5 who made a
considerable amount of donations, but with international financial sanctions,
this source dried up. The U.S. sanctions against Iran have adverse effects on
Hezbollah as well. Due to the sanctions, Iranian support of Hezbollah
significantly decreased in the last few years, although they are still tied to
each other with thousands of threads. Lebanon together with Hezbollah are
facing complicated challenges today, including the political crises that come
from the political instability and the deeply rooted corruption in the society
that are fundamental problems in Lebanon. In addition, the U.S. and EU
sanctions of the Lebanese economy and the explosion at the Port of Beirut,
then the COVID-19 pandemic, not to mention the Syrian civil war with the
Syrian refugees, are burning questions today.
This situation may spur one to underestimate Hezbollah’s capabilities,
but it is far from the truth. Hezbollah is a progressive, well-prepared
organization with every capability needed to wage traditional lowintensity conflicts and wage modern information warfare in the twentyfirst century.
INTERNATIONAL JOURNAL OF INTELLIGENCE
HEZBOLLAH AND THE INTERNET IN THE TWENTY-FIRST CENTURY
673
HEZBOLLAH ON THE INTERNET
The leadership of Hezbollah is fully aware of the importance of the Internet
and its inherent possibilities in the permanent conflict with Israel and the
United States. They established the traditional media outlets’ Internet-based
counterparts and the ways to continue their propaganda and recruitment
activity on social media sites despite banning its official profiles.
The Internet division of Hezbollah set the following goals for itself:
spread propaganda through the Internet and highlight the ideology of
the party,
wage psychological war against Israel by using the inventions of the
new medium,
support the Palestinian resistance movements against Israel,
strengthen its leadership among the Lebanese Shiite society and popularity in
the Arab world, and
present Israeli aggression and highlight the fight of the “resistance society.”
Social Media Presence
… since the moral elements are among the most important in war. They
constitute the spirit that permeates war as a whole, and at an early stage
they establish a close affinity with the will that moves and leads the
whole mass of force, practically merging with it, since the will is itself a
moral quantity.
—Carl von Clausewitz6
Security experts and defense analysts wrote numerous articles and books on
scenarios of the subsequent cyberwars. They envisioned crashing networks
and disrupted critical infrastructures; they thought hackers would fight
against hackers. But they missed one scenario when the attacker has no
cyberwar capability, but it has personal computers, smartphones, and
Internet access. ISIS had no cyber capability, so it could not hack networks;
instead, it hacked the information itself on the networks when it occupied
Mosul. As a result of the successful social media campaign, the organization
recruited more than 30,000 new members from more than a hundred
countries to join the “Caliphates.” This successful campaign highlighted the
importance of social media in information warfare.7
Hezbollah also recognized the importance of the new possibilities inherent in
the new domain. Social media proved an excellent medium for spreading
Hezbollah propaganda, although, in the beginning it was restricted to mostly
the Internet-savvy young generation, but some years later, as the new
technology integrated into everyday life, they reached the senior generation as
well. Hezbollah created a significant number of social media accounts on
Facebook, Instagram, Twitter, and YouTube to spread their propaganda. A
AND COUNTERINTELLIGENCE
VOLUME 36, NUMBER 3
674
} ATTILA GULYAS, AND DARKO TRIFUNOVIC
JANOS
BESENYO,
good example of this is when Hezbollah ran an “equip a mujahid”
crowdsourcing campaign on Facebook and Twitter, spurring the online
supporters to fulfill their religious obligations by buying weapons,
ammunition, and other military equipment for the Syrian war.8 The contents
of the social media profiles were in harmony with well-known Hezbollah
propaganda.9 These profiles regularly violated the rules of the websites, which
is why a so-called whack-a-mole game was played between the moderators and
the account managers. The latter kept on changing their profiles with the same
content. Interestingly, the most obviously terrorist accounts were not banned
until June 2018, when, under lawmaker pressure, Google and Facebook
suspended Hezbollah and Hamas accounts. U.S. lawmakers criticized Twitter
because it distinguished the military and political arms of the organization and
did not take any action effectively, allowing the organizations and their
affiliates to use the platform. Members of the U.S. House of Representatives
sent a letter to Twitter, Google, and Facebook in September 2019, requesting
information on the number of Hamas and Hezbollah accounts and a timeline
of suspending these accounts. At the same time, they called Twitter to update
its policy to comply with U.S. laws. Following the letter, Twitter also
suspended the Hamas- and Hezbollah-related accounts.10
The reader may wonder why the tech giants did not ban the obviously
terrorist accounts on social media. The advertiser on social media brings in
money—that is the reason why they hesitated banning the extremist sites.
