Far-Right Lone-Actor Terrorist Attacks and Violent Extremist use of File-Sharing Platforms

Our most recent research analyses the terrorist attack in Bratislava, Slovakia on 12 October and the exploitation of smaller file-sharing platforms to disseminate terrorist propaganda.

This analysis is based in part on a confidential intelligence briefing produced by Tech Against Terrorism’s open-source intelligence (OSINT) team on 14 October 2022. If you would like to obtain a copy of this briefing, please email [email protected]

Executive Summary

  • The terrorist attack in Bratislava, Slovakia on 12 October 2022 is the latest mass shooting in Europe motivated by far-right violent extremism. The attack is the most recent in a series of attacks linked by their ideology and modus operandi, comprising both the methods of violence and means of disseminating propaganda employed by the attacker.

  • The use of outlinks from larger beacon platforms[1] to smaller file-sharing sites to disseminate the attacker’s manifesto reflects a new typology of behaviour within a subset of far-right violent extremist online networks, namely lone-actor attackers who seek to exploit file-sharing platforms to host their critical material, including manifestos and livestreams.

  • This method of dissemination conforms to the adversarial shift in online strategies exhibited by Islamist terrorist organisations, who have long targeted smaller file-sharing platforms for propaganda hosting. This strategy disperses content across a diversity of platforms, to complicate content moderation efforts.

  • This typology of behaviour characteristic of violent far-right lone-actors is however distinct from violent Islamist exploitation of file-sharing platforms in its preoccupation with committing lone high-profile acts of violence as well as with the sharing and preservation of associated propaganda in the immediate aftermath of a lone-actor attack.

  • A renewed focus on the evolving strategies of propaganda dissemination by the perpetrators of far-right violent extremist and terrorist attacks is required to more effectively respond to this threat which complicates content moderation and requires a more coordinated effort from governments and tech companies.

  • Focus must be placed on supporting smaller platforms and enabling them to both better prepare for and respond to terrorist exploitation of their platforms, particularly in the aftermath of high-profile attacks. Tech Against Terrorism’s Terrorist Content Analytics Platform (TCAP) which alerts terrorist content to tech companies when we find it on their platforms, is designed to mitigate this problem. It includes a broad network of platforms, including smaller platforms, and together with an effective OSINT response in the aftermath of attacks, we alert material to tech companies, big and small, as quickly as possible.


The attack

At 1900hrs on 12 October 2022 a gunman killed two people and injured one other on Zámocká Street outside the LGBTQIA+-friendly Tepláreň Bar in Bratislava city centre. The shooting, initially reported as a hate crime by Slovakian police, has been re-classified as a terrorist attack by Slovakian investigators. Prior to the attack, the attacker released a manifesto,[2] which indicates that his ideology and motives were rooted in anti-Semitism, racist nationalism, and anti-LGBT hatred. Tech Against Terrorism has been tracking and disrupting the spread of the manifesto since the day of the attack.

The New Zealand Classification Office classified the Bratislava Manifesto as objectionable on 19 October 2022. This classification criminalises the distribution and possession of the manifesto. As a result of this formal classification, Tech Against Terrorism has been able to alert tech companies through our Terrorist Content Analytics Platform (TCAP) when we identify links to the manifesto on their platforms.

This analysis will focus on the role of file-sharing platforms in the dissemination of propaganda linked to violent far-right lone-actor attacks. There is a pattern among a selection of attackers which represents an emerging typology of behaviour within the propaganda dissemination strategies of violent extremists on the far right. There has been an increase in the use of file-sharing platforms, especially after high profile lone-actor attacks such as this shooting, the March 2019 attack in Christchurch, New Zealand, which killed 51 people and injured 40 at two Mosques, and the May 2022 attack in a supermarket in Buffalo, NY which killed 10 people and injured 3.

Attacker’s Online Footprint

The attacker was active on social media in the weeks and days preceding the attack, posting violent messages and selfies near possible targets including outside the Tepláreň Bar. Further, the attacker appears to have been engaged with a variety of far-right online spaces and referenced the attack in Buffalo as a specific catalyst in his decision to implement his manifesto and carry out the attack.

Online footprint image
Figure 1. Attackers' Online footprint.

The Manifesto and its Dissemination

At 1351hrs CET on the day of the attack the perpetrator posted six outlinks on Twitter to a 65-page PDF document titled “A Call to Arms”. The manifesto outlines the attackers’ ideological views, attack planning, incitement of others to violence, and the sources of inspiration to carry out an attack. It also details how the author meant to spread the manifesto, and includes an explicit statement of their intention to share the manifesto on file-sharing platforms.

