Mid-2015 and Qatar was at the center of a scandal. Contentious reports suggested that 1,200 migrant workers died working on construction for the 2022 World Cup. The Qatar government refuted the claims, saying no lives had been lost in the construction of stadiums whatsoever. Whatever the real number, the waves of images and stories showing the abysmal treatment of those building modern day colosseums caught the public’s imagination.
Non-profits working on human rights across the Gulf states were not surprised, then, that a small group of unknown British and French activists set up a group called Voiceless Victims. It filled its website, Facebook and Twitter with horrific images of worker conditions, demanding international attention on the crisis. On 20 October 2015, the group called on a number of human rights organizations to help spread a „provocative viral video,“ as director Luke Hann put it.
A year later, the chief comms officer Amelie Lefebvre sent out a petition demanding soccer giant Barcelona F.C. cancel its sponsorship deal with Qatar Airways. To those who had brief communications with the Lille-based group – including Amnesty International, Anti-Slavery International, the International Trade Union Confederation and Building and Wood Workers‘ International – it seemed like one of thousands of small NGO fighting for a worthy cause.
Except it’s almost certain Voiceless Victims was a fake. Not only that, whoever was behind the facade has been accused of carrying out cyberespionage on real activists working on Middle East issues, attempting to find out their location and identity. And, in following the digital footprints left by Voiceless Victims, I found it’s surrounded by online, politically-focused spy operations firing off across the region.
At the end of a year in which made-up news made major headlines, and may have helped sway an election, Voiceless Victims represents a worrying, unprecedented extension of the fake trend: a fraud backed by time and money designed to trick individuals working in high-risk environments into revealing sensitive information.
A fake afoot
Amnesty was the first to uncover strange activity. After emails sent to various Amnesty staff set off security warnings, cybersecurity researcher Claudio Guarnieri was asked to investigate. Looking at emails dating back to March 2016, when Amnesty released major research on alleged labor abuses in Qatar, Guarnieri discovered that on clicking attachments, a report would fly back to the sender, containing the IP address, approximate geolocation and computer information of the recipient, including operating system and web browser. In some emails, GIFs unnoticeable to the human eye contained code that could retrieve the same information for the sender. He told me that whilst marketers use similar tools – Voiceless Victims used the WhoReadMe.com and ReadNotify.com services – to get receipt notifications, this appeared much more invasive and targeted.
“It seems to me they found a service that can be used for that particular purpose, deanonymizing and geolocating people that work on Qatar issues,”said Guarnieri, a FORBES 30 Under 30 alum and a researcher for Amnesty. “It might be they want to know what researchers human rights organizations have in Qatar. It might be for reconnaissance for further attacks, but no further attacks have been identified.”
Amnesty probed further, looking at the social media profiles of the organization and its staff. As noted in its own report today, Amnesty found the posts were “tasteless” and “relentlessly generic.” Last year’s Christmas campaigns, for instance, used images of suffering migrants with poorly-Photoshopped festive designs over them, calling on people to remember charity at that time of year.
They found a slice of fake news too. On the I Support Qatar Workers campaign pages on Facebook and Twitter, a screenshot purported to show an Al Jazeera story in which it claimed a hotline had been set up to help migrants get their passports back. Next to the article was a link to an apparent feature on Voiceless Victims‘ work on labor rights. But there was no evidence that either story was ever published. Al Jazeera confirmed the articles never ran. „Someone it seems cropped a story and created a fake story,“ a spokesperson told me.
Perturbed by the strangeness of everything to do with Voiceless Victims, Amnesty researcher Fabien Goa took the investigation a step further. In September, he and a colleague in France visited the Lille address listed on the official-looking Voiceless Victims site, Vlvictims.org. They asked the concierge if he’d ever heard of the organization. Never, he said. The postman? No. The teachers‘ union that has occupied the only office in the building for the past six years? Nope.
If Voiceless Victims was a fake operation as he now firmly believed, it was a dangerous one, said Goa. It wasn’t just targeting activists, it was asking any migrant workers with a story to tell to come forward. The group may have been building a honeypot in which to ensnare potential whistleblowers and support future surveillance, Goa said. „The major concern for us is that if this is state-sponsored as we suspect, or even if it is some kind of private initiative, it has major potential to undermine and endanger the legitimate work of civil society groups, including in defending international human rights standards,“ added James Lynch, deputy director of the Global Issues Program at Amnesty.
