The purpose of this piece is to share the results and preliminary analysis of SOFREP’s online investigation into the reportedly unlawful imprisonment and continued detention of the crown prince’s cousin, Princess Basmah bint Saud bin Abdulaziz al-Saud. A general overview of her plight and why it matters was recently published here. We recommend reading the linked article first before reading this one.

As SOFREP previously reported regarding Saudi Crown Prince Mohammad bin Salman’s (MbS) phone hack of Amazon CEO Jeff Bezos, there is significant cause for concern over MbS’ dastardly ascension to power and his brutal wielding of it. Ostensibly a friend of the West, the crown prince is responsible for torturing and dismembering a U.S. resident; he continues to lead a military coalition contributing to war-induced famine in Yemen; and he duplicitously spends his ill-gotten billions on lavish self-indulgence abroad — all while preaching fiscal austerity at home.

This background is what led SOFREP to investigate the princess’ circumstances and story. The course of this investigation yielded useful information that provides both context and tactical “ground truth” of the princess’ circumstances. This information allows us to continue our analysis, make inferences, and ultimately hold MbS accountable by educating the public on the unethical and illegal actions he condones, or directs, in his role as the de facto ruler of the Kingdom of Saudi Arabia.

The value of online investigations — using Open Source Intelligence (OSINT) and publicly available information (PAI) — cannot be overstated. Online investigations firm Bellingcat previously published a very revealing piece on MbS’ right-hand man and advisor Saud al-Qahtani. The piece demonstrates the utility of using such PAI to illuminate what malign actors are doing. Our hope is to offer similar value in the following content by starting with what we know of the princess and her circumstances.

Our start point: the tweet heard round the world

Our investigation began with the verified Twitter account attributed to Princess Basmah, the account used to publicly post her plea for help notifying the world of her unlawful imprisonment in Ha’ir Prison. Given that the princess and her daughter are detained, they presumably do not have unfettered internet access. During their imprisonment, they reportedly have been communicating with family members and close associates sporadically by monitored telephone. It is possible that in-person visits are allowed but we have not yet observed any mention of them. The princess’ methods of communication are important because they increase the difficulty of attributing access to and control over the social media accounts used to post her plea.

Screenshot of Princess Basmah’s Twitter account.

Of note, the last tweet from the princess’ account was several months after she was detained, implying that a staff member or close associate obtained access to the account. Both the princess and her daughter’s Twitter accounts were much more active up until the day of their arrest on 28 February 2019, at which point they went eerily quiet.

Certainly, the absence of social media activity from a public figure and avid Twitter user such as the princess did not go unnoticed. It is possible a staff or regime member attempted to provide the illusion of normalcy; however, this cannot be inferred from PAI alone. Most importantly, these observations raise several questions regarding who has access to the account, under whose direction they were using it, and why news of the princess’ imprisonment was not made public until mid-April 2020.

After her arrest, it isn’t clear who has been controlling her accounts

Also associated with Princess Basmah’s Twitter account is her official website. The princess was an avid blogger and used several platforms to broadcast her messages of equality, women’s rights, and general reform. In addition to her Twitter, the princess used her personal website, a blog, and a Saudi opinions website to share her messages. Again, quite eerily, the princess’ last blog post was published the day of her birthday, 1 March, several hours after she was taken away by eight armed men the night before.

We used the Wayback Machine to study her website and its historical content. This resulted in the below capture of her website taken two days prior to her arrest. Of note, the website is far less professional, less expansive, and less official in appearance today than it was before her arrest. This again raises questions as to who maintains access to the website and under whose direction it was being updated.

Pre-arrest website:
Screenshot of Princess Basmah’s website as captured by the Wayback Machine on 26 February 2019, two days before her arrest.

Contrasting sharply with the pre-arrest website is the princess’ official website after she was arrested, which now lacks professionalism, is only one page, and posts text and possible images of the princess’ latest pleas for help that were posted on her Twitter account. We can now infer — but cannot confirm — the possibility that whoever is relaying and posting her pleas on Twitter also maintains access and permissions to her official website.

Searching for Whois and domain name registration information, we learn that the website domain, basmahbintsaud[.]com, was created in 2011 and is registered with website domain host GoDaddy through 2025. This implies the domain owner is the princess or someone with access to her. The possibility of an account breach notwithstanding, it appears her accounts were possibly under the control of a staff member or close associate.

Post-arrest website:
Screen capture of the princess’s website after her arrest. It features text and images of the pleas that were posted on Twitter.

