GhostSec
Screenshot from a GhostSec promotional video. Image: Courtesy of Sebastian Dante Alexander

Road to redemption: GhostSec's hacktivists went to the dark side. Now they want to come back.


The hacktivist group Ghost Security, or GhostSec, made a name for itself more than a decade ago when it began hacking terrorist groups like the Islamic State. During ISIS’s heyday, GhostSec took down hundreds of their recruitment and media sites. Then, last fall, GhostSec’s operations took a dark turn: The group began working with cybercriminal gangs to launch ransomware attacks. 

Click Here spoke to the group’s leader, a man who goes by the name Sebastian Dante Alexander, about the group’s decision to turn to a life of crime and why anyone should believe them when they said back in May that it's all behind them. 

“I do hope that people understand why we did it,” Sebastian Dante-Alexander said. “I'm not saying it justifies it, but it's definitely at a time where we needed to do it.”

The interview has been edited for clarity and length.

CLICK HERE: For a long time you were a hacktivist group using its power for what many people would agree was the greater good, and then last fall you created GhostLocker to launch ransomware attacks. What happened?

SEBASTIAN DANTE ALEXANDER: We started selling databases [of information from our hacking victims] a while ago. Though I’d say even then the databases that we did sell were the result of socially conscious hacks. We started selling [information] from the countries that we’d attack and we had private channel on Telegram that people could join for a small fee. 

The reason we started all that is to fund our operations. We have VSPs [Video Service Providers] and hacking tools that needed to be covered. The number and scale of the operations we were doing – with industrial system attacks, for example — required more funding so we developed GhostLocker. [GhostLocker was a ransomware-as-a-service operation that offered a full suite of tools.]

CH: So you were on the side of angels, and then you weren’t. Can you see how people have doubts about you now that your motivations and ideology have changed? 

SDA: The ideology didn't shift. We made sure that GhostLocker was not used against any hospitals. Hospitals were a big no. I made that a rule from the beginning that everyone understood. Nobody wanted to hit hospitals in the first place. The whole point of GhostLocker was to target higher scale corporations, which I believe — to an extent — are all greedy. 

We made sure it was not used to target any educational centers and if educational targets did get hit, we stepped in to make sure no damage was done. In 90% of cases [in which educational centers were caught up in a GhostLocker attack] we didn’t complete the attacks. We didn’t release their information. 

And as a result of all this, now we have enough funding to continue our operations, and we no longer need [to launch ransomware attacks and use] GhostLocker. That’s why we retired GhostLocker, stopped selling databases with stolen information and stopped all our financially motivated cyber crime. 

We’re focusing on hacktivism again.


CH: Were you apprehensive or concerned about sullying the GhostSec brand by deciding to move to cybercrime?

SDA: A hundred percent yes. [People in our group voice] a lot of concern, and we didn't know how we could manage this kind of thing [crime] properly. But after talking with the whole team, we figured that if we can control how GhostLocker is used and make sure that it's not abused, then yes, doing this was possible.

We vetted everything. Affiliates had to join GhostLocker and not just pay a fee, but tell us who their targets would be. We gave them a full rundown on the rules and told them that if they hit any of the [prohibited] targets — for example, hospitals, education centers, anything related to medical — we would give the victims the decryption key for free and whoever was responsible among the affiliates would be removed from our affiliate program without a refund.

We still have our morals. We still have our ethics. I won’t say that it wasn't cybercrime — because it was. I'm not going to deny that, but we did our best to [maintain our ethical code] and just make some money to continue operating the way we want to operate.

CH: Did anyone in the group advise against going this route?

SDA: Actually, after speaking with everyone in the group, we all came to the conclusion that this is what's best to keep the operation going.

CH: Even if it ruins your reputation and everything that you had built previously?

SDA: I know that it does give us a bad look and the articles out there and the reports on GhostLocker and everything will always be there. Information on the internet never disappears. And we did it knowing that all this would happen. 

What I can say is that I'm not worried that it ruins our reputation. What I do hope is that people understand why we did it. I'm not saying it justifies it, but it's definitely at a time where we needed to do it.

CH: Did you think that doing that would set a bad precedent for other hacktivist groups — GhostSec went into the world of crime and came out of it, why can’t we?

