U.

S DEPARTMENT OF STATE
BUREAU OF INTELLIGENCE AND
RESEARCH

FINAL REPORT
November 17, 2015
COnfidential
The cumulative efforts of the Intelligence Community warn of an imminent
terrorist attack that will occur on the New York Stock Exchange (NYSE) in late July/
Early August. Extremists have implanted a mole within the NYSE, they will utilize a
radiological dirty bomb consisting of C-4 and it will be delivered via helicopter.The
attack will be carried out in three stages: 1.evacuation of the NYSE building 2. blockade
set up and martyr entry for the deployment of a cyber attack 3. detonation of the Dirty
bomb. Motivation appears to be in retaliation of the July 2019 U.S. drone strikes in
Dane Derpa, Pakistan. Key members of the plot have been identified and it will enter
execution phase in the near future.

Analysis
Attack Target
After the pursuit of several leads that proved to be false, the State Department has
concluded with a high degree of certainty that that location of the attack will occur in the
limits of New York City AND the New York Stock Exchange located along Wall Street in
Lower Manhattan. The attack will occur in late July based off reports from the NSA in
which approval to commence the attack was recorded to disseminate down the chain of
command from Ramadan Abdullah Mohammad (Shallah), the plot leader or
mastermind. It is possible that the attack will specifically occur on July 31st, 2020 to
coincide with the Muslim religious holiday Eid al Adha or Feast of the Sacrifice
Several key pieces of evidence lead to this conclusion:

As early as October 2020, it is clear that there is a search for someone who knows the
markets, according to a report from the NSA. Specifically, Tan Dailin, the technical
expert recruited by Hisako Ishii reached out to an individual looking for such. In
November the FBI intercepted a conversation between two individuals at a Mosque in
Queens, NY. One of the individuals says The China-man had a hit almost
immediately, the recording cuts out and catches ..hardest part to see if
employment..success It can be logically inferred that the China-Man referred to is
Tan Dailen and the State Department asserts that he was using his technical expertise
to hack into the NYSE HR systems to create fake credentials for someone to get hired
there or otherwise have proper access.
This is further compounded after a call that was intercepted by the FBI in late May of
2020. This was between Al-Shaer and Saad Khalid. Khalid has been placed as a mole
within in the company and has been testing pulling the fire alarm and noting how long it
took the staff to vacate the premises.
With the leads that the attackers wanted to gain access to someone in the markets,
the State Department made this connection to mean the New York Stock Exchange. To
support that, bio reports revealed that Khalid had connection in this sector AND he was
placed within the building for a task. The conspirators boasted that their attack would
have an effect on the American people for centuries, striking and disrupting the
economy would be a way to accomplish that.

Attack Details
On July 1st, an intercepted phone conversation monitored by the FBI gave great detail
into how the attack would be carried out. The call was between Saad Khalid who has
already been implanted within the NYSE and another unidentified male, someone who
wanted to review the plan. Since this person would need to know this information, he is
likely high ranking within the plot, this points to Al-Shaer, the operational leader.
The first stage of the attack involves the triggering of a fire alarm. This can be traced
back to a report from the NSA on May 26th, where Khalid indicated to Al-Shaer that he
pulled the alarm and it took roughly 3 minutes to evacuate the building. By evacuating
the building, it ensures that there are no witnesses around to see what is happening.
The second stage of the attack involves the strike team placing blockades on Wall
Street to prevent first responders from reaching the building and sending the disguised
martyrs in to conduct a cyber attack on the NYSE FedWire system. The martyrs are
likely disguised as firefighters. Citing the January 5th report from the FBI, a Middle
Eastern man was seen taking photographs of a FDNY vehicle. It is known that on

