EclecticIQ Threat Research Team
December 22, 2020

QAnon Conspiracies Show Organic Growth Capability with Multi-layered Digital Infrastructure

QAnon infrastructure and Modus Operandi drive a horizontally controlled, organically self-sustaining user community. While the group behind QAnon is seeding the direction of the narrative, the content is produced by followers leveraging infrastructure that cannot be directly tied to the original QAnon group and that appears to be maintained by followers.

This Modus Operandi (M.O.) empowers QAnon’s adaptability to recent events against the group, such as censorship on social media platforms. QAnon has moved from fringe to mainstream, and its content is now appearing and being distributed on sites not directly linked to the QAnon phenomenon and narrative.

QAnon is capable of influencing the focus and narrative of millions of people. Narratives could be weaponized to threaten a broad range of individuals and organizations as followers become radicalized via an increasingly hostile and violent narrative.

QAnon, from Fringe to Mainstream

QAnon is led by an unidentified individual or collective operating under a public alias known as “Q.” Q’s posts started appearing in October 2017 on the anonymous image board 4chan. Q presented himself as a high-ranking official within the US government willing to disclose ‘classified’ information closely related to the actions of Donald Trump through a publicly accessible forum.

The narrative and related content published by Q revolves around the following tale: Donald Trump is secretly fighting members of the US and global elite who are part of a cabal of Satan-worshipping pedophiles controlling the world and running a global child sex-trafficking ring.

There are no definite figures about the number of QAnon followers, but they are now estimated globally in the millions. Translation services provided by QAnon infrastructure and its adaptation of the narrative to local issues support a global outreach.

While QAnon's focus has been strictly political until recently, some of its followers are potentially a threat to public or private organizations that Q and its distributed narrative deem malicious. The past two years have seen car chases, kidnappings, armed standoffs with the police and a murder allegedly associated with or directly driven by the QAnon narrative.

Some QAnon followers radicalize very rapidly; in one case it took a person only 20 days to go from the first encounter with the QAnon narrative to making threats of violence. Should Q accuse a certain organization or individual of wrongdoing, it is probable, based on observed precedent, that a percentage of the many millions of QAnon followers worldwide will be ready and willing to respond to Q’s “call to arms.”

QAnon Adaptive Response against Censorship

The QAnon phenomenon has shown an adaptive response against censorship, as proven by the transfer of activity towards stealthier and less controllable venues.

In early October 2020, Facebook, followed by other social media companies such as Twitter and YouTube, banned all QAnon-related groups and channels. This move led to the migration of many QAnon followers to other social media platforms, such as Parler, that do not censor QAnon-related channels.

The censorship also led to a change in the QAnon distribution mechanism. A large part of the QAnon content distribution has moved to Telegram channels. QAnon Telegram channels existed before the social media ban, but started re-organizing after the ban. Many channels are now closed with a strict procedure to vet new participants wishing to join, making access difficult for “non-believers.”

QAnon Content Seeding Modus Operandi

Q discloses alleged secrets in public posts known as “Q Drops.” The posts are not disclosures, but rather riddles that followers are supposed to decipher. In the QAnon community, these riddles are known as “dough” and followers solving the riddles are the “bakers” turning “dough” into “bread.” The content within and linked to the riddles distributed by QAnon is usually taken out of context, twisted, or fabricated.

Q Drops first appear on the 8kun forum which acts as one of the two main primary sites. Secondary and tertiary sites distribute and enrich the original posts with additional content created by the curators. QAnon followers further share the content on social media sites and messaging channels.

QAnon Network Structure and Data Distribution Flow

QAnon distributes its content through three layers of web infrastructure that guarantee followers fail-safe access to conspiracy theories and allow for active follower participation that incentivizes continuous content generation and distribution. These layers:

  • Drive content seeding;
  • Mirror content, branching off the main narrative;
  • Generate offshoots of the main narrative, organically building additional narratives.

Layer 1: Primary Infrastructure Drives Content Seeding

The QAnon group supplies content via two primary channels: Qalerts[.]app and 8kun[.]top. 8kun[.]top is a forum-based website that drives most of the activity within the QAnon user community. This site provides users the possibility to further the narrative using the “bake dough into bread” Tactics, Techniques, and Procedures (TTPs) previously described. The site also comprises unrelated objectionable content that likely limits audience engagement.

The Qalerts[.]app site functions as an extended distribution network replicating original Q posts from 8kun. It does not provide the user community with the same capabilities that the 8kun[.]top website does and instead serves largely as a “push” website distributing new content narratives.

Both sites are hosted by Vanwatech, a provider known for hosting fringe websites and infrastructure supporting cybercriminal activities.
Logically first reported that Vanwatech was linked to Nick Lim and/or Jim Watkins, who both also previously worked maintaining and promoting public access for the QAnon conspiracy network. EclecticIQ analysts independently corroborated the connection between Nick Lim/Jim Watkins and Vanwatech. In its report, Logically also listed neo-Nazi websites and phishing sites posing as banks and mobile providers hosted on the Vanwatech infrastructure.