The links led to six different file-sharing platforms hosting a PDF of the document. Following the attack, the manifesto was likely lifted by supporters from these six small file-sharing sites and subsequently re-uploaded on other file-sharing platforms as well as across popular messaging channels affiliated with the violent far right, including chatrooms, message boards, and forums.

Network analysis image

Figure 2. Network analysis of manifesto distribution following the attack.

Despite the removal of the original post by Twitter, this decentralised dissemination strategy creates a relatively robust network of links and hosting sites through which the manifesto can be found and re-shared by those sympathetic to the attacker’s views. The attacker is explicit about his desire to use these sites so that “these words get out to people.”

Exploitation of File-Sharing Platforms by Terrorists and Violent Extremists

The use of file-sharing platforms is a strategy long employed by terrorist and violent extremist actors online. Since November 2020, Tech Against Terrorism has, by means of our Terrorist Content Analytics Platform (TCAP), located, verified, and alerted a total of 24,635 unique URLs linking to official terrorist propaganda and placed on file-sharing sites by both far-right and Islamist terrorist entities.[3] According to Tech Against Terrorism’s monitoring, Islamist terrorist groups have turned towards the use of smaller file-sharing sites after being increasingly moderated on mainstream social media and under increasing scrutiny across large platforms.[4]

Networked file-sharing dissemination is a strategy essential to both Islamic State and Al-Qaeda’s propaganda ecosystems and content thus distributed represents a significant proportion of such organisations’ total online content, and comprises predominantly content in the earlier stages of the dissemination process.[5]

Hosting content on file-sharing sites and sharing links to the content on social media limits the impact of content moderation by specific platforms since smaller platforms to which users are directed are often unable to combat terrorist use of their services on their own. As a result, this strategy provides a more stable hosting environment for terrorist content.

Islamist graph title

Islamist graph
Figure 3. URL links to file-sharing platforms by Violent Islamist Extremists. Source: TCAP.

Across the wider far-right terrorist online ecosystem, messaging platforms and archives remain a more popular method of content dissemination representing 67.1% of unique URLs.[6] The lack of widespread exploitation of file-sharing platforms by the violent far-right is likely due to three key factors. Firstly, violent far-right actors often share content within groups such as messaging apps, which already provide a stable environment for content. Secondly, violent far-right content is not as identifiably tied to designated terrorist organisations, and is therefore less likely to be moderated, meaning that violent far-right actors have historically found it less necessary to diversify their propaganda dissemination strategies. Lastly, there are several alt-tech services that provide some violent far-right actors with a more permissive space on which to communicate and propagate their message, mostly having been deplatformed from more mainstream social media.

These trends complicate content moderation efforts as they make violent far-right content difficult to identify and classify, networks of content dissemination hard to track, and terrorist content on certain platforms hard to remove. While we have not yet seen the widespread adoption of file-sharing platforms to host propaganda by the far-right terrorist and violent extremist online ecosystem, lone actor attacks have popularised this strategy. This is likely due to the coordinated tech sector response and automated removal of violent content which largely prevents the hosting of violent far-right content on larger platforms.

Far-Right Violent Extremist Attacks and File-Sharing Platforms

Violent far-right extremists have a long history of propagandising acts of violence. Manifestos and other propaganda have been shared by many attackers before and during their violence. The March 2019 attack in Christchurch, New Zealand has become a recent reference point for a wave of attacks, high-profile examples of which include the August 2019 El-Paso shooting, which killed 23 people and injured a further 23, the October 2019 Halle attack, which killed two people and injured two, and the May 2022 attack in Buffalo, NY. Several of these attackers did not use file-sharing platforms, but instead shared and hosted their propaganda on fringe social media platforms and messaging boards. When focusing on the exploitation of file-sharing platforms three recent attacks hold prominence. The 15 March 2019 attack in Christchurch, the 12 October 2022 attack in Bratislava, and the 14 May 2022 attack in Buffalo. Both the Christchurch and Bratislava perpetrators outlinked their propaganda to filesharing sites in the hours immediately preceding their attacks. By contrast, the presence of the livestream and manifesto of the Buffalo attacker on file-sharing sites is due to re-uploads by supporters following the attack.

If the use of file-sharing platforms to host the attacker’s propaganda is representative of a new behavioural typology characteristic of lone-actors and their supporters, this suggests a move away from hosting and sharing content on one platform. This was a strategy previously instrumental to disseminating the most shocking content, whereas the forums and social media sites that used to host content now serve as beacons to direct followers to content on more stable sites. This shift is likely due to increased scrutiny and attention to extreme violent far-right content across major platforms.