Hezbollah, Hamas, and other affiliated organizations advertised on these
platforms, as other organizations do today. A good example is when
Facebook—between July 2018 and July 2020—made over $23 million in
advertising revenue from inauthentic networks that violated the platform’s
policies (coordinated inauthentic behavior).11
Despite the suspended official profiles, thousands of sympathizer posts on
social media spread Hezbollah’s propaganda. Figure 2 is a screenshot of a
Hezbollah sympathizer’s tweet. The situation is similar on other social media
sites where the “Hizbullah “or “Hezbollah” search expressions in English or
Arabic yield thousands of results related to the terrorist organization.
Hezbollah “Media Camps”
Falsehood flies and the Truth comes limping after it.12
According to an article published by Telegraph News Agency in August 2020,
since 2012 Hezbollah has been running “Media Camps,”13 where it trains socalled media fighters to manipulate photographs digitally, manage a significant
amount of fake social media profiles, avoid Facebook’s censorship, and spread
fake news and disinformation. The students come for the 10-day training from
Bahrain, Iraq, Saudi Arabia, and Syria. The course is an excellent opportunity
INTERNATIONAL JOURNAL OF INTELLIGENCE
HEZBOLLAH AND THE INTERNET IN THE TWENTY-FIRST CENTURY
675
Figure 2. Tweet from a Hezbollah sympathizer.
for Iran and Hezbollah to spread their ideology and sow the seeds of
uncertainty in the region, especially in Iraq. The article is based on interviews
with more than twenty former students, politicians, and media experts who
asked for anonymity for obvious reasons. The Telegraph investigation revealed
that thousands of activists were trained to give their knowledge away after
going home. This camp is a multimillion-dollar business for Hezbollah. As
reported by the article, Iran also has been running a similar camp, but it is far
less popular than Hezbollah’s course. The reason for the high efficiency of this
course and the “electronic army” in the Middle East is the greater dependency
on social media compared with Western countries.
With the lack of a reliable journalistic system, the people can only access
information on social media that is very cheap, popular, and easy to access.
The “electronic army” effectively exploits this situation. The “digital
warlords” launch social media campaigns with fake profiles spreading false
information on the target, and their other fake profiles share this until the
origin of the false information fades. The misinformation is widely spread
and builds in the public consciousness.
The Kata’ib Hezbollah group—designated as an Iraqi Shiite terrorist
group by Japan and the United States—spends a large amount of USD on
Facebook to boost its profiles. According to anonymous sources, 400
AND COUNTERINTELLIGENCE
VOLUME 36, NUMBER 3
676
} ATTILA GULYAS, AND DARKO TRIFUNOVIC
JANOS
BESENYO,
individuals have been working for the group’s “electronic army.” Some of the
fighters were trained in Hezbollah fake news camp, while the rest are trained
by the alumni of this course. The camp induced a so-called arms race among
the politicians in the area because having the most skilled electronic warriors
gives a prestige for the “owners.”14
The restrictions on Hezbollah in social media do not mean that the
organization waives the use of this kind of media. On the contrary, instead of
a direct presence, they have a presence on social media via their proxies and
sympathizers. The center of Hezbollah philosophy is the “resistance society,”
and the aim of the organization is to build a society that supports its military,
political, and social goals. The new situation demanded new solutions. With
the media camps, Hezbollah did not exhaust all of its possibilities to stay on
social media, because it changed its techniques and, instead of posting violent
content, which is usually getting censored out, it persuaded its supporters to
post peaceful messages about Hezbollah festivals, rallies, and the general
secretary’s speeches. Due to this change, thousands of Hezbollah-related
posts are on different social media platforms. According to an article on the
Bellingcat website in 2019, an ostensibly independent Lebanese activist group
augmented Hezbollah messaging and its fundraising system on social media.
