How police hunted down an Ontario terror suspect from anonymous online posts
Ten weeks after the October 2014 terrorist attacks that targeted Canadian soldiers in Saint-Jean-sur-Richelieu, Que. and Ottawa, the so-called Islamic State received an encrypted message from Ontario.
“In Canada there’s a school called Canadian Royal Military College in Kingston,” it began. “Loads of students dressed in military uniform. I believe they have some agreement to serve in army after graduation.”
“All over town students walk around in uniform. They’re probably unarmed, but there is police squad cars constantly roaming the city, more than regular cities,” read the Jan. 2, 2015 dispatch. “It’s kind of important on my end to let me know when you’ve read.”
When the RCMP came across the message during an investigation, they had a problem. It appeared that someone had visited the military college of the Canadian Armed Forces and sent his observations to ISIS.
To make matters worse, the message had allegedly been forwarded to Reyaad Khan, a prolific ISIS attack planner behind several terrorist plots against the West, who had passed it on to a Canadian ISIS fighter.
If the RMC was a possible target, who had written the message? It had originated from the account of “Frank Dumberton,” on the encrypted social messaging application Surespot. So who was Frank Dumberton?
On March 25, 2016, the RCMP arrested Kevin Omar Mohamed in Waterloo, Ont. He pleaded guilty on June 2, 2017 to participating in the activity of a terrorist group. He was sentenced on Tuesday to 4.5 years.
In court on Monday, Mohamed admitted he travelled to Syria three years ago to join the Al Qaeda faction Jabhat Al-Nusrah and that he had used several aliases to post on social media about terrorist attacks in the West against “non-believers.”
A statement of facts agreed to jointly by the Crown and defence did not mention the military college incident but it was among the RCMP allegations raised at Mohamed’s bail hearing immediately following his arrest. The matter could not be reported until now due to a publication ban.
Paul Slansky, Mohamed’s lawyer, said his client “didn’t know who he was speaking to” when he discussed what “various universities and colleges” were like in Canada. “And the prosecution, police interpret this as information that was being provided to facilitate some kind of attack, but there’s no basis for that.”
But the RCMP said Mohamed had sent the message to an ISIS fighter in Syria and that it had been passed along to Khan, a British terrorist considered so dangerous by the government of the United Kingdom that it killed him in a drone strike.
The details of the RCMP investigation show how, as extremists have harnessed the Internet to push their violent agendas, police have pursued them there, peeling back the layers of seemingly anonymous online accounts.
Mohamed didn’t make it easy.
The former University of Waterloo engineering student used at least three aliases and accessed the Internet through free Wi-Fi at Tim Hortons restaurants. At times, he wrapped his phone in aluminum foil and used dark net software to conceal his online activities.
“Brothers, seriously, don’t be paranoid about security agencies,” he wrote on Twitter on June 17, 2014. “They are not all-knowing all-hearing.”
But he may have misjudged.
WATCH: Cybersecurity expert explains how the dark web is used by criminal organizations
“There’s nothing too technologically advanced in what they did,” Daniel Tobok, a digital forensics expert, said of the police. “This is what I call another day at the office,” said Tobok, CEO of Toronto-based Cytelligence Inc.
“They obviously received a tip about this person and his radicalized views. And they were able, leveraging technology like Twitter, like IP addresses, to track him.”
What struck Tobok was how long it took.
Who is Kevin Omar Mohamed?
Mohamed was born in Canada and grew up in Durham region, east of Toronto. He went to high school in Ajax. His father worked at an Oshawa auto-glass business. His mother is a Whitby realtor.
While at university, he “became very idealistic” and was “appalled” by the plight of the Syrian people, his lawyer said at his sentencing. He wanted to help. “Unfortunately, he chose the wrong way of doing it.”
On April 23, 2014, he bought a Turkish Airlines ticket leaving Toronto the next day. He flew to Istanbul, made his way to the border city of Antakya and crossed into Syria with the intention of joining Jabhat Al-Nusrah.
“Any1 who wants to come to sham [Syria] its so easy if u speak arabic justCome to the border,” he posted on Twitter on May 2, writing under the name Abu Khalid,” who described himself in his profile as a “supporter of international terrorism.”