SDA: It's definitely bound to happen. Maybe others would use it for greed instead of funding operations. But I believe that if a hacktivist uses ransomware, let's say, against a bad government and asks for [forgiveness], I believe then it is a reasonable ask. It's still wrong. Ransomware is still a messed up thing, right? I'm not going to try to justify any of it. But I feel like it is a reasonable ask.

CH: Do you think that launching criminal attacks in cyberspace changed your perspective at all?

SDA: Definitely. I had a bad [impression] of the entire cybercriminal world before all this. I had a holier-than-thou attitude. “We're hacktivists. We would never do something like this.”  It sounds very egotistical. But I met a lot of different people. And it helped me understand that, for many of these people, cybercrime wasn't a choice. It wasn't their first option in life. A lot of them went through things that led to them having to shift to cybercrime. 

Now, I'm not going to talk about myself or my group, because I already explained why we did what we did and then put it behind us. But what I did see from the [darkweb] community is that, to them, it's a business. They don't see it as a crime. They don't see it as wrong because to them, it's how they hustle. It's how they earn. 

And I do say it's wrong, but it did change my perspective because I do understand that this is how some of them really earn their living. Some of them grew up in a rough environment. Whatever the case is, some of these people genuinely believe that this path is the only way they can go. And until they realize that they have a choice in their lives, they will continue.

CH: Tell me about this hacktivist training program you have: NewBlood.

SDA: We started the project a few years back. It was mainly started by a member of the group, Wond3rGhost. She's a very important member to the group and a wonderful member.

She started this project with the other groups and the other members in the group to push newcomers to do hacktivism. The NewBlood project starts with having guidance on OpSec [operational security], making sure that you will not go to jail doing the stuff that you do, because we understand that hacktivism is still illegal, even if it's for a right cause.

And then we have a lot of topics on OpSec in the NewBlood project. There's a lot of topics that we go over, from basic to advanced hacking skills. Recently we added more tutorials, write-ups and resources that go over industrial hacking, network and web app hacking. It covers a lot.

We have a chat room, which is about 100 people. We're going to keep it at 100 for now, because managing more than that is going to be a disaster. The channel is where we post the resources, the things that will help newcomers to learn and grow.

CH: How do you know that graduates from the NewBlood program will use all these new skills for good?

SDA: We can't guarantee that. People are people; they're going to do what they think is best, and we can't control that. But the ones that enter the chat room, they get asked a lot of questions and we make sure that we understand, at least, what they value as a person. And it helps us decide who should leave or stay in the group. 

CH: What else are you working on now?

SDA: In Israel, we have hit a few different corporations and government agencies that, you know,  deserve to be hit in the way that we're going to do it. We also have a few industrial attacks we're going to do against Israel. We have more government leaks coming from Mexico — more information on the cartels.

CH: What do you think people fundamentally misunderstand about GhostSec?

SDA: A lot of people will see us as this ego power. But the truth is, GhostSec has only been there to keep offering our hand and supporting everyone. The reason we are big and we gained the respect and fame, power, and things that we have is because we actually just love helping. 

We extend our hands to a lot of people. We support newcomers, old people in the community. We've done our part to keep our face strong. And to a lot of the new generation of hackers, they misunderstand that and they see it as us being mighty. I’d say a lot of them don't understand that hacktivism and groups like GhostSec, and GhostSec itself, is very much needed in the world nowadays. 

With a world that is continuing to grow digitally, it’s going to be very important to keep the balance of the world to bring better change.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Dina Temple-Raston

Dina Temple-Raston

is the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future News. She previously served on NPR’s Investigations team focusing on breaking news stories and national security, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were You Thinking.”

Sean Powers

Sean Powers

is a Senior Supervising Producer for the Click Here podcast. He came to the Recorded Future News from the Scripps Washington Bureau, where he was the lead producer of "Verified," an investigative podcast. Previously, he was in charge of podcasting at Georgia Public Broadcasting in Atlanta, where he helped launch and produced about a dozen shows.

Jade Abdul-Malik

Jade Abdul-Malik

is a producer for the Click Here podcast. She has worked on podcasts with Gimlet Media and Sony Music Entertainment and was a reporter for Georgia Public Broadcasting in Atlanta.