The Attansakiyeh group defined itself as an independent organization and
had Twitter, Facebook, Instagram, Telegram, and YouTube accounts that
regularly posted indirect Hezbollah-supportive messages. Their messages
suggested the importance of Hezbollah in Lebanese society, but, to evade
social media censorship, they tried not to mention Hezbollah explicitly. (At
the time of writing this article, the group’s accounts are not available on the
aforementioned social media sites.15)
Virtual Entrepreneurs and Recruitment on Social Media
Hezbollah tends to learn from other, even Sunni, terrorist organizations about
new tools, techniques, and procedures (TTPs). Experts call one of the ISISintroduced techniques virtual entrepreneur or virtual planner. The point of this
new method is that the operative gets in contact with the candidate interested
in their ideology and wins their sympathy. As they are getting deeper into the
topic from the suggestions of the operative, they transit to a hidden form of
communication like Telegram or Wickr Me. The operative trains the candidate
for different kinds of tasks, such as surveillance, assassination, or fundraising,
just to name a few.16 Hezbollah realized that this method is cheap and highly
rewarding, and even if the terrorist attack is thwarted or the authorities reveal
the terrorist cell, Hezbollah can hide behind plausible deniability.17 The
Hezbollah virtual entrepreneurs use fake names like “Bilal” (full moon, water,
victorious, winner) and focus on Palestinians and Israeli Arabs to carry out
terrorist activities in Israel. For example, Muhammad Zaghloul (recruited
INTERNATIONAL JOURNAL OF INTELLIGENCE
HEZBOLLAH AND THE INTERNET IN THE TWENTY-FIRST CENTURY
677
Palestinian) got sixteen encrypted emails from a Hezbollah operative over the
course of several weeks requesting information on Israeli Defense Forces bases
and instructions on how to carry out suicide bombings.18 Based on opensource reporting, from January 2017, Hezbollah significantly reduced its online
recruitment activity. The reasons are unknown. According to some
assumptions, Hezbollah failed to gain a foothold in the West Bank, so it is
focusing on the Syrian side of the Golan Heights. The social media giants’
steps against the organization, together with Israel’s counterterrorism
endeavors, also might play a role in the failure of Hezbollah.19
Cyberwar, Cyberwarfare, Cyberespionage
Among the experts, there is no uniform definition of cyberwarfare, although
the widely accepted definition is the use of cyberattacks against states,
causing significant harm, disruption of vital computer systems, and loss
of life.20
The perpetrators of these kinds of attacks range from nation-state actors
to terrorist groups, cybercriminals, and hacker groups furthering the goals of
some nation.
In the course of the attacks, the actors can use the following kinds
of weapons:
different kinds of harmful software solutions, including viruses, malware
applications, Trojans;
Distributed Denial of Service attacks blocking legitimate users from accessing
devices or network services;
data theft from governmental, business, or educational institutions;
cyberespionage that compromises the target country’s national security;
ransomware solutions, data hostage, and blackmailing; and
spreading fake news and disinformation campaigns that cause chaos and loss
of confidence in financial or governmental organizations.
A cyberattack, on one hand, is a part of the cyberwar, so the cyberwar
consists of a series of cyberattacks, while on the other hand the cyberattacks
are regarded as a “campaign between wars” or “wars between wars.”21
Military experts consider cyberwar an asymmetric type of warfare because
one of the involved parties uses unconventional tactics to equalize its lower
military capabilities. In contrast with conventional warfare, information wars
do not need extensive and expensive military machinery. Instead, they
take a computer and Internet access, coupled with experts in computer
programming systems.
