It all began on October 27, 2019. Rumour was, Abu Bakr al Baghdadi, the leader of Isis, was dead. Nothing was confirmed, but already the jihadist world online was thrumming with excitement and trepidation.
“I was walking through an airport,” Moustafa Ayad tells me. “Jet-lagged out of my mind.” A deputy director of the counter-extremism think tank Institute of Strategic Dialogue (ISD), Ayad tries to stay on top of the constant struggles and skirmishes, retreats and resurgences between Isis and their many enemies online. That day, as he scrolled through his phone, a blitz of Isis propaganda stared back at him. The digital Jihad was raising a dirge to Baghdadi on Twitter.
Flitting from account to pro-Isis account, Ayad noticed something strange. Some accounts carried short, discreet links, not within their tweets, but nestled in their biographies. He clicked.
The link, he realised, was not quite like any other he’d ever followed before. On his phone, Ayad saw folder after folder of meticulously catalogued terrorist content. “I thought it was a joke,” Ayad says. “Some kind of scam.” In the echoing marbled expanse of Dubai International Airport, on public Wi-Fi, in a Starbucks queue, he had stumbled upon a gigantic, sprawling cache of Isis material.
He clicked on a PowerPoint presentation, one of countless now in front of him. “Al Qaeda Airlines”, it said: a case study of the mechanics of hijacking planes, making your own chloroform, and the cell structure needed to organise a coordinated terrorist attack. Just then, a dim tannoy announced his flight.
Over the weeks that followed, Ayad and his colleagues at the ISD began their journey through the cache.
At first glance, the cache looks like a bunch of files on DropBox – its colour palette an on-brand Isis black-and-white, with a roster of ordinary folders. But the first thing you notice is the size. Its 4,000 folders hold over a terabyte and a half of multimedia multilingual content, spanning Arabic, English, German, French, Spanish, Russian, Bangla, Turkish, and Pashto. “It’s a blueprint for terrorism, complete with footnotes” Ayad tells me. “It’s everything anyone with an inclination for violence would need to carry out an attack.”
The cache’s content is a blend of the official products of Isis itself with those of often more obscure precursors, such as the Tawhid wal-Jihad Group, who fought coalition forces in Iraq, and the umbrella organisation of other insurgent groups, Majlis Shura al-Mujahidin. A small amount of it – just a few per cent by size – captures in screeds and sermons the ideas of key ideologues of Isis itself. The key personality in the “Fatwas over the Airwaves” folder, for instance, is Turki al Banali, a Bahraini cleric-turned-recruiter who in each episode desperately gives the core concepts of Salafi Jihadism an Isis-friendly spin.
Much of the stash, however, simply portrays daily life within Isis, back when the terrorist group still controlled a chunk of territory sitting astride Syria and Iraq. There are school curricula covering the six core subjects that, some estimates believe, were once taught to 130,000 children: English, PE, Arabic, Koranic Studies, Geography & History and a subject called “’ideology”, a course of indoctrination in Isis’s party lines expounding on the death and destruction awaiting all those who strayed outside of them. It is a mix of the banal and the horrifying – conjugating verbs and killing the infidels, where early readers learn that “S is for sniper” and “G is for grenade”.
There are mobile apps that teach Arabic by firing mortars at US soldiers. Al Qaeda airlines – the presentation Ayad first saw – is a four-part PowerPoint series with corresponding videos that looks at various attacks including 7/7 and the attack by the “shoe bomber” Richard Reid. An endless cascade of documents, presentations, infographics, print publications, magazines, and educational materials paint a rich picture of life under Isis that is in equal parts humdrum and horrifying.
There are “photo stories”, where Isis photographers meditate on everything from war spoils and prisoners to dentists and doctors under Isis rule. One commemorates a road recently fallen under Isis control, with a series of celebratory captions adorning photos of the road trailing off into a desolate landscape. There are also post-mortem reports on Isis’s mistakes, successes and strategies. Slides on something called “Operation Haemorrhage”, for instance, explain the strategy of inflicting death on the West through a thousand cuts; “with smaller but more frequent operations. The aim is to bleed the enemy to death.”
But authorities will be most concerned about the “Mujahid's Bag’”. That is the name of a large folder of the cache, which brings together training materials on urban warfare, weaponry, strategy, chemical production, and bomb manufacturing, as well as evading and deceiving security services both online and offline. An illustrated guide entitled “200 Tips”, provides would-be attackers with knowledge on hiding weapons, creating rudimentary explosives, disabling surveillance, wound-dressing, and martial arts. This, of course, reflects how Isis’s own training and organisation have been shattered after Mosul, Raqqa and their other urban centres were toppled one by one throughout 2017 and 2018. As their territory shrunk, they started relying much more on self-appointed fighters who may need to self-school in asymmetrical conflict. There are videos on chloroform development, slides on the creation of poison from apricots, and the relative merits and demerits of certain kinds of explosive.
