Political Spearphishing

If you’ve ever visited my LinkedIn you know that I admit to working for a “nameless detective agency” in Los Angeles. I haven’t displayed any of the stuff I’ve been doing, but this week I got something where I can make my findings public, a broad political spearphishing campaign.


The origin of the emails was obfuscated, but all of them were anchored at the same domain. Using Maltego I found dozens of subdomains.

Many Mail Servers

The Whois lookup for the domain was completely useless, a proxy registration intended to thwart diggers.

Current Whois

But this particular operator didn’t register clean at the start of this game. Hello, Mohammed Benyahia.

by Mohammed Benyahia

The other 21 domains associated with his name were available:

Mohammed Benyahia domains

Domains are registered to , and a quick scan shows that and are quartered in the same place today. This gives me the sense I’ve got the right guy; it’s not like someone picked up the domain at random and put it to work using Benyahia’s business as a cover.

I visited’s site and they conveniently revealed the @tersea Twitter account. It only took moments to find @Salutismo, Benyahia’s personal account, and then from there the rest fell out quickly.

@tersea & @Salutismo Common Contacts

Some of those are big media accounts; stripping those out, it appears we’ve found some possible associates:

Benyahia's Probable Associates

Among them, I most like Dany Tech aka Omar Salhane, since he’s locked down and that sounds like a Moroccan name, same as Benyahia. Small accounts like these, particularly long abandoned, are absolute treasure: they’re a candid admission of how things were in the past, and only a really experienced player will know to clean up, or to salt their trail with fake stuff.

Omar Salhane's One Mention

So that’s some initial recon. We’re looking for someone who can pick out who is important in a specific left-leaning political organization and go at them hard. A Moroccan living in Paris with rented servers in Ireland? That doesn’t add up, so at this point I guess this guy is a service provider to many activities, perhaps some shady, and I change direction a bit.


I found thirteen IPv4 and two IPv6 addresses active for the twenty-one domains.

Active IPs

The domain is hosted within AS36884 Wana in Morocco. There are some other servers within AS8560 1 & 1 in France.

1 and 1 Servers

I thought it would be interesting to employ ThreatCrowd, a Maltego transform that queries Alien Vault’s Open Threat Exchange. Two of the fifteen IPs came back hot – involved in malware campaigns. Notice the number of German domains here? All of Benyahia’s contacts are French speakers, so this looks like a generalized place for bad actors.

ThreatCrowd Results

And the main domain came back hot, too.

tersea ThreatCrowd Results
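As an added example (my own script, not code from the original post), here is the IP-pivot step above done in Python: resolve each domain to its A/AAAA records, count IPv4 versus IPv6, find addresses shared by several domains, and flag any that appear in a threat-intelligence hit list. The resolver is pluggable so the constructed sample data below runs offline; the flagged set is a stand-in for the ThreatCrowd/OTX results, not real indicators.

```python
import ipaddress
import socket
from collections import defaultdict

# Constructed stand-in for a threat-intel feed (ThreatCrowd/OTX hits); not real IoCs.
FLAGGED_IPS = {"203.0.113.7", "198.51.100.20"}

# Constructed DNS answers so the example runs offline (documentation-range addresses).
SAMPLE_DNS = {
    "mail1.example.test": {"203.0.113.7"},
    "mail2.example.test": {"203.0.113.7", "2001:db8::1"},
    "shop.example.test": {"198.51.100.20"},
    "dead.example.test": set(),          # parked domain, no records
}


def live_resolver(domain):
    """Resolve A and AAAA records with the system resolver (used outside the test)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(domain, None)}
    except socket.gaierror:
        return set()


def sample_resolver(domain):
    """Offline resolver backed by the constructed table above."""
    return SAMPLE_DNS.get(domain, set())


def map_infrastructure(domains, resolver=live_resolver, flagged=FLAGGED_IPS):
    """Pivot a domain list into shared hosting and threat-intel hits."""
    ip_to_domains = defaultdict(set)
    for domain in domains:
        for ip in resolver(domain):
            ip_to_domains[ip.split("%")[0]].add(domain)   # drop IPv6 scope ids
    v4 = {ip for ip in ip_to_domains if ipaddress.ip_address(ip).version == 4}
    v6 = set(ip_to_domains) - v4
    # Addresses serving more than one domain reveal shared infrastructure.
    shared = {ip: sorted(ds) for ip, ds in ip_to_domains.items() if len(ds) > 1}
    # Addresses present in the intel feed, with the domains that led to them.
    hot = {ip: sorted(ds) for ip, ds in ip_to_domains.items() if ip in flagged}
    return {"ipv4": sorted(v4), "ipv6": sorted(v6), "shared": shared, "hot": hot}


if __name__ == "__main__":
    for key, value in map_infrastructure(SAMPLE_DNS, sample_resolver).items():
        print(key, value)
```

Pass your own domain list and the default resolver to run it against live DNS; with the sample resolver it reports two IPv4 and one IPv6 address, one shared host, and two flagged addresses.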

I think Benyahia is a fraudster, a spammer, but he doesn’t read like someone who goes hunting in the American political space. He probably sold some services to someone who did, and that’s a deeper level of digging required to expose the truth. I haven’t seen the details on the attempts so I can’t predict if I’ll be able to display them here, or if they’re specific enough to identify the target.

This sort of work is fun for me, like doing a puzzle where there’s a scavenger hunt for the pieces before I can even start.