AND COUNTERINTELLIGENCE
VOLUME 36, NUMBER 3
678
} ATTILA GULYAS, AND DARKO TRIFUNOVIC
JANOS
BESENYO,
Hezbollah and Cyberespionage
According to uncorroborated information, Hezbollah has built a center for
cyberwarfare in the outskirts of Beirut in the Dahya neighborhood led by one
of the relatives of the secretary-general. The center is dedicated to the fight
against Israel. The hackers and other professionals, or at least a part of them,
are trained by Iranians. Although this information is not corroborated, some
events seem to prove the existence of the Hezbollah cyber unit.
Israeli security experts at the Check Point security firm revealed a
widespread cyberespionage campaign in 2015 whose origin reached back to
2012, targeting servers of military suppliers, telecommunication companies,
media outlets, and universities. The action affected a dozen countries,
including Israel, Japan, Saudi Arabia, Turkey, the United Kingdom, and the
United States, to name a few. The experts identified a unique software
package called “Explosive” used in the campaign. The analysis carried out by
the security experts found the “fingerprints” of the notorious Iranian
ITSecTeam hacker group in the malware’s source code tailored for
cyberespionage.22 Beyond this, the local setting of the operating system was
“Arabic-Lebanon” on the computer where the source code was compiled.
The software analysis provided further evidence for the Lebanese connection
because the malware’s control servers were physically located in Beirut. The
investigation also uncovered the identity of a Lebanese person who was in
connection with the servers. Check Point named the campaign “Volatile
Cedar” while the perpetrator got the Lebanese Cedar name, referring to the
cedar in the Lebanese national emblem. Evaluating the shreds of evidence, it
can be presumed with high probability that Hezbollah was behind the
campaign.23 Daniel Cohen, coordinator of the Cyber Warfare Program at the
Institute for National Security Studies, a prominent Israeli think tank,
has written:
We see the attacks are getting more sophisticated, the tools are more
sophisticated, and they [Hezbollah] are getting into the databases of
the system and are trying to gain intelligence—a password, details
of people.24
This was the first time Hezbollah was tied to a major cyberattack.
The Clear Sky Israeli cybersecurity company detected suspicious activities
on the network of some Israeli companies in early 2020. Comprehensive
forensic research on the compromised systems revealed special hack tools
familiar to the experts in connection with the “Volatile Cedar” campaign. The
attackers targeted Oracle and Atlassian web servers by exploiting known
vulnerabilities that were not patched. The experts studied the groups’ TTPs
and they identified those open-source tools that were used by the attackers to
find the vulnerable servers on which they installed their malware software
INTERNATIONAL JOURNAL OF INTELLIGENCE
HEZBOLLAH AND THE INTERNET IN THE TWENTY-FIRST CENTURY
679
packages. The software modules had numerous functionalities, like recording
keyboard strokes, uploading and downloading files, receiving commands
from the control servers, and database manipulation. Further analysis of the
software components used in the campaign revealed unique markers typical
for malware solutions of the Lebanese Cedar group. The encryption methods
within the programs, the style of the programming, and some code snippets
proved the Lebanese Cedar origin. Beyond this, the experts also found code
snippets from the malware solutions of the Iranian ITSecTeam and the
Persian Hacker group. However, there is no information on whether the
Iranian hackers gave Lebanese Cedar direct help or not.
Having the “fingerprints” of the group and knowing the TTPs, Clear Sky
made a widespread discovery on the Internet to find compromised publicfaced web servers. As a result of their research, they found more than 250
victims worldwide. Each of them was infected by Lebanese Cedar’s malware.