All show, no tell
More evidence of a fake emerged in my own research. Hann, I’d determined, was a liar. On his LinkedIn page he’d claimed to have been a director at the Global Justice Center for seven years and he’d obtained a law degree from Oxford University. Neither had any record of a Luke Hann. An Oxford University spokesperson said the Bachelor of Laws (LLB) degree he claimed to have didn’t even exist. Neither Hann nor his colleague Lefebvre had any contacts on LinkedIn, despite claiming illustrious careers in the third sector. Across Facebook, Twitter and their website, the entire web in fact, both were faceless.
There were other attempts at dissimulation. A check of VlVictims.org domain records revealed nothing: it had been privacy protected since its creation in March 2016. But a search for VoicelessVictims.in, the domain from which Luke Hann had sent email in 2015, did not have such protections. The registrant had a Russian email, street address and telephone number. Attempts to call the number immediately dropped, however, whilst emails returned failed. A check on VoicelessVictims.org (a domain that was never ostensibly used by Voiceless Victims in any way) brought up the registrant as an Ewald Harm living in Amsterdam, the Netherlands. A call to the number supplied led to the voicemail of a real man, an Annewim De Jong, a manager at Enterprise Rent-A-Car. He had not responded to voicemails asking for comment at the time of publication. More fake personas? More than likely.
VoicelessVictims.com, meanwhile, was created by an American, a New York-based legal firm Suzanne C. Flanagan & Associates. That appears to be legitimate. Flanagan explained she was an attorney who sued nursing homes for abuse and neglect of elderly persons in New York State. “I purchased that domain name with the intent of starting a nonprofit for elderly, homeless animals and autistic children. Unfortunately, I have been too engrossed in my practice to get it off the ground, but I plan to move ahead in the New Year.” She’d never heard of the other Voiceless Victims.
I presented these facts to PR Newswire, the platform from which Voiceless Victims had disseminated an April press release about the launch of VlVictims.org. It subsequently removed the release from its website (though it remains live on other sites that aggregate PR Newswire releases). Meanwhile, Le Monde, one of France’s most-respected newspapers that also reported on the group today, found no record of any Voiceless Victims registered as an NGO in France.
I sent over the mass of evidence indicating a fake to Daniel Cuthbert, chief operating officer at security consultancy Sensepost. His assessment was much the same: it was one big, obvious fake. “One major red flag was the fact the website did not appear anywhere else on the internet. No one had talked about them on forums, it was like it didn’t exist,” he told me. “It’s all show and no tell.”
But then an unexpected email. From Luke Hann. It arrived from firstname.lastname@example.org on December 14th. All previous attempts to message Hann and Lefebvre’s personal addresses failed. So had calls to the French number listed on the site, which was actually a Voice Over IP line that could have been hosted anywhere.
Having laid out the claims that his firm was a fraud, he responded: „We have tried with our limited resources to achieve public awareness and to expose the harsh human rights violations of foreign workers in Qatar. Unfortunately, since we started this campaign we received various threats. We sincerely hope that your information isn’t coming from the same ones who are trying to bring us down and prevent the truth about foreign workers situation in Qatar to be told.“
Shortly after Hann sent the message, the narrative took another strange twist: the VlVictims.org site was scrubbed and replaced with a stark message. Voiceless Victims was under attack. And the „Bad guys“, whoever they were, had won.
Hann later claimed he was travelling and didn’t have time to speak on the phone. Frustrated, I finally suggested whoever I was emailing was only trying to delay publication of this article, and that it was odd he couldn’t make time for a call with a reporter who was questioning his existence.
An email on December 19th complained Voiceless Victims had been “confronted with all kinds of threats. We have been under attack multiple times, from those that want to make sure no one exposes their wrong doings [sic].” Then today, Voiceless Victims called the claim it worked for Qatar „preposterous.“ „The acquisition [sic] regarding us redirecting Amnesty on malicious websites is just false and feels like an attack,“ he added.
All further requests to speak on the phone went unreturned. Having been quiet since the summer, Voiceless Victims had miraculously emerged again with some stark claims. And yet it could not offer any defense of claims it was a fake. Beneath the words there was, again, no substance.
This week, Voiceless Victims’ Facebook page disappeared. As did Amelie Lefebvre’s profile, and her Twitter. The walls were crumbling.