In London, the princess was an active businesswoman and possibly preparing her daughter for succession

When the princess’ website was created in 2011, she was residing and working in London. Composite PAI shows that, while in London, the princess purchased many website domains, incorporated legal businesses for them, and used them as test beds to explore her ability to create her own platform.

One such platform was a social thesis — The Fourth Way Law — founded by the princess to restructure societal approaches to equality and social justice. This thesis was accompanied by several Twitter accounts and a research center — Global United Research and Analysis Ltd — dedicated to the same cause. Most of these companies have since gone dormant following her arrest; however, United Kingdom legal filings show the princess transferred majority control of these companies to her daughter a mere five months before their arrest. This could indicate a possible succession plan, or recognition of pending trouble to come. The below Companies House information shows the transfer of the princess’ research directorship to her daughter in September 2018.

United Kingdom Companies House business listing for the princess’s research center associated with her thesis, The Fourth Way Law. Note the princess’s resignation as director and appointment of her daughter.

Historical searches for domain registration information also lead us to several emails, physical addresses, and phone numbers associated with the princess’ main website, in addition to other websites she created. We first conducted historical searches for registration information associated with her name and domain. This revealed a list of other websites she created, which in turn led to additional email addresses and domains. Below, we see the websites initially attributed to the princess and the email used to register them.

Historical registration information for the princess’s website, which provides us with a thread of additional websites to research, thereby expanding our search.

This information is important because it provides insights as to who the princess was working with at the time and who she used to establish her businesses and websites. It also expands our search by providing us with additional domains and emails to research. Observation of the email structure ****@basmahbintsaud[.]com offers us an easy extrapolation of other emails used by the website, the princess’ social media, and general contact information. All of this helps us characterize the nature, accessibility, status, and ability of her staff to communicate with both the princess and the outside world. More importantly, it allows us to attempt to infer what level of control these accounts are under and whether or not they are known, being monitored by, or under the control of the oppressive Saudi regime.

When we cross-reference website ownership with Twitter posts, it initially appears both are under friendly control. It is not likely the regime would wittingly allow knowledge of the unlawful imprisonment of a member of the royal family to become public. This assessment is supported by cross-referencing known website and email information with the princess’ Twitter account using information leaked from Twitter’s password recovery page.

Twitter leakage using the password reset feature, which confirms our known email structure is associated with her website.

Such cross-referencing is critical because it strengthens our assessment (or hope) that the princess’ Twitter and websites are probably under control of the same entity. Given her Twitter account and website(s) share emails, it increases the likelihood that they were managed, established, or accessible to the same individual(s).

All roads lead to Rome: determining account access

As of several days ago, our investigation suggested that her website and social media accounts were under friendly control, and that whoever maintained access to them maintained access to the princess herself and was able to use the accounts as a platform to communicate with the outside world. While not optimal, a lifeline to the princess’ staff or close associates provided access to the “ground truth” inside the regime, and how a member of the royal family was being illegally treated. This was a critical lifeline for us in maintaining an ability to continue highlighting regime injustices.

However, and most unfortunately, the bad guys also receive a vote. Several days ago, the princess’ website suddenly appeared to have gone “offline” and was not reachable. The website displayed an error suggesting an origin web server issue that prohibited the website from being accessed. While innocuous and not an uncommon error in and of itself, the website being taken down just after it had been used to call out the regime’s injustices is no coincidence. It also complicates our understanding of the situation and potentially removes our lifeline to individuals with close access to the princess and her daughter.

Error message received upon attempting to reach her website, which was taken offline several days after she posted a public plea for help.

The website takedown also complicates understanding of the princess’ Twitter account ownership. Shortly after her initial pleas were posted, her official media office claimed her personal account had been hacked and that unauthorized content had been posted. However, additional messages asking for the release of the princess have since been posted — again complicating the question of account ownership. Significantly, we believe that her official media and personal Twitter accounts are possibly managed by the same individual(s). This is evidenced by Twitter leakage suggesting that her official media account email shares the same domain as her website and personal account.

Twitter leakage showing email associations between the princess’s official and personal Twitter accounts.

Our confirmation of emails linking the princess’ website and Twitter accounts, as well as analysis of other website information, led us to the following: two primary London addresses; two possible Jeddah, Saudi Arabia addresses; a boutique London-based accountancy firm; several confirmed mobile phone numbers; several confirmed personal email addresses; and, ultimately, one possibly Saudi national potentially still in the princess’s employment whose location we seek to ascertain.

As any hacker, criminal, spy, journalist, or marketer will tell you, such information is highly valuable in pursuing additional leads. Thus, this Saudi individual may be the key to understanding the princess’ plight and how to communicate with her via her staff or close associates.