The most affected countries were mainly from the Middle East (Egypt, Israel,
Jordan, Saudi Arabia), but Argentina, Brazil, France, Germany, the
Palestinian Authority, the United Kingdom, and the United States were also
involved. Most identified victims are companies from the telecommunications
industry, Internet service providers, hosting providers, and government
agencies. According to the security experts, the campaign started in 2015, and
due to the prudent and wise use of the malware, it stayed hidden from
security experts for five years. Although Clear Sky security experts do not
claim unequivocally that the Lebanese group belongs to Hezbollah, the
targets of the first and second campaigns and Iranian cooperation all show
with high probability that Lebanese Cedar is connected to the Hezbollah
Cyber Unit. Regardless, after these two professional campaigns, Lebanese
Cedar changed gear from a “plain” hacker group to an advanced persistent
threat organization, because it has all the character of a stealthy threat actor.
The security experts cannot estimate the quantity and quality of the
information obtained by Lebanese Cedar during the five-year operation.25
The two unveiled cyberespionage campaigns show that the organization’s
cyber capabilities have significantly improved in the last decade. The
campaigns, each going on for years, were bearing the hallmark of a wellprepared, disciplined, well-orchestrated group or groups. The amount and
the quality of the stolen information and the damage caused by Hezbollah
are inestimable. Likewise, the destination of the stolen data is also unknown.
In the mirror of the events, we can be sure that Hezbollah does not give up
the cyberespionage and for sure that it keeps on improving its cyber
capabilities, and it prepares for the next campaign—if it is not ongoing now.
AND COUNTERINTELLIGENCE
VOLUME 36, NUMBER 3
680
} ATTILA GULYAS, AND DARKO TRIFUNOVIC
JANOS
BESENYO,
HEZBOLLAH AND THE DARK WEB
What do terrorists do on the Dark Web? According to Serbakov,26 they use
it to spread their propaganda, and for fundraising, recruiting, training, and
coordination. Gabriel Weimann’s answer in his article with the title
“Migration to the Dark Web” is “more of the same but more secretly.”27
It is only partially true because, in contrast with ISIS or al-Qaeda,
Hezbollah has a big advantage due to its hybrid position; namely, it has legal
media conduits for reaching its audience.
Searching for Hezbollah on the Dark Web
Searching for the “footprints” of Hezbollah on the Dark Web is
cumbersome and time-consuming for a researcher because the traditional
search engines do not work in this domain. The popular Dark Web
systems—such as The Onion Router, Invisible Internet Project, or
Freenet—have their own search engines, but their abilities are limited and
far less efficient than their traditional equivalents on the Surface Web.
While the traditional engines like Google or Bing keep crawling on the
Internet searching for new sites and indexing them, the search engines on
the Dark Web work differently. There is no automated indexing so the
site owners can propagate their sites via public link collections, or the
databases of the search engines. But if a site owner does not promote
their site, others will not be aware of it.
The “Hezbollah” expression and its different spellings in different
languages did not yield any relevant results, neither on the search engines of
the aforementioned systems nor the searching in the link collections.
The second way to find virtual traces of the organization is based on the
assumption that Hezbollah is deeply involved in illicit activities, as proven in
Rachel Ehrenfeld’s book Funding Evil.28 Ehrenfeld presents in detail the
following financial sources of Hezbollah:
Support from Iran
Support from charitable organizations
Donations from individuals
Proceeds from legitimate businesses
Illegal arms trading
Cigarette smuggling
Currency and other counterfeit goods
Fraud
Robbery
Operating illegal telephone exchanges
Drug trafficking
INTERNATIONAL JOURNAL OF INTELLIGENCE
HEZBOLLAH AND THE INTERNET IN THE TWENTY-FIRST CENTURY
681
Figure 3. Hezbollah’s counterfeit dollar on the Apollon cryptomarket.
The reader may notice that a significant part of the sources comes from
illicit activity. In his book Terrorism Inc., Colin P. Clarke corroborates
Ehrenfeld’s findings that a considerable amount of Hezbollah’s income
comes from illegal activity, including currency and pharmaceutical
counterfeiting.29
Using this information as a springboard for a search of the dozens of
crypto markets, which are a main arena for illicit activities on the Dark Web,
yielded a remarkable result. As Figure 3 shows, Hezbollah made counterfeit
$100 USD denomination notes to be sold on the Apollon Market
cryptomarket.
