2025-10-24: Investigative journalists at AlArabiyah use web archives in investigating Hezbollah leaders' assassination and 2024 Lebanon electronic device attacks
 |
| AlArabiyah documentary highlighting the two archived copies on the Wayback Machine calendar between which NortaLink website was allegedly removed. |
Last month, September 2025, AlArabiyah published a documentary in Arabic titled "قادة حزب الله.. قصة الاغتيالات". It investigated the assasinations of Hezbollah leaders and the 2024 Lebanon electronic device attacks. AlArabiyah, a Saudi state-owned international Arabic news and media outlet, is one of the most popular news channels in the Middle East and the world. AlArabiyah is so prominent that former president Barack Obama gave it his first formal interview as president of the US on January 26, 2009. The documentary is published on YouTube under multiple channels/accounts that belong to AlArabiyah including AlArabiyah, AlArabiyah Screen, and AlArabiyah Programs. It investigated Norta Global Ltd, the fake company that sold the explosive electronic devices (pagers and walkie talkies that exploded on September 17th and 18th of 2024) to Hezbollah, and looked into the history of the company's website using the Wayback Machine since it was removed from the web. The documentary stated that the website was deleted on September 19th, the day after the attacks, and highlighted the times between which the website was taken down (9:57 AM and 11:02 PM UTC) as shown in the following screenshots from the documentary. Why did the documentary highlight the first and last archived copies on September 19th and totally ignore the archived copy in between them (captured at 10:51 AM UTC)? I do not know.
 |
| AlArabiyah documentary showing the Internet Archive's Wayback Machine naming it in Arabic "The Archive of the Internet, Wayback Machine" |
 |
| AlArabiyah documentary highlighting the two archived copies on the Wayback Machine calendar between which NortaLink website was allegedly removed. |
Because web archiving is what most of my research is about, I paused the video and started to look for archived copies of the website in web archives. I looked in all public web archives and could not find a single copy in any of them except the Internet Archive (IA), which has 23 copies. The website only has a single page and it immediately comes across as a website for a fake company. I found that the website was not removed on September 19, the day after the attack as the documentary claims. It was, in fact, removed a few weeks before the attacks (sometime between 2024-08-06 and 2024-08-29). I doubt that this is an accidental error from the journalists at AlArabiyah. Is it possible that they just do not know how to use the Wayback Machine? I doubt it. The issue here is not that the page was removed and that the IA has archived a 404 page. Inspecting the first archived copy on 2024-08-29 shows that the website was not removed per se, but page's main div opacity has been set to 0 in its css style element making its content, the website, invisible. The home page for the website is entirely wrapped in that invisible div making the website invisible. Therefore, on 2024-08-29, the IA archived a "blank page", technically a transparent page. The screenshot of the inspection window shows that the page has text and iframes that still have information that the IA has captured. The average user thinks the website was removed by clicking the link to the memento and getting a blank page. A web savvy user can inspect the page and see that the captured copy of the page has elements in it, but the page was made invisible. The main point here is that the IA did what it is supposed to do, but the web master made the page transparent (invisible). This implies a level of sophistication far beyond just removing the website.
 |
| The inspector window in Google Chrome browser showing the site made invisible by setting the opacity to 0 in the CSS style for the div that contains the page. |
https://web.archive.org/web/20240829092008/http://nortalink.com/ (site made invisible)
Furthermore, I looked into social media links in these copies and found that their Facebook page has been deleted and that Facebook prevented the IA from capturing its content because it requires the user to be logged in to download the page.
 |
| Archived copy of NortaLink Facebook page showing that the Internet Archive's crawler was blocked at crawl time. |
 |
| Screenshot of the current linkedIn page of NortaLink. |
 |
| Screenshot of the linkedIn page of NortaLink from September 19th 2024 taken from the Internet Archive. |
The LinkedIn page of NortaLink (archived version) currently shows “Test” as the name. The oldest archived copy for the page is from February 19th of 2023. The archived copy of their LinkedIn page on 2023-10-21 shows the company page and the company name is NortaLink. It lists two employees working for the company. The archived copy of the employees page, captured on 2024-09-20, does not have any useful information since LinkedIn requires the user to be logged in to view the page.
 |
| The archived copy of NortaLink page on LinkedIn from 2023-10-21. |
 |
| The archived copy of NortaLink employees page showing that the IA was unable to archive the page because it redirects to the login page. |
NortaLink’s LinkedIn page now lists one person working for the company as a managing partner and that he/she is located in Algeria. The profile lists Norta as the only employer and the profile only has one activity on LinkedIn, a comment from July of 2025. The name listed on the profile is Fabenco Bentayeb. The last name is a popular family name in Algeria, but the first name, Fabenco, is unheard of.
 |
| Screenshot of the linkedIn profile page which states the the owner is the only current employee of NortaLink. |
The documentary claimed that Norta Global Ltd has only one employee, Rinson Jose, who travelled to the US on the day of the attack and is now wanted by the Norwegian government.
