Beyond the Shadows: Mapping the Islamic State’s (IS) Persistent Dark Web Infrastructure
This report provides an in-depth analysis of Islamic State's (IS) presence on the dark web. Leveraging the capabilities of StealthMole’s Darkweb Tracker, Telegram Tracker, and other intelligence correlation tools, this investigation mapped out IS' digital infrastructure and exposed connections between dormant onion services, leaked propaganda material, cryptocurrency wallets, and pro-IS Telegram ecosystems.
IS is regarded as one of the wealthiest jihadist organizations globally. Their infrastructure, particularly on surface web and social platforms, is constantly under pressure from law enforcement and intelligence takedowns. However, their dark web presence remains resilient due to strategic domain redundancy and stylistic consistency in mirror site deployment. This investigation shows how, despite takedowns, IS' online ecosystem can still be traced and mapped using historical intelligence footprints available on StealthMole.
Incident Trigger & Initial Investigation
The investigation began with the identification of a live IS-affiliated onion site:
- http://f***********************************************************d.onion/
This site, referred to internally as “F******s,” is one of the more commonly known dark web assets attributed to IS. It is frequently circulated in encrypted chatrooms and remains a cornerstone of their deep web infrastructure. Running it through StealthMole's Darkweb Tracker led to the discovery of a sprawling web of 74 additional onion domains, out of which 60 were confidently linked to IS activity. These domains showcased operational similarities in structure, naming conventions, and content themes, including:
- Propaganda dissemination (including photo reports and PDFs of Al-Naba)
- Donations and financial collection via Monero
- Recruitment and contact via Telegram bot embeds
A particularly powerful feature of StealthMole is its ability to index and preserve even inactive or deleted onion URLs. This allowed for historical pattern mapping, showing that many of these domains follow repeatable templates, often only altering domain-level identifiers (e.g., switching .in to .ws or .blog) while maintaining identical directory paths and design layouts.
Subsequent scans of f******s.co.za and I****.blog revealed secondary pivots:
- http://7********************************************************d.onion
- https://i****.co.za
- i3**************************************************d.onion
From these, we tracked:
- Embedded XMR wallets
- Telegram bot names
- Recycled mirror domains
This domain-led mapping also exposed the Telegram ecosystem behind the IS content, linking site paths to specific bots (e.g., @s*************h_100bot) and channel handles that would otherwise remain disconnected.
As StealthMole indexed deeper pages like /lang/ar_d******n_******r/page/2/, and media-rich folders containing hundreds of images and hash strings, it became clear that these onion services were being used not only to spread ideological content, but also to coordinate digital outreach and decentralize hosting through .onion subdirectory nesting.
Pattern Recognition and Infrastructure Clustering
StealthMole revealed that IS often recycles domain names with slight variations to ensure resilience against takedowns and improve recall for their followers. These variations are often superficial (e.g., switching TLDs like .in, .ws, .blog) while maintaining a consistent base structure:
Examples include:
- I*****.in, I*****.ws, i***.blog, i**.co.za
- .onion mirrors such as i3*********************************d.onion
This reuse of stylistic identity makes new mirrors instantly recognizable to IS followers while maintaining operational redundancy. These domains frequently link to the same Telegram accounts, Monero wallets, and file dumps, indicating a coordinated infrastructure managed by the same actor or group.
A handful of core domains uncovered from the original f******s investigation appear to serve as root hubs, distributing identical content across the rest:
- 77******************j...onion
- zc*******************o...onion
- 4i*********************4...onion
- al***********************x...onion (now down)
Each of these sites:
- Hosted or linked to Al-Naba PDF archives
- Contained unique Monero wallets
- Shared Telegram bot or contact embeds
- Included XMPP/Matrix/Threema fallback contact options
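The clustering described above (clearnet mirrors that differ only by TLD, plus hub sites sharing the same wallets and bot embeds) can be reproduced as a union-find over extracted indicators. This is an added example, not StealthMole's code; the records, wallet strings and bot handles are constructed placeholders, not real indicators.

```python
from collections import defaultdict

# Constructed sample records: per-domain indicators an analyst would extract
# from crawled pages (wallet strings, Telegram bot handles). All values are
# placeholders, not real IoCs.
RECORDS = [
    {"domain": "mirror.in",      "wallets": {"xmr-w1"}, "bots": {"@bot_a"}},
    {"domain": "mirror.ws",      "wallets": {"xmr-w1"}, "bots": set()},
    {"domain": "mirror.blog",    "wallets": set(),      "bots": {"@bot_a"}},
    {"domain": "aaaa1111.onion", "wallets": {"xmr-w2"}, "bots": {"@bot_a"}},
    {"domain": "bbbb2222.onion", "wallets": {"xmr-w2"}, "bots": set()},
    {"domain": "unrelated.net",  "wallets": {"xmr-w9"}, "bots": {"@bot_z"}},
]

def base_name(domain):
    """Pivot key for clearnet domains that differ only by TLD
    (e.g. name.in / name.ws / name.blog). Onion hostnames are derived
    from a key pair and are unique, so they get no base-name pivot."""
    host = domain.lower().rstrip("/")
    if host.endswith(".onion"):
        return None
    return "name:" + host.split(".")[0]

def cluster(records):
    """Union-find over domains: two domains join one cluster when they
    share a wallet, a bot handle, or a clearnet base name."""
    parent = {r["domain"]: r["domain"] for r in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    def union(a, b):
        parent[find(a)] = find(b)
    first_seen = {}  # pivot key -> first domain carrying it
    for r in records:
        keys = {"wallet:" + w for w in r["wallets"]}
        keys |= {"bot:" + b.lower() for b in r["bots"]}
        if base_name(r["domain"]):
            keys.add(base_name(r["domain"]))
        for k in keys:
            if k in first_seen:
                union(r["domain"], first_seen[k])
            else:
                first_seen[k] = r["domain"]
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

if __name__ == "__main__":
    for g in cluster(RECORDS):
        print(len(g), g)
```

The largest cluster ties the three clearnet mirrors to both onion hubs through one bot handle and one wallet, which is the kind of link a single-domain takedown leaves intact.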
Notably, StealthMole preserved even those domains marked inactive, enabling a full forensic mapping of IS’ decentralized infrastructure, a critical benefit when these actors recycle elements like bots and wallets even after apparent takedowns.
Telegram Ecosystem and Social Media Integration
Telegram remains a cornerstone of IS' digital communication strategy. Our investigation traced onion-linked bots and accounts using StealthMole’s Telegram Tracker. Noteworthy entities included:
- Channels: https://t.me/+*************y, https://t.me/p**********7, https://t.me/b***********a
- Bot aliases: @s**************ah_100bot, @A*******3_bot, @At********4_Bot
- Dormant usernames: @b*******a (previously @f**********r), linked to IS material redistribution
Though several accounts are now suspended or inactive, StealthMole retained username histories and channel metadata, allowing reconstruction of influence pathways and actor overlaps. The linkage between IS-themed content and unrelated black market groups (e.g., p***********7) suggests overlapping spheres where ideological and criminal content may commingle.
Cryptocurrency Wallets and Financial Infrastructure
At least six unique Monero (XMR) wallets were identified across different sites:
- 85************************************************************************i
- 4*************************************************************************t
- 84************************************************************************c
- 43************************************************************************e
- 84*************************************************************************M
- 8**************************************************************************K
These wallets are usually found near contact forms or donation appeals. Their presence alongside Telegram links and decentralized chat options (Matrix, Threema, XMPP) suggests a tiered operational model where:
- First contact is made via Telegram
- Financial transactions are conducted via Monero
- Secure follow-ups take place through encrypted messengers
Document and File-Based Intelligence
While investigating I*******m...onion, StealthMole uncovered a 23-page Arabic document listing dozens of Islamic State (IS) digital assets and secure communication tools. The document included links to websites such as k****m.com, z***a.org.il, and e********s.cc, along with credentials for Threema, Matrix, Conversations XMPP, and other platforms frequently used by extremist groups to evade detection. On initial inspection, it appeared to be a curated collection of IS-affiliated resources, offering insight into the group’s operational landscape.
However, deeper investigation into embedded metadata and associated identifiers revealed that this document was not compiled by IS, but rather by a researcher or threat analyst linked to the counter-terrorism initiative Antitatrof.com. One of the contact emails embedded in the file, e*******@gmail.com, was found through StealthMole’s Credential Mapping tool to be associated with several password leaks and stealer malware infections. This points to a likely scenario in which the analyst’s system was compromised, potentially through phishing or infected threat intel samples, leading to unauthorized exfiltration of internal files.
The leaked report itself reflects a professional OSINT collection effort, likely intended for institutional use in monitoring, disrupting, or analyzing jihadist networks. Its tone, formatting, and focus on infrastructural data over ideological content support this conclusion. This case underscores not only the complex interplay between threat actors and those tracking them, but also the inherent risks for counter-terrorism researchers operating in hostile cyber environments where missteps can result in operational data leakage or false attribution.
Conclusion
This investigation highlights the Islamic State’s complex and resilient presence on the dark web, built not only on ideological persistence but also on a deliberate and strategic deployment of technical infrastructure. Despite widespread law enforcement takedowns, the group continues to thrive in digital anonymity by employing tactics like:
- Domain redundancy with visually and linguistically similar URLs (e.g., I*****m mirrors)
- Use of privacy-preserving cryptocurrencies like Monero
- Encrypted communication via Telegram, Threema, XMPP, and Matrix
- Layered hosting models with .onion mirrors and fallback domains
- Persistent use of bots, PDF propaganda, and media archives
The ability of StealthMole to index and reconstruct these digital fragments, long after threat actors believe them to have been wiped, proves indispensable in mapping jihadist ecosystems. The case also illustrates how IS operational security protocols now prioritize flexibility, automation, and content mirroring across platforms and services.
Moreover, the presence of leaked credit card data and indications of financial experimentation underscores a blurring line between ideological extremism and cybercriminal behavior. It also raises questions about IS’ evolving fundraising strategies, which increasingly exploit anonymity, global finance loopholes, and digital deception.
Editorial Note
While every effort has been made to ensure the accuracy of this report, it is important to acknowledge that attribution in cyber investigations can never be guaranteed with complete certainty. The connections drawn are based on available open-source intelligence and StealthMole platform data. However, attribution remains probabilistic and subject to change as new information emerges.
The primary goal of this report is not just attribution, but also to showcase how StealthMole’s platform enables comprehensive, efficient, and intuitive profiling of threat actors through integrated tools such as Dark Web & Telegram Trackers, ULP Binder, the Compromised Data Set and others. These tools allow even independent researchers to connect dots across aliases, infrastructure, and behavioral patterns, transforming fragmented data into actionable intelligence.
To access the unmasked report or full details, please reach out to us separately.
Contact us: support@stealthmole.com