Following the link to the description of the offer, the vendor, under the
pseudonym “therealbitsofall (100%),” says, “Please search Hezbollah fro [sic]
pricing and features. These are the best USD notes on the market. I’ve
partnered w Hez to provide a US-US sample so you can see them fast before
placing a larger order w him. This is for 1 sample note.” A further search on
the site yielded the vendor under the pseudonym “Hezbollah.” It seems that
he is a genuine counterfeit dollar vendor and “therealbitsofall (100%)” is only
a partner. “Hezbollah” sells bulk counterfeit “Hezbollah” USD dollars from
the 2006 and 2009 series, as seen in Figure 4.
“Hezbollah” gives some additional instructions for the buyers for aging the
money and how to use it safely. According to the buyers’ comments, both
vendors are reliable, and the counterfeit money is also high quality and
accepted by automated teller machines and shops. It has every security
AND COUNTERINTELLIGENCE
VOLUME 36, NUMBER 3
682
} ATTILA GULYAS, AND DARKO TRIFUNOVIC
JANOS
BESENYO,
Figure 4. Hundred dollar bills on the Apollon cryptomarket selling by Hezbollah.
feature, just like real money. The “Hezbollah” attribute of the counterfeit
dollar is a trademark of the quality.
The fact that the vendor’s pseudonym and the counterfeit dollar’s name is
“Hezbollah” is not hard evidence, of course, but it is hard to deny that it is a
strange coincidence. Taking into account the quality of the “Hezbollah
money,” in the counterfeit money business the “Hezbollah” name is a kind
of hallmark.30
It is not likely that a Hezbollah operative is behind the nickname because,
according to Matthew Levitt, Hezbollah has built a worldwide network of
supporters, sympathizers, and formal operatives to provide financial,
operational, and logistical support.31
In some cases, these primarily informal groups are the sources of false
documents, weapons, counterfeit money, and financial funds. It is hard to
follow them back to Hezbollah, because the Hezbollah operatives, who are
involved in the crime, are in the background and run well-trained and
committed henchmen. They are described by an experienced Hezbollah-case
Federal Bureau of Investigation investigator as “useful idiots” who want to
be engaged in a glorious cause.32 While they are the basis of the plausible
deniability of the organization, at the same time the anonymity provided by
the Dark Web covers them so the circle is closed.
INTERNATIONAL JOURNAL OF INTELLIGENCE
HEZBOLLAH AND THE INTERNET IN THE TWENTY-FIRST CENTURY
683
CONCLUSION
Hezbollah, from the beginning, has waged war against its eternal enemy
Israel and Western influence—especially the U.S. presence in the region. The
history of the organization is patterned with kinetic wars and low-level
conflicts with Israel, but in the last few decades the war is waged in a new
domain. From the moment of its birth, Hezbollah has kept honing its
information warfare capabilities using every available means and domain.
The most significant evidence for their proficiency is the successful and
popular “Fake News Training Camp” that has been successfully working for
more than a decade, spreading their ideology and unrest in the Middle East.
It is hard to deny that the idea and its realization are the quintessence of the
technology available for everyone in the twenty-first century. The long-run
cyberespionage campaigns and involvement in the Dark Web in its raising of
finances prove that Hezbollah has grown to the challenges of the twentyfirst century.
The revelation of the connection between Hezbollah and the Dark Web is
a new achievement that requires further investigation in order to discover
more details, contacts, and procedures and techniques.
The organization’s history shows that it quickly adapted to new situations
and realized the importance of the inherent possibilities of new technologies so
in the future its presence cannot be overlooked in the cybersecurity landscape.
ORCID
Janos Besenyő
http://orcid.org/0000-0001-7198-9328
Attila Gulyas
http://orcid.org/0000-0001-5645-144X
http://orcid.org/0000-0003-3591-9554
Darko Trifunovic
REFERENCES
1
Dominique Avon and Anaїs-Trissa Khatchadourian, Hezbollah: A History of
the “Party of God” (Cambridge, MA: Harvard University Press, 2012),
pp. 23–24.
