Bellingcat @bellingcat Award-winning open source investigation. Want to donate? See here: www.patreon.com/bellingcat Jun. 27, 2019 4 min read

Yesterday we published a deep dive on Saud al-Qahtani.

Who is he? Since October 2018, he has been known as the "mastermind" of the #Khashoggi murder.

He is one of #MBS's top aides and has been described as the Saudi crown prince's enforcer and chief propagandist.

Al-Qahtani is also known as the "Lord of the Flies" — "flies" are what Saudi dissidents call trolls and bots that relentlessly attack critics of the Saudi state on social media.

They send death threats. They wage disinformation campaigns.

 https://www.washingtonpost.com/world/saudi-electronic-army-floods-twitter-with-insults-and-mistruths-after-khashoggis-disappearance/2018/10/19/98044874-d311-11e8-a4db-184311d27129_story.html?noredirect=on&utm_term=.d9fd424da236 

Al-Qahtani has personally launched harassment campaigns against critics of the Saudi regime.

In August 2017, he launched a hashtag that translates to #the_black_list in English — it threatened dissidents that they would be "followed" if tagged.

We built on reporting by @lorenzofb at @motherboard and on the work of a Twitter user called @HIAHY.

They tied email addresses from someone purporting to be al-Qahtani found in leaked emails from Italian spyware firm Hacking Team to profiles on sites like @HackForumsNet.

Neither @motherboard or @HIAHY could *definitively* show that al-Qahtani owned the emails.

We did it by using information leakage on Twitter and Google's password recovery pages.

+966 55 548 9750 and [email protected] are both linked to @saudq1978's verified Twitter account.

We also confirmed that al-Qahtani's Gmail account was linked to the same contact information as his Twitter.

His [email protected] account was trickier.

We couldn't confirm it using information leakage. We relied on a telling exchange with a Hacking Team employee.

With al-Qahtani's phone number and email addresses confirmed, we went to work.

How much could we find on this guy online? A lot.

@al_b33lz3bub read all 441 posts by al-Qahtani on Hack Forums under his handle nokia2mon2. Here's what we found.

He was scammed on his very 1st day on the forum in 2009.

And in 2010. And in 2015.

He was also hacked in 2015, and someone used his account to defraud users of Bitcoin.

He got his account back & recommended everyone turn on #2FA.

Reminder: This is a top intel official.

Another detail that raised eyebrows: He posted three times that he was drunk.

#SaudiArabia has a well-known prohibition against drinking alcohol, of course.

But maybe, just maybe, the rules aren't applied equally?!🤔

What else was he up to on Hack Forums (which is known as a site for lesser-skilled hackers)?

Well, he bought and used as much remote hacking malware (RATs) as he could, including Blackshades, which was the subject of an unprecedented global law enforcement operation.

He also wanted to remotely access the microphones of computers to create secret recordings, but he couldn't figure out how, so he paid a Hack Forums user $100 to do it for him.

Another major theme of al-Qahtani's Hack Forums posts — buying bots to use them for DDoS attacks.

He again lacked the technical knowhow, so he tried hiring flaky server admins or used DDoS for hire services.

Al-Qahtani also targeted users on major social media platforms

He paid for the deletion of a YouTube channel & said a Hack Forums user had deleted 20 videos for him. He sought a tool to ban Twitter profiles

The Lord of the Flies also had an insatiable appetite for MOAR BOTS.

There's so much more on Hack Forums (check out the report!).

The most disturbing finding was al-Qahtani's network of domains, some of which were used for hosting malware and launching DDoS attacks.

We encourage readers to build off these findings in your own investigations.

It's interesting that the official #MBS entrusted with overseeing and planning the #Khashoggi murder exhibited extremely poor OPSEC when registering the almost all of the domains, using his true name and contact information.

The report's author, @al_b33lz3bub, will describe some of what was found on this network of domains later today.

Suffice to say, nothing good.

In the meantime, please read the report.

Victims like #Khashoggi are owed the truth.

 https://www.bellingcat.com/news/mena/2019/06/26/lord-of-the-flies-an-open-source-investigation-into-saud-al-qahtani/ 

To close this thread, we want to highlight that al-Qahtani is NOT one of the 11 suspects facing trial in Saudi Arabia for #Khashoggi's murder.

In fact, if @guardian's reporting is correct, he's still very much active.

The UN's @AgnesCallamard wants him investigated. We agree.


You can follow @bellingcat.



Bookmark

____
Tip: mention @threader_app on a Twitter thread with the keyword “compile” to get a link to it.

Enjoy Threader? Sign up.

Threader is an independent project created by only two developers. The site gets 500,000+ visits a month and our iOS Twitter client was featured as an App of the Day by Apple. Running this space is expensive and time consuming. If you find Threader useful, please consider supporting us to make it a sustainable project.