NGOs exposed in the Middle East
Those contacted by Voiceless Victims have been subjected to frequent online attacks since the horrors in Qatar became public knowledge. Jin Sook-Li, migration, gender and campaign director of the Building and Wood Workers International, a Geneva-based global union federation with 12 million members, told me her employer’s general secretary, Ambet Yuson, had his email hacked earlier this year and its website server was frequently down at the start of the year. “My Skype was hacked too and I still don’t have it back,” Sook-Li added.
A spokesperson for the ITUC, a Brussels-based trade union federation that boasts 168 million members, pointed me to a press release from January 2016, in which it claimed to have been the victim of a “disinformation campaign” related to its activism around 2022 World Cup worker conditions. The attack “included the dissemination of fake videos and other materials, setting up of fake social media accounts and various other techniques aimed at the ITUC and at individual people.” It noted that ITUC staff email had been hacked and “falsified material inserted into emails.”
Separately, when general secretary Sharan Burrow was co-chair of the World Economic Forum meeting in Davos in January this year, cyber spies were tracking “pretty much every engagement that she had at Davos,” the spokesperson added. The digital sleuths then used fake social media profiles and search engine optimisation to promote fake and negative stories about Burrow. “Fake news is not news to us,” the spokesperson added, noting attacks spiked around quarterly meetings of the UN’s International Labor Organization.
Middle East spy campaigns against activists are rampant. A probe of the email server used by Voiceless Victims to track email recipients, Mxsvr.net, revealed multiple spywares. (I was unable to contact those running Mxsvr, ReadNotify or WhoReadMe). One malware was delivered from the server via a document designed to act as a lure, a supposed registration form for the Mohammed bin Rashid Al Maktoum Foundation, a charity founded by the vice president of the United Arab Emirates and ruler of Dubai. A malware researcher, who asked to remain anonymous, said that once the document was opened, the victim downloaded a variant of njRAT, which grants control over an infected Windows machine to a remote hacker, steals passwords and accesses the PC camera. In the last three years, njRAT has been increasingly used in surveillance campaigns on Middle East governments, telecoms firms and energy industry targets.
“The Gulf states’ cyber surveillance capacity building is something that’s of growing concern to us, and in certain instances it’s clearly proactive and very aggressive. If this Voiceless Victims campaign is an offshoot of that larger strategy, then it’s deeply troubling,” said Nick McGeehan, Bahrain, Qatar, and United Arab Emirates researcher at Human Rights Watch.
The hunt continues
Despite all signs pointing to the Middle East, there’s no evidence hinting at a specific perpetrator, only clues.
From the open source data available, there are indications Voiceless Victims is the work of individuals in the Middle East. I had an open source intelligence expert, who asked to remain anonymous, to carry out a “pattern of life” analysis on the social media activity associated with Twitter accounts @vlvictims, @ISQW2022 and @amelielefebvre0. Looking at 385 tweets over a nine-month period, it’s apparent that very few tweets were sent on Friday or Saturday (see chart below). “This aligns with the working week of a number of Muslim-majority countries, particularly in Arab states of the Persian Gulf,” my source wrote.
The timings of the tweets, they added, indicated the group had distinct start time (UTC 06:00 UTC) and end (16:00 UTC), “times which suggest a defined daily working pattern, and this apparent working period is more consistent to an Eastern time zone (possibly between UTC +0100 and UTC +0500).” It’s possible the timings were faked too, however, as Hootsuite was used to organize a timetable for posts, said Cuthbert.
It’s doubtful we’ll ever discover the real identities of those running Voiceless Victims. Amnesty could only guess that the Qatar government may have funded it, given the state has gone as far as to arrest journalists for fear of the appalling conditions for migrant workers. Qatar outright denied any knowledge of Voiceless Victims, in a letter sent to Amnesty this month.
Another theory the NGO put forward was an enemy of Qatar had set up the campaign in order to embarrass the country. If the Qatar government was accused of carrying out online surveillance on those trying to expose its wrongdoings, it would only look more repressive. The UAE was a possible suspect for Amnesty. Egypt has had frosty relations with Qatar too. Cuthbert’s best guess was a PR firm had been paid to carry out the work on the behalf of Qatar, but had bodged the job.
These are all hypotheticals. But the threat Voiceless Victims represents – the ease with which spies can create fake personas and organizations for surveillance purposes – is now all too real.