2
The Henry Jackson Society, Timeline of Terror: A Concise History of Hezbollah
Atrocities (London: Henry Jackson Society, 2012).
3
Carl Anthony Wege, “Hezbollah and Hamas,” TRAC Terrorism Research &
Analysis
Consortium,
https://www.researchgate.net/publication/265014056_
Hezbollah_and_Hamas (accessed 14 February 2021).
4
“Hezbollah: History and Overview,” Jewish Virtual Library, https://www.
jewishvirtuallibrary.org/history-and-overview-of-hezbollah (accessed 7 March 2021).
5
U.S. Department of State, Bureau of Counterterrorism, “Country Reports on
Terrorism 2019,” https://www.state.gov/reports/country-reports-on-terrorism2019/ (accessed 8 March 2021).
6
Carl von Clausewitz, On War (Oxford: Oxford University Press, 2007), p. 141.
AND COUNTERINTELLIGENCE
VOLUME 36, NUMBER 3
684
} ATTILA GULYAS, AND DARKO TRIFUNOVIC
JANOS
BESENYO,
7
Peter Warren Singer and Emerson T. Brooking, Like War: The Weaponization
of Social Media (Boston and New York: Mariner Books, 2018), p. 9.
8
Ibid.
9
Hezbollah’s Media Empire. The Meir Amit Intelligence and Terrorism
Information Center (2019), https://www.terrorism-info.org.il/en/hezbollahsmedia-empire/ (accessed 12 March 2021).
10
Sarah E. Needleman and Bowdeya Tweh, “Twitter Suspends Accounts Linked
to Hamas, Hezbollah,” Wall Street Journal (2021), https://www.wsj.com/
articles/twitter-suspends-accounts-linked-to-hamas-hezbollah-11572888026
(accessed 10 February 2021); Toi Staff, “Hezbollah Says Some of Its Facebook
and Twitter Pages Shuttered,” The Times of Israel, https://www.timesofisrael.
com/facebook-twitter-pages-of-hezbollah-shuttered (accessed 9 January 2021).
11
Chloe Colliver, Jennie King, and Eisha Maharasingam-Shah, “Hoodwinked:
Coordinated Inauthentic Behaviour on Facebook,” Institute for Strategic
Dialogue, https://www.isdglobal.org/wp-content/uploads/2020/10/Hoodwinked-2.
pdf (accessed 15 February 2021), p. 3.
12
Jonathan Swift, quoted in The Examiner, No. 14 (1710), p. 2, https://books.
google.hu/books?id=KigTAAAAQAAJ&q=%22Truth+comes%22&redir_esc=
y#v=onepage&q=swift&f=false (accessed 5 March 2021).
13
Wil Crisp and Suadad al-Salhy, “Exclusive: Inside Hizbollah’s Fake News
Training Camps Sowing Instability across the Middle East,” The Telegraph,
https://www.telegraph.co.uk/news/2020/08/02/exclusive-inside-hezbollahs-fakenews-training-camps-sowing/ (accessed 2 February 2021).
14
Wil Crisp and Suadad al-Salhy, “Fake News Production in the Middle East,”
Journalismfund.eu, https://www.journalismfund.eu/fake-news-production-MiddleEast, (accessed 15 January 2021).
15
Hector Martinez, “Hashtaggers for Hezbollah? How Social Media Fundraising
Can Skirt the Rules,” Bellingcat, https://www.bellingcat.com/news/2019/08/27/
hashtaggers-for-hezbollah-how-social-media-fundraising-can-skirt-the-rules/
(accessed 12 March 2021).
