Massive White Supremacist Message Board Leak: How to Access and Interpret the Data

November 6, 2019

By Bellingcat Investigation Team

Update: The Internet Archive has removed the SQL leak; however, the information is freely available via a torrent file (download here) or a Magnet link (click here, or copy/paste the link into a torrent client).

Today, the entire SQL database from Iron March, a now-defunct neo-Nazi / white supremacist message board, was posted onto the Internet Archive by the user “antifa-data”. You can access this data dump on the Internet Archive, and via a torrent file found here, or through this Magnet link.

This leak contained the entirety of the site’s information, including user names, registered emails, IP addresses of users, all of the forum’s public posts, and even the private messages between members. This message board was linked with the violent neo-Nazi group Atomwaffen Division, and has been widely studied by anti-extremist groups and researchers, such as the Southern Poverty Law Center (SPLC). The SPLC has also scraped all of the public posts from the site — well over 150,000 of them — and has been researching them over the last two years.

How to access the files

There are two ways to read and access the leak. The first is through the SQL database within the torrent, which can be accessed through an SQL database viewer (for example, MySQL Workbench or DB Browser for SQLite). However, this is quite arduous for the average user.

It is much easier to read through the exported spreadsheets that are included within the torrent file. The most important spreadsheets for analysis, and the most important columns within them, are:

core_members (All users)

  • Column A indicates the member ID, which is reflected across other spreadsheets as well.
  • Column B indicates the username within the site.
  • Column D indicates the registration email used by the user.
  • Column E indicates the time that the user signed up, converted into Unix time. You can convert the timestamp into normal time here; for example, the first user sign-up was at 1315842419, or 12 September 2011 at 3:46pm (UTC).
  • Column F indicates the IP address at registration; however, this could be spoofed if the user deployed a VPN or proxy connection.
  • Columns M-O indicate the date of birth provided by the user.

core_message_posts (All private messages)

  • Column A indicates the unique message ID — every single message sent on the forum has its own ID.
  • Column B indicates the message topic (thread) — each conversation between users has its own thread, and will not always be sequential to message ID, depending on how fast the users were writing back to one another.
  • Column C indicates the time of the message, converted into Unix time. You can convert the timestamp into normal time here.
  • Column D indicates the message content. Note that there is sometimes a blank space before the message begins, making it (falsely) appear blank in a preview on Excel.
  • Column F indicates the member ID, which can be cross-referenced with Column A in core_members.
  • Column G indicates the IP address used by the user who sent the message. This can be cross-referenced with Column F in core_members.

Cross-referencing private messages (core_message_posts) with the users who sent them (core_members) is straightforward: match the member ID on each message against the member ID and username in core_members. Click this image, created by Jake Godin, to see how to easily cross-reference these data sets.

core_message_topics (Titles of all private messages)

  • Column A indicates the topic (thread) ID number, which can be cross-referenced with Column B in core_message_posts.
  • Column B indicates the time that the message was sent, in Unix time. You can convert the timestamp into normal time here.
  • Column C indicates the title of the private message thread.
  • Column E indicates the member ID of the person who first sent the message, which can be cross-referenced with Column A in core_members.
  • Column I indicates the member ID of the recipient of the thread, which can be cross-referenced with Column A in core_members.

core_search_index (All forum posts)

  • Column F indicates the post content.
  • Column H indicates the member ID of the poster, which can be cross-referenced with Column A in core_members.
  • Column J indicates the post time, converted into Unix time. You can convert the timestamp into normal time here.
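The cross-referencing described above, as an added example (not Bellingcat's code and not part of the torrent): it joins core_message_posts to core_members by member ID, converts the Unix timestamps to UTC, strips the leading blank space from message content, and orders each thread by time. It assumes the exports are CSV files with a single header row; the header names, function names and every sample row are constructed, and only the column positions come from the lists above.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample rows (not from the leak). Only the column positions follow
# the article; the one-row header and its names are assumptions.
MEMBERS_CSV = """A,B,C,D,E,F
1,sample_user_one,,one@example.com,1315842419,192.0.2.10
2,sample_user_two,,two@example.com,1320000000,198.51.100.7
"""
POSTS_CSV = """A,B,C,D,E,F,G
501,40,1320003600,  first constructed message,,2,198.51.100.7
500,40,1320007200,constructed reply,,1,203.0.113.5
502,41,1320010800,sender missing from members,,99,192.0.2.99
"""

def col(letter):
    """Spreadsheet column letter (A-Z) to zero-based index."""
    return ord(letter.upper()) - ord("A")

def to_utc(unix_seconds):
    """Unix time (string or int) to an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(int(unix_seconds), tz=timezone.utc).isoformat()

def read_rows(text):
    """Parse CSV text and drop the assumed header row."""
    return list(csv.reader(io.StringIO(text)))[1:]

def load_members(text):
    """Index core_members by member ID (Column A)."""
    return {r[col("A")]: {"username": r[col("B")], "email": r[col("D")],
                          "joined_utc": to_utc(r[col("E")]), "reg_ip": r[col("F")]}
            for r in read_rows(text)}

def join_messages(posts_text, members):
    """Attach sender details to each core_message_posts row."""
    out = []
    for r in read_rows(posts_text):
        m = members.get(r[col("F")])  # Column F: member ID of the sender
        out.append({
            "message_id": int(r[col("A")]),
            "thread_id": int(r[col("B")]),
            "sent_unix": int(r[col("C")]),
            "sent_utc": to_utc(r[col("C")]),
            "content": r[col("D")].lstrip(),  # drop the leading blank space
            "username": m["username"] if m else None,
            # A mismatch proves nothing by itself: VPNs and proxies change IPs.
            "ip_matches_registration": bool(m) and r[col("G")] == m["reg_ip"],
        })
    # Message IDs are not always sequential within a thread, so order by time.
    return sorted(out, key=lambda x: (x["thread_id"], x["sent_unix"]))
```

Rows whose member ID is absent from core_members are kept with a username of `None` rather than dropped, so gaps in the export stay visible.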

Potential research leads

In a cursory survey of the data, there are a number of investigative paths for identifying active users of this forum for violent white supremacists. In particular, there are a number of users who identified themselves as active serving members of the military in Western countries, especially the United States.

We have started to compile potential leads for these users, which can be accessed here. We encourage journalists and investigators to follow up on some of these, and other, leads that can be found in these data sets. Additionally, users can suggest additions or revisions to the existing data set.

Bellingcat Investigation Team

The Bellingcat Investigation Team is an award-winning group of volunteers and full-time investigators who make up the core of Bellingcat's investigative efforts.

38 Comments

    • jomili

      Agreed – also the two using the .edu domain, is that worth pursuing?

      Not as computer savvy as some others on this thread but I want to get involved somehow.

      Reply
      • J-Bux

        I did a query for member accounts with .edu accounts.

        SELECT *
        FROM core_members
        WHERE email LIKE '%.edu%'
        ORDER BY email;

        Only returned two users.

        One from Elon, and one from sunysuffolk.

        Reply
  1. Tom

    If you’re curious what kind of passwords Nazis like to use:

    join the password hash and salt (separated with a colon)
    Example: passwordhash:salt
    And run through hashcat on mode 2811

    Reply
    • Michelle T.

      Currently have one of my workstations doing that as we speak – 2X Radeon R7 280X and a Xeon Phi 5110P 🙂

      Reply
    • bystander

      Thanks for the tip, Tom. For anyone else looking into this, there are two types of passwords in the data:
      (1) bcrypt $2*$, Blowfish (Unix) which Invision Power implemented for IPB bulletin boards with v4 in 2012, and
      (2) the proprietary protocol Invision used for IPB prior to version 4.
      With most cracking software such as hashcat, you want mode 2811 for the older passwords (you’ll recognize them by their very short salts) and mode 3200 for the newer ones. Protip: a good dictionary cracks the old ones silly fast. Happy hacking!

      Reply
  2. MadCatter

    There is a typo in the readme for converting the SQLite to CSVs.
    The readme states that you need to use python, but what you need to use is python3.

    Reply
  3. Solomon

    People who like graphs, here is the recent spike of activity thanks to India discovering Mastodon in the context of the last 6 months of mastodon.social A gigantic data leak from a white supremacist message board was posted onto the Internet Archive today. #

    Reply
  4. Martin Bohun Hormann

    Very likely a forgery.
    How do you want to verify the info is actually genuine?
    How hard is it to set up some message board / DB, fill it with “hate speech” posts?
    Why? For example to justify funding to “combat hate/fascism/whatever online”,
    or to smear some people they don’t like, etc.

    Reply
    • Walter Kumiega

      Yes, there is a vast conspiracy to create an artificial neo-nazi movement. Or one could look at the mountain of evidence and come to the conclusion that the neo-nazi movement is very real with very real victims.

      Reply
      • concerned citizen

        Presumably people just registered with throwaway email addresses and the like. A big pile of data here, but not of much practical use.

        Reply
      • Oyster

        Actually there is a vast conspiracy to create an artificial white nationalist movement. It is run by the Russian GRU and their Hungarian intel friends posing as “white nationalists” and Trump/Putin/Orban right wing supporters – the people who got Trump elected.

        For years they’ve been recruiting people online, especially on conservative and religious websites, because they need volunteers. They also court/infiltrate the military. Of course some are real Nazi types, but most of them are just propagandists trying to split Western society along fracture lines.

        Reply
