Web Intelligence

Monitoring Riots on the Deep Web: A Case Study Using Lunar

Monitoring Riots on the Deep Web: A Case Study Using Lunar

In today’s digitally interconnected landscape, the coordination of riots, from planning to execution, often unfolds within the confines of chat applications. These riots cause significant disruptions to public order and safety, threatening the stability of communities and inciting fear among residents. Moreover, they lead to substantial economic losses, property damage, and sometimes even loss of life. We conducted a query on Lunar, our deep and dark web monitoring tool, to explore this phenomenon. Over the last month, 70.5% of the posts originated from chat applications, with Telegram emerging as a primary platform for such activities:

Top sources with riot-related content

 This article delves into a case study concerning the riot at Makhachkala Uytash Airport in Dagestan, where extremist Islamics stormed the airport following a Tel Aviv-bound flight on October 29th. In this case study we will demonstrate how to use Lunar, our dark-deep monitoring tool, to monitor and glean actionable insights from such events, aiding governmental and law enforcement entities in proactive riot preparation and response.

Case Study: The Riot at Makhachkala Uytash Airport, Dagestan

This case study will examine Lunar’s role in monitoring riots and events that police face daily. Government agencies and law enforcement can use the intelligence found on the deep and dark web as complementary information for better preparation.

Gaining relevant and actionable insights from Lunar to help prevent events like the riot at Makhachkala Uytash Airport involves three phases:

Phase one: Discovery

In the initial phase, we employed Lunar to locate sources housing discussions on radical topics within extremist groups in Russia. We executed a search query that incorporated various radical keywords, such as “anarchy”, “rebellion”, “protest”, and “demonstrations.” We also applied several filters, including the external links filter. These steps allowed us to identify a post with an invite link to a channel containing indications that users are planning extremist riots. 

Screenshot of a post from Lunar where we found the invite link to a new Telegram channel containing risk indicators of new violent riots
Screenshot of a post from Lunar where we found the invite link to a new Telegram channel containing risk indicators of new violent riots

Upon entering the channel, we discovered a heated discussion among extremist Islamic members. Notably, the channel’s admin had pinned a message outlining details of a specific riot, including the designated gathering time of 21:00 local time.

Screenshot from the Telegram channel where the riot was planned
Screenshot from the Telegram channel where the riot was planned

Phase two: Investigation

Having pinpointed the channel mentioned above as a focal point for riot planning, we added it to our coverage and intensified our investigation using Lunar. We aimed to unearth more comprehensive data regarding the planned Makhachkala Uytash Airport riot and its orchestrators.

During our inquiry, we stumbled upon a screenshot of a chat showcasing the recruitment tactics employed by these group members. It vividly illustrated how members were enticed with promises of payment for their participation in the planned activities.

A screenshot of a private chat that shows how they recruit members for their activities
A screenshot of a private chat that shows how they recruit members for their activities

Additionally, we were able to uncover potential identifiers of individuals possibly linked to this riot, which include their names.

Screenshot of a member that can be linked to the riot (originally including his name)
Screenshot of a member that can be linked to the riot (originally including his name)

Expanding our investigation, we discovered additional closed Telegram groups discussing the riot, some of which engaged in conversations featuring anti-Semitic themes.

Screenshot from a closed Telegram group providing further details about the riot, alongside discussions involving anti-Semitic themes
Screenshot from a closed Telegram group providing further details about the riot, alongside discussions involving anti-Semitic themes

Phase three: Monitoring

Using Lunar, we created an alert to monitor these groups and channels in order to find data regarding upcoming events and invite links for associated new sources. Lunar lets you set alerts based on predefined queries, ensuring you remain on top of any potential threats or risky events. You can also set a time range, specifying how often you receive notifications and their priority.

Screenshot from the new channel that was opened to replace the closed channel
Screenshot from the new channel that was opened to replace the closed channel

Following the riot, Telegram shut down the channel promoting it. However, we identified a new channel as a replacement. We promptly updated our alert system to include this new channel, enabling us to gather intelligence and seek indications of forthcoming events.

Predict and prepare for emerging threats with Lunar

The deep web and dark web serve as primary arenas for extremists to coordinate and incite riots. The case of the Makhachkala Uytash Airport riot represents just one facet of a larger trend observed in deep and dark web circles. Governments and law enforcement agencies need tools like Lunar that help them predict, investigate, and mitigate emerging threats, whether they manifest in cyberspace or as physical disturbances like riots. With Lunar, organizations can take proactive steps to ensure the safety and security of local communities and prevent substantial damage from the actions of threat actors.

Yhonatan Harari
Yhonatan Harari

Cyber Analyst

Spread the News

Not subscribed to our Dark Web Pulse updates?

By submitting you agree to Webz.io's Privacy Policy and further marketing communications.

Feed Your Machines the Data They Need

Feed Your Machines the Data They Need

GET STARTED

Don't be the last one to know!

Chances are your compromised data is already traded on the dark web.
Ready to discover them and protect your business?

Ready to Explore Web Data at Scale?

Speak with a data expert to learn more about Webz.io’s solutions
Create your API account and get instant access to millions of web sources