16
Michael Shkolnik and Alexander Corbeil, “Hezbollah’s ‘Virtual Entrepreneurs’:
How Hezbollah is Using the Internet to Incite Violence in Israel,”
CTCSENTINEL, Vol. 11, No 6 (2018), https://ctc.usma.edu/hezbollahs-virtualentrepreneurs-hezbollah-using-internet-incite-violence-israel/
(accessed
19
February 2021); Seamus Hughes and Alexander Meleagrou-Hitchens, “The
Reach of ISIS’s Virtual Entrepreneurs into the United States,” Lawfare,
https://www.lawfareblog.com/reach-isiss-virtual-entrepreneurs-united-states
(accessed 28 March 2021).
17
Shkolnik and Corbeil, “Hezbollah’s ‘Virtual Entrepreneurs.’”
18
Ibid.
19
Ibid.
20
Katie Terrell, Hanna Kevin Ferguson, and Linda Rosencranc, “Cyberwarfare”
[definition]. TechTarget, https://www.techtarget.com/searchsecurity/definition/
cyberwarfare, (accessed 10 March 2021).
INTERNATIONAL JOURNAL OF INTELLIGENCE
HEZBOLLAH AND THE INTERNET IN THE TWENTY-FIRST CENTURY
21
685
“The Cyber-War In the Middle East: Israel, Iran and Others,” Invisible Dog
Investigative
Journalism,
http://www.invisible-dog.com/cyber_war_eng.html
(accessed 5 February 2021),
22
The ITSecTeam is an Iranian hacker group believed to have been working on
behalf of Iran’s Islamic Revolutionary Guard Corps. Council on Foreign
Relations, “Cyber Operations,” https://www.cfr.org/cyber-operations/itsecteam
23
Jeff Moskowitz, “Cyberattack Tied to Hezbollah Ups the Ante for Israel’s
Digital Defences, Christian Science Monitor, https://www.csmonitor.com/World/
Passcode/2015/0601/Cyberattack-tied-to-Hezbollah-ups-the-ante-for-Israel-sdigital-defenses (accessed 9 March 2021).
24
Quoted in Jeff Moskowitz, “Hezbollah Just Upped the Cyber Ante against
Israel”, INSIDER, https://www.businessinsider.com/hezbollah-just-upped-thecyber-ante-against-israel-2015-6 (accessed 9 March 2021).
25
ClearSky Research Team, “Lebanese Cedar,” APT Global Lebanese Espionage
Campaign Leveraging Web Servers, Clearsky, https://www.clearskysec.com/
cedar/ (accessed 25 March 2021).
26
M
arton Serbakov, “A terroristak internet hasznalata [Internet Use of
Terrorists],” B€untetőjogi Szemle Szemle, No. 2 (2018), https://ujbtk.hu/drserbakov-marton-tibor-a-terroristak-internethasznalata%c2%b9/ (accessed 22
February 2021), pp. 85–93.
27
Gabriel Weimann, “Terrorist Migration to the Dark Web,” Perspective on
Terrorism, Vol. 10, No. 3, http://www.terrorismanalysts.com/pt/index.php/pot/
article/view/513/html (accessed 12 February 2021), pp. 40–44.
28
Rachel Ehrenfeld, Funding Evil: How Terrorism Is Financed—And How to Stop
It (Chicago: Bonus Books, 2003), p. 109.
29
Colin P. Clarke, Terrorism, Inc.: The Financing of Terrorism, Insurgency, and
Irregular Warfare (Denver: Praeger, 2015), p. 92.
30
American Jewish Committee, Setting the Record Straight on Hezbollah: Full
Report, https://www.ajc.org/news/setting-the-record-straight-on-hezbollah-fullreport, (accessed 24 March 2021).
31
Matthew Levitt, Hezbollah’s Criminal Networks: Useful Idiots, Henchmen, and
Organized Criminal Facilitators. The Washington Institute for Near East Policy,
https://www.washingtoninstitute.org/policy-analysis/hezbollahs-criminal-networksuseful-idiots-henchmen-and-organized-criminal (accessed 17 January 2022).
32
Ibid.
AND COUNTERINTELLIGENCE
VOLUME 36, NUMBER 3