On 1 March, the Indonesian National Police announced the arrest of 14 members of the so-called Muslim Cyber Army (MCA) network for defamation, spreading hoax news and hate speech. Although the name might be familiar to most social media and internet users in Indonesia, it remains a nebulous and poorly understood network.
However, the Southeast Asia Freedom of Expression Network (SAFEnet) has been tracking the group from January 2017. SAFEnet volunteers have interviewed victims, conducted field investigations, monitored social media and analysed social networks. We have uncovered a systematic pattern of attacks, involving the use of social media to target perceived critics and foment social division and hatred.
No leader, no fixed structure?
The MCA, or as it is also sometimes called, Cyber Muslim Army or Muslim Mega Cyber Army, describes itself as an organisation without structure. Members claim MCA has no leader, no central office, no source of income, and members say they are paid no wages. The MCA has an array of affiliated groups, with names like the Srikandi Muslim Cyber Army, the United Muslim Cyber Army, the Legend MCA, Muslim Coming and many others.
Some members describe MCA as a shadow organisation, and liken it to Anonymous, the hacktivist group known for launching cyberattacks on governments, corporations and the Church of Scientology. Although MCA uses some of the same imagery, occasionally switching the distinctive Guy Fawkes masks used by Anonymous for a keffiyeh, it otherwise shares no connection to the hacktivist group. The only real similarity is that both groups rely on their anonymity to evade criminal sanctions.
There are several key characteristics of MCA. It is most active on Facebook, Twitter and WhatsApp but also has a presence on other popular platforms like Instagram and Telegram. Individuals may self-declare membership of the group, and express the MCA identity by changing the name of their social media accounts, using an MCA profile picture or avatar, or joining an MCA affiliated Facebook or WhatsApp group. Its members tend to act collectively, with each assigned certain roles or tasks. Another key characteristic is the tendency of members to deliver a consistent message across multiple social media channels at the same time. Relying on applications like Twittbot.net, MCA can quickly flood social media feeds with particular hashtags or messages.
— Muslim Cyber Army (@MegaCyber212) March 6, 2018
Falsifying accounts, triggering persecution
SAFEnet became aware of the extent of MCA’s activities when we began monitoring online cases of online blasphemy and persecution – cases that we grouped under the term “The Ahok Effect”. Following the conviction of former Jakarta Governor Basuki “Ahok” Tjahaja Purnama, there was a major increase in the harassment, intimidation and persecution of individuals deemed to have insulted Islam online. We have now identified more than 100 such cases of persecution. We sought to monitor these cases, and the motives and modes of operation of the perpetrators.
One of the first indications of the trend was a viral video that invited viewers to track down people who had insulted Islam. The 1:25 minute video opened with a logo for the “Blasphemer Hunter Team” (Tim Pemburu Penista Agama), and included a list of “People Wanted by the Muslim Community” for allegedly committing blasphemy. Viewers were encouraged to report people who they considered had insulted Islam or religious leaders via the address email@example.com.
A related Facebook page, “Database of People Wanted by the Muslim Community”, included a list of people accused of insulting Islam, screenshots of their social media accounts, and other sensitive personal information, such as their home or office addresses and phone numbers. In the cybersecurity field, this type of behaviour is commonly called doxing – the act of looking for and disseminating an individual’s personal data for malicious reasons.
SAFEnet’s research found a clear correlation between these activities on social media and offline persecution. After personal information was displayed on Facebook pages, vigilante behaviour would begin, usually within just 2-5 days. Organisations such as the Islamic Defenders Front (FPI) typically harassed and intimidated the accused person into issuing an apology and or dragged the person to the police and demanded they detain him or her for offending Islam.
SAFEnet monitored these developments for about five months and confirmed the consistent pattern before issuing a press release on 27 May 2017. Within a couple of days, Facebook blocked the MCA “Database” page.
SAFEnet and the Anti-Persecution Network found that MCA actively manipulated the public to fuel persecution. MCA would create imitation accounts, mimicking the profiles of real people, and use these imitation profiles to spread information designed to infuriate or offend the Muslim community.
This happened to Hananto, from Solo, Central Java, who was harassed and intimidated after an imitation account shared a photo of a Qur’an being burned and stepped on. Similarly, a fake Twitter handle @parlindsinurat_ was created to mimic the handle of Ahok supporter Parlindungan Sinurat. Parlindungan reported his imitator to Twitter and the National Police’s cybercrime unit but he was too late. The fake tweet spread, a mob descended on his home and he was eventually detained by police.
SAFEnet has attempted to trace several of the accounts claiming to be members of the MCA using the “IP Tracker” site, although all disguised their identities by using a virtual private network (VPN). Even if a location was detected, we would often find the owner of the account had long died, despite remaining active on social media. We have yet to establish how MCA was able to acquire and mobilise the accounts of dead people.
MCA is not acting alone
Although a group called Muslim Cyber Army was established some years ago, its primary concern was “cyber-jihad” – it did not focus on domestic political concerns. The MCA in its current form appeared at the time of the anti-Ahok demonstrations on 4 November and 2 December 2016. Initially this new body used the name Muslim Mega-Cyber Army (MMCA), although it was soon shortened to Muslim Cyber Army. Our research found that following the so-called 411 and 212 demonstrations in 2016, prominent social media figures agreed to form MCA branches in their home cities.
New variants of MCA have emerged, each with their own pet issues and identities. We have identified at least four main clusters of MCA accounts on social media, based on their collective behaviour and the types of messages they post. The four groups may often converge, such as for the major demonstrations that occurred from late 2016 to May 2017. But on other occasions, for example in demonstrations against communism, lesbian, gay, bisexual and transgender (LGBT) Indonesians, or foreigners, the differences become apparent. This table illustrates the four main groups of MCA accounts and the main messages they have shared.
MCA is clearly not a single entity. The MCA identity has been used to support the interests of a range of national political figures, mass-based organisations and political parties. Nevertheless, most of the issues are connected in some way to discrediting President Joko Widodo. SAFEnet has identified clear indications of connections between MCA and certain prominent military and political figures, although is still building evidence before making these details public.
From a list of victims compiled by the Anti-Persecution Network through to September 2017, SAFEnet identified the main reasons people were targeted by MCA. The most common trigger for persecution was a perceived insult against Islamic Defenders Front (FPI) leader Rizieq Shihab. People were also targeted for alleged insults against fellow conservative religious leader Arifin Ilham, Islam in general, and the FPI.
It is actually quite difficult to find any direct and specific correlation between the messages spread by MCA and their stated goal of defending religion. Rather, the main messages were: defend Rizieq Shihab; crush PKI; reject LGBT; anti-Chinese; imprison Ahok; and sink or boycott the supporters of Ahok and Jokowi.
This list of topics is similar to the main social and political issues that coloured the 2014 presidential campaign. MCA has played an important role in keeping alive the issues that were prominent in 2014, sharpening them further and deepening social conflict. What we saw in 2017 was only the beginning.
Police might have arrested 14 people suspected of being MCA members, but the network remains active. Some of its members have disguised themselves, for example, by changing their group names or avatars. Others, however, still proudly display the MCA name and profile images.
MCA is currently highly active in West Java, Central Java and East Java, three populous provinces that will soon hold local leadership elections. Our monitoring has shown that MCA accounts and bots have been deployed to support at least one of the candidates in West Java.
Attempts to replicate the tactics of the 2017 Jakarta Governor’s Election in the 2018 regional elections have raised fears that we will see a new round of persecutions based around identity politics. As the political figures and funders behind MCA have yet to be revealed, it looks like we will face a turbulent and divisive two years ahead.