Ankara: A cyber operation by Turkey's National Intelligence Organization (MIT) against the encrypted messaging application ByLock exposed the hierarchy and covert networks of the Fetullah Terrorist Organization (FETO), which orchestrated the defeated coup attempt of July 15, 2016.
According to Anadolu Agency, MIT obtained a database containing 215,092 users from the application's main server in Lithuania under its technical intelligence and cybersecurity powers granted by Law No. 2937. The data provided authorities with a detailed map of FETO's cell-based structure and its clandestine network within state institutions.
Unlike globally available messaging platforms such as WhatsApp and Telegram, ByLock was designed around anonymity and exclusivity. Users could communicate only if both sides knew each other's system-generated username or identification number and mutually added one another. No telephone number, email address, or SMS verification was required to register, making it possible for users to conceal their identities. The closed architecture also prevented outsiders from randomly joining the network, effectively limiting access to people admitted through organizational referrals.
MIT first learned of ByLock in July 2014 through intelligence assets who had infiltrated FETO. Investigations found that the software had been developed under a special instruction issued in November 2013, before the group's judicial and police operations of Dec. 17-25 that year. The security of the application's server was entrusted to a senior figure in FETO's cyber structure.
MIT subsequently established a specialist team within its Cyber Defense and Security Department to dismantle the covert network. The unit included database specialists, cryptanalysts, network experts, ethical hackers, and reverse-engineering specialists. The team identified the main server as being operated by a Lithuania-based company named Bastic Servers through nine IP addresses rented by FETO administrators using anonymous payment methods.
An initial cyberattack was launched in August 2015 to test vulnerabilities and the strength of the server's firewall. The firewall was breached in November, but the group detected unusual data traffic and temporarily shut down the system. MIT specialists then waited until Dec. 25, 2015, anticipating that company employees would be distracted by Christmas celebrations. The firewall was fully breached during the operation that night.
After gaining access, the team hacked an email account used by the company to communicate with customers and sent false messages to the FETO-linked software administrator saying there were no problems with the server. A backdoor installed on the system allowed data to be transferred to Ankara. Cyber specialists also used social engineering to access the computer of a data security employee in Lithuania by sending photographs in the name of the employee's girlfriend. This gave the intelligence team control of monitoring screens and allowed the extraction of millions of records without detection.
Cryptological analysis of the compiled source code identified Turkish terms including 'dosya,' 'posta,' and 'sesli arama.' One of the clearest indications that the application had been designed specifically for users in Turkey was an error message written in Turkish that read: 'Yetkiniz yok. (You are not authorized.)' Traffic between users was protected with complex end-to-end encryption algorithms.
The operation uncovered 60,748 internet subscriptions, more than 17 million messages, nearly 4.7 million emails, and 111,637 telephone numbers. Analysis of the database revealed for the first time the communications system used by FETO's so-called 'covert services structure,' according to the information compiled by Anadolu.
Technical work conducted in January and February 2015 identified the group's 81 so-called provincial imams and 160 figures described as country imams. On July 12, 2016, three days before the coup attempt, authorities identified 600 senior-ranking military personnel linked to FETO through ByLock correspondence and notified the Turkish General Staff.
The data also showed that the 2014 interception of MIT trucks was a planned organizational operation carried out by gendarmerie personnel acting on instructions from FETO's covert handlers. On July 15, 2016, a faction within the Turkish Armed Forces linked to FETO attempted to seize power in several cities, particularly Ankara and Istanbul. The coup plotters opened fire on civilians, turned against their commanders, and bombed the Turkish parliament and presidential complex, killing 253 people and wounding thousands.
The database showed that members did not use their real names but were assigned identification numbers beginning with one and extending beyond 215,000. Investigators determined that the numbers were not issued randomly but reflected users' seniority, importance, and position within the organization. The application was initially reserved for senior administrators and members of FETO's covert network before being expanded to the broader membership. Users assigned numbers among the first 100 were found to include some of the group's most important operational figures.