Fake URL shortening service was part of British online spy operation

Iran protestsAn internet website that offered free URL shortening services appears to have been a front created by British intelligence in order to spread messages and monitor activists involved in protests in Iran and the Arab world. The website was used heavily during the Iranian presidential election protests of 2009, which became known as the Iranian Green Movement. After a brief hiatus, the website was used again in 2011, as the Arab Spring revolts in North Africa and the Middle East were intensifying. The information pointing to the use of the website comes from documents leaked by Edward Snowden, the American former intelligence employee who has been granted political asylum in Russia.

According to the leaked documents, the website, lurl.me, was devised by a specialist until of the Government Communications Headquarters (GCHQ), Britain’s intelligence agency that collects signals intelligence. The unit, called Joint Threat Research Intelligence Group (JTRIG), devised the website as part of an operation codenamed DEADPOOL. The leaked documents state that the purpose of the website was to operate as a “shaping and honeypot” tool, by helping disseminate messages in support of the protests while at the same time allowing the GCHQ to monitor the protesters’ online activities. Lurl.me first appeared in June 2009 as a self-described “free URL shortening service”, using the slogan: “we help you get links to your friends and family fast”. It was used repeatedly on Twitter and other social media platforms to spread messages against the government of Iran. But the vast majority of social media accounts that made use of the website, like @2009iranfree, were operational only for a short period of time, had few followers, and ceased all activity at the end of the Iranian Green Movement. By that time, hardly anyone was using lurl.me. But the website made its appearance again on social media in April of 2011, with messages against the government of Syria. According to Vice’s Motherboard website, Tweets using the lurl.me service appeared to be active only between 9 a.m. and 5 p.m. UK time, and only on weekdays.

Both in 2009 and 2011-2013, lurl.me was used to instruct anti-government activists on how to avoid being monitored by the authorities. Some links contained instructions on how to access the Internet via satellite. Others provided directions on using proxies to access websites that were blocked by the authorities. At the same time, however, the documents leaked by Snowden show that the GCHQ also used the service to track the activities of anti-government activists who clicked on the lurl.me links, and even to ‘deanonymize’ (=to establish the real identity) of these users.

IntelNews first reported on JTRIG in February 2014, when its existence was first revealed by Snowden. The specialist unit has been associated with targeting self-described ‘hacktivist’ groups like Anonymous or LulzSec, using malware, social engineering, and other techniques. JTRIG also appears to have conducted online intelligence operations against the government of Argentina.

Motherboard reports that lurl.me was last used in November 2013, shortly after Snowden began leaking files from his secret hiding place in Russia. Motherboard said it contacted GCHQ for a reaction to the lurl.me allegations, but the agency said it would “not comment on intelligence matters”.

Author: Joseph Fitsanakis | Date: 02 August 2016 | Permalink

Advertisements

2 Responses to Fake URL shortening service was part of British online spy operation

  1. Anonymous says:

    GCHQ – Government Communications Headquarters, not General Communications Headquarters

  2. intelNews says:

    @Anonymous: Thanks. Correction made. Second time I’ve made that error on this site. [JF]

We welcome informed comments and corrections. Send us yours using the form below.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s