In July, a threat emerged from an ISIS-associated Twitter account with few followers. The account alluded to an upcoming terror attack at a beach resort in Tunisia. Just a month before, a similar attack left 38 dead.
It may have gone undetected if it weren’t for a rogue hacker group called Ghost Security Group.
The group, which is made up of counterintelligence officials and computer specialists, had been monitoring the Twitter account for a month. While the under-the-radar account only had a handful of followers, many of them were high-profile ISIS members.
The hacktivist group immediately looked for intelligence contractors who could relay the info to the authorities. They found terrorist analyst Michael S. Smith II through Twitter. Smith, who works at defense consulting firm Kronos Advisory, serves as a counterterrorism adviser to members of Congress and was responsive to Ghost Security. He became the group’s conduit to authorities.
According to Smith, investigators used Ghost Security’s info to identify a target site, who they were targeting, and how they would execute the attack. The investigation ended with the arrest of more than a dozen terror suspects, Smith said.
“Without a doubt, this group has saved lives. At least into the dozens,” Smith told CNNMoney. “There are people working in the national security community in the United States, Europe, the Middle East … who will never be credited with that.”
FBI Director James Comey has repeatedly said that ISIS’ use of social media is unprecedented in terms of how aggressively it engages with people in the West. Its members are essentially overwhelming the system, Smith said, which means there’s room for outside support from groups like Global Security.
But in order for these groups to be effective, they have to coordinate with those who “have the mandates … to find, finish and fix the enemy,” said Smith. (The FBI would not comment on Ghost Security’s involvement in digitally tracking terrorists.)
Related: Top questions asked on the ISIS help desk
Ghost Security differentiates itself from the vast and often disjointed hacktivist collective Anonymous, which has also declared war on ISIS and claims to have taken down pro-ISIS Twitter accounts. A handful of members were previously part of Anonymous, including one of the leaders, who goes by the name “DigitaShadow.” He says Ghost Security is small and more focused.
“We have structure and leadership,” he told CNNMoney. “We also have a lot of counterterrorism experience. We have translators, linguists, research analysts on hand to analyze all the data that we receive.”
DigitaShadow has taken on the role of executive director and helps organize and assign tasks to the 14 members of Ghost Security who are scattered around the world. He also provides electronic equipment for the group. Ghost Security also works with another group, CtrlSec, which helps monitor the social media of terrorists.
Ghost Security was formed following the Charlie Hebdo attacks in Paris last January. DigitaShadow said it’s a full time job for the members, who are scattered around the world. Even though they’re just volunteers, they work an average of 16 hours a day.
“We realized for the first time, you could be [attacked] in the streets of Paris and attacked in [your] hometown in America,” DigitaShadow said. “Everybody could become a victim. So we wanted to do what we could to help slow them down.”
Related: Terrorists hide plans by ‘going dark’
DigitaShadow says Ghost Security has taken down 149 Islamic State propaganda sites, 110,000 social media accounts, and over 6,000 propaganda videos since it formed. Following the most recent attacks in Paris, the crew is trying to gather intel on the attackers’ digital footprints and identify social media accounts involved in the attacks. (CNN could not independently confirm this information.)
Ghost Security claims to have created automated software that identifies ISIS social media accounts. DigitaShadow says the collective has also infiltrated private ISIS communications, taken over ISIS social media accounts and pulled IP information to help identify and locate ISIS members. Ghost Security is primarily focused on bringing down ISIS, but they also target other Islamic extremists.
According to Smith, the group also identified and traced two brothers in Saudi Arabia who filmed themselves executing someone to demonstrate their support for ISIS. The group was able to take control of the Twitter account that uploaded the execution video and find information about the mobile device, which allowed authorities to locate the killers. (The two brothers were killed before U.S. intelligence acted on the information, according to Smith.)
After connecting with Smith this summer and funneling information to officials, the group changed some of its tactics to operate more lawfully — it now sees itself as gathering valuable data to send to authorities. While Smith says operations are done legally, there’s a fine line.
“Is hacking illegal? Absolutely,” DigitaShadow said. “Is fighting ISIS to try to stop threats and stop their propaganda — would that be considered illegal? It falls into a giant gray area.”
The Ghost Security team is working around the clock. They aren’t compensated but do receive some bitcoin donations.
Despite struggling to make ends meet, DigitaShadow says they won’t stop.
“If we were to stop now, lives would be at risk. It’s not a choice, it’s more of a way of life for us now.”