Using WEBINT and OSINT to Tackle Extremist Groups

August 25, 2020

Agencies that familiarize themselves with extremists’ cyber haunts stand a better chance of uncovering potential problems before they materialize

By Johnmichael O’Hare

Times of economic uncertainty and social unrest provide favorable conditions for extremism. Groups spanning a range of ideological persuasions can take advantage of the turmoil to promote their narratives, recruit new members, and, in some cases, commit violent acts.

Extremists from the far left and far right hold opposed worldviews but share one common thread: They rely on online resources to achieve their goals. Such groups leverage several social media platforms and internet forums to communicate with followers and organize activities. Online tools enable extremism. But law enforcement agencies that familiarize themselves with extremists’ cyber haunts stand a better chance of uncovering potential problems before they materialize.

Indeed, getting up to speed on internet extremism helps officers protect the public and might also expose threats made against the officers themselves.


Among the recent string of violent events that have gripped our country, we have seen a massive amount of public unrest driven by agitators from across the extremist spectrum. Large sections of cities and neighborhoods have been shut down, property and businesses have been destroyed, and, tragically, people have lost their lives. In some cities, we have seen a perfect storm of rioting, violent crime and the coronavirus pandemic happening at the same time.

In addition, COVID-19 has provided cover for extremist activity. The pandemic has fomented fear and uncertainty around the world, and the resulting economic downturn has left millions of people out of work. Extremists now use online platforms to conduct messaging campaigns, aiming to exploit the dual crises.

In one investigation, the Institute for Strategic Dialogue, working with BBC Click, found that 34 COVID-19 disinformation websites racked up 80 million interactions on Facebook from January to April 2020. ISD’s report noted those interactions dwarfed the number of Facebook interactions the Centers for Disease Control and Prevention gathered during the same timeframe: a comparatively paltry 6.4 million.

Extremist groups organize acts of public violence and disinformation campaigns as part of their communications strategy, which seeks to keep adherents motivated and find recruits. The familiar surface web – home to widely used social media platforms – is often the key outlet for an extremist group’s propaganda. And if extremists are booted off the mainstream social media platforms, they often resurface on alternative platforms.

Misleading and inflammatory messaging, while problematic enough, offers a path to radicalization and, from there, a short hop to incitements to violence. Violent calls to action can and do appear on the surface web, but the more sophisticated threat actors are likely to plan and coordinate violent activities in the web’s subterranean levels.

The deep web, for example, operates below the surface web and can prove difficult to navigate since Google and other search engines don’t index websites in this layer. The dark web, a subset of the deep web, harbors a range of illegal activities, including marketplaces dealing in stolen credit card data and illicit drugs. Extremists also gravitate to the dark web, where they can use a variety of technologies to conceal their activities. Tools of the trade include anonymizing routers, no-log virtual private networks and proxy servers.


Law enforcement faces several challenges when investigating extremists’ online activities. The sheer scale of the surface web and its underground counterparts presents one obstacle. As of July 2020, there were 1.78 billion websites, according to Internet Live Stats’ counter. Add to that billions of social media accounts and it becomes clear that threat actors have many places to hide.

The Dallas Morning News quotes Eric Jackson, the former chief of the Dallas FBI, saying that “it’s necessary for law enforcement to study extremists and learn the goals of the groups, their tactics, their use of social media platforms, the language they use to communicate, their use of props, such as their clothing, tattoos, graffiti.”

In addition, threat actors, including those associated with extremist groups, will attempt to anonymize themselves. They might employ one or multiple fake social media profiles, using email addresses from service providers that don’t verify a person’s identity. In doing so, they will use an online “handle” rather than their actual name. The more sophisticated extremists will use the dark web’s higher level of anonymity, adding another degree of difficulty to data collection and evidence gathering.

Another law enforcement challenge: respecting protected speech while investigating threat actors who could endanger lives, destroy property, or obstruct government administration. Speech might be offensive, but it doesn’t always rise to the level of a specific, imminent threat. Determining what is acceptable or what is a violation of the law can sometimes be challenging for officers.

Law enforcement agencies, however, can follow investigative practices and deploy technologies that address the obstacles of an online investigation. Those assets can help your organization uncover the threats extremist groups and individuals pose within your jurisdiction.

OSINT, or open-source intelligence, is an important tool law enforcement agencies can use to guide an investigation. OSINT encompasses a wealth of publicly available information, from traditional print publications to today’s vast array of digital media outlets.

A skilled investigator can gather a multitude of leads through OSINT. Searching the surface web can yield phone numbers, social media handles and IP addresses that can help resolve the identity of threat actors. Scanning the surface web can help launch an inquiry and, in some cases, might be all you need to snuff out a threat.

The open web, however, has its limitations. The surface websites Google indexes amount to perhaps 4% to 5% of all websites. So, investigators need different tools when pursuing threat actors who have learned to anonymize themselves across the deep and dark webs. As it happens, extremist groups have become increasingly adept at concealing their activity and adopting operational security practices.

At this point, investigators need to couple OSINT with a we