
USA offers $100,000 bounty for alleged Syrian Electronic Army members


March 23, 2016


The US Department of Justice believes it has identified three members of the notorious Syrian Electronic Army, who have in recent years made a name for themselves with their high profile hacks against media organisations, targeted spear-phishing attacks, and redirecting well-known websites to display propaganda in support of the Syrian Government and President Bashar al-Assad.

In a press release, the US government has announced that it is offering a $100,000 reward for information which leads to the arrest of two of the individuals, who are believed to be based in Syria.

According to the Department of Justice, 22-year-old Ahmad Umar Agha, who goes by the online handle of “The Pro,” and Firas Dardar, 27, also known as “The Shadow,” began their activities in the Syrian Electronic Army (SEA) in approximately 2011.

In most cases, the SEA’s activities were not that sophisticated – stealing usernames and passwords through simple phishing attacks, and then using those credentials to hack into email systems, social media accounts, and domain registrars to redirect websites.

According to the US Department of Justice, the group repeatedly targeted the computers and employees of the Executive Office of the President, but never successfully compromised systems there – perhaps because they used less than convincing email addresses such as [email protected].

That’s not to say that the pro-Assad hackers were not successful on many other occasions, however.


Their many past victims included Reuters (whose readers were redirected to a webpage under the SEA’s control, after the group poisoned ads provided by third-party service Taboola), the Washington Post (on more than one occasion) and even Facebook on Mark Zuckerberg’s birthday.



But perhaps one of the group’s most incendiary attacks came on 23 April 2013, when the Syrian Electronic Army managed to compromise the Twitter account of Associated Press.

The message tweeted by the hackers may have only been 12 words long, but when Associated Press’s two million followers read it the impact was dramatic.

The tweet read:

“Breaking: Two explosions in the White House and Barack Obama is injured”


It wasn’t true, of course, but that didn’t stop the Dow Jones Industrial Average temporarily plummeting, wiping a staggering $136 billion off the stock market.

Fortunately, in just a few minutes, people realised that the news alert was bogus – and the stock market recovered. But it’s one of the clearest examples ever of how even a simple phishing attack against a trusted source of information can result in mayhem.

It is little wonder then that the FBI added the Syrian Electronic Army to its “wanted list”, and experts in the computer security industry began to show an interest in unmasking their true identities.


What I found particularly interesting is how the American authorities appear to have identified Agha and his cronies.

The FBI raised search warrants for two Gmail accounts used by the group – th3pr0123[at]gmail.com and seatheshadow[at]gmail.com – as well as social media accounts such as LinkedIn, Twitter and Facebook.

Foolishly, but fortunately for the authorities, on April 28 2013 an email was sent from the th3pr0123 Gmail account containing images of ID documents. The name on the document was Ahmad Umar Agha and it helpfully had his photograph on it too.

A few weeks before he had used the same account to send images of himself at a wedding.

Additionally, on a number of occasions it appears that messages were sent by alleged members of the Syrian Electronic Army without taking proper precautions to keep their IP address private.

Further digging by the authorities uncovered similar emails sent by “The Shadow”, including ID documents and images of Firas Dardar, amongst other pieces of evidence that pointed the finger of suspicion towards the alleged hackers.

A third alleged member of the Syrian Electronic Army, 36-year-old Peter Romar, has been charged with more hacking offences alongside Dardar, together with accusations that he was involved in wire fraud and in extorting money from hacking victims.

It seems that hackers are just as capable of making mistakes regarding maintaining their privacy online as the rest of us. Perhaps there is a lesson for those of us who are law-abiding to learn from the mistakes made by others.

Of course, whether US law enforcement will ever be able to collar the suspected members of the Syrian Electronic Army is another matter entirely… It’s hardly likely at the moment that Syria is going to feel comfortable allowing American agents to grab the alleged hackers.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