There is little in this storage drive that people immersed in this world could not find elsewhere. The same beheading videos and scenes of death are depressingly available online. Bomb-making manuals and how-to-terror guides are squirrelled away in other archives and stores that Isis’s adherents have created. “Over the years, we have come across many caches of jihadist content - it is actually a staple of the jihadist media operation to have these archives online” says Mina al-Lami, an online Jihadism specialist at BBC Monitoring, a branch of the broadcaster that observes and analyses the global mass media. But “this cache stands out in terms of the size, the amount of the data stored on it, the range of the material and the fact that it's simply been resilient online”.
Stretching deep into the history of radical Islamism, following the twists of fortunes of Isis, it seemed an attempt to store, protect, and treasure the collective memory of a state that didn’t exist anymore. To build a digital monument of a departed reality. But crucially none of this is in the past tense. It continues today.
Ayad disclosed his find to the Metropolitan Police in November 2019, and to the New York Counter-terrorism Prosecutor’s Office shortly after.
The Met acknowledges they have received the referral from the Institute of Strategic Dialogue,. “We do not discuss specific referrals,” they say. “However, every single referral made to the CTIRU (Counter Terrorism Internet Referral Unit) of which there are thousands every year – is assessed by specialist officers and appropriate action is taken. Where material does breach UK terrorism laws, the unit will take steps to get it removed by the host website or platform. In the 12 months May 2018 to April 2019 alone, the CTIRU secured the removal of in excess of 8,000 links to online terrorist content.” The US Attorney's office for the Eastern District of New York declined to comment.
After Ayad’s reports, the cache remained available. It even continued to grow. “Following it turned into a bit of an obsession,” Ayad says. “I’ve watched the shape of it change. The style and design of it change. I can see the folders move.” Now that they were on the inside, Ayad and his colleagues could watch and track all the various attempts to proselytise the storage’s content to the outside world, and keep its message alive.
“This cache exists in a very large, vibrant and active jihadist media landscape” al-Lami explains. At the heart of this effort is a bot set up on Telegram. It sat in a public yet discreet channel, catering to the insiders of Isis’s online propaganda efforts. Like so many things in this world, its existence is passed hand to hand across a web of encrypted chat applications. “Do you want an account?” the bot would ask (in Arabic), once someone arrives. And when prompted, it would generate specific links to the documents in the storage.
These links were the key. “They meant we could track who was sharing what folder and where,” Ayad says. By watching where online they appeared, he could set up a live stakeout of the attempts Isis supporters were making to try to keep their social media presence alive.
Then there are the Twitter accounts featuring links to the cache in their bios, or sometimes even embedded in images. Digital mayflies, these accounts are lucky to survive for a day in the face of Twitter’s enforcement. Isis hijack accounts and try to automatically create new ones at scale, maintaining a constantly regenerating, constantly squished presence on the platform. On Facebook, Ayad found a scattering of micro-networks, small clusters of accounts probably compromised and hijacked by Isis supporters, sometimes used to pump out material related to the cache.
Beyond social media, the cache is also woven into the surviving Isis ecosystem on the open web. One site is a kind of Jihadi Netflix, says Ayad. “It has any of the videos you want. Attack videos, executions, notable speeches.” The site itinerantly bounces around from domain to domain on the internet. Wherever it is, the interface neatly shows metrics for each of the videos. And there, in the comments section, are links to the cache.
Then there is the innocuously named “Muslim News” – which brings together all of Isis’s official content from its once-expansive media operation, which reported on its battlefield successes, speeches, newsletters. There’s a website that brings together the back catalogue of ISIS’ radio station, called Anfal, or war spoils.
Taken together, the efforts to disseminate the cache amount to an advertising campaign of modest but persistent success. According to the traffic statistics platform Similar Web, the storage enjoys around 10,000 unique visitors a month. Whoever they are, it is clear that the cache isn’t the most eye-catching part of this ecosystem. It isn’t the most user-friendly, nor does it have the best graphics. It’s a storage drive, albeit one that blends the unique horrors and brutalities of that fallen regime with the dry, folder-based nature of an archive.
Enormous efforts have been made both by governments and the technology giants to clear Isis off of their platforms, and they face a much more hostile environment online than they did, say, in 2015. Yet counter-terrorism experts, officials, and the tech giants all complain that fighting terrorists online is like a game of whackamole. You hit one part of it, and it pops up somewhere else; before you’ve even raised the mallet, it’s popped up somewhere else too.
“What's really striking is just how easy it is for extremists to spread their propaganda in such an unprecedented way, to an unprecedented number of people” says Sara Khan, who leads the Commission for Countering Extremism, a UK government agency. “As soon as you take down one piece of streaming content or a cache or any material that's been uploaded onto web archives, for example, you find another hundreds gone up. And it's just this constant battle that we're having: the current way of doing this work is just not sustainable.”