Mohamed met members of Jabhat Al Nusrah and remained in Syria “at the direction” of the group, according to the agreed statement of facts. “His purpose was to enhance the ability of that group to commit terrorist activity.”
But he then crossed back into Turkey and met his brother and mother, who had flown there to find him. “They travelled to Antakya in order to persuade him to come home,” the statement of facts said.
Mohamed returned to Toronto on May 24.
“Are you in Syria?” someone asked him a month later on the social media platform Ask.FM.
“I was,” Abu Khalid responded. “I left due to unfortunate circumstances.”
He soon resumed posting on Twitter as Abu Khalid, assuring his followers he was raising money “to head back for jihad.” He suggested that “brothers” consider “cutting contact” with their parents “or else you might head back home.”
“If anyone reads my Tweets and sees I was in the lands Jihad and came back to the land of kufar [disbelief] don’t think it’s something I’m proud of,” he wrote. “Maybe you shouldn’t live in the lands waging war on Islam unless your planning attacks against them. Perhaps either get out or attack.”
“I’m starting to realize attacking the West is really beautiful,” he wrote. “Why don’t you get off your butt and attack? Either hijra [migration] to the lands of jihad or strike the kuffar [non-believers] in their homes right?”
One of the Tweets asked “bros in the west” what was stopping them from “killing vulnerable soldiers right now.”
The MEMRI report
The posts did not go unnoticed. The Middle East Media Research Institute, a U.S. group that monitors online extremist content, used a phishing technique to determine that Abu Khalid had accessed the Internet from Whitby.
On July 3, 2014, MEMRI published a report titled English-Speaking Jihadi Returning From Syria, Likely A Canadian, Incites Attacks In The West. It collected his Tweets and called him “a great admirer” of Osama bin Laden and Al Qaeda cleric Anwar Al-Awlaki.
Around that time, CSIS officers came to the house three times asking about Mohamed’s trip to Turkey, his mother said. She said she wasn’t concerned Mohamed had done anything because he told her CSIS harassed devout Muslims.
She eventually told them not to come back.
Project SWAP begins
The RCMP probe, Project SWAP, did not begin until a year later. “We began our investigation in July of 2015 when we received a MEMRI report,” Sgt. Adam MacIntosh testified at Mohamed’s bail hearing.
To identify Abu Khalid, police obtained a production order from the courts. It authorized police to obtain records identifying the user of the Rogers Internet Protocol address that MEMRI said was the source of his Tweets. The IP address turned out to be registered to Mohamed’s home address in Whitby, MacIntosh said.
Then police came across a screen capture of the message about the Royal Military College. MacIntosh said police found it when, in a separate investigation, they served a production order on Waterloo, Ont.-based KIK, a popular messaging application.
The military college was portrayed “as a prospective soft target … a place where you had several unarmed soldiers that would be vulnerable,” MacIntosh testified, adding the message had been shared “for the purposes of helping to facilitate a potential target in Canada.”
“Frank Dumberton” had sent it to an ISIS fighter in Syria who went by @AbuIsmail1435, who then passed it to Khan. Khan in turn sent it to the KIK messaging account of a Canadian ISIS fighter — whom police did not name.
Christian Leuprecht, an RMC political science professor and terrorism expert, said to the best of his knowledge staff were not told about the incident. But he said security was ramped up at the college, and at other Canadian military facilities, following the deadly 2014 attacks on soldiers.
Military facilities have security measures that might not be apparent to an uninformed observer, Leuprecht said. “And so even if somebody had tried to follow through with this sort of a plot, it is not clear to me that they would have been met with success,” he said.
“But you can see how in the mind of somebody who doesn’t really understand how the military does security assessment, hardens perimeters around facilities, whatnot, how they might look at this and look at it as a potentially appealing target.”
Likely because Surespot is based in Colorado, the FBI got involved, disclosing to the RCMP the IP address connected to the “Frank Dumberton” message about the military college. Police traced it to a Tim Hortons in Whitby, MacIntosh testified.
The RCMP then served a production order on Datavalet, the Montreal company that provides Internet service to Tim Hortons. That identified the device that had sent the message as a ZTE Concord smart phone. Another production order served on ZTE showed the phone was allegedly registered to Mohamed’s mother, MacIntosh said.
