A Kenyan security guard now facing charges in Qatar after writing compelling, anonymous accounts of being a low-paid worker there found himself targeted by a phishing attack that could have revealed his location just before his arrest, analysts say.
While analysts from Amnesty International and Citizen Lab said they were unable to say who targeted Malcolm Bidali, the phishing attack mirrored others previously carried out by Gulf Arab sheikhdoms targeting dissidents and political opposition. It also would require access to confidential information stored by telecommunication companies typically only released to government or security force officials to be able to be useful as well.
Ooredoo and Vodafone Qatar, the two major internet providers in Qatar, did not respond to requests for comment. Qatar as well did not respond to questions about the phishing attack targeting Bidali.
The weekslong detention of Bidali, 28, in an undisclosed location comes ahead of Qatar hosting the 2022 FIFA World Cup and has again raised questions about freedom of expression in this small, energy-rich nation before the tournament.
“There is no evidence that he is being detained for anything other than his legitimate human rights work — for exercising his freedom of expression, and for shining a spotlight on Qatar’s treatment of migrant workers,” multiple human rights organizations campaigning for Bidali’s release recently wrote.
Bidali worked 12-hour days as a security guard. In his spare time, he wrote anonymously under the pen name “Noah” about his experiences as a guard, including trying to improve his worker accommodations and the challenges of life.
The reason for Bidali’s detention by security forces beginning late May 4 remains unclear. About a week earlier on April 26, he spoke and briefly appeared in a videoconference with civil society and trade union groups describing his experiences.
Just hours after that videoconference ended, a Twitter user sent Bidali a link he later clicked on that appeared to initially be a video from Human Rights Watch. But instead, it sent him to a decoy, look-alike YouTube page that “might have allowed the attackers to obtain his IP address, which could have been used to identify and locate him,” Amnesty said. An IP address is a numeric designation that identifies its location on the internet.
“In like 10 minutes, almost any techie can set a website to capture the IP address of someone who clicks,” said Bill Marczak, a senior researcher at Citizen Lab who also came to the same conclusion as Amnesty. “The hard part is converting the IP address into a real name and address.”
That typically requires access to private information kept by internet service providers that typically only they or governments can access.
Twitter later suspended the account that targeted Bidali with the phishing attack. The San Francisco-based social media company did not respond to questions about the suspension.
Late on Saturday night, Qatar said in a statement that Bidali had been “formally charged with offenses related to payments received by a foreign agent for the creation and distribution of disinformation within the state of Qatar.” The statement did not elaborate or offer evidence to support the allegation.
If convicted under Article 120 of Qatar’s penal code, which uses similar language as the Qatari statement, Bidali could face up to 10 years in prison and a 15,000 Qatari riyal ($4,000) fine. Early last year, Qatar also amended its penal code to allow for prison sentences of up to five years and a fine of 100,000 Qatari riyals ($27,500) for anyone publishing “rumors or statements or false or malicious news or sensational propaganda,” according to Human Rights Watch.
Qatar is home to the state-funded Al Jazeera satellite news network. However, expression in the country remains tightly controlled.
Related: ‘Dark Basin’ Hack-for-Hire Group Targeted Thousands Worldwide
Related: Journalists’ Phones Hacked via iMessage Zero-Day Exploit