Posts Tagged: Mohamad Abd AlKarem

Aug 13

Who Built the Syrian Electronic Army?

A hacking group calling itself the Syrian Electronic Army (SEA) has been getting an unusual amount of press lately, most recently after hijacking the Web sites of The New York Times and The Washington Post, among others. But surprisingly little light has been shed on the individuals behind these headline-grabbing attacks. Beginning today, I’ll be taking a closer look at this organization, starting with one of the group’s core architects.

Earlier this year I reported that — in apparent observation of international trade sanctions against Syria — Network Solutions LLC. and its parent firm had seized hundreds of domains belonging to various Syrian entities. Among the domains caught in that action were several sites belonging to the SEA.

At the time, the SEA had a majority of its sites hosted at Internet addresses belonging to the Syrian Computer Society, an organization considered to have been a precursor to the SEA and one that was previously headed by Syrian President Bashar al-Assad. Following the domain seizures, the SEA was forced to find new homes for their domains. Soon enough, the group moved its domains and to a host in Russia (no doubt adding further chill to already frigid US-Russia relations vis-a-vis Syria).

Sometime during that transition period, the SEA’s main Web site got hacked. As in…completely owned. According to one confidential source, the attacker(s) gained access to the virtual servers that hosted the SEA’s site and downloaded the entire user database for and Shockingly (or perhaps less so for many security researchers who’ve dismissed the SEA as mostly a group of tenacious but relatively unskilled hackers), many of the top members re-used the passwords they picked for their accounts at their Hotmail, MSN and Outlook email accounts.

A snippet from the hacked database from

A snippet from the hacked database from In the third column are plain-text passwords.

In nearly any dump of a Web site user database, it’s generally safe to assume that the first few users listed are founders and administrators of the site. In the hacked database, for example, we can see that the first two usernames in the table are “admin” and “admin2.” Admin2’s email address is listed as The last entry in the database is April 19, 2013, just a few days after began seizing domain names in its stable with the “.sy” designation.

A Google search on that email address reveals its ties to the SEA, and shows that the account was in 2010 tied to a now-abandoned user named “SyRiAn_34G13” (leet-speak for “Syrian Eagle”). A reverse WHOIS search at on the address shows that it was used in Feb. 2011 to register a site called is no longer active (perhaps because it was hacked and defaced in May 2012 by other script kiddies), but thanks to the Wayback Machine at the indispensable Internet Archive, we can see the site lists as its creator a 23-year-old “virtuoso web designer” named Mohammed from Damascus, Syria. Mohammed says he is a senior front end developer at a firm in Damascus called Flex Solutions. Mohammed reveals that his last name is “Osman” when he links to his Facebook and DeviantART accounts, as well as his Gmail address ( That same Gmail account is also used for another account in the database: يوزر – which Google translates to “Yoezer”  “User” and used the password “963100”.

Continue reading →