When he was an engineering student, Mohamed had allegedly done a co-op placement in Kingston, according to MacIntosh.
“So we know that Mr. Mohamed, living in Kingston, would be aware of Royal Military College,” MacIntosh testified.
Asked why the “Frank Dumberton” message was not part of the facts agreed to by the Crown and defence at Mohamed’s sentencing, Crown lawyer Sarah Sheikh said that “at times allegations are allowed at bail hearings that aren’t relied upon as evidence at a trial or sentencing hearing down the road.”
“And that was the case here. As Justice Durno said in court, the guilty plea in the joint recommendation on sentence was a result of negotiations between the Crown and counsel for Mr. Mohamed. And the agreed statement of facts that was put forward before the court was a direct result of those negotiations.”
Mohamed moves to dark web
Police put Mohamed under surveillance in October 2015. He appeared to have no social life and only interacted with people on social media, MacIntosh said. He seemed to spend most of his time at Tim Hortons, the library and mosques near his home and in Scarborough.
His Twitter posts, now under the name Abu Jayyid, were anti-ISIS and supportive of Jabhat Al-Nusrah. But he also wrote that he was “very glad” that Prime Minister Justin Trudeau had stopped Canadian air strikes against ISIS. “Allah will not make for the disbelievers a way over the believers,” he posted.
Police had been following him for four months when, at a library in Toronto, he caught someone touching his unattended computer. The surveillance had been “compromised,” the statement of facts said.
The next day he switched off his phone, withdrew $3,500 from the bank and went offline. Police didn’t know where he’d gone until he used his phone at Tim Hortons in Cambridge, Ont. five days later. Photos showed him removing aluminum foil wrapped around his phone, using his phone and putting it back in the foil.
Tobok said aluminum foil can hinder surveillance in some cases, although it’s less effective with newer smartphones. “It’s almost like going to a basement,” he said. “Signals just don’t go through so you are off the grid. But the moment you unwrap that phone, the next tower will catch your signal.”
Mohamed had also started using Tor, “dark web” software that allows users to access the Internet without being traced.
“The difference between the dark web and what people think is the standard or normal web is the dark web doesn’t get archived and you can’t search Google or Yahoo or any other major search engine,” said Tobok.
“Organized crime and many terrorism groups will leverage the dark web for communication,” he said. “They can be anonymous and no data can really be retrieved.”
Mohamed’s mother called this RCMP on Feb. 28 to report he was missing, adding he was radicalized and might try to leave the country. That same day, he posted on Twitter asking: “Could someone on the run from the cops join Jabhat?”
He’d been missing almost a month when a witness reported seeing him at the University of Waterloo’s Student Life Centre. Police watched as he lived out of open campus rooms, including the multi-faith room.
On March 25, 2016, following a deadly terrorist attack at Brussel airport, he posted an animated video-game-style photo on Twitter depicting a mass shooting. Campus security removed him from the university for trespassing and the RCMP picked him up.
He was carrying a hunting knife and two sets of keys, which opened lockers 184 and 187 in the basement of the university engineering building. Inside one of the lockers, police found an envelope. Written on it, according to MacIntosh’s testimony at Mohamed’s bail hearing, was @AbuIsmail1435 — the online handle of the ISIS fighter he had sent the information about the military college.
Police also found what MacIntosh said was a handwritten list of the steps required to commit a terrorist attack. It mentioned “military, security personnel” under the heading about targets. The title in Arabic was: “Assassination.”
His lawyer argued Mohamed had only taken notes from an article he had read in the Al Qaeda magazine Inspire.
“He’s reading something interesting and making notes,” Slansky said. “All it reflects is an interest in the topic and writing it down.”
Slansky said while Mohamed had intended to “potentially” join Jabhat Al-Nusrah, he had not done so, Slansky said, adding there was no proof he meant what he said in his social media posts.
The Crown said Mohamed had accepted responsibility for his actions and was willing to participate in de-radicalization. “I’d just like to say I’m sorry and I recognize what I did is wrong,” Mohamed told the court.
© 2017 Global News, a division of Corus Entertainment Inc.