Durov’s visit to Azerbaijan

When Pavel Durov, Telegram’s founder, was detained in France, the first thing I noticed was that he had arrived in France from Azerbaijan. Naturally, the first question that came to mind was what Durov was doing in Azerbaijan. Thanks to his assistant Julia Vavilova or Juli Maletc, as she is known on Instagram, that question was answered in a few stories in Vavilova’s highlights titled “Azeri.”

Instagram screenshot

Durov did appear to visit the Cyber Security Center at the Ministry of Digital Development and Transport. According to the center’s website:

The center, established with the support of PASHA Holding group of companies to strengthen the country’s cyber security capabilities, will play the role of the main center for training highly qualified professionals and trainers in this field. It is planned to train more than 1000 people within three years at the Azerbaijan Cyber Security Center, which started its activity on 28 March 2023. At the same time, thanks to the training of 15 trainers at the center, the training of cyber security specialists will be expanded in our country in the future.

Professional teaching staff from Israel, which is considered one of the world’s leading countries in the region in the field of cyber security, will arrive in Azerbaijan and provide trainees with knowledge and skills covering the latest cyber security threats, trends and best practices.

The center has classrooms, training rooms, simulation rooms and laboratories equipped with state-of-the-art technology and equipment. Students will be able to conduct research in these labs and develop various cyber security products.

There are a few interesting points about this text. First, the PASHA Holding group of companies is, in the words of the Organized Crime and Corruption Reporting Project (OCCRP), “a conglomerate with interests in banking, as well as construction, insurance, travel, and investments,” owned by Arif Pashayev, the father of the first lady Mehriban Aliyeva. Indeed, with all the banking and other relevant businesses, the PASHA group must ensure none of its user data or transactions are compromised. Unless, of course, it’s the opposite – to cover what OCCRP and others have exposed in various investigations as the lucrative financial schemes that benefit the first family. The answer to this question is a topic for another story.

The second interesting point was the mention of Israel and its “teaching staff.” For pundits following Azerbaijan’s path towards digital authoritarianism, seeing Israel’s name mentioned as “the world’s leading” country in “the field of cyber security” is no surprise. After all, the Azerbaijani government has long benefited from Israel’s surveillance technology, about which I have written first here and then at more length here.

Finally, regarding students working in the lab, could part of their skill development also include hacking accounts, DDoSing independent news platforms, phishing, and engaging in targeted harassment online, as well as trolling? In 2023, AzNet Watch published this legal overview of the lack of remedies in Azerbaijan to protect targets in cases of online harassment: 

There is another body of review within the Ministry of Digital Development and Transport concerning cyberattacks – the Cyber Security Service. While the cyber security service does not possess sanctions against authorities, it does have the authority to review the cyberattack claims and issue general warnings concerning cyberattacks. Furthermore, this body may inform other investigative authorities if the problem concerns these authorities […] In addition, the Cyber Security Center is not an adequate remedy in practice. This body is also not independent and has no relevant investigative legal powers. Consequently, criminal law and administrative law remedies are not effective. In such cases, civil law remedies also cannot be effective due to the burden of proof issues

So what is the point of financing a center when it is not even independent and its use is rather dubious? In any case, perhaps a topic for yet another AzNet Watch investigation. 

Finally, knowing all that is known about the Telegram app, especially the platform’s poor track record on safety, privacy, data storage, lax standards, and lack of content moderation, combined with his visit to a center that lacks independence and whose purpose remains dubious, what was this visit about? AzNet Watch will continue exploring answers to this question, but in the meantime, AzNet Watch has documented numerous examples of civic activists being targeted via Telegram channels in the past. Here are just a few of them:

another telegram channel, another public targeting campaign March 2023

exiled blogger continues to receive threats June 2022

in Azerbaijan a telegram channel mobilising a movement, to target LGBTQI March 2021

Facebook page, advertising telegram channel, targeting a woman activist March 2021

targeted harassment via telegram channels and hacked Facebook accounts March 2021

Amnesty International statement calls to stop gender-based reprisals in Azerbaijan May 2021

state sponsored harassment and targeting in Azerbaijan is very much alive and kicking – a year in review

Azerbaijan Internet Watch was launched around the time when more evidence kept emerging on the use of authoritarian technology in Azerbaijan. This technology allowed the perpetrator(s) [in most cases identified as an institution or individual affiliated with the government of Azerbaijan] to target Azerbaijan’s civil society. These revelations marked a significant shift in the way the authorities were persecuting their critics. In addition to offline measures – physical intimidation through kidnapping, arrests, detentions, questioning; bogus trials, and lengthy jail times; and adoption of restrictive new laws limiting the ability of civil society to work – there were new tools at the state’s disposal that could now deliver phishing attacks, DDoS attacks, targeted harassment, mass fake reporting on social media platforms, hacking of personal as well as public social media accounts and emails, leaking unlawfully obtained data, online blackmail, the use of trolls and bots, and more. In none of these documented cases was it possible to hold the state, its institutions, or the actors to account. Dismissals have been a common response.

“By using its monopoly over the country’s information-technology infrastructure, it has disrupted internet access, placed temporary bans on social media services like TikTok, launched DDoS attacks, and used various digital-surveillance tools, including the Israeli spyware Pegasus, to target and censor activists and journalists. The democracy watchdog Freedom House now considers the internet in Azerbaijan “not free”.” Facebook is Failing Journalists, November 22, 2022, By Arzu Geybulla, for Project Syndicate

State-sponsored surveillance

In 2014, an OCCRP investigation revealed how mobile operators were directly passing on information about their users to the respective government authorities. Last year, AIW looked into the protection of personal data mechanisms that exist in the country. The research and legal analysis indicated that “the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by both public and private entities.” In addition, the analysis showed “that the national laws restrict and control personal data with intrusive measures, such as equipping telecom networks with special devices, and real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order. As such, the absence of clear and enforceable regulations to protect personal data against arbitrariness and flawed systems due to negligence puts personal data at a higher risk of infringements.” Additional findings included the following information confirming OCCRP’s revelations in 2014:

The Presidential Decree No. 507 dated June 19, 2001 (IV) “On the division of powers of search operations’ entities while carrying out search operations,” ensures that the Ministry of Internal Affairs and the State Security Service can autonomously connect to the communication networks of telecom operators. That being said, the presidential order regulating the conduct of this kind of search and operation activity in the telecom industry dated February 15, 2017, is not public.

The above-mentioned legal environment makes subscribers’ personal data accessible to the law-enforcement authorities given that all collected user personal data is accumulated in the database established together with the law enforcement authorities or is equipped with the technical means allowing law-enforcement authorities access users’ personal information. Also, according to Article 11 (IV) of the Law on Operation and Search Activities, the decision of the court (judge) or investigative body or the authorized subject of operative search activity on the implementation of operation-search measures can be accepted not only when there is an initiated criminal case but also in a wide range of circumstances.  

In another report released in 2021, AIW identified the following loopholes granting the state further access to the personal information of citizens:

The Law on Telecommunication obligates network operators to install special equipment, provided by the State Security Service, Ministry of Internal Affairs, and Special State Protection Service onto the telecommunication networks enabling the Government to extract (intercept) data on anyone regardless of whether that person(s) is part of an investigation process or not.

The installment of special equipment within communication networks is regulated by the “Rules for equipping telecommunications operators and providers with additional technical means for conducting search operations, reconnaissance and counter-intelligence activities” issued by the Ministry of Transport, Communications, and High Technologies on  June 14, 2016. The Rule obligates telecommunication operators and providers to create technical conditions for the conduct of relevant activities within the communication networks.

The Rule defines that Telecommunication Control System (hereinafter – TCS) – is special hardware and software that provides confidential control over the exchange of information of subjects targeted by the relevant measures (such as search and operation, intelligence, and counterintelligence activities), as well as all statistical data of the network. TCS consists of data extraction facilities, transport networks, and control centers.

The Rule also indicates that relevant measures in the communication networks are carried out in accordance with the requirements of the laws of the Republic of Azerbaijan “On Operation-Search Activity” and “On Intelligence and Counterintelligence Activity”.

However, while the Law on Operation-Search Activity may allow secret surveillance and seizure of private information, there are no rules or procedures within the national legislation for secret surveillance and intercepting information by government agencies. There are also no clearly defined rules on determining the grounds for such surveillance and interception activities, their duration, and whether such activities can be stopped by a court or other higher state authority.

The above legal and investigative findings may explain how in 2012, during the Internet Governance Forum held in Baku, Neelie Kroes’s [who at the time, was the Vice-President of the European Commission responsible for the Digital Agenda for Europe] advisors had their computers hacked. At the time, Ali Hasanov, who was serving as head of the Azerbaijani Presidential Administration Social and Political Department said, “there was no such interference, and couldn’t have been.” Hasanov was “one of the key figures defining the government’s policies regarding media, freedom of speech, and political liberties,” according to an OCCRP investigation into Hasanov and his family’s media business. At home, Hasanov was also known as the “King of trolls.” And although he denied his passion for trolls, even at the time when he was leaving his office in January 2020, as it turned out, Hasanov was a troll factory supplier. In September 2021, AIW published this story revealing how the government of Azerbaijan did indeed operate its own troll factory:

Ever since the 2013 revelations about Russia’s troll factory, many in Azerbaijan wondered whether the country’s leadership too operated its very own troll factory. Unlike its Russian version, known as the Internet Research Agency, there was only anecdotal evidence of whether this was really the case in Azerbaijan. There were no former “factory” employees who came forward or undercover journalists who temporarily worked there and exposed the work carried out later. Not until this month anyway. An investigation against the executive director of the State Media Support Fund Vugar Safarli now reveals that the suspicions were valid after all. And that upon specific instructions a group of “bloggers” were responsible for monitoring Facebook and leaving comments under posts that were critical of the government or relevant government institutions.

The investigation is part of a criminal case launched against Vugar Safarli who until recently headed the State Fund for Media Development in Azerbaijan. Safarli was arrested in 2020 on charges of money laundering (allegedly 20 million AZN) and abuse of authority.

On September 2, Azerbaijan Service for Radio Free Europe, Azadliq Radio published parts of the testimony by Safarli where the former government official implicates not only that the government did indeed deploy trolls but that several high ranking officials including then Presidential advisor Ali Hasanov and former head of the Presidential Administration Ramiz Mehdiyev were well aware of this. Moreover, the building from where trolls operated belonged to Hasanov himself. 

“Ali Hasanov told me that the new rented space, will have internet bloggers who will work from there. And indeed there were a few, who sat there, working unofficially,” Safarli reportedly said in his statement according to Azadliq Radio reporting. 

Predating the 2014 revelations is a series of examples documented in this report, showing how state-sponsored surveillance was used as early as 2008, albeit with less sophisticated technology at the time, such as black boxes and wiretaps.

In the years that followed, the state-sponsored surveillance got worse as has been documented either here or by other platforms. The culmination was the use of Pegasus and targeted harassment of civil society activists online through the dissemination of their personal data obtained through hacking of their devices as well as social media accounts. 

As AIW described in this report:

Members of opposition political parties, independent journalists, political and human rights activists have long faced systematic pressure and persecution orchestrated by the government of Azerbaijan. The unprecedented crackdown against civil society that began in 2013, marked a new chapter, in the history of Azerbaijan’s civil society. One, marred by arrests and prosecution of high-profile activists, rights defenders, and journalists.

This systematic pressure and harassment were not only offline. It was only a matter of time, that the internet too would become a place to target activists, journalists, and human rights defenders, holding them accountable for their online criticisms on bogus accusations that often ended with lengthy jail sentences, forced apologies on public televisions (see The State of Internet Freedom in Azerbaijan report), detentions and further forms of persecution.

In a country where almost all avenues for freedom of expression and activism were eliminated, the internet, specifically online media platforms, and social media networks became new targets. To monitor discussions online, prevent citizens from accessing independent news online, or social media platforms, and to further curb freedoms online, the government of Azerbaijan embarked on a shopping spree, becoming a client of companies selling sophisticated surveillance equipment and technology.

By 2021, the government of Azerbaijan has successfully deployed a Remote Control System (RCS), Deep Packet Inspection (DPI), phishing, and spear-phishing attacks often with homegrown malware. The most recent addition to a wide variety of authoritarian technology deployed in Azerbaijan is Pegasus spyware.

The Law on Operation-Search Activity oversees phone tapping and information extraction from communication channels. Further, the third section of article 10 of the Law on Operation-Search Activity does not require a judicial act or supervision of higher authority while wiretapping and extracting information from technical communication channels unless there is a need to install technical devices such as voice, video, or photo recorders at the place of residence of the individuals.

In other words, anyone in Azerbaijan can be subject to such a form of oversight.

In Azerbaijan, “anyone” is often a representative of Azerbaijan’s civil society. This includes political activists, rights defenders, journalists, members of opposition political parties and movements, and feminists, to name a few. As AIW documented in its February 2023 report:

2022 has been no different than recent years in terms of online attacks and internet censorship in Azerbaijan. Human rights defenders, activists, politicians, and media professionals in Azerbaijan are increasingly becoming victims of cybercrimes, including electronic surveillance, privacy infringement, and cyberstalking, due to their independent and legitimate professional activities. The online targeting of individuals critical of the government has become increasingly frequent and constant. And yet neither of these cases has been effectively investigated, and the perpetrators have not been identified.

Despite the active use of the criminal and administrative offenses legislation, including other technical resources to limit freedom of expression on the internet [including the blocking of key opposition and independent news websites, summoning and punishing individuals for critical opinions distributed online], the state systematically fails to provide effective investigation on the complaints of the individuals subject to unlawful covert surveillance (Pegasus), cyber-attacks, online blackmailing and hacking attempts against activists and media professionals. In most cases, reveal that online harassment against government critics is organized by the government or government-linked institutions.

In an April 2022 report, Meta reported that it removed a hybrid network operated by the Ministry of Internal Affairs of Azerbaijan that combined cyber espionage with Coordinated Inauthentic Behavior (CIB) to target civil society in Azerbaijan by compromising accounts and websites to post on their behalf.

There has been a shift, however, in the use of technology. Based on the monitoring of cases documented by AIW, one scenario indicates that as a result of several forensic exposés tracing the source of phishing attacks and the use of other pervasive surveillance tools to the state, the latter now relies on targeting critics through online harassment and online targeting campaigns in order to damage and/or discredit their reputation. That and the use of restrictive new laws makes silencing dissent less reliant on technology.

That being said, there are still cases of phishing attacks, as was the case with activist Abulfaz Gurbanli, who was phished through an email and WhatsApp messages in February 2022. A file containing a virus, disguised as grant-related information from a known donor organization, was sent to Gurbanli via his email. On WhatsApp, the activist received a message from someone impersonating a BBC Azerbaijan Service journalist. The targeting resulted in the installation of spyware on his device and the hacking of his social media accounts. At the time, AIW requested assistance from Qurium media to analyze the link shared in the email and, despite the journalist’s assurances, the link did contain a virus. “The mail pointed to a RAR compressed file in Google Drive that once downloaded required a password to be decrypted. The password to decrypt the file was included in the phishing e-mail: bbc. Compressed files that are password protected are common in malware phishing attacks as the files can not be scanned by antivirus,” concluded Qurium in its preliminary report. The further forensic report identified malware written in AutoIT. Once the link (in our case the link to a drive where the alleged journalist left questions for the political activist) was opened, the hacker, through the deployed malware, installed a persistent backdoor in the system.
“The software connects to the domain name smartappsfoursix{.}xyz to download the rest of his software requirements. It downloads gpoupdater.exe and libcurl.dll which look responsible for uploading files to the command and control server. During the execution of the malware several (10) screenshots of the Desktop were uploaded to the server,” read the Qurium analysis.
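
The lure Qurium describes (a cloud-hosted archive whose password is given in the message body) and the C2 domain it names can both be checked for mechanically. The following is an added example, not code from AIW or Qurium; the file-share host list, the DNS log format, and the sample e-mail and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# C2 domain exactly as quoted (defanged) in the Qurium analysis above.
IOC_DOMAINS_DEFANGED = ["smartappsfoursix{.}xyz"]

# Assumption: a short illustrative set of file-sharing hosts, not exhaustive.
FILE_SHARE_HOSTS = {"drive.google.com", "docs.google.com", "dropbox.com",
                    "www.dropbox.com", "onedrive.live.com", "1drv.ms"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\b(?:rar|zip|7z|archive|compressed)\b", re.IGNORECASE)
# Matches "password: x", "password = x", "password to open the file is: x".
PASSWORD_RE = re.compile(
    r"\b(?:password|passcode)\b[^\n.]{0,40}?(?:\bis\b\s*:?|:|=)\s*[\"']?"
    r"([^\s\"'.,;]{1,64})", re.IGNORECASE)


def refang(value):
    """Turn a defanged indicator back into a matchable string."""
    return value.replace("{.}", ".").replace("[.]", ".").replace("hxxp", "http")


def _host(url):
    """Hostname of a URL, or an empty string if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def triage_email(body):
    """Flag a message that links to a file-sharing host AND discloses a
    password in its body. A mention of an archive raises confidence; the
    link plus password combination alone is enough to route for review."""
    links = [u for u in URL_RE.findall(body) if _host(u) in FILE_SHARE_HOSTS]
    pw = PASSWORD_RE.search(body)
    return {
        "file_share_links": links,
        "disclosed_password": pw.group(1) if pw else None,
        "mentions_archive": bool(ARCHIVE_RE.search(body)),
        "suspicious": bool(links) and pw is not None,
    }


def scan_dns_log(lines, ioc_domains):
    """Return (client, name) for queries to an IoC domain or its subdomains.
    Assumed log format: '<timestamp> <client-ip> <qtype> <name>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _qtype, name = fields
        name = name.lower().rstrip(".")
        # Compare on a label boundary so look-alike suffixes do not match.
        if any(name == d or name.endswith("." + d) for d in ioc_domains):
            hits.append((client, name))
    return hits


IOC_DOMAINS = [refang(d) for d in IOC_DOMAINS_DEFANGED]

# Constructed sample message modelled on the lure described in the text.
SAMPLE_EMAIL = """Dear colleague,
I am a journalist preparing an interview. My questions are in the file here:
https://drive.google.com/file/d/EXAMPLE-ID/view
The archive is protected. The password to open the file is: bbc
"""

# Constructed benign message: mentions a password but has no file-share link.
BENIGN_EMAIL = ("Your password is about to expire. "
                "Reset it at https://intranet.example/reset")

# Constructed resolver log lines; the last one is a look-alike that must not match.
SAMPLE_DNS_LOG = [
    "2022-02-10T09:14:03Z 10.0.0.23 A www.example.org",
    f"2022-02-10T09:14:09Z 10.0.0.23 A {IOC_DOMAINS[0]}",
    f"2022-02-10T09:14:10Z 10.0.0.23 A cdn.{IOC_DOMAINS[0]}.",
    f"2022-02-10T09:15:00Z 10.0.0.40 A not{IOC_DOMAINS[0]}",
]

if __name__ == "__main__":
    print(triage_email(SAMPLE_EMAIL))
    print(triage_email(BENIGN_EMAIL))
    print(scan_dns_log(SAMPLE_DNS_LOG, IOC_DOMAINS))
```

The file names Qurium lists are left out of the matching on purpose: libcurl.dll is also the name of a widely shipped legitimate library, so a name-only match on it would be noisy.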

Targeted harassment: the case of Bakhtiyar Hajiyev

The most recent case of state-sponsored digital targeting is that of political activist Bakhtiyar Hajiyev. Hajiyev was arrested in December 2022, shortly after his return to Azerbaijan from a trip abroad. Charged with hooliganism and contempt of court, the activist was then sentenced to 50 days in pretrial detention. That time, however, was extended twice, most recently until April 2023. Prior to his arrest, Hajiyev often criticized the Ministry of Internal Affairs over its targeted harassment. He was then abducted by unknown men and during his time in captivity was forced to delete his social media posts critical of the ministry. No investigation into Hajiyev’s kidnapping has been conducted, and to this day it remains unclear who Hajiyev’s kidnappers were. Throughout the past few years, Hajiyev was also the target of an online blackmail campaign. Three years ago, Hajiyev said there were multiple attempts to break into his social media and email accounts.

At the end of December 2022, while Hajiyev was already behind bars, some anonymous social media accounts shared private correspondence between Hajiyev and Vusala Mahirgizi, an editor. The leaked conversations alleged Hajiyev was a marionette of one of the clans [in reference to various clans in key government positions in Azerbaijan]. Hajiyev published a statement in which the activist said, the leaked correspondence was a violation of his privacy, given it was obtained through hacking of his personal accounts and that the allegations of him being a marionette, were false.

It is worth noting that this correspondence was leaked during calls for the activist’s release. The leak was largely viewed as an attempt to turn the activist into a scapegoat and weaken the advocacy campaign calling for his release.

Since February 22, 2023, however, Hajiyev has been the target of another blackmail campaign. At least six different Telegram channels have been disseminating conversations between Hajiyev and various women:

Identified Telegram channels:

  • https://t.me/bextiyarhaciyev18

  • https://t.me/baxtiyarifsa

  • https://t.me/+SzloVHfBVkg1YjEy

  • https://t.me/BextiyarinIfsasi

  • https://t.me/+DiENXqq3ed4zMzcy

Similar information was leaked by fake Facebook accounts. The leaked correspondence also contained sexually explicit photos of women appearing with Hajiyev. The online targeting of women with their faces publicly disclosed in these groups has led to at least two women being forced to leave their homes and go into hiding from their families, fearing reprisals for ‘immorality’ from their families.

Although there is proof that some of the shared correspondence was photoshopped, the targeting has tarnished Hajiyev’s public image and placed the lives of women in the photos in danger.

The anonymous admins of these chats have also published the names of other activists, threatening to leak their conversations with Hajiyev as well. Some of these activists are advocates calling for Hajiyev’s release. 

The Ministry of Internal Affairs refuted the claims that it may have been behind the leaked information. However, according to Hajiyev’s lawyers, Hajiyev arrived at the Baku General Police Department in his car and left his phone in the car. The car stayed there for three days and it is likely his phone was compromised during this period.

In October of last year, this story explained how Telegram is being used in Azerbaijan. “In Azerbaijan, the app has become a nexus for hate speech, propaganda, and the repression of dissent. In March 2021, multiple Telegram groups were identified in Azerbaijan sharing sex tapes and nude photographs of women. Among the victims were journalists, civic activists, and female family members of exiled political activists as well as ordinary women. The groups and pictures were reported to Telegram, but it took weeks before they were taken down. The damage to the women targeted was done. The channels shared sensitive videos of journalist Fatima Movlamli, the sister of exiled dissident blogger Mahammad Mirzali, civic activist Narmin Shahmarzade and Gunel Hasanli, daughter of opposition party leader Jamil Hasanli.”

Activists in Azerbaijan also pointed out that it is not only Hajiyev’s reputation that is placed on the line with this blackmail campaign, but also that of the women, whose photographs are shared without their consent. Last year BBC published this investigation about the use of the platform in targeting women specifically “to harass, shame and blackmail them on a massive scale.” Gulnara Mehdiyeva, a feminist activist who has been targeted herself in the past, said in a Facebook post on February 28, “Terrible things are happening in the country. The government, which is responsible for protecting the safety of citizens, deliberately and knowingly wants to make those women victims of suicide or murder.” Two years ago, Mehdiyeva was targeted in a video shared via Facebook, containing a series of leaked private audio messages that were extracted from Mehdiyeva’s social media accounts and emails. In a February 28 Facebook post, Mehdiyeva also wrote that not only were the faces of these women not blurred, but the perpetrators of the blackmail campaign also shared the names of the women and, in at least one leaked correspondence, the home address of one woman. One of the women whose identity has been exposed in this campaign was Tunay Aliyeva, an actress and model who said this blackmail campaign was a “cybercrime and invasion of people’s privacy.” In a letter addressed to the First Lady and the First Vice President Mehriban Aliyeva, the actress asked that the First Lady personally step in, as a woman and a mother herself, in order to put an end to this “abomination.”

No-war activists and feminist activists

AIW has documented how activists who openly criticized the second Karabakh war were targeted by state-sponsored harassment before:

From public Facebook posts and pages targeting the activists, with threats of violence and physical harm, calls for public shaming and punishment, to questioning at Security Services, this has no doubt been one of the harshest, collective, online public harassment campaigns observed until now in Azerbaijan.

In a recent piece published by Lossi 36, Thijs Korsten and Viktoria Kobzeva also wrote:

Following the two-day war and increased public disapproval of Azerbaijan’s actions towards Armenia, government-linked media accounts launched a social media campaign. The photos and names of individuals who condemned the government’s aggression were circulated with the hashtag “Recognise the Traitor” on Facebook and Twitter. The people who were singled out are not marginal anti-war activists but rather prominent opposition figures, who the government sees as a greater threat.

Telegram has been used for targeting and harassment not only in the case of Hajiyev. Previously AIW documented how the platform was used to target feminist activists too:

In recent days, at least three telegram channels were reported for sharing profane content targeting women in Azerbaijan. One channel called “Wretched men club” shared sensitive videos of journalist Fatima Movlamli, and exiled dissident blogger Mahammad Mirzali’s sister. Another group called “Expose bad-mannered girls” has targeted other women activists. A third one, targeted specifically one woman whose Facebook account was hacked shortly after the International Women’s Day march in Baku. 

In the past, other women journalists and activists were targeted in an online harassment campaign. 

Activist Gulnara Mehdiyeva was targeted with a video shared on Facebook, containing a series of leaked private audio messages, that were stolen when Mehdiyeva’s social media accounts and emails were hacked last year

Activist Narmin Shahmarzade’s Facebook profile was hacked, her name changed alluding to her interference with people’s private lives. The hackers flooded her Facebook feed with private messages, some of which were fake, and shared nude photographs of her, including at least one edited photo and audio. Several hours later, a Telegram channel was set up, sharing Shahmarzade’s intimate photos. In an interview with VoA Azerbaijan service, Shahmarzade said, “When my account was hacked, video footage and other posts with criticism of the ruling government were deleted. Then, my personal messages on Facebook messenger were compromised. Some of them were shared after being edited and taken out of context. My personal phone number was exposed and as a result, I received numerous calls and messages of threatening nature.” Shahmarzade said, she has informed the Ministry of the Interior and the State Security Services and describes what happened to her, a crime and that she will be going to court. Shahmarzade also pointed out to AIW that the hacker who compromised her Facebook profile is likely the same person or member of the same group that targeted activist Gulnara Mehdiyeva last year because at least one of the audio that was shared via Shahmarzade’s hacked Facebook account targeting her, does not even belong to the activist and that she never had access to. Contrary, it was among material hijacked from Gulnara Mehdiyeva. 

Among the women targeted, is also dissident blogger Mahammad Mirzali’s sister. Mirzali told AIW that the intimate video of his sister was leaked to harm him. “On February 15 my family members and I received several messages from a US number threatening me to stop my work. Otherwise, they told me they would release the videos of my sister. They told me they were not joking. They leaked the video on March 5. Later they shared the video on telegram channels. The same video was also sent to our relatives,” explained Mirzali. Mirzali suspects the authorities are behind this nasty campaign against his family. On March 14, Mirzali was reportedly stabbed by a group of unknown men. Mirzali is currently at the hospital. 

In September 2020, activist Rustam Ismayilbeyli was threatened by someone who presented himself as an employee of state security and said that unless Ismayilbeyli stopped his activism, intimate pictures of his girlfriend would be leaked online.

In 2019, journalist Sevinc Osmangizi was the target of a smear campaign that accused her of being a double agent and working as a spy selling government secrets. 

The same year, journalist Fatima Movlamli was targeted with a fake Facebook page created under her name, sharing intimate photos and videos of her in her bed.

In all of the incidents, the targets voiced their suspicion of government involvement in these attacks. No responsibility was taken.

Last year, feminist activist Sanay Yaghmur was targeted in a social media blackmail campaign. The perpetrators shared personal information about the activist which they obtained by hacking her email account. 


The practices of digital authoritarianism widely used in Azerbaijan also extend beyond its borders. Last year, Ahmad Mammadli, the leader of the political movement D-18, reported that local authorities intercepted a letter of acceptance to a Master’s program from a university in Turkey. The authorities accused Mammadli of forging the letter.

This is not an exhaustive investigation and documentation by any means. But AIW will continue to document and monitor the situation and work with partners to keep exposing the use of information controls in Azerbaijan.

A year in review – from online attacks to overall environment of internet censorship in Azerbaijan

The following overview covers some of the prolific trends which illustrate the scope of digital authoritarianism and information controls in Azerbaijan observed and documented in the past year. 

Introduction 

This report covers the online attacks targeting personal information and devices of human rights defenders, activists, and democracy advocates in 2022. The data is collected through media monitoring and information that was made available by targeted individuals who received support and assistance in mitigating the targeting.  

Overall, 2022 has been no different than recent years in terms of online attacks and internet censorship observed in Azerbaijan. Activists, human rights defenders, and democracy advocates received phishing attacks and were summoned to law-enforcement bodies for criticism voiced online where their personal data and devices were often interfered with in the absence of the owner’s consent. 

In some cases, there were reported hacking attempts and installed spyware programs. In January – December 2022, we observed 10 such cases overall.

Hacking and phishing attacks usually targeted the social media and email accounts of targeted community members. These attacks were made possible through the interception of SMS messages (set up as 2FA). In fact, SMS interception has been the main practice, leading to the hacking of scores of personal accounts, the paralysis of social media accounts, the deletion of online posts, and the dissemination of personal information belonging to the targets.

Among the prominent cases was that of political activist Bakhtiyar Hajiyev, whose social media accounts were targeted on multiple occasions. Hajiyev was also kidnapped twice, in April and August 2022, and taken to the law-enforcement bodies. Police gained access to his social media accounts by force and removed posts that were critical of the authorities and state institutions. Hajiyev was arrested on December 9, on bogus charges, and sentenced to 50 days in administrative detention [shortly after his arrest Hajiyev announced he was going on a hunger strike. According to media reports, he stopped the strike on December 29, 2022].

Another civil society member, Imran Aliyev, was also kidnapped by the Main Department for Combatting Organized Crime, where his devices and social media accounts were compromised against his will.

Abulfaz Gurbanli, also an active member of civil society, was phished through an email and WhatsApp messages in February 2022. A file containing a virus, disguised as grant-related information from a known donor organization, was sent to Gurbanli by email. On WhatsApp, the activist received a message from someone posing as a BBC Azerbaijan Service journalist. The targeting resulted in the installation of spyware on his device and the hacking of his social media accounts.

At the time, Az-Net Watch requested assistance from Qurium Media to analyze the link shared in the email and, despite the journalist’s assurances, the link did contain a virus. “The mail pointed to a RAR compressed file in Google Drive that once downloaded required a password to be decrypted. The password to decrypt the file was included in the phishing e-mail: bbc. Compressed files that are password protected are common in malware phishing attacks as the files cannot be scanned by antivirus,” concluded Qurium in its preliminary report. The further forensic report identified malware written in AutoIt. Once the link (in our case the link to a drive where the alleged journalist left questions for the political activist) was opened, the hacker, through the deployed malware, installed a persistent backdoor in the system. “The software connects to the domain name smartappsfoursix{.}xyz to download the rest of his software requirements. It downloads gpoupdater.exe and libcurl.dll which look responsible for uploading files to the command and control server. During the execution of the malware several (10) screenshots of the Desktop were uploaded to the server,” read the Qurium analysis.
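As an added illustration of the pattern Qurium describes (this is not code from Qurium or Az-Net Watch), the Python example below flags a message that pairs a file-share link with an archive password stated in the body, and searches resolver logs for the command-and-control domain quoted above. The list of file-share hosts, the log format, and all sample data are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Indicator quoted from the Qurium analysis, kept defanged as it appears on the page.
DEFANGED_C2 = "smartappsfoursix{.}xyz"

# Assumption: file-sharing hosts to flag; adjust to your own mail flow.
SHARE_HOSTS = ("drive.google.com", "docs.google.com", "dropbox.com", "1drv.ms")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Matches "Password: bbc" or "the password is bbc", but not "your password if ...".
PASSWORD_RE = re.compile(
    r"\bpass(?:word|code)\b(?:\s+is\b\s*:?\s*|\s*[:=]\s*)[\"']?([A-Za-z0-9_!@#$%-]{2,32})",
    re.IGNORECASE,
)


def refang(indicator):
    """Turn a defanged indicator (example{.}com, example[.]com) into a matchable name."""
    return indicator.replace("{.}", ".").replace("[.]", ".")


def body_text(msg):
    """Return the preferred text body of a parsed message, or an empty string."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def triage_email(raw):
    """List the lure traits found in one raw RFC 5322 message."""
    text = body_text(message_from_string(raw, policy=default))
    hosts = {urlsplit(url).hostname or "" for url in URL_RE.findall(text)}
    share = sorted(
        h for h in hosts if any(h == s or h.endswith("." + s) for s in SHARE_HOSTS)
    )
    has_password = PASSWORD_RE.search(text) is not None
    findings = []
    if share:
        findings.append("link-to-file-share:" + ",".join(share))
    if has_password:
        findings.append("password-in-body")
    if share and has_password:
        # The gateway cannot open the archive, but the recipient can.
        findings.append("unscannable-archive-lure")
    return findings


def hunt_dns(log_lines, defanged=DEFANGED_C2):
    """Return (timestamp, client, name) for queries to the domain or its subdomains."""
    domain = refang(defanged).lower()
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:  # constructed format: timestamp client query-name
            continue
        name = fields[2].lower().rstrip(".")
        if name == domain or name.endswith("." + domain):
            hits.append((fields[0], fields[1], name))
    return hits


# Constructed sample message modelled on the description above (not the real e-mail).
SAMPLE_EMAIL = """\
From: "Reporter" <reporter@example.org>
To: activist@example.net
Subject: Interview questions
Content-Type: text/plain; charset="utf-8"

Hello, I left my questions for you here:
https://drive.google.com/file/d/EXAMPLE-ID/view
Password: bbc
"""

# Constructed resolver log; the third name only looks similar and must not match.
SAMPLE_DNS = [
    "2022-02-01T10:00:01Z 10.0.0.5 www.example.org.",
    "2022-02-01T10:00:07Z 10.0.0.5 " + refang(DEFANGED_C2) + ".",
    "2022-02-01T10:00:09Z 10.0.0.8 not" + refang(DEFANGED_C2) + ".",
]

if __name__ == "__main__":
    print(triage_email(SAMPLE_EMAIL))
    print(hunt_dns(SAMPLE_DNS))
```

A hit on `unscannable-archive-lure` is a reason to hold the message for manual review rather than proof of malice, since legitimate senders also share protected archives this way.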

Meanwhile, after taking over Gurbanli’s Facebook account, the hacker also deleted all of the content on at least seven of the community pages, where Gurbanli was an admin (screenshots below are from just two pages). 

Az-Net Watch previously documented attacks through phishing emails sent to civil society activists last year. At the time, an email impersonating a donor organization was sent to a group of activists encouraging them to apply for a Pegasus Grant. Preliminary forensic analysis carried out at the time indicated that the malware sent around in this email was similar to a phishing campaign from 2017 that was widely covered and reported by Amnesty International: “The victims and targets identified, as well as the political theme of bait documents, indicate that the campaign is largely targeting human rights activists, journalists, and dissidents. This campaign also aligns with findings by VirtualRoad.org in their report, “News Media Websites Attacked from Governmental Infrastructure in Azerbaijan”, which links some of the same network address blocks with “break-in attempts” and “denial of service attacks” against several independent media websites.” “The malware that was observed is not sophisticated and is in some manner extremely crude. However, combined with social engineering attempts and an unprepared public, these tactics can remain effective against many targets.”

In another case, the social media accounts of an online media outlet, ToplumTV, were hacked by intercepting incoming SMS messages set up as a two-step authentication method. This resulted in the removal of countless news posts as well as subscribers to the channel’s social media account. The media outlet was previously targeted in September and November 2021; in both instances, the social media accounts were hacked by SMS interception.

Feminist activists also witnessed a surge in online phishing attacks and hacking attempts ahead of the International Women’s Day protest scheduled to take place on March 8, 2022. At least three activists received support to ensure online safety during this period. Similar attacks and targeting were documented last year. In addition to compromised accounts, some feminist activists have faced account impersonation. Most recently, activist Narmin Shahmarzade reported to Az-Net Watch that a fake Instagram account impersonating the activist shared Shahmarzade’s photos without her consent and with inappropriate captions. Az-Net Watch is currently working with the platform to remove the fake account.

Users of social media platforms who posted comments and posts critical of the government were also summoned to law-enforcement bodies, where they were forced either to hand in their devices and the passwords to their social media accounts or to delete their posts that were critical of the government. In at least 5 cases, activists and bloggers faced administrative arrests and interference with their social media accounts for their criticism online and activism.

One of the most recently documented cases involves a blogger who was called in for questioning after sharing a video on Facebook of the traffic police accepting a bribe. The blogger was forced to remove the video after the questioning at the police station. Aziz told Meydan TV that police threatened to keep him unless he removed the video. After Aziz told the local media about the pressure from the police, the blogger was called back in for questioning together with his parents.

In November, prominent lawyer Elchin Sadigov said law enforcement refused to return his mobile devices after he would not share his passwords. Sadigov was arrested in September 2022 together with an editor of an independent outlet. In an interview with Meydan TV, Sadigov said he considered demands that he share his login credentials a violation of privacy.

Also in November, a member of the D18 political movement, Afiaddin Mammadov, who was arrested on bogus charges and sentenced to 30 days in administrative detention, said he was tortured by local police officers after refusing to share the password to his device.

Other documented instances of social media users targeted over their online criticism this year include: 

In April, Meta released its pilot quarterly Adversarial Threat Report in which the platform said it identified “a hybrid network operated by the Ministry of the Internal Affairs.” According to the document, this network relied on, what Meta refers to as, “Coordinated Inauthentic Behavior [CIB]” in combination with cyber espionage, “compromising accounts and websites to post” on behalf of the Ministry. According to the report, these coordinated online cyberattacks targeted journalists, civil society activists, human rights defenders, and members of opposition parties and movements in Azerbaijan. The ministry’s press office was quick to dismiss the findings, saying the findings were fictitious. 

Azerbaijan was also among the countries identified in the Pegasus leaks, which pointed to the targeting of some 80 government critics among one thousand other Azerbaijanis identified as targets of Pegasus spyware.

The attacks and support provided, in the course of the past year, illustrate that no matter how well-prepared political activists and members of civil society are in Azerbaijan, digital security awareness is insufficient in autocratic contexts like Azerbaijan. 

We also observed that existing legal remedies in the country are insufficient to find perpetrators behind such targeting and hold them to account. While in a few instances targeted community members filed official complaints, the investigative authorities showed reluctance in effectively investigating the incidents. 

This year, Az-Net Watch published this detailed report about litigating Pegasus in Azerbaijan in which, together with a legal expert, we conclude that existing national legislation concerning privacy and surveillance is insufficient, and is left to vague and often overt interpretation in the hands of law enforcement and the prosecutor’s office. As such, Azerbaijan continues to systematically fail in providing effective legal remedies and sound investigations against state-sponsored digital attacks and surveillance. Moreover, despite evidence-based reports of targeted and coordinated cyber attacks against activists, the government thus far has not investigated and/or provided effective legal guarantees. And in all cases filed for investigation, nearly a year after Pegasus spyware was identified to be in use, the law enforcement authorities are yet to take formal investigative actions.

In another report published this year together with a legal expert, Az-Net Watch identified serious gaps in data privacy protection mechanisms in Azerbaijan. Our analysis indicated that the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by both public and private entities. The analysis also indicated that the national laws restrict and control personal data with intrusive measures, such as equipping telecom networks with special devices, and real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order. 

Conclusion 

These and other instances of digital threats and offline persecution for online activism illustrate that internet freedom in Azerbaijan continues to decline with no signs of abating. For yet another year, Azerbaijan was ranked “not free” in the Freedom on the Net 2022 report released by Freedom House. In addition to scores of news websites currently blocked in the country (a practice observed since 2017), the state has also resorted to blocking or throttling access to social media platforms and communication applications in recent years. In September 2022 the state demonstrated its control over the internet by blocking access to TikTok on the grounds the platform was casting a shadow over military activities, revealing military secrets, and forming wrong public opinion. The blocking was carried out amid renewed military tensions between Armenia and Azerbaijan. Other users said they experienced issues accessing WhatsApp and Telegram, as well as slow internet connectivity speeds. Previously, during the second Karabakh war (in 2020), users in Azerbaijan faced internet restrictions as well.

Civic activists in Azerbaijan express concern over state control of the internet at a time when social media platforms and independent as well as opposition online news sites have become the sole sources of alternative information accessible to the public outside of traditional media.

The present environment is further exacerbated by the continued crackdown on civic activists, as in the case of Bakhtiyar Hajiyev mentioned earlier in the report. In addition, a number of critical bills approved by the parliament this year demonstrate a profound lack of interest on behalf of the state to ensure basic freedoms, including freedom of the media and of association. As of February 2022, a restrictive new media law compels online media outlets to register with the government agency and has imposed a number of other critical requirements and criteria that critics say only serve the purpose of silencing independent journalists and news platforms.

On December 16, 2022, the parliament also approved a critical bill on political parties, introducing a new set of exhaustive restrictions on political parties. 

As such, Azerbaijani civil society is facing a turbulent year ahead both offline and online in an environment dominated by state control on all forms of dissent leaving many wondering how far the state is willing to go to silence the critics. 

questioning over social media posts critical of government measures raises concern [updated August 3]

The questioning of political activist Ruslan Izzatli on July 28 over his social media post renewed concerns over government oversight of social media platforms and its non-transparent approach to cherry-picking issues that it deems unfit for public discussion.

Izzatli was not the first person to receive a call from the Prosecutor General’s Office last month inviting him for a meeting. In an interview with one media platform, Izzatli explained that the prosecutor’s office refused to explain the reason for the meeting over the phone and asked that the political activist come in person.

During the meeting that took place on July 28, Izzatli was asked questions about a Facebook post in which the political activist shared some of the grievances of war veterans and servicemen since the second Karabakh war. He criticized the state for lack of measures in addressing these issues. “If Aliyev’s team can visit returned territories today it is because of the servicemen and war veterans. But their problems remain unaddressed,” wrote Izzatli in the said post.   

Izzatli was also asked whether he had evidence for the claims made in the post and why the political activist wrote the post in the first place. The political activist also said he received a verbal warning.

Separately, on July 30, the General Prosecutor’s Office said it had warned seven other users over their public posts shared on social media. The Prosecutor’s Office said in a statement that the users were warned after it identified a violation of the Law on Media. Specifically, the statement said:

During monitoring, it was identified that during the publication of news in media, provisions of Article 14.1.11 of the Law on Media were not observed [Facts and events must be presented impartially and objectively, and one-sidedness must not be allowed]. 

In order to prevent cases of violation of socio-political stability, human and citizen rights and freedoms, a number of relevant persons were invited to the Prosecutor General’s Office and the prosecutor took measures. 

As such, Sakhavat Mammadov, Rovshan Mammadov, Zulfugar Alasgarov, Elgun Rahimov, Fuzuli Kahramani, Zeynal Bakhshiyev and Ruslan Izzatli received a warning based on Article 22 of the Law on Prosecutor – to avoid similar negative incidents from taking place again.

The General Prosecutor’s Office repeats, in its appeal to media and social network users, that dissemination of unverified information that lacks clarification from the state institutions is unacceptable and holds one accountable according to existing legislation.

According to Alasgar Mammadli, a media law expert, Article 14 of the Law on Media applies to journalists, newsrooms, and online news sites. But the majority of the men summoned to the Prosecutor’s Office this time were not journalists, Alasgarli told Turan News Agency in an interview. The cited Article 14 cannot be used against individuals for expressing their thoughts. This is clearly an attempt to restrict freedom of expression, said Mammadli. Journalist Sakhavat Mammadov, who was among the group who received a warning, agrees. Speaking with Turan News Agency on August 3, Mammadli said that the warnings and questioning are meant to pressure activists and journalists and are clearly political orders. “Instead of calming people down, these incidents only raise tension and cause opposite effects. It shows there is an attempt to withhold information from the people, which only breeds rumors and disinformation.”

AIW has analyzed the Law on Media and its implications on media freedom in Azerbaijan here. Among key findings were poorly worded definitions and excessive requirements and restrictions for online media content [see below Article 14 as an example]; challenging parameters of registration of journalists, especially those working for online media outlets and freelance journalists; and lack of oversight and checks and balances to monitor decisions taken within the scope of the new law. 

Article 14 of the Media Law requires that information published and (or) disseminated in the media (including online media) must meet at least 14 requirements. The law also requires that content published by media outlets should meet the requirements of the Law on Protection of Children from Harmful Information and the Law on Information, Informatization and Protection of Information which provides an exhaustive list of requirements criticized for vagueness.

For instance, Article 14.1.6 of the law, which prohibits media from using “immoral lexical (swearing) words and expressions, gestures,” contradicts the European Court of Human Rights standard of “prescribed by law” because it lacks sufficient clarity and precision. The article also does not comply with the standard of “necessary in a democratic society,” “found in Articles 8-11 of the European Convention on Human Rights which provides that the state may impose restrictions of these rights only if such restrictions are ‘necessary in a democratic society’ and proportional to the legitimate aims enumerated in each article.” The text authorizes the authorities to consider any impugned statement or general criticism as “immoral lexical (swearing) words and expressions”. With such a broad definition, this requirement has a chilling effect on journalists.

Article 14.1.11 of the law reads, “facts and events must be interpreted impartially and objectively, and one-sidedness must not be allowed.” A duty of impartial and accurate reporting that avoids one-sidedness is likely to result in journalists self-censoring rather than exercising their right to freedom of expression. Failure to meet this requirement subjects the journalist to heavy sanctions. Furthermore, taking into account the existing political atmosphere in the country, such broadly defined restrictions can prevent journalists and other professionals working for online media from staying impartial without any interference.

Article 14.1.14 concerns published content, according to which “publication (dissemination) of information about the crime committed by a person in the absence of a court order that has entered into force should not be allowed.” Such a direct ban in general form could limit freedom of expression, in particular where certain cases are widely covered in the media on account of the seriousness of the facts and the individuals. The journalist can also be subject to disproportionate sanctions for publication or dissemination of information which is already known to people, for instance in the case of scandalous news about the corruption of officials. This clause heavily limits the primary duty of ensuring diversity and plurality of voices in the media.

Any imposed restrictions must be prescribed by law, pursue legitimate aims (allowed by international human rights law), and be necessary in a democratic society, meeting requirements such as proportionality and non-discrimination.

In May, AIW looked into content regulation on the internet carried out by the Prosecutor’s office and how the measures in place silence free speech, often relying on the use of a restrictive law on Information, Informatization, and Protection of Information. This legal overview was prepared following an uptick of cases in which social media users faced punitive measures for their online activism by the Prosecutor’s Office. At the time, the analysis concluded that the Prosecutor General Office has taken on a temporary role of taking measures against activists, journalists, and media within the scope of laws on information and media and with the powers vested in the prosecutor’s office under the existing legislation on administrative offenses and the law of the prosecutor’s office.

The day Ruslan Izzatli was questioned, Azerbaijan’s Press Council, a nominally independent media regulation authority, held a press conference. Speaking at the briefing, the chairman of the Council, Aflatun Amashov, expressed his concerns over circulating social media posts damaging the reputation of the Azerbaijani military. As such, the chairman said the council is ready to offer its recommendations on creating a legal framework to regulate social media platforms in Azerbaijan.

Speaking to Meydan TV, media law expert Khalid Aghaliyev said the council’s proposal to regulate social media platforms is likely linked to the state’s intentions of having social media platforms open representatives in Azerbaijan and then using these representatives to further consolidate control mechanisms over social media platforms.

journalists, rights defenders, activists targeted with Pegasus – a global investigation

Released simultaneously by a number of international media, including The Guardian, the Wire India, the Washington Post, and OCCRP among 12 others, the #PegasusProject is an international collaborative investigation. Based on a massive data leak, it documents how NSO Group, an Israeli surveillance company, sold Pegasus, a hacking software, to authoritarian regimes to target human rights activists, journalists, and lawyers across the world. The investigation and the list were coordinated and obtained by the Paris-based journalism nonprofit Forbidden Stories and advised by Amnesty International.

Among the countries revealed to be using Pegasus was also Azerbaijan.

Ever since traces of surveillance technology were revealed to be in use to target civil society in Azerbaijan, there have been suspicions that Pegasus was among the technology deployed. The most recent investigation confirms these suspicions.

The data leak, containing some 50,000 phone numbers, also showed that some of the people identified as owners of the targeted phone numbers had been people of interest to clients of NSO since 2016.

According to OCCRP, at least 1000 of those numbers are from Azerbaijan.

“Reporters spent months establishing the identity of the people behind the numbers, and succeeded in verifying nearly a quarter. While NSO Group describes itself as a company that helps governments detect and prevent terrorism and crime, the list of Azerbaijanis selected for targeting shows how the tool was systematically abused. All but a few of the numbers identified by reporters belonged to journalists, activists, lawyers, and members of the country’s beleaguered opposition.

Of the 245 Azerbaijani phone numbers on the list that were identified, a fifth belonged to reporters, editors, or media company owners.”

In its response, NSO Group “claimed the data used by reporters was misinterpreted and that it does not allow its clients to abuse its software, which, it reiterated, is meant only to surveil criminals and terrorists,” while not responding to specific questions about Azerbaijan.

“NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations. The consortium found many of the phone numbers in at least 10 country clusters, which were subjected to deeper analysis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Citizen Lab also has found evidence that all 10 have been clients of NSO, according to Bill Marczak, a senior research fellow.”

Among identified journalists and activists on the list are:

  • Khadija Ismayilova, journalist
  • Sevinc Vagifgizi, journalist, Meydan TV
  • Fatima Movlamli, activist/journalist
  • Ilkin Rustamzade, activist, and his former wife Amina
  • Nine current and former journalists from Azadliq.info
  • Bahaddin Haziyev, editor, “Bizim Yol” newspaper
  • Elkhan Shukurlu, editor-in-chief of Strateq.az
  • Avaz Zeynalli, editor-in-chief of Khural
  • Anar Orujov, founder of Kanal 13
  • Aziz Orujov, director of Kanal 13
  • Rauf Arifoglu, editor in chief of Musavat newspaper
  • Mehman Huseynov, former political prisoner, and citizen journalist
  • Bayram Mammadov (who died in Istanbul earlier this year) and Giyas Ibrahimov – the graffiti prisoners (Mammadov, his father, and Ibrahimov’s mother are all on the list)

According to OCCRP, the list also includes “more than 40 Azerbaijani activists and their family members on the list. Their presence on the list begins in 2019.”

In its report, the Washington Post writes, “the list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled. But forensic analysis of the 37 smartphones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance, in some cases as brief as a few seconds.”

“The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list.

Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.”

How does Pegasus work

According to Access Now, since 2016, some 46 countries were identified where NSO Group’s Pegasus has been in use. “Reports from Access Now, Citizen Lab, and others all show that an alarming number of people targeted using Pegasus have been journalists, lawyers, and activists, whose only crime was speaking out against and reporting on the injustices in their home countries.”

In March of this year, AIW reported on a France-based blogger whose phone may also have been infected with Pegasus. At the time, there was only suspicion and no conclusive evidence. While this still may be the case, three months later it is now confirmed that not only has the government in Azerbaijan been using various methods to crack down on dissent, with arrests, intimidation, and physical threats against civil society, but it has been doing so using authoritarian technology including Pegasus.

facebook page affiliated with opposition hacked, again

On September 10, the Facebook page that belongs to an online news website, bastainfo.com, was hacked. Bastainfo.com is affiliated with the opposition party Musavat and is known for often running into problems with the authorities. Its editor was handed a five-year suspended sentence in February 2019. The website bastainfo.com remains blocked in Azerbaijan.

In January 2020, Azerbaijan Internet Watch reported how several Musavat party social media accounts were targeted. According to preliminary reports, five Facebook pages, one Facebook group, and one website were targeted.

The bastainfo.com page was targeted then as well, and it lost followers. During last week’s attack, the bastainfo.com page lost some 5k followers, as well as content that had been shared since 2017.

Hacking and compromising Facebook, Instagram, and YouTube accounts (because these are popular platforms used by journalists and activists) is common in Azerbaijan and isn’t new. The online harassment of prominent accounts began several years ago, at first mostly on the level of government-sponsored trolls. Over the years, as the ruling government developed an interest in spyware technology, the types of attacks became more sophisticated, while state-sponsored trolling and reliance on automated bots, even though still used, became secondary. In each of these cases, finding the perpetrators has not been possible. And in cases when it was clear the attacker was an automated bot or state-sponsored troll, the platform took no action. We finally know why. A former Facebook employee, Sophie Zhang, wrote a memo after getting fired from her job at the company, revealing how the company dealt with fake accounts and bots. Among the countries she worked on and analyzed was Azerbaijan. “Ms. Zhang discovered that the ruling political party in Azerbaijan was also using false accounts to harass opposition figures. She flagged the activity over a year ago, she said, but Facebook’s investigation remains open and officials have not yet taken action over the accounts.”

social media activist arrested [updated June 22]

[Update] On June 17, Irshadov was reportedly detained over a social media post. According to Meydan TV, the blogger was detained for criticizing a new quarantine rule restricting the reopening of some mosques that was introduced by the Cabinet of Ministers. Irshadov was released after a preventative discussion, reported Meydan TV.

On May 18, activist Elvin Irshadov, known online as “Umari Ali,” was reportedly arrested in the city of Lenkoran. On May 19, a court in Lenkoran sentenced Irshadov to 16 days in administrative detention on charges of disobeying police orders.

Irshadov is known for his critical posts online and has been previously warned by city police over his online activism. In one of his recent social media posts, Irshadov criticized authorities over the recent dismissals of city administrative officials calling it a political cover-up.

Irshadov is not the first activist targeted for online activism. In recent weeks, scores of activists were targeted by authorities across the country.

independent news site hacked

On the morning of April 22, an independent online news platform, abzas.net, noticed strange activity on its website. Not only did the website lose a month’s worth of published articles, but some articles’ headlines were also changed.

In an interview with AIW, the website’s editor Ulvi Hasanli confirmed the attack. Hasanli said this was not the first time the website was under attack. “We have experienced DDoS attacks every month for a year between 2016 and 2017. Eventually, abzas.net was blocked in Azerbaijan and the website switched to .org”.

Hasanli confirmed that the team was able to restore the missing articles and revert the changed headlines.

While the team continues to investigate the source behind the attack, in an interview with Azadliq Radio, Hasanli said they will seek legal remedy once they have sufficient evidence.