March 2019 attack in Christchurch, New Zealand

On 15 March 2019, in Christchurch, New Zealand an Australian national killed 51 people and injured 40 in a mass shooting at two Mosques. The attack was livestreamed directly to Facebook and copies of the manifesto, which outlined the attacker’s violent far-right ideology and incited others to violence, were provided in links to seven different file sharing platforms. Since November 2020, Tech Against Terrorism has identified and alerted 321 unique URLs linking to the Christchurch perpetrator’s manifesto and livestream across 30 platforms through the TCAP. Messaging and archive platforms hosted most of the content.

This attack has had a huge impact on its intended audience with subsequent attackers referencing the Christchurch perpetrator as an inspiration and copies of the manifesto and livestream shared across a wider network of file-sharing sites and messaging platforms by supporters.

May 2022 attack in Buffalo, USA

On 14 May 2022, a gunman carried out a shooting at a supermarket in Buffalo, New York, killing 10 people and injuring three others. The attacker shared a manifesto, engaging in anti-Semitic and racist rhetoric exhibiting common far-right violent extremist tropes. The attack perpetrator live-streamed the attack on Twitch. In the aftermath of the attack, between the 17-18 May, 2022 Tech Against Terrorism identified and alerted 103 copies of the attacker’s manifesto and livestream. Most of this content was identified on messaging platforms, and 43 URLs were found on one platform alone. By contrast, we identified 11 unique URLs across six different file-sharing platforms. The distribution of these URLs across a wider variety of file-sharing platforms represents a concerning trend of turning to small-file sharing platforms to fragment the location of content to complicate content moderation efforts. In total Tech Against Terrorism has identified 194 URLs linked to the Buffalo attacker’s manifesto and livestream on 34 different platforms. Messaging and social media platforms have hosted the majority of URLs.

Buffalo graph title
Buffalo graph
Figure 4. Copies identified on file sharing and video sharing platforms of the livestream and manifesto produced by the perpetrator of the attack in Buffalo, New York in May 2022.[7] Source: TCAP.

The Christchurch and Buffalo attacks stand out as recent shocking examples of the threat of far-right violent extremism. Our research suggests that at the time of writing, the manifesto linked to the attack in Bratislava has been shared in similar online spaces to these attacks, albeit less prominently. It is likely that the attack has been less sensationalised in these spaces due both to the absence of video content which has been widely disseminated in other attacks and to the smaller casualty count than incurred by other high-profile attacks.

Significance

These attacks provide a framework for future attackers and supporters, not only in the methods of violence and attack planning but also in the strategies of propaganda dissemination. The growing list of attackers from Christchurch to Bratislava build a body of knowledge on which others will draw, and will be evident in the online footprint, methods of violence and propagandistic value of future attacks and their perpetrators.

Tech Against Terrorism is focusing on supporting smaller platforms and file-sharing platforms to mitigate the threat posed by this shift in propaganda dissemination strategies. Tech Against Terrorism’s Terrorist Content Analytics Platform (TCAP) is designed to identify, verify, and alert terrorist content. Led by the work of our OSINT team we are focusing on supporting smaller platforms to prepare for and combat terrorist exploitation of their services. With a broad network of over 100 platforms, we help bring the tech sector together to mitigate the threat posed by terrorist actors and their shifting propaganda dissemination strategies. To date we have alerted over 39,000 unique URLs linked to terrorist content. Through the TCAP we alert new content daily and respond in real time to terrorist attacks, as we continue to do in connection with the shooting in Bratislava on 12 October 2022.


[1] A Beacon Platform is a platform used by TVE actors to centralise their propaganda dissemination, and to signpost users towards new content elsewhere online. This concept is based on analysis by Ali Fisher, Nico Prucha, & Emily Winterbotham, “Mapping the Jihadist Information Ecosystem: Towards the Next Generation of Disruption Capability,” Global Research Network on Terrorism and Technology, Paper No. 6, 2019.

[2] The manifesto circulated was in all probability written by the attacker, given his online footprint.

[3] [Terrorismanalytics.org](https://www.terrorismanalytics.org/)

[4] Conway et al, “Disrupting Daesh: Measuring Takedown of Online Terrorist Material and its Impacts” Studies in Conflict & Terrorism 42, no. 1-2 (2019).

[5] Weirman and Alexander, “Hyperlinked Sympathizers: URLs and the Islamic State” Studies in Conflict and Terrorism 43, no.3 (2020).

[6] [Terrorismanalytics.org](https://www.terrorismanalytics.org/)

[7] Video-sharing platforms are included as they serve the same functionality as file-sharing platforms.