EclecticIQ analysts identified that some domains reported by Logically remain active and that new conspiracy-based websites associated with QAnon supporters have come online via Vanwatech in the last few weeks since this article’s publication.

Layer 2: Secondary Infrastructure Mirrors Content; Branches Main Narrative

A tier of secondary websites mirrors data from the primary infrastructure and serves important branches of the main narrative developed by the Q group.
The community enriches the content from primary infrastructure by adding narratives, derived from alleged connections suggested by QAnon followers as they give their own interpretations of Q messages.

Secondary sites may serve unrelated material not authored by the Q group. Other than the shared interest in the QAnon narrative, EclecticIQ could not find a direct link between the registrants maintaining the primary and secondary infrastructure. These sites are defined by the accuracy and completeness with which they replicate the content from the main sites. The infrastructure is not physically or logically connected. This indicates secondary websites are intended to maintain pseudonymity and is consistent with the horizontally controlled, organically self-sustaining user community model.

EclecticIQ analysts could not validate the identity of the people running these websites, but they portray themselves as QAnon community volunteers.

Layer 3: Tertiary Infrastructure Generates Offshoots of the Main Narrative

A ring of tertiary infrastructure provides momentum to the movement through independent and active community participation, organically expanding narratives.

The tertiary infrastructure solicits community participation into offshoots of the main narrative. The community within this infrastructure engages with branches of the main narrative, but is largely driven independently of content seeding from the main narrative.

The most significant site in the tertiary ring is qresear[.]ch. This website is distinguished by dense community participation and allows followers to submit content feeding the narrative branches of the conspirator network.

EclecticIQ observed three other websites in the tertiary ring managed almost certainly by the same individual.

QAnon Content Moving to Closed Channels/Underground Forums

Despite media reports that QAnon activity is slowing down due to disillusionment in the QAnon community, EclecticIQ research indicates activity has instead moved towards secondary and tertiary sites, closed channels and underground forums.

Major media outlets and newspapers reported a slow death of the QAnon phenomenon due to the results of the US elections. They based their conclusion on the absence of recent Q posts and on what appears to be a major slowdown in QAnon followers’ activity on 8kun.

EclecticIQ analysts corroborate that activity is reduced on primary sites, but secondary and tertiary sites remain active and are expanding with what appear to be new volunteers joining their ranks to create and distribute content. EclecticIQ also spotted new infrastructure set up in the last few weeks to support new campaigns.

QAnon's Modus Operandi is sophisticated and adaptive. The approach of delegating activities to the followers, posing riddles to solve (the aforementioned “baking dough into bread”) rather than providing outright answers, drives engagement: followers do not just passively consume content, but spend time creating it.

By delegating content creation to its community, QAnon has made it difficult to track and identify the sources of specific narrative and content. This approach provides a degree of obfuscation as it hides who is really behind the group in the mass of QAnon followers who have been charmed, want to believe the QAnon narrative and are volunteering their time to pursue what they perceive as being a “greater/heroic goal.”

The ban of QAnon channels on the biggest social media providers pushed QAnon content distribution underground. The re-organization of the QAnon Telegram groups, now with strict vetting procedures, suggests a quick M.O. adaptation by the QAnon group, which reinforces a sense of exclusivity for QAnon followers.

In an M.O. normally seen in cults, with access to what is perceived as highly secret/classified information, followers of QAnon feel they are part of an “elite group” with special knowledge about the most inner secrets and wrongdoings of national leaders and the steps their heroes will take to bring justice.

Outlook

Current QAnon narratives revolve around alleged U.S. election fraud. EclecticIQ’s observation of the most recently created QAnon infrastructure substantiates the hypothesis of the “stolen election” narrative remaining the main focus of QAnon activity in the near future.

The delegation of content creation and distribution has been successful and is almost certain to continue. Content creation and distribution are incentivized by the quest to solve the riddles submitted by Q, which encourages followers to remain engaged as they are rewarded with personal satisfaction and an increased status in the QAnon community.

The expansion in infrastructure, the success of the horizontal model, the adaptation in M.O. compounded with a growing number of followers, now estimated in the millions, suggest that QAnon activity will also almost certainly continue.

Though the QAnon phenomenon started in the U.S. in 2017, it expanded into Europe in 2020 by leveraging an anti-lockdown narrative criticizing measures put into place by European governments to combat the COVID-19 pandemic.

EclecticIQ analysts believe with high confidence that QAnon infrastructure will cement the current hold in the USA and Europe, support further activity, increase the follower count and further expand the group's area of influence into new countries.

Appendix - Infrastructure Details

Primary Infrastructure

https://8kun[.]top/qresearch/index.html
https://qalerts[.]app/

Secondary Infrastructure


Tertiary Infrastructure

https://qresear[.]ch/
https://qposts[.]in/
https://deathcas[.]es/
https://www.resignation[.]info/

Vanwatech Hosted Sites


New Infrastructure for Future QAnon Campaigns


2020-10-25 conspiracynomore[.]com
2020-11-08 mapthevote[.]net
2020-11-10 mapthefraud[.]com
2020-11-11 theystoleyourvote[.]com

 
