The IP Spy Files: How Bahrain's Government Silences Anonymous Online Dissent

"No one in Bahrain is prosecuted for their opinions. That is everyone’s right." Hamad bin Isa Al-Khalifa, King of Bahrain
"People think that they are unreachable using anonymous accounts ... but it has never been easier finding them." Fawaz Alsumaim, MoI Cyber Crime Unit

Al Jazeera headline on Bahrain Twitter cases

Since October 2012, Bahrain’s government has jailed eleven netizens for allegedly writing anonymous Tweets that refer to Bahrain’s King Hamad using terms such as “dictator” (الطاغية) or “fallen one” (الساقط). The Government contends that such Tweets run afoul of Bahrain’s penal code, which prohibits “offending the Amir.” The present report, which is based on an eight-month investigation we conducted, shows that the Government apparently identified these individuals by sending the anonymous accounts malicious IP spy links from a network of Twitter and Facebook accounts impersonating well-known opposition figures or other seemingly friendly individuals.

When a netizen clicks on an IP spy link, they reveal the IP (Internet Protocol) address of the internet connection they clicked from. The Government can then compel the internet service provider of the IP address to disclose the real name and street address of that internet connection’s subscriber. Armed with a street address, the Government can conduct house raids, searches, and arrests. At trial, the Government links the subscriber’s IP address to the account, citing “secret evidence.” While the netizen is in jail, the Government apparently accesses their online accounts, and may target followers, friends, or contacts via private messages.

As we illustrate, using IP spy links to identify the author of a Tweet is unreliable: individuals other than the author can click on the IP spy link, and the link can be clicked from an internet connection not registered in the author’s name. In at least one case, an individual with no affiliation to the anonymous account in question was accused, convicted, and sentenced to prison; he was the subscriber of an internet connection that someone else used to click on an IP spy link sent to the account. The consequences of clicking do not always include jail time: some have lost their jobs, or suffered intimidation, house raids, or beatings because they were identified as the authors of anonymous Tweets that their employers or the Government found offensive. In all, our investigation identifies more than 120 accounts, both pro- and anti-Government, that were targeted with IP spy links traceable to the Government. In many of these cases, the Government has apparently not yet acted on information received from these links. By and large, the ostensible design of the Government’s IP spy campaign is to silence anonymous online dissent.

Executive Summary

Many people who are politically active in Bahrain conceal their true identity online to avoid reprisals or prosecution for criticizing the Government. Unsurprisingly, the Government wants to unmask these anonymous netizens. Since September 2011 or earlier, Bahrain’s Government has been targeting anonymous social media accounts, apparently in an effort to identify their operators. The Government targets accounts using malicious links and social engineering. It appears that the Ministry of Interior’s Cyber Crime Unit is orchestrating the attack. Victims receive malicious links from dozens of online accounts designed to appear legitimate: for example, an account named @Ali_Salman_, which impersonates the Secretary General of Bahrain’s largest licensed opposition party Al-Wefaq, and an account named @QamrAlKhalifa, a fake member of the Al-Khalifa ruling family. In some cases, the accounts are designed to impersonate the friends of a target: for example, the attackers created an account, @aIboflasa, to impersonate @alboflasa, a former army officer who became Bahrain’s first political prisoner after speaking at the Pearl Roundabout. The Government also sends malicious links through Facebook, e-mail, and likely via other services including YouTube, InstaMessage, and mobile messaging services including BlackBerry Messenger and WhatsApp. This attack puts the Cyber Crime Unit in the position of advising against “trusting strangers on social media networks,” while at the same time apparently exploiting this trust to compromise users.
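As an added example (not part of the original report, and not Bahrain Watch's own tooling), the following Python check flags a handle that reads like a trusted contact's, using the @aIboflasa / @alboflasa pair described above. The confusable-glyph table, the underscore stripping, the edit-distance threshold, and all function names are assumptions chosen for illustration.

```python
import unicodedata

# Constructed, deliberately small table of glyphs that are easy to mistake for
# one another in the sans-serif fonts used by social media clients.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})


def canonical(handle: str) -> str:
    """Account identity: handles are compared case-insensitively."""
    return handle.lstrip("@").lower()


def skeleton(handle: str) -> str:
    """Approximate what a reader sees when skimming a mention."""
    shown = unicodedata.normalize("NFKC", handle.lstrip("@"))
    shown = shown.translate(CONFUSABLE)        # applied to the displayed casing
    shown = shown.lower().replace("_", "")     # padding underscores are easy to miss
    return shown.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(candidate: str, trusted: list, max_edits: int = 1) -> tuple:
    """Compare a sender's handle against handles the recipient already trusts.

    Returns (verdict, matched_handle) where verdict is one of
    'same-account', 'lookalike', 'near-miss' or 'unrelated'.
    """
    cand_id, cand_skel = canonical(candidate), skeleton(candidate)
    # Same identity, possibly displayed with different casing: not an impostor.
    for known in trusted:
        if canonical(known) == cand_id:
            return ("same-account", canonical(known))
    for known in trusted:
        known_skel = skeleton(known)
        if cand_skel == known_skel:
            return ("lookalike", canonical(known))
        # Short handles collide by chance, so only fuzzy-match longer ones.
        if len(known_skel) >= 6 and edit_distance(cand_skel, known_skel) <= max_edits:
            return ("near-miss", canonical(known))
    return ("unrelated", None)


if __name__ == "__main__":
    trusted = ["@alboflasa"]                 # handle named in the report
    senders = [
        "@aIboflasa",                        # impersonating handle named in the report
        "@alboflasa_",                       # constructed: trailing-underscore variant
        "@alboflassa",                       # constructed: one extra letter
        "@BAHRAINDOCTOR",                    # unrelated handle from the report
    ]
    for s in senders:
        print(s, classify(s, trusted))
```

A "lookalike" or "near-miss" verdict on an account that sends a link is a reason to verify the sender through another channel before opening anything.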

Some of the malicious links sent by the Government are phishing links or links to what appears to be spyware. However, the vast majority of the links are designed to reveal the IP address of the internet connection used to open the link. When an individual connects to the internet on their computer or phone, they are temporarily assigned an IP address by the phone company or internet provider whose service they are using (e.g., Batelco, Zain, or Menatelecom). Bahraini law requires that every time an IP address is assigned, the internet service provider must record the name of the subscriber of the internet connection, as well as the date and time. This information must be preserved for at least one year, and the security forces must be able to directly access this information at any time.

The Government apparently discovers an IP address by using various freely available IP Spy services. The services provide an easy three-step process for “locat[ing] your target:” first, you generate a link, then, you send it to your “victim,” who clicks on it, and finally, you receive an IP address via e-mail.

These are the freely available IP Spy services that the Government apparently uses to unmask activists.

Typically, each anonymous account is targeted with a unique IP spy link. When someone clicks on one of these links, the Government receives the IP address of the internet connection used to open the link, and can request the name and address of the internet subscriber. However, this process does not reliably identify the author of an anonymous message. The author is correctly identified only if (1) the individual who clicked is the author of the anonymous message, and (2) the author clicked on the link while using an internet connection registered in their name (e.g., their personal 3G or home DSL service). However, these assumptions are not necessarily valid. Often, the attackers send links using mentions on Twitter; a user is alerted when they are mentioned in a Tweet, but that Tweet is also publicly visible. The attackers likely use this strategy because they do not have access to accounts that are friends of their desired targets; Twitter only allows an account to send private messages to its followers. Because Twitter mentions are public, people other than the intended target can see the IP spy links, and may click on them. Thus, the Government may receive the IP addresses of these people, who are not associated with the anonymous Tweet or the targeted account. We identify more than 120 cases where a Government account targeted a Twitter account with an IP spy link using a public mention. In these cases, an individual not associated with the targeted account may have clicked on the link. Even if an operator of the account clicks on the link, he may not be the author of the anonymous message; many targeted accounts have multiple operators.

Our report shows that in some cases, the Government infiltrates activist social networks by secretly accessing Twitter accounts while their operators are in prison. This allows the Government to privately target any of these accounts’ friends or followers without arousing suspicion. However, even if the Government’s targeting is perfect and the author of the message clicks on the link, they may do so while using a friend’s internet connection, or a public wi-fi access point. In this case, the Government would receive an IP address of someone not associated with the targeted account. In fact, the Cyber Crime Unit issued a recent warning that public wi-fi access points could be used to blackmail their operators. They remarked that this type of wi-fi is prevalent all across the island: “There are scores of open wireless connections from Manama to Riffa.”

Despite the unreliability of this IP Spy method in identifying the authors of anonymous messages, the Government appears to be relying on it to persecute and prosecute. Some anonymous users who have clicked on these links have been subjected to house raids, beatings, arrests, account hacking, and dismissal from their jobs. Some have been convicted in court and sentenced to jail for Tweeting. In many cases, the consequences that these individuals have suffered are apparently a direct result of them having clicked on IP spy links. Some who have been arrested in these cases report that during interrogation, they saw or were shown papers from their internet service provider. Several technically savvy individuals described the papers as showing an IP address and a date and time. Others claim interrogators explained that the papers proved they were guilty of operating their anonymous accounts, and demanded their confession on that basis.

In at least one case, an operator of an anonymous Twitter account clicked on an IP spy link using someone else’s internet connection; the subscriber of the connection was jailed for operating the account despite having no connection to it.

The Government’s IP spy attack has targeted journalists, labor unions, human rights groups, activists, licensed opposition groups, parody accounts, whistleblowers, Sunni groups, vigilantes, and even residents opposed to the seizure of their homes to build a government housing project. We highlight several cases of victims of this attack:

  • Ali Faisal Al-Shufa is a 17-year-old student currently serving one year in prison for allegedly insulting the King using the @alkawarahnews account. The Public Prosecution claims it linked his IP address to the account on 9 December 2012. Around this time, the Facebook account linked to the Twitter account was targeted with an IP spy link via private message.
  • Ammar Makki Mohammed Al-Aali is a teacher currently serving one year in prison for allegedly insulting the King through the @14Feb_Tube account. During cross-examination at trial, Fawaz Al-Sumaim of the Cyber Crime Unit stated that the Unit had obtained Ammar’s IP address through “a private way I cannot reveal.” It appeared as though the Government might be operating the account after his arrest.
  • M was one of the operators of an anonymous village news account on Twitter. M received and clicked on an IP spy link in the Facebook account linked to the Twitter account, while connected through wi-fi belonging to one of the houses in the village. That house was raided three months later by police. Police failed to find a phone or laptop with the account open, and arrested the eldest son in the house, even though he was not associated with the account.
  • Salman Darwish was arrested from his home in East Riffa on 16 October 2012, and served one month in prison for allegedly insulting the King using an anonymous Twitter account. His family reported that police extracted a confession from him after a 27-hour interrogation during which they prevented him from drinking, eating, or using the bathroom. The Government apparently took an interest in his account two months prior to his arrest, and may have targeted him via direct message.
  • Mahdi al-Basri is a lawyer whose internet connection was used to send Tweets that the Government viewed as insulting to the King from the @karranah14 account. One of the account operators recalled receiving and clicking on a suspicious link in the past while using an internet connection registered to Mahdi. Mahdi was convicted of sending the Tweets, and is currently serving one year in prison.
  • Sami Abdulaziz Hassan is the leader of a trade union at Japanese engineering firm Yokogawa Middle East. He was sacked from his job in early 2013 after he was identified as the author of anonymous Tweets exposing alleged labor law violations by his employer. His Twitter account was targeted with IP spy links sent publicly via mentions. His company had filed a complaint about the Twitter account with Bahrain’s police.

We also highlight the following interesting cases of Twitter accounts that were targeted, even though we are unaware of any real-world consequences thus far:

  • Twitter accounts advocating for labor issues, including @Garamco_dismisse, and @BAS_OPPRESSED.
  • Parody accounts for high-ranking Government officials, including @SheikhKhalifaPM, @RashedKhalifa, @TariqAlHassan, and @Samorarajab.
  • An account instrumental in challenging dubious official government stories about individuals killed by security forces, @BAHRAINDOCTOR. She was threatened with arrest, after a friend clicked on an IP spy link sent to her.
  • A prominent translator of news from Bahrain into French, with connections in the French media, @BrokenAngel077. An IP spy account said that he had obtained her information, and threatened to “break” her “part by part” unless she agreed to stop Tweeting.
  • An account that Tweeted information about Government surveillance programs, and the names of policemen allegedly responsible for abusing detainees in custody, @The_Cheaters1. He noticed initial attempts to target him, but may have eventually been identified.
  • An anti-Government account, @mn9oreen_bh. An IP spy account allegedly sent him a link; after @mn9oreen_bh opened it from his phone, the account requested that he open it from his laptop, because it was not possible to spy on his phone.
  • Pro-Government residents whose homes may be seized to develop a Government housing project, including @DR3_AL7OORA, @hoora318, and @FYOUSIF00.
  • A member of the Saudi ruling family and the wife of a son of Bahrain’s King, @SahabAbdullah8, may have been targeted. An IP spy account appeared to stop a cyber blackmail attempt against Sahab, and then requested her help via direct message.
  • Sunni activists and groups, including the 30 December Movement, and a member of the Al-Fateh Youth Coalition.
  • A notorious vigilante account allegedly operated by a member of Bahrain’s ruling family, @mnarfezhom. The Cyber Crime Unit confirmed it had opened an investigation into the account after a complaint was filed accusing @mnarfezhom of defaming high-ranking politicians.

We also issue urgent guidelines to operators of anonymous accounts on how to minimize the chance of their identity being revealed via this type of attack.

Twitter Arrests

In the past year, at least 11 people have been imprisoned and charged with insulting the King on Twitter, according to media reports. They have been sentenced to periods ranging from 1 to 12 months for violating Article 214 of the Penal Code, which proscribes offending the King. We have compiled the following partial list of those convicted in such cases.

Date of Sentencing | Name | Twitter Account | Jail Time
1 November 2012 | Abdullah Al-Hashemi | ? | 6 months
5 November 2012 | Salman Darwish | @JehadAbdulla | 1 month
5 November 2012 | Ali Mohamed Watheqi | ? | 4 months
13 November 2012 | Ali Al-Haiki | ? | 4 months
11 December 2012 | ? | ? | 4 months
15 May 2013 | Hassan Abdali Isa | @AboHamzah_BH | 1 year
15 May 2013 | Mohsen Abdali Isa | @Abu_Haider | 1 year
15 May 2013 | Ammar Makki Mohammed Al-Aali | @14Feb_Tube | 1 year
15 May 2013 | Mahmood Abdul-Majeed Abdulla Al-Jamri | ? | 1 year
15 May 2013 | Mahdi Ebrahim Al-Basri | @karranah14 | 1 year
25 June 2013 | Ali Faisal Al-Shufa | @alkawarahnews | 1 year

We looked at the legal documents for some of these cases, and talked to the lawyers involved. Some of the lawyers we contacted were unwilling to publish the legal documents, fearing retribution. We make the following broad observations from the documents:

  • It appears the accusations are referring to Tweets made via anonymous accounts.
  • At trial, the Public Prosecution’s case rests on “secret evidence” used by the Cyber Crime Unit to link the defendant’s IP address to the anonymous account. The defense argued that this does not constitute proof that the defendant authored the tweets in question. This argument was rejected.
  • When the defense requested information on how the IP address was obtained by the Ministry of Interior, the requests were declined.
  • The defense argued that a warrant is required to obtain the personally identifying information associated with an IP address.
  • In several cases, the defense noted that the anonymous account allegedly operated by the defendant remained active even while they were in prison. The defense argued that the continued activity implied that others could have published the offensive Tweets. This argument was rejected.
  • Lawyers requested copies of communications between the Ministry of Interior and internet service providers, as well as copies of search warrants, but often did not receive these items.

We received further information that two of the defendants were allegedly mistreated to extract confessions. For example, Ammar Makki says he was taken to a room with dogs and threatened with torture if he did not sign a paper affirming that he ran the account.

We provide an overview of some of these cases in more detail.

Case: Ali Faisal Al-Shufa

Date of Arrest: 12 March 2013
Date of Sentencing: 25 June 2013
Accused of Tweeting: Various Tweets referring to Bahrain’s King as a “dictator/tyrant” (الطاغية) and “fallen one/illegitimate” (الساقط).
Linked to Account: @alkawarahnews
Targeted with IP spy links? The Facebook account linked to @alkawarahnews was targeted with at least one IP spy link.
Clicked on IP Spy link? No information.
IP address linked to account at time of click? Documents filed by the Public Prosecutor show that an IP address was linked to the account on 9 December 2012.
Suffered consequences? Ali is serving one year in prison.

Ali Faisal Al-Shufa is a 17-year-old student currently serving one year in prison for allegedly insulting the King using the @alkawarahnews account. We obtained the files for Ali’s court case, and publish selected excerpts below.

A letter from the Ministry of Interior describes how Ali was linked to the account:

Investigations were conducted into a number of Twitter users who are insulting His Majesty the King by spreading insulting terms through their accounts that are followed by a large number of Twitter users. Through these investigations we came across one of those individuals and it is the user of (@alkawarahnews) using protocol number from Batelco on [9 December 2012]. After receiving permission from the Public Prosecutor to gain information about the user of the protocol number, we found that the user is registered under the name of Faisal Ali Ibrahim Mohammed Al Shufa. Through the investigations that we conducted it is clear that the person running the account is the named person’s son Ali Faisal Ali Ibrahim Al Shufa. The individual is spreading tweets insulting His Majesty the King, such as “Al Kawarah/ Burning images of the dictator Hamad…” and “the mercenaries of the fallen Hamad are violently suppressing now…”

The Public Prosecution ordered that Ali be detained after his arrest. During this time Ali’s lawyer attempted to argue that Ali’s detention would negatively affect his studies, because of his young age. The Public Prosecution also ordered Ali’s electronic devices seized and sent to the Ministry of Interior for testing. The reason given for the detention and seizure was that Ali had “publicly insulted the country’s King through publishing terms through the social networking site Twitter,” from 2011 to 2012. The equipment seized included a Blackberry 9900 and a HP laptop. The Interior Ministry obtained the following information from Ali’s phone and laptop:

  • Internet search history
  • Twitter and Facebook login information
  • Images
  • Email addresses
  • Contacts and text messages

The Ministry of Interior Cyber Crime Unit interrogated Ali, and when asked about his charges, Ali responded:

I would like to inform you that I opened the Twitter account (@alkawarahnews) to spread news of events in the village (Kawarah) and the situation in Bahrain, I began to spread Tweets on the clashes that occurred there…I was tricked by the revolution and believed the rumors of bringing mercenaries from the outside to suppress protesters, kill them and torture them, however I found out that these are untrue.

The Public Prosecution also interrogated Ali. The following is the transcript:

Q: What are the details of your confession?
A: I opened the Twitter account (@alkawarahnews) in March 2011 and in the beginning was spreading news about events that occurred in Kawarah such as weddings and religious festivities and after that I began to spread news of protests that occurred in Bahrain. I also took Tweets from other accounts and Tweeted them myself including terms like (trickster Hamad, dictator Hamad). I did not write these terms myself but copied them from other accounts and pasted them through my own account on Twitter.

Q: When did this occur?
A: I do not remember exactly but I think it was around July 2012.

Q: How were you arrested and summoned?
A: The police came to my house on [12 March 2013] around 2AM and they took me to be investigated, recorded what I said, and brought me to you today.

Q: How long have you been connected to the Internet?
A: I have been using the Internet for a long time, using my personal laptop for personal things and also using my phone to run my personal Twitter account.

Q: What is the display image shown in the account?
A: It is the body of the Pearl Roundabout with wings and a red background with Arabic writing on it saying “Al Kawarah Media Network,” and I made this image.

Q: How many people follow your account?
A: Around 9 thousand, I don’t know.

Q: What is your relationship to them?
A: I don’t know any of them.

Q: How many tweets did your account publish?
A: I don’t remember exactly, around 10 thousand.

Q: What are the terms used in those tweets?
A: Like I said the Tweets were about news from Al Kawarah village but then I published tweets about the demonstrations that were taking place in Bahrain, specifically in Al Kawarah, and some of those Tweets insulted his majesty the King such as (dictator Hamad, the fallen Hamad).

Q: And whom did you mean by those terms?
A: His Majesty the King Hamad Bin Isa.

Q: How do you publish these tweets?
A: I use my mobile phone where I copy them from other accounts and publish them through my own.

Q: What is the reason for using # in those tweets?
A: I use this symbol so the news can be published in accounts such as #bahrain, #14feb.

Q: How many tweets used those terms?
A: I don’t remember exactly, around 5 or 6 tweets.

We contacted @alkawarahnews, who reported receiving two suspicious links around December 2012. One link was from “Red Sky” (, and one was from “Save Bah” (

Case: Ammar Makki Mohammed Al-Aali

Date of Arrest: 12 March 2013
Date of Sentencing: 15 May 2013
Accused of Tweeting: No information.
Linked to Account: @14Feb_Tube
Targeted with IP spy links? The Facebook account linked to the Twitter account is friends with a known IP spy account.
Clicked on IP Spy link? No information.
IP address linked to account at time of click? No information.
Suffered consequences? Ammar is serving 1 year in prison. The @14Feb_Tube account may have been operated by the Government after Ammar’s arrest.

Ammar Makki Mohammed Al-Aali is a teacher currently serving one year in prison for allegedly insulting the King using the @14Feb_Tube account. Bahrain Watch obtained a portion of the defense’s cross-examination of Lieutenant Fawaz Al-Sumaim of the Cyber Crime Unit. We translate the relevant portion below.

Defense: What information do you have about the case?
Fawaz: Through our daily work monitoring social media and Twitter, we discovered an account that was making verbal defamations against His Majesty the King. Based on this, we carried out the necessary investigation to ascertain the identity of the owner of the account. Our investigation uncovered that the owner is Ammar Al-Aali. We then opened a case file with this information and sent it to the Public Prosecution to get an arrest warrant and a warrant to search his house to obtain the equipment that was used to carry out this crime. After obtaining permission, a police force unit was sent to arrest the defendant and his equipment from his house, who were then accompanied to the department, and a case file was opened to record his statements and confession that he registered the account in question, and that he insulted the King, and that he registered other accounts not mentioned in the file, which were used for the same purposes, to insult the King, in the way described in the file.

Defense: What kind of investigation did you carry out?
Fawaz: It is a secret investigation.

Defense: What was the content of the investigation?
Fawaz: The investigation is a way to get to the user of the account used to insult the King, by finding out the IP address, which determines the identity of the person using the internet line to open the account.

Defense: How do you get the IP address?
Fawaz: Through a private method of our department that cannot be disclosed.

Defense: Did the defendant write the tweet insulting the King?
Fawaz: Yes.

Defense: Did you continue monitoring the account after the defendant was arrested to see that it was continuing to post tweets that were insulting to his Majesty, the King?
Fawaz: That issue isn’t my specialisation.

The Facebook page linked to @14Feb_Tube was friends with a Government account, Amal Al-Shareef (

On 13 May 2013 -- more than two months after his arrest -- the account Ammar was accused of operating retweeted this video. The tweet no longer appears on his account.

While monitoring @14Feb_Tube, Bahrain Watch noticed that the account appeared to suddenly become active again in early July 2013. Bahrain Watch reported the account to Twitter as a possible victim of account hacking. Bahrain Watch noticed that the account had been suspended on 16 July 2013.

Case: M

Date of Arrest: 12 March 2013
Date of Sentencing: Case was dropped after arrest.
Accused of Tweeting: “Oh Hamad Oh cursed one/you are damned” (يا حمد يا ملعون / ملعون أنت يا حمد)
Linked to Account: A village news account.
Targeted with IP spy links? The Facebook account linked to the Twitter account was targeted with an IP spy link in December 2012.
Clicked on IP Spy link? M recalls clicking on the IP spy. Logs show that the link was clicked once from Facebook on the same day it was sent.
IP address linked to account at time of click? A person interrogated recalls seeing a paper showing an IP address and a date and time. They do not recall the date and time shown on the paper.
Suffered consequences? Their house was raided and electronic devices were confiscated.

M was one of the operators of a Twitter account that spreads information, pictures, and videos about protests in a specific village (a “village news account”), and its associated Facebook account. In December 2012, the account received an IP spy link from “Red Sky” ( in a Facebook private message. M clicked on the link while connected to the internet through a wi-fi connection of one of the houses in the village.

The link that M received in the village news Facebook account

On 12 March 2013, that house was raided around 2 AM by police. According to the family living there, police searched their home, confiscated all computers, and asked family members to unlock their phones. Police looked for open Facebook or Twitter accounts on the phones, seemingly in an effort to find a device with the targeted village news account. The family described how police used a device wrapped in an orange bag to detect the whereabouts of phones hidden in different locations around the house. Police failed to find any device with the village news account open, however, and arrested the eldest son in the house even though he was not associated with the account.

During interrogation, police urged him to confess that he was the operator of the account. Police said they had concrete evidence that he had insulted the King, and told him that they knew that the IP address of his house’s connection operated the account. They showed him printouts of Tweets from the account, as well as a paper from Batelco. The paper from Batelco allegedly displayed the IP address of their house’s connection along with a date and time, details of the connection’s subscriber, and web history logs showing that the internet connection was used to access The police released him after interrogation and did not pursue charges against him.

Case: Salman Darwish

Date of Arrest: 16 October 2012
Date of Sentencing: 5 November 2012
Accused of Tweeting: No information.
Linked to Account: @JehadAbdulla
Targeted with IP spy links? Known IP spy accounts sent messages to @JehadAbdulla.
Clicked on IP Spy link? No information.
IP address linked to account at time of click? No information.
Suffered consequences? Salman served one month in prison. His father claims he was mistreated during interrogation.

Salman Darwish was arrested from his home in East Riffa on 16 October 2012 and accused of insulting the King on Twitter using the @JehadAbdulla account. He was sentenced to one month in jail on 5 November 2012. Salman and his family deny the allegations that he insulted the King and claim that he has no connection to @JehadAbdulla.

Salman's father demands his release.

According to Salman’s father, Abdulla (@A_darwishh), interrogators extracted a false confession from Salman under duress. Abdulla claims:

  • Salman was interrogated for a continuous 27 hour period where he was denied food, drink and use of a bathroom.
  • After police threatened that they would summon his mother and sisters for interrogation, Salman confessed to the charges.
  • While Salman was in detention he was denied adequate healthcare for a rare illness he has which makes him suffer chronic kidney stones.
  • Before his arrest, a doctor warned Salman he had 15 stones which required close medical attention.
  • Due to mistreatment in custody, Salman caught an infection and his health deteriorated, necessitating his transfer to the prison clinic.

Abdulla thinks that the real reason behind his son’s arrest was to silence dissent and limit freedom of expression. Abdulla suggests that his son may have been used as a scapegoat by the Government for political reasons. After his release, Salman opened a personal Twitter account, @darwish_salman, which, although critical of the Government, does not contain any direct criticism of the King. Commenting on his ordeal, Salman tweets: “When I was arrested with the accusation of insulting the King, some people got scared of opposing the shortcomings of the Government which has nothing to do with why I was arrested. Your silence makes them more willing to oppress you.”

Salman commented on his ordeal from his personal Twitter account.

The @JehadAbdulla account was an anti-Shia and anti-opposition account that also openly Tweeted criticism of the Government for being un-Islamic and not applying Sharia Law. On occasion, the account levelled criticism directly at the King, though we do not have any information about which Tweets the Government viewed as offensive to the King:

The King orders 185 million dinars to Gulf Air.. From where did you get that money you weakest and stingiest King in the world? while people beg for health treatment in newspapers. #Bahrain.

The Ministry of Interior and also the King himself should apologize for the attack against Sunnis in Hamad Town.. We are unlike the other oppositions that you have experienced before.. #bahrain

The King remaining in his position has become a danger to Sunnis, there has to be solutions for this. This King has turned the state against Sunnis at a time when we are facing the Shia threat.

#The_people_of_Bahrain_condemn_the_building_of_biggest_church .. Yes King we oppose you directly and openly and do not fear anyone in the sake of God. You are disobeying God and you must stop.

Our investigation shows that the Government took an interest in @JehadAbdulla in mid-August 2012, and may have targeted him then:

A fake Ali Salman account associated with the IP spy campaign tells @JehadAbdulla that Sunni and Shia are brothers. Salman Darwish joined his Shia brothers in prison several months later.

@JehadAbdulla says hello to an IP spy account.

Case: Mahdi Al-Basri

Date of Arrest 12 March 2013
Date of Sentencing 15 May 2013
Accused of Tweeting No information.
Linked to Account @karranah14
Targeted with IP spy links? The Facebook account linked to @karranah14 was targeted with an IP spy link.
Clicked on IP Spy link? An account operator told us that Mahdi was not associated with the account. This operator recalled clicking on a “suspicious link” at some point in the past using Mahdi’s internet connection.
IP address linked to account at time of click? No information.
Suffered consequences? Mahdi is serving one year in prison.

N is one of several people who operate the @karranah14 Twitter account and a linked Facebook account. These accounts disseminate the latest news about the uprising in the Bahraini village of Karrana. N recalls clicking on a suspicious link by mistake in the past, while using an internet connection registered to Mahdi Al-Basri. However, N does not have the old link, as he says that the group periodically deletes all old messages from their Facebook and e-mail accounts. The Facebook account was targeted with an IP spy link recently, on 25 July 2013.

Amal Al-Shareef targets the account. We reported the link to for an abuse of their terms of service, and they disabled it.

Mahdi Al-Basri, a lawyer, was accused of operating @karranah14 and jailed. However, Mahdi is not associated with @karranah14, as confirmed by N. Mahdi’s personal account @MahdiAlbasri1, while generally sympathetic to the pro-democracy movement in Bahrain, does not seem to contain any Tweets that the Government might view as insulting to the King.

According to Mahdi's family, police raided their house at around 3AM on 12th March 2013. Police searched the house, confiscated computers, and inspected phones. No device was found with @karranah14 or the linked Facebook account. Police allegedly damaged some belongings in Mahdi’s room during the course of the search. Mahdi asked to see the search/arrest warrant but the police did not provide one, and allegedly laughed at his request. During his interrogation and trial, Mahdi consistently denied the charges against him.

The @karranah14 account mainly focuses on documenting the daily anti-government protests in the village, and general events related to the uprising. While we do not have any information about which specific Tweets the Government deemed offensive to the King, Tweets from @karranah14 display anger towards the King:

Oh Hamad Bin Isa you murderer every time you look at your ugly face at the mirror remember the faces of our martyrs and remember...

Protest from the village of Karrana we hold the illegitimate/fallen [King] Hamad and the Saudi occupation responsible for all the crimes...

Case: Sami Abdulaziz Hassan

Date of Arrest No information.
Date of Sentencing Not sentenced.
Accused of Tweeting Tweets against his employer.
Linked to Account @YLUBH
Targeted with IP spy links? The @YLUBH account was publicly targeted several times with IP spy links. Two IP spy accounts apparently sent e-mails to @YLUBH.
Clicked on IP Spy link? No information.
IP address linked to account at time of click? No information.
Suffered consequences? Sami was sacked from his job for Tweeting.

Sami Abdulaziz Hassan was the leader of the “Yokogawa Labor Union of Bahrain,” a trade union at the Middle East division of Japanese engineering firm Yokogawa. He was sacked from his job in early 2013 after he was identified as the author of anonymous Tweets exposing alleged labor law violations by his employer. His Twitter account was targeted with IP spy links sent publicly via Twitter mentions. His company had filed a complaint about the Twitter account with Bahrain’s police. Yokogawa Middle East claimed that Sami was sacked for failing to inform the company about the police investigation.

The @YLUBH account does not criticize the Government; it sends out pro-union messages, and criticizes Yokogawa Middle East for allegedly flouting local labor laws:

@YLUBH claims Yokogawa is not abiding by various local labor laws, including those that mandate annual leave and sick leave.

The @YLUBH account was publicly targeted by Government-linked accounts, who sent IP spy links:

Several IP spy accounts targeted @YLUBH in November and December 2012.

@YLUBH also may have been targeted via e-mail. While monitoring IP spy accounts, we noticed that two accounts messaged @YLUBH, asking to talk in private. In both cases, @YLUBH publicly responded with its e-mail address.

@YLUBH gives its e-mail address to an IP spy account.

A fake journalist may have contacted @YLUBH with a malicious link.

Another IP spy account, @sabreeena30, contacted @YLUBH on November 18, posing as an ex-employee.

@sabreeena30 claims to be an ex-employee.

The General Federation of Bahrain Trade Unions, Bahrain’s main trade union coalition, criticized the sacking of Sami Abdulaziz, and demanded his reinstatement.

Gulf Daily News article on Sami Abdulaziz’s dismissal.

This photo published by @SAIDYOUSIF shows Sami Abdulaziz at the GFBTU’s 2013 May Day rally in support of sacked workers in Bahrain.

Types of IP Spy Accounts

This section looks in more depth at the types of accounts that the Government uses to send IP spy links. The Government’s goal in designing an IP spy account is to trick users into trusting the account.

Impersonation accounts:

These accounts attempt to impersonate a well-known individual.

This Government account impersonates Al-Wefaq Secretary General Ali Salman (@WefaqGS), and occasionally Tweets fake political statements in addition to IP Spy links

Impersonation accounts:

These accounts represent fake people, usually attractive women or fake members of prominent families.

Moonbahr is an Instagram profile for a fake, attractive woman. The profile solicits targets to chat on InstaMessage, a service for sending messages using Instagram.

Facebook account Amal Al-Shareef uses the same picture.

These Twitter accounts for fake members of the Al-Buainain and Al-Khalifa families targeted Sunni and pro-Government groups.

Typo impersonation accounts:

The most common type of IP spy account exploits Twitter’s sans-serif font, which renders a capital “I” and lowercase “l” in exactly the same way. These accounts have the same display picture, name, and description as trusted accounts, except they use a capital “I” instead of a lowercase “l” in the account’s username. These accounts will typically send IP spy links using public mentions, as they have very few followers. The Tweets are deleted soon after the links are clicked on, and the accounts are frequently renamed. The following image from Topsy shows a small sample of such targeting. Topsy occasionally archives deleted Tweets, and renders all usernames in lowercase.

Being fooled by these impersonators may have disastrous consequences.

In some cases, IP spy accounts are very clever in their targeting. For example, they may impersonate one of the participants in a Twitter conversation, and send a malicious link.

This conversation has three participants: @saudi44, @AlBinSanad, and @AIBinSanad. Can you spot the imposter?

Typo impersonation accounts use several other naming tricks besides substituting “I” for “l.” Sometimes, a vowel is substituted, e.g., “a” instead of “e.”

@slows77, a pro-Government Twitter user critical of the Muharraq Council might have thought that notorious pro-Government vigilante @7areghum was sharing a link with him if he didn’t look closely at the spelling of the username.

In other cases, two vowels are permuted, or an additional copy of a vowel is added.

The letters "ai" are permuted to "ia" in "Alshaikh."

An extra "o" is added to "maloood."

Legitimate accounts surreptitiously operated by the Government

The biggest potential risk to netizens comes when the Government gains credentials to access a trusted account.

On 12 March 2013, two brothers were arrested for allegedly operating the @Abu_Haider and @AboHamzah_BH accounts. After their arrest, both accounts showed activity: they regularly posted stories from major news outlets. We received information that this continued activity was the work of legitimate account operators. On 4 July 2013, while the brothers were still in prison, we observed that both accounts began to exhibit different behavior. The behavior seemed to be part of a Government effort to target or infiltrate the Tamarrod Bahrain movement, which calls for protests on 14 August 2013.

@AboHamzah_BH followed two accounts on 4 July 2013.

On 4 July 2013, @AboHamzah_BH followed two new accounts. The first was @Buhassan23, an account that had been repeatedly targeted by IP spy accounts in the previous few days. @Buhassan23 is an apparent key supporter of the Tamarrod Bahrain movement. The second was a known IP spy account, @AlToobIi, which had only three other followers. The account was designed to impersonate @AlToobli. The new follows by @AboHamzah_BH were not follow-backs, and @AboHamzah_BH did not exhibit other follow-back behavior. According to our observations, @AlToobIi never mentioned @AboHamzah_BH. It is worth noting that when an account blocks a follower, the follower automatically unfollows the account; unblocking this individual does not cause them to automatically re-follow you. Based on all of these factors, it seems likely that @AboHamzah_BH following @AlToobIi is an indication that the Government had access to this account.

@AlToobIi had three other followers, two of which are IP spy accounts.

While @AboHamzah_BH was apparently being operated by the Government, legitimate operation continued as well. This raises an alarming possibility: the Government may surreptitiously operate accounts, while the legitimate operators believe they are still in control.

@Abu_Haider followed three accounts on 4 July 2013.

On 4 July 2013, @Abu_Haider followed three new accounts. Two were common Government targets at the time: @tamarrodbh and @TamarrodBahrain, anonymous accounts that originated the Tamarrod Bahrain movement. The third account was @alaashehabi, the account of Bahrain Watch member Ala’a Shehabi, who had contemporaneously tweeted a warning that the Cyber Crime Unit was sending malicious links to identify and arrest anonymous users. In addition to following these three accounts, @Abu_Haider changed its profile picture to the Tamarrod Bahrain logo, and retweeted a number of tweets in support of Tamarrod, as well as Ala’a’s warning. This unusual activity by @Abu_Haider did not go unnoticed among his followers.

A concerned Twitter user was apparently suspicious about @Abu_Haider’s change in activity, and warned his followers.

Another account whose operator is allegedly in prison, @14Feb_Tube, began tweeting messages from “unfalert” a few days after 4 July 2013. The “unfalert” service sends tweets from an account when a user unfollows that account.

We reported @Abu_Haider, @AboHamzah_BH, and @14Feb_Tube to Twitter as possible victims of account hacking. We checked these accounts on 16 July 2013, and noticed that they were suspended.

Hacked Accounts?

On 24 November 2012, Reda al-Fardan, a member of Bahrain Watch based in France, was targeted by @RedSky446 with an IP spy link sent via direct message.

The IP spy link that Reda received from @RedSky446. The full name of the account is cut off in the image due to screen size constraints.

The redirect chain of the link was:

The attacker used two different IP Spy services: and The link contains a parameter “to,” which contains a Base64-encoded string. Decoding this string reveals an e-mail address: [email protected] We went to and registered with our own e-mail address to test. The site gave us a link that had a “to” parameter containing a Base64 representation of the e-mail address that we provided. We clicked on our link and received an e-mail containing our IP address. This indicates that the “to” parameter represents the e-mail address that the IP spy data is sent to.
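The decoding step described above can be scripted when triaging a suspicious link. The following Python is an added example, not code from the original report; the host names, the link layout apart from the “to” parameter, and the e-mail address are constructed placeholders. It also follows links embedded in other links, since the attacker chained two services.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def decode_b64_text(value):
    """Return the UTF-8 text a Base64 value encodes, or None if it is not Base64."""
    # parse_qsl turns "+" into a space; undo that, then map URL-safe characters back.
    cleaned = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)  # restore padding that was stripped
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_notification_addresses(url, max_depth=3):
    """List query parameters whose value is a Base64-encoded e-mail address.

    Parameters that themselves hold a URL are followed up to max_depth levels,
    so an address hidden behind a shortener or a second service is still found.
    """
    findings = []
    parts = urlsplit(url)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_b64_text(value)
        if decoded and EMAIL_RE.match(decoded):
            findings.append({"host": parts.hostname, "param": name, "email": decoded})
        elif max_depth > 0 and value.lower().startswith(("http://", "https://")):
            findings.extend(find_notification_addresses(value, max_depth - 1))
    return findings


# Constructed sample links (not the links from the report).
_TOKEN = base64.urlsafe_b64encode(b"ipspy-inbox@example.org").decode().rstrip("=")
SAMPLE_DIRECT = "http://ipspy-service.example/view?id=123&to=" + _TOKEN
SAMPLE_CHAINED = "http://shortener.example/go?u=" + quote(SAMPLE_DIRECT, safe="")

if __name__ == "__main__":
    for link in (SAMPLE_DIRECT, SAMPLE_CHAINED):
        print(link, "->", find_notification_addresses(link))
```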

Checking the statistics for the link shows us that the link was created by a user known as “al9mood”, who is associated with hundreds of other links.

Reda clicked on the link, revealing to the attacker that his IP address was in France. After he clicked, he received a suspicious message through YouTube:

Moon Bahrain contacts Reda.

At this time, we did not realize that the IP spy attack was associated with the Government. We finally reported @RedSky446 to Twitter on 6 May 2013. On 15 May 2013, we noted that the account was suspended. An examination of @RedSky446’s Twitter timeline reveals that his behavior changed on 17 October 2012. It is possible that his account was hacked, or he was arrested on this date. His last tweets mentioned the arrest of Twitter users on 16 October 2012, and contained advice on how to safely operate anonymous accounts using the TOR browser and VPNs. It also appears that @RedSky446’s Facebook account was taken over around the same time.

We were unable to find anyone who knew @RedSky446 in real life. Several individuals who did not know him suspected that he lived in London.

Connection to Bahrain Government

This section provides an overview of our evidence that the Government is behind the IP spy campaign. One of the earliest IP spy services used in the campaign was The service is designed so that anyone who receives an IP spy link can view the IP addresses of all users who have clicked on that link. Bahrain Watch found several of these links and looked up the IP address data. We noticed that an IP within Bahrain’s Internet Exchange clicked on at least seven different links that were sent to various accounts. MyIPTest recorded the address as:


The links on which this address appears are the following:

| Link ID | Targets |
|---|---|
| 17uxlgniaz | @bah_leaks |
| bhbpva67sd | @COALITION14 |
| dyisb6f4zb | @RashedKhalifa, @COALITION14 |
| vfasadu3mo | ? |
| 3ce5asguf | ? |
| fu969lkyie | ? |
| 86b2aoxty | ? |

The IP address is a private address, which is not routed on the public internet. This address was likely gleaned from some information sent by a proxy server, such as the X-FORWARDED-FOR header. Since is a Cisco router, it seems likely that the proxy exists behind the router, and NAT is active on the router. This setup would produce a request apparently forwarded via the router from the private address. Traceroutes show that several websites for Bahrain’s security forces are associated with the router:

IPDescription Police Media Center Various MoI sites Various MoI sites Various MoI sites

The following address clicked on several other links, according to data from


The appearance of the same private IP address suggests that this is perhaps the same actor as above, and suggests that is another router used by the security forces in Bahrain. We did not see any other instances where an IP address clicked on more than one link.
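The correlation described in this section can be reproduced over any click log that records both the connecting address and a forwarded address. The following Python is an added example, not code from the original report; the log layout, link IDs and addresses are constructed, and it assumes the forwarded address arrives in an X-Forwarded-For style header.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges: private addresses that are not routed on the public internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed click log: (link ID, connecting address, X-Forwarded-For value or "").
CLICKS = [
    ("linkA", "203.0.113.10", "10.1.2.3"),
    ("linkB", "203.0.113.10", "10.1.2.3"),
    ("linkC", "203.0.113.10", "10.1.2.3, 198.51.100.7"),
    ("linkA", "198.51.100.44", ""),
    ("linkD", "192.0.2.99", "not-an-ip"),
    ("linkD", "203.0.113.77", "10.1.2.3"),
]


def forwarded_private(xff):
    """Return the first RFC 1918 address listed in a forwarded-for value, or None."""
    for token in xff.split(","):
        try:
            addr = ipaddress.ip_address(token.strip())
        except ValueError:
            continue  # header values are client-controlled and may be garbage
        if addr.version == 4 and any(addr in net for net in RFC1918):
            return str(addr)
    return None


def repeat_clickers(clicks, min_links=2):
    """Map (connecting address, forwarded private address) to the links it clicked,
    keeping only pairs seen on at least min_links different links."""
    seen = defaultdict(set)
    for link_id, source, xff in clicks:
        seen[(source, forwarded_private(xff))].add(link_id)
    return {pair: sorted(links) for pair, links in seen.items() if len(links) >= min_links}


def shared_private(clicks, min_sources=2):
    """Map each forwarded private address to the distinct connecting addresses that
    reported it. Private ranges are reused by unrelated networks, so a match here
    is supporting evidence only, as the report's wording ("perhaps") reflects."""
    seen = defaultdict(set)
    for _link_id, source, xff in clicks:
        private = forwarded_private(xff)
        if private is not None:
            seen[private].add(source)
    return {p: sorted(srcs) for p, srcs in seen.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    print(repeat_clickers(CLICKS))
    print(shared_private(CLICKS))
```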

We also uncovered evidence linking the network of Facebook and Twitter accounts used in the IP spy attack to the Government. One account in the network, sabreeena30, shared the first and only post on a blog entitled “Cyber Crime Unit:”

Sabreena Ahmed (sabreeena30) shared a blog post from the Cyber Crime Unit on her Facebook page.

The post was shared at 6:01PM GMT-7 on 6 July 2011. Inspection of the post reveals that it was blogged at exactly the same time that sabreeena30 shared it on Facebook: 6:01PM GMT-7 on 6 July 2011. This suggests that the author of the blog is also the operator of sabreeena30:

Usman Fazal posted at exactly the same time Sabreena Ahmed shared.

The post was written by a user called “Usman Fazal.” Inspection of the author’s Blogger profile revealed the following:

Usman Fazal says he works in the military as a Computer Forensic Examiner.

His e-mail is given as “[email protected]” Furthermore, a search on LinkedIn for his name revealed these profiles:

Usman Fazal’s LinkedIn profiles say he works at the MoI or Cyber Crime Unit.

Further inspection of Sabreeena Ahmed’s Facebook page reveals that she likes a page called “MY OWN STUDY.”

Sabreena Ahmed likes a page called MY OWN STUDY.

The page is associated with Bahrain, as well as the e-mail address “[email protected]” The posts and pictures on the page mostly consist of information about computer forensics.

MY OWN STUDY is located in Bahrain, and uses a contact e-mail apparently belonging to Usman Fazal.

Target: Labor Groups

In addition to @YLUBH, we noted that several other labor accounts were targeted, including an account for politically sacked GARMCO employees, @Garmco_dismisse, and an account Tweeting about issues at Bahrain Airport Services, @BAS_OPPRESSED.

Using a similar modus operandi to the attack on @YLUBH, IP spy account @CrazyFrogBH poses as an employee sacked for political reasons from Bahraini company GARMCO.

@BAS_OPPRESSED was targeted at least six times, including these four.

Target: Parody Accounts

We noticed that several parody accounts for high-ranking Government officials were targeted by IP spy accounts.

@SheikhKhalifaPM, a parody of Bahrain’s Prime Minister, was solicited to receive images and documents by IP spy account @sabreeena30.

@RashedKhalifa, a parody of Bahrain’s Interior Minister, was sent links, and possibly spyware.

@TariqAlHassan, a parody of Bahrain’s Chief of Police may have been sent spyware.

@Samorarajab, a parody of Bahrain Minister of State for Information Affairs, Sameera Rajab, was sent an IP spy link.

We also noted that parody accounts for religious leader Isa Qassim, and former MP Mohammed Khalid were targeted.


@BAHRAINDOCTOR is an anonymous account, apparently operated by a doctor inside a public hospital in Bahrain. During martial law in 2011, the account revealed details about physical and verbal abuse perpetrated by security forces against doctors both at Salmaniya Medical Complex, and the Ministry of Health. @BAHRAINDOCTOR has also been instrumental in challenging dubious Government stories about individuals killed by security forces. Since the account uses as its avatar a stock photo of a female doctor, we refer to the doctor using the female pronouns “she” and “her.”

@BAHRAINDOCTOR’s account has been targeted several times. On 14 June 2012, she issued a warning about @Zbroadcaster, one of the IP spy accounts. @BAHRAINDOCTOR recalls that the account was attempting to ask her questions in an apparent attempt to figure out her identity.

@BAHRAINDOCTOR advises her followers to not reveal any information about themselves to @Zbroadcaster.

On or around 15 November 2012, @BAHRAINDOCTOR received an IP spy link, apparently from the Twitter account @HusainSayadAli, which appears to have been an impersonation account for @HusainSayedAli. The link and redirect chain are shown below:

The attacker uses two different IP Spy services: and The e-mail address associated with the link is “[email protected]

The doctor reported that she did not click on the link, but instead sent it to a friend who clicked on the link from inside the UK. @HusainSayadAli then apparently tweeted that he had discovered @BAHRAINDOCTOR was in London. This erroneous claim was presumably in reference to the information he had received from the IP Spy link. @mnarfezhom, widely believed to be a member of the ruling Al-Khalifa family, apparently quoted this tweet, and threatened the doctor:

@mnarfezhom promises @BAHRAINDOCTOR’s arrest.

After the threats, @BAHRAINDOCTOR reported that she lived in a state of anxiety.

Target: @BrokenAngel077

Broken Angel received an IP Spy link from @NaderAbduIEmam, an impersonation account for @NaderAbdulEmam. Her account was hijacked and renamed to @brokenangeI. Meanwhile, the attackers registered a new account with the name @BrokenAngel077. A Government account, @ghostofbahrain, apparently claimed credit for hacking her account, and threatened her:

@ghostofbahrain threatens @BrokenAngel077.

According to the Cyber Crime Unit, their investigations follow a protocol, which “includes first and foremost a complaint from the victim.” The Unit states that in most cases, they “warn the person and the issue is amicably solved, but if the violation is serious then the culprit could face two years' imprisonment and fines.”

Target: @The_Cheaters1

@The_Cheaters1 apparently Tweeted information about various Government spy programs, as well as the names of police officers allegedly responsible for abusing detainees in custody. We noticed that his account was targeted with IP spy links.

@The_Cheaters1 noticed initial attempts to target him, and warned his followers.

Even though @The_Cheaters1 noticed initial attempts to target him, the attackers persisted. IP spy account @RedSky446 appeared to come to the aid of @The_Cheaters1 by imploring his followers to follow and retweet @The_Cheaters1, who he described as a victim of spam. He then asked @The_Cheaters1 to talk in private, “in service of the revolution.”

@RedSky446 invites @The_Cheaters1 to talk in private.

@The_Cheaters1’s trust of @RedSky446 might have done him in.

Meanwhile, two other Twitter accounts seem to have cooperated in targeting @The_Cheaters1, using links to the Richtweets service, which allows Tweets of more than 140 characters, and also allows remote images to be embedded into tweets.

These two tweets seem designed to figure out the identity of @The_Cheaters1 -- the only user mentioned in common -- while not looking like a targeted attack

The inactivity of @The_Cheaters1 since January 2013 suggests that he was eventually tricked into opening malicious links, and was identified. This suggests that even technically savvy users may be vulnerable to targeting.

Target: @mn9oreen_bh

While we were searching for individuals who had been targeted by IP spy accounts, we noticed that an anti-Government account named @mn9oreen_bh had Tweeted images of direct messages he allegedly exchanged with an IP spy account @kashfalmastor. The IP spy account apparently sent @mn9oreen_bh a link, which he opened from his phone. The IP spy account then asked @mn9oreen_bh to please open the link from a laptop, as it was not possible to spy on @mn9oreen_bh’s phone.

@mn9oreen_bh posted these images of direct messages apparently exchanged with an attacker.

@sabreeena30 also solicited @mn9oreen_bh to receive files via e-mail.

@mn9oreen_bh’s account is inactive. We have been unable to reach him to find out more details about the link he clicked.

Target: Hoora Residents

To make way for a new Government housing project, hundreds of residents of Block 318 of Hoora were to have their houses taken and demolished. Many of these residents supported the concept of new housing, but opposed the seizure of their homes to build it. The accounts @DR3_AL7OORA, @hoora318, and @FYOUSIF00 apparently belonged to residents of Block 318 whose homes were to be taken. The accounts were otherwise pro-Government, but Tweeted criticisms of the Government’s handling of the project.

A banner created by Hoora residents expresses support for housing projects, but opposition to the taking of their homes.

@DR3_AL7OORA and @hoora318 were targeted with IP spy links that showed them maps of Hoora.

An IP spy account tried to solicit direct messages from @FYOUSIF00.

Target: Sahab Bint Abdullah Al-Saud?

An account named @anaok6 (ID# 1533646338) tweeted a video entitled “Sahab bint Abdullah Drunk on Camera” directly at the Twitter account of Sahab Bint Abdulla Al-Saud, @SahabAbdullah8. Sahab is a member of the Saudi Royal family, and is married to Khalid bin Hamad Al-Khalifa, son of the King of Bahrain. The account @anaok6 was not following any accounts, and had only one follower -- an IP spy account. By the time we noticed the tweets, the video had been deleted, and it was unclear which YouTube account the video was associated with.

Two IP spy accounts, @CrazyFrogBH and @Bint_BuSalman, then targeted @anaok6 with two IP Spy links. One of the links was to the following page.

While conveying an innocuous message, an embedded image records the IP address of the user viewing this page.

The account @CrazyFrogBH then tweeted “TE Data Egypt” at @anaok6 -- presumably the implication being that @anaok6 was using that internet service provider. One of the Government accounts, @CrazyFrogBH, then told @SahabAbdullah8 “I need to talk to u if u allow me please … I need your help as I helped you twice now,” asking Sahab to look at @CrazyFrogBH’s previous tweets. Usually when the attackers ask for a direct message in this way, they send the recipient a malicious link.

Of course, we cannot be certain that Sahab was the target. Indeed, this could be a case of cyber blackmail against Sahab. However, it does appear suspicious that @CrazyFrogBH attempted to engage Sahab via direct message. As far as we could tell, Sahab never followed @CrazyFrogBH.

Target: Sunni Groups

We noticed that several Sunni activists and groups were targeted in the IP spy attack, including a member of the Al-Fateh Youth Coalition.

A sampling of Sunni groups targeted. Bahrain’s Chief of Police (@Talhassan) was also apparently targeted.

The “30 December Movement” @7araka30dec, an account that called for a “Sunni day of rage” on 30 December 2012 to demand reforms, was also targeted several times.

@7araka30dec was targeted with IP spy links sent by at least two different accounts.

Target: @mnarfezhom

The @mnarfezhom account is allegedly operated by a member of the ruling Al-Khalifa family, and functions as a cyber vigilante, mobilizing his followers against those seen as opposing the Government. He was targeted several times by IP spy accounts. On 7 January 2013, the Cyber Crime Unit confirmed that an investigation against @mnarfezhom was underway, after members of the Sunni community claimed he was slandering top politicians by associating them with the December 30 movement.

One of many instances where an IP spy account targeted @mnarfezhom.

The IP spy links may have been successful in revealing @mnarfezhom’s identity.

@ghostofbahrain brags to @mnarfezhom nemesis @7araka30dec that he has “electronic data linking @mnarfezhom to Mohammed Salman Al-Khalifa”

Other Targets

We briefly mention a few other interesting targets we noticed.

Anonymous #OPBahrain

Around the April 2013 Grand Prix, Anonymous launched #OPBahrain, an operation to raise awareness of the human rights situation in Bahrain by widely disseminating pictures, videos, and articles, and hacking into Bahrain Government and Formula 1 websites. IP spy accounts targeted the Twitter users who organized this operation. The Gulf Daily News reported that “experts” from the Cyber Crime Unit were monitoring #OPBahrain, and were ready to respond.

An IP spy account offers content for #OPBahrain. The link redirects through an IP spy service.

The same IP spy account also targeted the popular @YourAnonNews account.

IP spy account @RedSky446 voiced his support for the operation.

We contacted the account @OpBahrain_, who claimed to have chatted privately with @Ba7raaania. Bahrain Watch asked @OpBahrain_ to share links that he received from @Ba7raaania, but he declined to do so.

@boammar (ex-MP Mohammed Khalid)

We also noticed that former Member of Parliament Mohammed Khalid was targeted by IP spy accounts on several occasions.

An IP spy account targets @boammar.

IP Spy in Other Countries

Bahrain Watch has received reports that activists operating anonymous Twitter accounts in the United Arab Emirates were sent links to the website via direct message from Twitter accounts of their friends who had been hacked. Activists who clicked on these links were later arrested.

Bahrain Watch has also received reports that anonymous Twitter users in Kuwait have been arrested. It is not clear how they were identified.

Safely Operating Your Anonymous Account

Bahrain Watch has released a simple guide on safely operating anonymous accounts. The guide is available in English and Arabic on our website.

Special Thanks

This report would not have been possible without the contributions of John Doe. Thanks to Eva Galperin from the Electronic Frontier Foundation, Maryam Al-Khawaja from the Bahrain Center for Human Rights, Yousif Ahmed from Bahrain Youth Society for Human Rights, F.B., M. J. and many who we do not wish to put in danger by naming. Thanks to Nick Weaver, Morgan Marquis-Boire, and John Scott-Railton.

Appendix A: IP Spy Services Used


In some cases, we were able to verify that e-mails associated with the attacks had been registered with the IP spy services:

Appendix B: Response from IP Spy Services

Bahrain Watch contacted the services:,,, and In some cases, we contacted the services anonymously. We received responses from two services:, and Bahrain Watch did not contact, because the site was unavailable, and we did not contact, because their service did not appear to be abused on an ongoing basis.

We forwarded two links sent by the attackers. told us that they have no political agenda, and reserve the right to block anyone’s access to their service for any reason at any time. They told us that they had disabled access to the links we forwarded, as well as “hundreds of other” related links that we did not forward. They had also blocked several ranges responsible for these hundreds of links from creating any new links or viewing any IP addresses of those who had clicked on links. However, they noted that the attackers could access their service from different IP addresses, thus evading the blocks instituted by This appears to be the case, as we have since seen IP spy accounts send new links from this service

Despite claiming on their webpage that their mission is “to ... [keep] the internet safe,” disclaimed responsibility for the misuse of their service, and told us that there were “many other ways” for the Bahraini Government to obtain IP addresses associated with anonymous online accounts.

Appendix C: Recommendations to Twitter

Bahrain Watch contacted Twitter and suggested the following modifications to their service to help defend against the IP spy attack.

Impersonation accounts:

  • Implement safeguards for accounts that change usernames with high frequency. In the cases we’ve observed, usernames are often changed very quickly. In the most extreme case, an account took 21 different usernames over a 3 month period.
    • Accounts showing this behavior could be flagged, or an upper limit could be introduced on the number of username changes.
    • A cooling-off period on the ability to publicly mention or DM users after a rename.
    • Display mentions and DMs from new or recently renamed accounts in a different visual style or color along with a warning.
  • Change the default font to visually distinguish lowercase “l” from uppercase “I.”
  • Run a similarity search through account usernames when accounts are created or profiles updated. For any similar names, check whether the picture, description, and name match those of any account with a similar username. If so, then prohibit this name change. If Twitter only has a hash index on username, this might make similarity search difficult. However, it might be possible to do a limited number of hash lookups on similar account names (e.g., swapping any one lowercase “l” and uppercase “I”, or any one a/e e/a, or so on).
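The limited-lookup similarity check suggested in the last item, covering the naming tricks described under “Typo impersonation accounts” (I/l swaps, vowel substitution, permuted vowels, an extra vowel), is shown here as an added Python example. It is not part of the original report and not Twitter's implementation; the profile fields and the “Sample_” usernames are constructed, and the index is assumed to be keyed on the lowercased username.

```python
from dataclasses import dataclass

VOWELS = "aeiou"


@dataclass(frozen=True)
class Profile:
    username: str      # as displayed, case preserved
    name: str
    description: str
    picture_hash: str  # constructed stand-in for an image fingerprint


def lookalike_keys(username):
    """Index keys (lowercased) of every name one naming trick away from username."""
    keys = set()
    for i, ch in enumerate(username):
        head, tail = username[:i], username[i + 1:]
        nxt = username[i + 1] if i + 1 < len(username) else ""
        # Capital "I" and lowercase "l" render identically in a sans-serif font.
        if ch == "I":
            keys.add(head + "l" + tail)
        elif ch == "l":
            keys.add(head + "I" + tail)
        if ch.lower() not in VOWELS:
            continue
        # One vowel substituted for another (e.g. "a" instead of "e").
        keys.update(head + v + tail for v in VOWELS if v != ch.lower())
        # An extra copy of a vowel added, or a doubled vowel reduced by one.
        keys.add(head + ch + ch + tail)
        if nxt.lower() == ch.lower():
            keys.add(head + tail)
        # Two adjacent vowels permuted (e.g. "ai" to "ia").
        elif nxt and nxt.lower() in VOWELS:
            keys.add(head + nxt + ch + username[i + 2:])
    return {k.lower() for k in keys} - {username.lower()}


def build_index(profiles):
    """Hash index on username, case-insensitive."""
    return {p.username.lower(): p for p in profiles}


def find_lookalikes(candidate, index):
    """Return (existing username, profile_is_copied) for each similar name in the index."""
    hits = []
    for key in sorted(lookalike_keys(candidate.username)):
        existing = index.get(key)  # one hash lookup per variant
        if existing is not None:
            copied = (existing.name, existing.description, existing.picture_hash) == (
                candidate.name, candidate.description, candidate.picture_hash)
            hits.append((existing.username, copied))
    return hits


def allow_username(candidate, index):
    """Prohibit the name only when a similar account's profile was copied as well."""
    return not any(copied for _name, copied in find_lookalikes(candidate, index))


# Usernames from the report plus two constructed ones; all profile fields are constructed.
TRUSTED = build_index([
    Profile("AlBinSanad", "Display name A", "Bio A", "pic-a"),
    Profile("HusainSayedAli", "Display name B", "Bio B", "pic-b"),
    Profile("Sample_Alshaikh", "Display name C", "Bio C", "pic-c"),
    Profile("Sample_malood", "Display name D", "Bio D", "pic-d"),
])

if __name__ == "__main__":
    imposter = Profile("AIBinSanad", "Display name A", "Bio A", "pic-a")
    print(find_lookalikes(imposter, TRUSTED), allow_username(imposter, TRUSTED))
```

A similar name with a different profile is reported but not prohibited, matching the recommendation's condition that the picture, description, and name must also match.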

"IP Spy" links:

  • Blacklist domains used for IP Spy attacks. Twitter could: (1) ban the links, (2) ban accounts that post them, (3) warn users who receive them, or (4) warn users who receive these links in certain countries. It seems like these options would be consistent with the "Twitter Rules" on Spam and Abuse, which prohibit use of the service to "compromise a user's privacy."

Appendix D: Malicious Accounts

Twitter Accounts

Screen Name | ID | Created At (GMT) | Previous Names
@sabreeena30 | 199346014 | Oct 06 16:47:00 2010 |
@RedSky446* | 268461012 | Mar 18 20:37:45 2011 |
@Ali_Salman_ | 301322848 | May 19 08:28:35 2011 |
@QamrAlKhalifa | 468778819 | Jan 19 22:21:43 2012 | @MoonBHR
@Bint_BuSalman | 479541951 | Jan 31 14:02:20 2012 | @kashfalmastor
@um_nassar | 485500245 | Feb 07 08:19:37 2012 | @PakistanGames
@NawaIAtteya | 485507966 | Feb 07 08:34:41 2012 | @SuperMulla
@Ba7raaania | 485527587 | Feb 07 09:12:42 2012 | @PakistanGames
@bahrainimix | 485539426 | Feb 07 09:34:54 2012 | @zainebaldwaar
@CrazyFrogBH | 987487705 | Dec 03 21:40:13 2012 | @BuAIi196
@ASamee3M | 1032260190 | Dec 24 09:04:08 2012 |

* An inspection of @RedSky446’s timeline indicated that he probably began participating in the attack starting from 17 Oct 2012.

Facebook Accounts

Sabreena Ahmed* sabreeena30
Amal Al-Shareef* Amalalshareeef
Red Sky**

* Warning: contains sexual content
** We believe that Red Sky began participating in the attack starting from 17 Oct 2012.

Appendix E: Contents of

Created At | URL | IP Spy Redirect/URL (if applicable)

Appendix F: Twitter Accounts Targeted in Mentions

@10Nazha, @14feb, @14feb_tv, @14FebFree, @14febsatrawi, @7araka30dec, @7bitha, @a_binsafar, @abo_homod, @ahmedal_saeed, @aj_alfaris, @Al_Raqib, @alabqare, @alboflasa, @Alfateh_News, @Ali_Alaynati, @aljood13, @AlrashedBh, @ALSHAF3EE, @altariq86, @ALWEFAQ, @AlWefaqEN, @ANasserelhaq, @Anti_Traitors, @Arabcaricature, @AwalVolcano, @bahrainangle, @BahrainMirror, @bahrainmomo, @Bahrainspring, @Bahran_natio, @Bahranya, @BAS_OPPRESSED, @boammar, @boammarr, @boammarrr, @brokenangel077, @BUKHMAIS, @ciostaff, @COALITION14, @DR3_AL7OORA, @DrRajaaa, @ebtisamalmanaey, @el_khelid, @el9aqer, @esa300gs, @essaa_qasim, @Fathe7hum, @fatimaalhawaj, @fatoooma92, @free4ever1, @gulf_alkarar, @haaq77, @hbmad, @hfareed10, @HHSheikhRashid, @HJHDhaif, @hoora318, @HzeemRahma, @Ibn_Samaheej, @iMagabi, @izynb, @J_Ashabi, @jamry22, @kadhim30, @khubail, @klefaa, @LAFI_ALDHAFEER2, @majedyalali, @Malshurouki, @ManOfBahrain, @MariaSelba, @Maryam271, @MaSsSyY1, @MHeroshima, @mhmood_almotawa, @Milanello14FEB, @mmohd_khalil, @mnarfezhom, @mnarfezhom01, @MrDurazi, @mshkes, @muharraqawinet, @musty1619, @NaderAbdulEmam, @nayemoo, @noor_ali_ahmed, @orgbahraini, @qa7ba_girl1, @qalb_asad, @Qasim_Alhashmi, @Rafedy4ever, @Redha_Farhan, @Roo7Althawrah, @S_AlMerbati, @SAIDYOUSIF, @salmannaserbh, @samedoon14feb, @Samorarajab, @saraairaq, @saudi44, @saw_you_running, @Serat2015, @Sh_Alkashami, @slows77, @Starbh7, @sun_jassim, @Takrooz, @Talhassan, @tariqalhassan, @the_cheaters1, @theladyispyon, @UmAli107, @unknownkiller65, @wadeea11, @YakYakii, @YLUBH, @zahoralaali, @zahrasammak, @ZAlshaikh_BH, @zayani1, @zaynabalhawraa