October 7th, 2019, a 1985 GMC Brigadier was reported suspiciously purchased by one
Larry Morrison. This vehicle is similar to the ones that FDNY currently uses so it is
believed that this particular vehicle will be retrofitted to look like it. It would not be
suspicious if a firefighter unit arrived to respond to a fire alarm, it would be standard
practice, thus allowing easy access for the disguised martyrs.
Once the martyrs are inside, it is believed that they will target the computer networks of
the NYSE, specifically targeting the Fedwire System. The Federal Reserve Wire
Network is responsible for the secure transfer of funds between financial institutions and
customers. Disruption of this network and the overall network of the NYSE would cause
massive damage to the worldwide economy, likely causing many to collapse. Based off
internet data collection by the FBI from Comcast in April, Adel Abdel Bari, the plots
Gatekeeper, was flagged for searches relating to DDoS attacks and the Fedwire. So this
shows that there is interest in the FedWire system AND it gives evidence that they
attend to employ a Denial of service attack against the NYSE. The results of such would
be catastrophic ensuring that it would indeed be the last bells rung
The final phase of the attack involves the helicopter being flown to a centralized/ heavily
populated point in New York City (undetermined) to detonate the radiological weapon.
By placing it in a location like this, it ensures maximized dispersion of radiological
material. Note that State Department does not believe that this location is or has to be
directly over the NYSE.

Attack Method
It has been determined that a weapon of mass disruption and a cyber attack on the
NYSE will happen concurrently. The weapon of mass disruption refers to a radiological
dirty bomb, a primitive device in which thing such as TNT or C-4 act as a fuse that
along with highly radioactive materials vaporize the bomb and disperse those materials
into the air. Three key pieces of evidence led to the State Department arriving at the
conclusion that a dirty bomb would indeed be utilized.
First, In November of 2019, the owner of Smith and Son Construction Company
Reported 55lbs of C-4 Missing. This C-4 could act as the fuse that the bomb would
need.
Second, In December of the same year Moscow Victory Park was found dug up with
traces of radioactive material left behind. This infers that the conspirators were actively
searching for these type of materials for something. It should be noted however that the
State Department originally treated these reports with skepticism due to the unclear
motivations of the Russian FSB.

Lastly, in order to successfully and effectively disperse the bomb contents over a large
area, it would need to to be done by air. This is where the purchase and usage of the
helicopter comes in.
The goal of a weapon of mass disruption is not to kill as many people as possible, its
purpose is more to cause panic and fear among the public. This often causes great
economic damage in the process.
In addition to the dirty bomb it is also known that the conspirators will employ a cyber
attack, likely a DDos attack. Details to why the State Department believe this are
located in the third paragraph of the section titled Attack Details.

Transportation
Transportation was of great concern to the leadership of the attack. It must be done
carefully and discreetly due to the nature of the payload. From early reports it was
known that the helicopter parts were going to arrive from multiple locations spanning a
large geographic area. In February, a call was intercepted between Al-Shaer and a
Panero. Al-Shaer indicated he needs help crossing the waters. Panero is located in
Italy so it is assumed that he was responsible for helping the helicopter and bomb get
out of Eastern hemisphere via the Suez Canal, out to the Mediterranean then across the
Atlantic to Gibara, Cuba. Here, Martin Caballero who had contact with Al-Shaer on June
20th, provided a yacht for the two pieces of payload to journey northward to the
continental U.S. On this yacht, the helicopter would be assembled.
Is is believed that the yacht would enter a New York harbour or port and wait to be
signaled to fly the dirty bomb to a location over the city for detonation.

Finance
Broadly, finance was covered by two entities and up to 3 million dollars was acquired.
In October of 2019, the U.S. Department of Treasury issued a subpoena on one Adil
Khan, a known Al-Qaeda financier who transferred over 800 thousand dollars from the
National Bank of Abu Dhabi to the Central Bank of Yemen in Syria. The destination
account belongs to The Global Youth Relief Fund, a possible front for money
laundering.
Al-Shaer reaches out to Mikel Antza located in South Spain/ Northern France twice.
Once in October of 2019 then again in late January of 2020, both times asking for
funding. Mikel Antza has been determined to be associated with the The Euskadi Ta
Askatasuna (ETA) aka Basque, a separatist group located in Spain. The second call

Antza indicated that Anboto could be of help. This is referring to his wife and partner in
crime, Mara Soledad.
It is clear that the money raised went into the purchasing of both the helicopter, the
materials for the bomb and the purchasing and use of the yacht and freighter that
transported them.