The possible employee who may hold the key

PAI tells us that the go-to man used by the princess for website domain registrations is named Haydar (surname withheld). This is the name associated with the email addresses used to register her domains over the course of several years while she was in London. Cross-referencing this name and known email addresses with other PAI reveals several phone numbers and addresses associated with Mr. Haydar and others close to the princess.

During initial website registrations — and sometimes before implementing Whois privacy protections — Mr. Haydar used the names of the princess and her daughter, along with a combination of variously attributed phone numbers. One such example follows in the below image.

PAI revealing the princess’ website creator and associated address circa 2016 while she was in London.

We have confirmed that two of the publicly derived numbers (redacted), both from the U.K., likely belong to Mr. Haydar. They are also associated with two possibly personal Twitter accounts of his that we have yet to locate but believe exist.

U.K.-based mobile phone number associated with Mr. Haydar and connected to his Twitter account.

U.K.-based mobile phone number serviced by Vodafone and associated with Mr. Haydar.

Preliminary analysis of other known numbers suggests they belong to the princess’ daughter, Mr. Haydar, and a formerly Jeddah-based brand strategist we assess was possibly in the princess’ employment. One such number is displayed below, which was initially observed in a website registration executed by Mr. Haydar on the princess’ behalf, and which correlates to the aforementioned princess’ daughter. Other numbers may belong to additional members in the princess’ inner circle based on similarities observed in mobile carrier selection and numbering plans; however, additional analysis is required.

Mobile phone number first observed in an early website registration by Mr. Haydar that we attribute to the princess’ daughter.

Two physical addresses we identified are both located in London, and both appear tied to innocuous locations that we have yet to associate with anything meaningful. The above address is a three-story residence similar to a row home that was used as a Bed & Breakfast boutique hotel from January 2011 to December 2016; it was also used several times by Mr. Haydar as an address associated with website registrations. During these registrations, he used a combination of the princess’ email, his phone number, and then this address. It is possible that Mr. Haydar lived or temporarily stayed at this address, but we have yet to confirm this.

The website of the Bed & Breakfast sharing the same address used by Mr. Haydar to register websites on the princess’ behalf.

A second address of interest ties back to at least two commercial storefronts in the very affluent and well-known London neighborhood of Kensington. Without further information, it is difficult to assess this area’s relevance, if any. Initial assessments of these storefronts do not indicate any apparent association with Mr. Haydar or the princess, but more analysis is certainly required.

Her Royal Highness has a private head office that may still be operational

As we seek to better understand account ownership, PAI revealing the existence and structure of the princess’ private head office — located in Jeddah — proves valuable. The below graph documents the basic structure of her office, the various positions within it, and their general responsibilities. The office, reportedly managed by a close family member, is the primary conduit through which all news, inquiries, and management of her affairs are routed.

Of note, we know that the princess’ official website was maintained by an employee in the office’s press office section. We do not know, and have not yet assessed, the extent to which this may remain true given the princess’ detention. We also do not yet know the extent to which this office is under the control or influence of the opposition, or the extent to which various communication restrictions, surveillance, or similar nefarious measures may be in place.

HRH Princess Basmah’s private head office structure, responsible for managing her affairs.

Ostensibly, the princess’ office would continue to serve her despite her most unfortunate circumstances. Our research has illuminated various individuals connected to her office, and we currently seek to understand the following: their ability to communicate with her; the level of potential opposition control over them; and what measures are being enforced to coerce, limit, misinform, or otherwise further obfuscate news of the princess’ plight from becoming greater public knowledge.

The journey continues

As we continue our online investigation into the circumstances surrounding the crown prince’s latest (public) victim, we seek to address how the aforementioned London addresses are relevant, if at all, and what role Mr. Haydar plays. We maintain hope that he is a staff member or someone in the princess’ inner circle, given the long period of time he worked with her to establish her many domains. It is possible this could be true, given research findings for one website registration associated with both the princess and Mr. Haydar that listed Jeddah (the princess’ Arabian residence) as the location. Such a geolocation could mean nothing, or it could mean that Princess Basmah and Mr. Haydar worked and traveled together at the same time — implying he was a staff member or close enough to her to work with her in both London and KSA.

We also seek to better understand the individuals in her inner circle — namely those staff and family members with routine access to her — in the hopes of assessing their ability to communicate news of the princess’s status to the outside world.

We hope you have appreciated taking this journey with us, and we look forward to sharing any updates as they become available. The top priority for us is discerning the meaning and status of the princess’s website takedown — one of her primary lifelines — and what it means for the control over her accounts. We welcome any feedback, thoughts, impressions, insights, or discoveries in the comments.

Thanks for listening.