I went to the website they listed on their LinkedIn page before the attack (norta.no) and found that it has also been removed. It has been saved 8 times between May 31, 2017 and September 20, 2024 by the IA. Recent mementos showed that the website returned a 302 status code (redirect) at crawl time, but older mementos from 2017 and 2018 showed that the website norta.no was also a single page website that looks just as fake as nortalink.com. Although the archived LinkedIn page showed that the company has two employees, The website featured pictures and information for three individuals that work for the company, Rinson Jose (CEO), Bibin P B (CTO), and Hanna Hananger (PRO). Assuming all are fake names, I was curious if they had any online presence with these names. Rinson Jose became so popular after the attack and is directly linked to it, so googling his name returns links about the bombing itself and any personal pages, if they exist, are buried under so many pages talking about the bombing. Furthermore, Rinson Jose must be a popular name because searching for people with that name on social media platforms such as LinkedIn, Facebook, and X returns dozens of profiles. Bibin P B must also be a popular Indian name because there are so many profiles on LinkedIn with that name.
Unlike the names of the first two employees (Rinson Jose and Bibin P B) listed on NortaLink’s website, Hanna Hananger is not a common name. On LinkedIn, I found what seems to be the same person from the picture. Unfortunately, the quality of their pictures on the website is so low it makes me think they deliberately posted such low quality pictures to hide their identity later on. The LinkedIn profile for Hanna Hananger shows a middle name, Charlotte, and says that she is located in Oslo, Norway. The profile shows that she worked in multiple countries including working as a social worker for two months in India, the same country the other two employees, Rinson and Bibin, are from. The profile page cannot be archived so I was unable to verify that the LinkedIn page has not been altered. I tried to archived it using the Save Page Now service from the IA’s Wayback Machine, but LinkedIn prevented the IA from archiving it and instead archived the login page for LinkedIn since LinkedIn requires the user to be logged in to download the profile page for Hanna Hananger. Trying to archive the profile page using Archive Today produced the same result.
 |
| The IA failed to archive Hanna Hananger's LinkedIn profile page |
Hanna Hananger’s LinkedIn profile page does not mention that she worked for any company that has Norta in its name. It is interesting that the first memento of norta.no (from 2017) shows that Rinson and Bibin are the only employees. Further online search showed that Hanna Hananger is listed as the founder and director of Link Child Foundation in Mbale, Uganda. It is possible that norta.no used her picture and identity claiming that she works for the company without her knowledge because Hanna Hananger seems to be a legitimate person and that's her real name. Mementos of norta.no show that the page did not have a bio for Hanna Hananger. Leveraging the IA to verify the legitimacy and consistency of websites, I looked for mementos for the Link Child Foundation's website. The oldest memento is from 2014 and it lists Hanna Hananger as the founder and CEO. The home page has been archived 54 times between 2014 and 2025. The organization seems to be legitimate and the archived copies of its website show a natural growth of this type of website between 2014 and 2025. I went to their Facebook page and it also seems legitimate showing a creation date of June 5, 2013. The page has photos posted showing the progress of building their facility in Mbale, Uganda since 2014 with some of the pictures tagging the facebook profile page of Hanna Hananger that has the same picture as her LinkedIn profile page. Multiple other websites including news websites have pictures and information about her including Lister24. Link Child Foundation has not posted on Facebook since December of 2023, has not posted on Instagram since May of 2024, and has not posted on Vimeo since 2020.
The take away message from this post is that the IA is a very effective tool to verify the legitimacy of websites with minimal work. AlArabiyah team utilized the IA in their documentary investigating the legitimacy of Norta Global Ltd, the company that supplied explosive pagers and walkie talkies to Hezbollah that killed and injured thousands of people, but AlArabiyah failed to extract the correct information from the Wayback Machine and presented inaccurate information about the date and time when the company’s website “disappeared”. Upon further investigation, I found that Norta Global is a fake company and that its website and social media pages were created to have a history on legitimate platforms like LinkedIn for the purpose of selling the explosive electronics to Hezbollah and carrying out the bombing attack later. Deutsche Welle (DW) stated that two former Israeli Mossad agents confirmed that the pagers bombing attack has been planned since 2022, which sounds correct since the first archived copy of Norta Global Ltd’s website was captured on February 19th of 2023. They stated that all the fake companies, along with their online profiles and fake advertisements, were created for the purpose of sourcing the pagers from the manufacturer and selling them to Hezbollah after planting the explosives in them. In the same interview, the former agents stated that unlike the pages’ sales plan, the selling of explosive walkie talkies to Hezbollah was planned 10 years before the attack. In another interview, a former Israeli Mossad agent confirmed that the fake online websites and online profiles created by the Israeli intelligence agency Mossad to promote the explosive electronics were later removed from the web. It seems like these fake companies, their website, and online social media presence were part of the plan to take down Hezbollah members and leaders.
Comments
Post a Comment