XR Money Rebellion Planning Movement Vs Banks, Financial Institutions
Threat Intelligence Team
March 24, 2021 | 4 minute read
Extinction Rebellion (XR) is a London-based environmental group aiming at disruptive and nonviolent civil resistance. Launching their first public campaign in October 2018, XR centers their motives on resisting structures that dismiss climate change and degradation of natural resources. XR has been notable in eliciting mass arrest, a Gandhian tactic that garnered them press coverage, funding, and attention from government agencies and policy bodies (Wilson E., 2019). Although their sphere of influence has increased over the years in the UK and Western Europe, their influence is yet to grow in the US and APAC. Political commentators have associated them with the words “anarchism”, “eco-socialism” and “radical anti-capitalist environmentalism” (Wilson & Walton, 2019).
Sources cite individuals like Roger Hallam, Gail Bradbrook, and Simon Bramwell as the pioneer founders, among other activists from these earlier movements. Cyberint has identified Andrew Medhurst as Finance Lead for the UK chapter, and Michael Staindl as one of the prominent characters of the Australia chapter.
Earlier this month, XR announced that on April 1, 2021, they will launch a “Global Money Rebellion Wave”, shortened to “XR Money Rebellion”.
Figure 1 XR Money Rebellion tweeted an announcement of their movement on March 8
They outlined the following goals:
- Financial civil disobedience — debt and tax strikes; or threatening to conduct these actions.
- Digital Rebellion — simple actions organized online, such as phoneline jamming or mass targeting campaigns of a single institution. They did not expound on the nature of such “mass targeting campaigns”.
- Street protest (small action groups and mass mobilizations) — defacement actions include leafleting, branch occupations and disruptions, washable graffiti and/or fake oil (Money Rebellion, 2021). In their encrypted document, they specify that they plan to pour fake oil around and inside buildings, as well as into cash machines (Money Rebellion, 2021).
A shared document of their manifesto is available on CryptPad, in which they demand that governments, banks, and other political, economic, and financial institutions take the following actions:
- Tell the truth about our global economic system, which creates staggering inequity, distorts priorities, and causes harm. Financial institutions must fully disclose the social, climate, and ecological impacts of funding, so it is clear who is paying the true cost.
- Act now to stop financing death, destruction, and social collapse. Start repairing damage and make the necessary investments to prepare for the climate, ecological and health crises.
- Champion XR Citizens’ Assemblies at all key levels, including global, with legally-binding mandates to design a fair and just economy in service to all people and life on earth. (Money Rebellion, 2021)
Cyberint found no explicit chatter on the open web, deep web, and dark web regarding high-sophistication cyber-attacks related to XR Money Rebellion. However, Cyberint detected blogs comparing their narratives on debt, tax, and finance to “fsociety”, the anarchist group in the hacking TV series Mr. Robot aiming at erasing global debt.
Cyberint assesses that this movement may be sentimentalized by threat actors seeking to maximize XR’s influence to garner interest and divert public attention to parallel anarchist/hacktivist operations.
Cyberint identified and is monitoring the following digital platforms related to XR Money Rebellion:
- earth – empty website
- Twitter account - @money_rebellion
- Instagram account - @moneyrebellion
- Information page https://extinctionrebellion.uk/act-now/resources/money-rebellion/
- Email address - firstname.lastname@example.org
- Telegram channel – t.me/moneyrebellion (110 members at time of writing)
More similar digital footprints were identified by Cyberint, including XR’s geographical sub-groups, referenced in the Appendix.
One of the earlier campaigns of XR Money Rebellion is Sharklays, a high-profile brand defacement against UK bank Barclays launched in June-July 2020, motivated by the claim that Barclays is allegedly a top global financier of climate devastation. An independent website was set up, accessible on sharklays.co.uk, meant to take a stab at Barclays’ original website, emulating its brand colors and replacing its eagle logo with two adjacent sharks in ode to the climate narrative.
Figure 2 A screenshot of the website Sharklays, a wordplay on Barclays
Its domain registration information is obfuscated. A quick OSINT check reveals that sharklays.co.uk ranks high for malicious elements, possibly due to its A Record, 18.104.22.168, being associated with bad-reputation URLs, and communicating with malicious files, including Word documents infected with Emotet, a banking trojan. Cyberint identified potential IOCs, cited in the Appendix.
The above-mentioned IP is a direct-allocation IP, belonging to Sharktech, a small internet provider in Nevada, US with around 25 employees.
Figure 3 Third party OSINT tool ranks sharklays.co.uk with a score of 89 and a threat profile related to phishing.
The Sharklays campaign also has a Twitter account, @sharklays, with 209 followers.
Prepare for hacktivist-type attacks.
- Harden physical security mechanisms of cash machines; monitor for vandalism and physical damage (fake oil).
- Employ anti-DDoS best practices, such as monitoring suspicious communicating IPs, and restructuring servers in different data centers to minimize or avoid service interruption, i.e., avoid a single point of failure.
- Harden and monitor firewalls.
- Keep software up-to-date and patch vulnerabilities, particularly against cross-site scripting attacks, SQL injections, and related operations. Conduct double validation of data.
- Escalate threat intelligence activities to detect related chatter, brand abuse, and defacements.
- Train personnel and be vigilant on social engineering attacks.
- Close unnecessary open ports.
- Practice password hygiene.
- Improve visibility on cyber vulnerabilities of partners and vendors.
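
The brand-abuse monitoring recommended above can be illustrated with the Sharklays case. The following is an added example, not Cyberint's tooling: it triages a constructed feed of registered domains against the brand label and shows that a wordplay name such as sharklays.co.uk sits outside a typical typosquat edit-distance threshold and needs a separate check. The thresholds, the `OWNED` allowlist and the `.example` domains are assumptions.

```python
from difflib import SequenceMatcher

BRAND = "barclays"            # brand label named on the page
OWNED = {"barclays.co.uk"}    # assumption: the defender's own domains

def levenshtein(a, b):
    """Edit distance via two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def common_suffix(a, b):
    """Length of the shared ending, e.g. 'lays' in sharklays/barclays."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n

def features(domain, brand=BRAND):
    # Assumption: the feed holds registrable domains, so the leftmost label is the name.
    label = domain.lower().rstrip(".").split(".")[0]
    return {
        "label": label,
        "distance": levenshtein(label, brand),
        "suffix": common_suffix(label, brand),
        "ratio": round(SequenceMatcher(None, label, brand).ratio(), 2),
    }

def classify(domain, brand=BRAND):
    if domain.lower() in OWNED:
        return "owned"
    f = features(domain, brand)
    if f["distance"] <= 2:                       # classic typosquat threshold
        return "typosquat"
    # Wordplay: same ending, similar length, high overall similarity (tunable).
    if f["suffix"] >= 4 and f["ratio"] >= 0.6 and abs(len(f["label"]) - len(brand)) <= 1:
        return "wordplay"
    return "ignore"

# Constructed feed: only sharklays.co.uk comes from the page.
FEED = ["barclays.co.uk", "barclay5.example", "sharklays.co.uk", "sharkfacts.example"]

if __name__ == "__main__":
    for d in FEED:
        print(d, classify(d), features(d))
```

Results of this kind are candidates for analyst review, not verdicts; the wordplay rule trades some false positives for catching names an edit-distance filter alone would drop.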
Sharklays campaign identifiers:
22.214.171.124 – A record of sharklays.co.uk
sharklays.co.uk – domain of the main platform of the brand defacement campaign against Barclays bank, and platform of XR Money Rebellion’s most prominent brand attack against a bank
The following hashes are of malicious files downloaded using the IP hosting sharklays.co.uk. They have a weak relation to XR Money Rebellion; however, they may indicate that the campaign may intentionally or unintentionally distribute them:
XR Related Domains:
rebellion.earth – mail domain
XR Social Media Accounts:
XR Telegram Channels:
XR Email Addresses:
- Money Rebellion. (2021). April 1st - Global Money Rebellion Wave.
- Money Rebellion. (2021, March 9). Money Rebellion Newsletter.
- Wilson, E. (2019, December 19). Extinction Rebellion: People Power on a Global Scale? Non-Violent Conflict Org. Retrieved from https://www.nonviolent-conflict.org/blog_post/extinction-rebellion-people-power-on-a-global-scale/
- Wilson, T., & Walton, R. (2019, July). Extreme Rebellion: A Review of Ideology and Tactics. London, United Kingdom. Retrieved from https://policyexchange.org.uk/wp-content/uploads/2019/07/Extremism-Rebellion.pdf
 Cyberint does not claim to dispute any details relating to climate change or the damage caused to the environment by current human activities.