Even as everything else moves, is shut down, replenished and rebranded, this corpus of documents stands as a stable resource at the centre. It is how propagandists store, seed, and share content – a core from which they can sally forth to Facebook, Twitter, or any of the other online thoroughfares where they might reach fresh eyeballs. But this isn’t just about day-to-day promotion. Isis’s trove of documents seems to represent something vaster.
How London’s Silicon Roundabout dream turned into a nightmare
The cache had been added to for years but really began in earnest in 2017, as Isis was swept from cities and towns across their former territory: Mosul, then Raqqa, finally Baghouz. Defeat after defeat had chased the militants out of their strongholds. This was exactly when that patch of digital territory became fuller and fuller.
The cache exists as a kind of back-up drive for the so-called Islamic State, a time capsule capturing the moment when Isis stood at the peak of its power, and now monumentalising that moment at a time when that power has been undercut.
Backing up your state isn’t an idea that begins or ends with Isis. A world away, the small Baltic nation of Estonia has also had to contemplate its own demise too. Passed around like a poker chip over the course of its history, Estonia emerged back into independence at the end of the Cold War. Toomas Ilves was one of its early presidents, and he knew that the key to its competitiveness, even survival, was to embrace the digital world.
Estonia pushed service after service, function after function of government onto digital platforms. They digitised the court system, medical prescriptions, and created an e-ambulance service. Pets are digitally registered on the pet registry, houses on the digital land registry. In 2005, Estonia became the first country in the world to allow online voting nationwide. An e- or an i- was put in front of everything: i-Voting, e-Tax, e-Business, e-Ticket, e-School, e-Governance.
All of this led Estonia to two inevitable conclusions. The first was that residency didn’t have to have anything to do with geography. And so in 2014, e-residency was born. For 100 Euros, you could become an e-resident able to access business, use banking, and declare taxes. You do not have to live in Estonia – you don’t even have to have visited Estonia – to work and pay taxes under it.
The second conclusion was that the state itself didn’t necessarily have to be tied to geography either. In 2017, Estonia set up the world’s first “data embassy”. A fortified server closet in Luxembourg, it is technically – as an embassy – on Estonian soil. The point of that server was to ensure “data continuity” in the event of either a crippling cyber attack or a literal, on-the-ground invasion. For the first time in its history, if Estonia were invaded, the state could be rebooted.
Rather than a data closet in Luxembourg, Isis uses a piece of software called Nextcloud. Developed by a German company and with its roots firmly in the open-source movement, Nextcloud is freely available for anyone to download and use, allowing its users to synchronise files across a group in a way that avoids any centralised hosting or control. The control and privacy that this kind of software gives is important to lots of people - from Government ministries and democracy activists to proscribed terrorist organisations.
Nextcloud is software; it is neither a service nor platform in the way that, say, Facebook or Google are, and so not responsible for content that they do not host. This is the brave world of decentralisation: there isn’t a tech giant to pick up the phone and yell at. (Nextcloud declined to comment for this story.)
Like any storage drive, the cache can be copied, and fragments of it are passed across a series of new, old, niche, and cloud-based storage services. Digital territory is far easier to hold and harder to capture than any of its geographic analogues. Decentralisation, federation, and user-control are the key selling-points of a wave of new services that hope to answer their user’s privacy concerns and offer something different from the centralised behemoths of Silicon Valley.
Of course, Isis’s backup has nothing of the cleverness of Estonia’s digitisation of state services. It is just a storage drive, and to say that a storage drive can constitute statehood is a stretch. On the other hand states and pseudo-states can find ways of reproducing some of their form and function – indeed their existence itself – in non-geographic spaces found online.
Isis can continue to offer “‘services”’ – propaganda, support, tutorials – to people across the world that consider themselves its citizens, thanks to its hold of digital territory, even after losing its geographic foothold.
Within the final weeks of this investigation, as this piece was being put together, Moustafa and his team then found another cache, this time by al Qaeda, using another piece of decentralised cloud storage software, OwnCloud – whose German manufacturer shares a founder with Nextcloud. And then another cache, using NextCloud itself, apparently enshrining al Shabaab.
“There is a phrase that’s always associated with terrorists: Baqiya wa tatamadad” Ayad says. It means “remaining and expanding”. The history of terrorism is really one of retreat and resurgence, constant adaptation in the face of pressure and loss.
And this is where we are today: the Cache alive, as far as we know; the struggles continuing, their foothold still there. In the face of pressure, their innovation continues, a scramble from the tech giants to make a new home on decentralised services. They must continue to look ahead, for more tech, more opportunities, more anything that allows them to keep alive their distorted version of the past.
Carl Miller is research director for the Centre for the Analysis of Social Media, at the think tank Demos. He tweets from @carljackmiller. This investigation was produced alongside Shiroma Silva, at BBC Click.