False Leads
Throughout the duration of the investigation and analysis of intelligence, at times the
State Department was lead to believe that there 1.) the target of the attack has been
shifted to focus on a European city and 2.) Terrorists would carry out a cyber attack on a
nuclear reactor in Susquehanna, Pennsylvania
Intelligence from the CIA suggested that the focus of the attack has shifted to a major
European city such as, Paris, Berlin, London, or Madrid. The source of this information
was questionable and it came out of the blue with a wide range of attack target
possibilities. The State Department asserts that this was misinformation on the part of
the conspirators to throw us of their trail. The attacks are believed to be in retaliation of
U.S. drone strikes so it would be out of character for the extremists to attack a country
not directly involved.
In April of 2020, FBI had unconfirmed reports that enemy combatants infiltrating the
nuclear reactor in Susquehanna, PA. Upon further review, FBI found no evidence
supporting the claims. Tan Dailen would have fit the bill to conduct such an attack due to
his expertise in hacking. The State Department asserts that this attack location was
definitely considered but abandoned. Intercepted communication between conspirators
indicate that attacking this location was extremely difficult due to current
circumstances. It is unclear what was meant by current circumstances, it could point
to the physical security present and access to the location, or even insufficient funding.

Major Actors
(Include Analyst Notebook Image)

Through analysis, the State Department has developed a decentralized hierarchy

organizational structure to display the key actors. Deemed the mastermind is
Ramadan Abdullah Mohammad (Shallah.) With a Ph.D. in Banking and Economics, he
was a professor at the University of South Florida. Also known as Ustaz, meaning
scholar in Arabic, he is responsible for mobilizing the extremists.
Under Ustaz is his gatekeeper, Adel Abdel Bari. Adel has a violent past as an
Egyptian Islamic Jihadist, with connections to the bombing of US embassies in 1998.
He is direct contact with the mastermind. Intelligence reveals that Adel has contacted
Hisako Ishii in search of technical expertise. As well, intelligence gained from the FBIs
use of the Patriot Act disclosed his internet search records. Adels searches
encompassed ways to carry out DDoS attacks, companies that use Fedwire, US
Federal Reserve Banks and other large financial firms. He has been communicating
from Cario, Egypt.
Stemming from the gatekeeper, the State Department has declared Qayyum
Abdul Jamal as the playmaker. Also known as Al-Shaer or Little Ustaz, he is a
Pakistani national residing in Canada. As a religious lecturer with conservative views,
Al-Shaer has a history of terrorist association. Working directly under the Adel, Al-Shaer
is duties include recruiting loyal Jihadists to obtain weapons and is responsible for direct
strategy, operation and execution. Al-Shaer is key to communication between the onground actors and the wishes of Ustaz. For most of the plot he was communicating from
Damascus, Syria.
The financer of the operation is Mikel Albizu Iriarte, also known as Mikel Antza.
Antza, of Spain, is the leader of the Euskadi Ta Askatasuna. (ETA) Meaning Basque
Homeland and Freedom, the ETA is located in the northern part of Spain. As a
separatist terrorist wanted for murder, extortion and kidnapping, Antza and his wife
Maria Soledad Iparraguirre are in charge of the finances. Intelligence indicates that
Antza and the ETA are filtering the money into the operation.
Collected intelligence identified Arkady Gaydamak as the supplier of the
operation. The Russian arms-trafficker. It is believed that the he provided radioactive
material for the bomb due to his access to it in Russia.
Key to the plots transportation is Gustavo Rueda Diaz, also known as Martin Caballero.
He provided the yacht necessary to transport the bomb and the helicopter from Cuba to New
York.
The possible strike team consists of: Sharif Mobley, Amin Mohamed Durrani, Wassim
Doureihi, Mohammed Ali Hamadei, Saad Khalid, Khaled El-Masri and an unknown second pilot.
Many of these individuals were in attendance at a planning meeting in Europe.
Other key actors include the previously named, Hisako Ishii. She is an aid of Aum
Shinrikyo, an organization known for multiple attempted biological and chemical attacks.
Intelligence shows Ishii contacted Tan Dailin for his expertise. Tan Dailin, a Chinese native, is a
known expert hacker. It is believe that Dailins hacking skills and connections to the New York
Stock Exchange are used to facilitate the attack.