Analytical challenges in monitoring extremism across encrypted platforms

Encrypted platforms continue to constrain visibility into extremist ecosystems; yet, the central challenge for analysts lies not merely in access, but in the reliability and interpretability of available information.

Introduction

Encrypted platforms continue to constrain visibility into extremist ecosystems; yet, the central challenge for analysts lies not merely in access, but in the reliability and interpretability of available information. Fragmented digital environments, the hybrid use of open and closed platforms, and strategic deception all complicate assessments. Effective monitoring therefore depends not just on technical collection, but on contextual judgment and careful analytical tradecraft.

Shifting Toward Encrypted Ecosystems

Over the past decade, extremist actors have progressively migrated from open social media toward private or semi-private environments. End-to-end encrypted messaging applications such as Telegram, Signal, and WhatsApp now play a central role in recruitment, propaganda dissemination, internal coordination, and community-building. This shift, however, has not produced a fully closed ecosystem. These groups continue to rely on open platforms for proselytism and legitimacy, often using them as gateways that funnel audiences toward more controlled spaces. This hybrid model creates both opportunities and blind spots: analysts can observe narratives, recruitment processes, and, more broadly, engagement patterns, yet struggle to confidently assess internal dynamics or real intent.

Access and Interpretation

Encryption undeniably creates access barriers, often limiting sustained observation. Yet even when analysts gain access to closed groups or invitation-only channels, they encounter an arguably more complex challenge: the information environment itself is inherently unreliable. Studies on the so-called cyberjihad show how messaging can be exaggerated, symbolic, or deliberately misleading. Public-facing channels are often designed for performance rather than communication, with actors intentionally seeding disinformation, for instance by inflating their perceived strength. In fact, much of the content is not designed to convey actionable intent but may serve strategic purposes such as legitimacy-building or recruitment by shaping perception.

This creates the risk of confusing rhetoric with real intent, and visibility with influence. High levels of engagement may signal successful amplification rather than genuine capability. Similarly, dramatic content may function as symbolic expression rather than as an indicator of imminent action. Moreover, the strategic use of deception further complicates observers’ interpretation, as content may be produced with the awareness of external monitoring, making it increasingly difficult to distinguish signal from noise. In this environment, the main limitation is not simply access, but epistemic reliability: individual data points rarely speak for themselves; rather, they require contextual understanding, as their meaning emerges through patterns and cross-platform validation.

Methodological Challenges

One of the most persistent difficulties in contemporary monitoring is the fragmentation of extremist ecosystems. Instead of operating within a single platform, actors usually move across environments, such as mainstream social media, niche forums, gaming platforms, encrypted messaging services, and occasionally the dark web. This dispersion reflects both defensive considerations (e.g., reducing exposure and complicating detection) and functional differentiation, whereby different platforms serve distinct purposes (e.g., outreach and coordination), resulting in a highly discontinuous information environment in which no single vantage point provides a complete picture.

Furthermore, these environments are not neutral spaces, but each has its own culture and communicative norms. Interactions that appear suspicious in isolation may be benign within platform-specific contexts, while meaningful signals can be easily overlooked by untrained observers. Without a deep understanding of these dynamics, analysts risk overinterpreting ambiguous behaviour or missing subtle indicators.

A further layer of complexity is introduced by temporal dynamics. Extremist content and networks are inherently fluid: channels are frequently created, migrated, or shut down; content can be edited or deleted; and narratives can evolve in response to external events. As a result, the information environment is not only fragmented, but also continuously changing. Observations captured at a single point in time may quickly lose relevance, while incomplete datasets can produce misleading impressions. At the same time, the proliferation of platforms and content streams generates a high volume of low-value or redundant information, making it more difficult to isolate meaningful indicators. Analysts are therefore often required to generate assessments under conditions of temporal instability, where both the object of analysis and the available data are in flux.

In this context of volatility, analytical conclusions must remain proportionate to the quality and persistence of the underlying data. This often means prioritising the development of sound assessments from partial datasets over extracting clear signals from a single source or reconstructing a complete picture, which is hardly possible.

Operational Constraints and Implications for Intelligence Practice

Monitoring encrypted spaces inevitably raises ethical and legal tensions, as intrusive collection techniques may undermine privacy protections or violate platform norms. Conversely, overly cautious approaches can leave analysts with limited visibility into emerging risks. These constraints can shape the operational boundaries within which monitoring takes place. That is why uncovering the contemporary extremist information environment demands continuous validation of sources and explicit acknowledgment of uncertainty. Effective monitoring depends on the integration of technical capabilities with contextual and behavioural analysis: to avoid producing a high volume of data without insight, signals extracted from encrypted or fragmented environments require interpretation grounded in historical patterns and actor behaviour within given platforms. Furthermore, familiarity with cultural and social dynamics, as well as with linguistic nuances, strongly contributes to understanding signals.

Looking ahead, emerging technologies are likely to further complicate this landscape. Developments such as quantum computing may eventually challenge existing cryptographic standards, altering the balance between encryption and access. As a consequence, analysts may be required to process even larger quantities of data, which would intensify the problem of interpretation and create the need for even stronger analytical judgment.

Conclusion

Encrypted platforms do not simply obstruct monitoring but redefine the nature of the analytical task. For intelligence and research communities, the challenge is not limited to gaining access, but extends to interpreting behaviour within environments shaped by performative communication and fragmentation. Given this ambiguity, assessments must account for the risks of overinterpretation and underestimation, maintaining clear distinctions between observation and inference. Methodological rigour and contextual understanding therefore become the primary determinants of analytical value; without them, analysis risks being shaped by the very distortions it seeks to interpret.

Credible assessments ultimately depend on analytical tradecraft: integrating observations fragmented across time and platforms, maintaining clear distinctions between rhetoric, intent, and capability, and grounding judgement in cultural awareness and the acknowledgement of uncertainty.


Francesco Macci holds an Erasmus Mundus International Master’s Degree in Security, Intelligence, and Strategic Studies (IMSISS), a master’s degree in Leadership for International Relations and Made in Italy, and has completed an advanced training course in Space Institutions and Policies with a scholarship from the Italian Space Agency (ASI). For the Moroccan Institute for Policy Analysis (MIPA), he published “The Growth of the Moroccan Military Air Power” (2023). He coordinated the Security & Defense Working Group of the European Student Think Tank (EST); he has worked as an intelligence analyst in the private sector, and currently serves as a Security Manager.