July 27, 2016 | Foreign Affairs

The Myth of Lone-Wolf Terrorism

Co-written with Nathaniel Barr

This month, Europe has again been rocked by a series of shocking terrorist attacks perpetrated by lone individuals and claimed in the name of the Islamic State (ISIS). 

On July 14, Mohamed Lahouaiej Bouhlel, a Tunisian national residing in France, killed over 80 and wounded hundreds when he ploughed a 19-ton cargo truck through crowds celebrating Bastille Day in the southern French city of Nice. Mere days after the Nice massacre, a 17-year-old Afghan migrant seeking asylum in Germany attacked passengers on a train in Würzburg with an axe and a knife, wounding four before police killed him. Two other attacks claimed in ISIS’ name have been carried out since then: A suicide bombing on July 24 injured 15 in the German city of Ansbach, and on July 26, two attackers claiming allegiance to ISIS stormed a church in a suburb of the French city of Rouen, slit an 84-year-old priest’s throat, and took hostages.

These incidents are part of a broader trend of increasing violence carried out by lone individuals. Analysts, journalists, and scholars have been quick to label each perpetrator of recent attacks as a lone wolf: individuals who lacked substantial connections to ISIS or other jihadist groups and who carried out their operations without the assistance of others. The designation has generally been applied within 24 hours of these attacks, before significant intelligence about an incident’s planning and execution has emerged—and long before authorities have concluded their investigation. Indeed, less than a day after the Nice attack, observers rushed to describe Lahouaiej Bouhlel as a lone wolf who was not in fact linked to ISIS.

Observers have repeatedly erred by definitively categorizing attacks as lone-wolf operations when they would later turn out to be connected to broader cells or networks. At a minimum, individuals labeled lone wolves are often in communication with other militants, sometimes using encrypted services that are difficult to detect and decipher. There is a danger in rushing to label operatives as disconnected from others, as doing so can cause analysts to overlook the networks that facilitate and encourage attacks. It is time to put the myth of the lone wolf to rest.


The tendency to view lone attackers as unconnected to the broader ISIS organization prevented observers from fully comprehending the magnitude of the network that was behind the complex coordinated attacks in Paris and Brussels.

In April 2015, Sid Ahmed Ghlam, an Algerian national studying in France, called for medical help after accidentally shooting himself in the leg while handling a firearm. Authorities’ investigation revealed that Ghlam, who was in possession of several guns, was planning to attack churches in the Paris area and may have been involved in the murder of a woman found dead in a Paris suburb. In August 2015, three Americans restrained Ayoub El-Khazzani, a 25-year old Moroccan national, before he could open fire on passengers traveling by train from Amsterdam to Paris.

At the time, the two attacks were seen as disconnected, with Khazzani generallylabeled a lone wolf. And the bumbling incompetence of both incidents—Ghlam shot himself, while Khazzani’s weapon jammed before he could get off a shot—made the attacks seem like the work of rank amateurs. Meanwhile, ISIS fueled perceptions that it was primarily interested in inspiring lone-wolf attacks rather than guiding them, with a pro-ISIS media outlet producing a propaganda video shortly after Khazzani’s botched attack calling on “lone lions” to kill the group’s enemies.

But after the devastating November 2015 attacks in Paris, it became clear that initial judgments had been wrong. A March 2016 The New York Times article by Rukmini Callimachi detailed how Abdelhamid Abaaoud, the ground commander of the Paris attacks, had directed Ghlam, Khazzani, and several others to carry out attacks in Europe, even as he was preparing the Paris operation. Although he of course wanted these small-scale plots to succeed, they also helped deflect attention from ISIS’ more sophisticated operational planning, serving as a “smoke screen” that allowed the group to “calmly prepare” its future operations, in the words of one French official. Because counterterrorism analysts and officials viewed Ghlam, Khazzani, and other attackers as unrelated to one another, they did not identify the operational infrastructure involved in coordinating ISIS’ various attacks in Europe.

With the social media boom and the growth in encrypted communications, radicalization and operational planning can easily take place entirely online.The failure to identify common ties between supposed lone wolves and ISIS is part of a broader and long-standing pattern of underestimating the scope of jihadist networks in the West. An official inquiry into the July 7, 2005, terrorist attacks in London, for example, described the cell that carried it out as autonomous and self-actuating rather than tied to al Qaeda. One British official stated that “the London attacks were a modest, simple affair by four seemingly normal men using the internet.” But the idea that the London bombings were completely unrelated to al Qaeda was definitively refuted by a commemorative video the jihadist group later released in July 2006, which showed footage of a martyrdom tape recorded by cell leader Mohammad Sidique Khan. On the tape, al Qaeda’s then-deputy emir, Ayman al-Zawahiri, also claimed that Khan and fellow plotter Shehzad Tanweer had visited one of al Qaeda’s training camps in Pakistan “seeking martyrdom,” an account that has since been corroborated by Western intelligence agencies. Bob Ayers, a security expert at London’s Chatham House think tank, commented when the new video was released, “It makes the police look pretty bad. It means the investigation was either wrong, or they identified links but were reluctant to reveal them.”

Since then, officials and analysts have often continued to ignore attackers’ ties with broader networks. Part of the reason for the consistent failure may lie in a desire to avoid culpability; observers may perceive attacks carried out by networks as something officials should have prevented, but potential lone attackers are notoriously difficult to spot. Another reason may be a desire to downplay networks due to policy preferences, such as wanting to avoid taking kinetic action against the networks driving these attacks. But it is a mistake to conflate facts with policy preferences, and the truth is that terrorists’ ties to broader networks are frequently overlooked.

In fact, theories that recent attacks were the work of individuals are already being discredited. When ISIS claimed responsibility for the July 2016 Würzburg train attack, the group released a video featuring the perpetrator that demonstrated ISIS had advance knowledge that he intended to strike. Less than a week after the Nice attack, French authorities revealed that Lahouaiej Bouhlel may not have acted alone. Several individuals, whom prosecutors also described as having jihadist sympathies, were detained in connection with the massacre. One suspect had posed for picturesin the truck that Lahouaiej Bouhlel drove through a celebrating crowd. Further, the perpetrator, who had been planning the attack for months, had sent out a text message to an alleged coconspirator just minutes before the attack requesting “more weapons.”


The nature of radicalization and operational planning in the digital age has complicated efforts to interpret and analyze attacks perpetrated by single individuals. Jihadists plotting murders in the West used to congregate in person, meeting in small groups in underground mosques, houses, or other discrete locations. Radicalization occurred through in-person contact. Counterterrorism officials looked for physical hubs of recruitment, tapping phones and scanning surveillance videos for evidence that cells were meeting.

But with the social media boom and the growth in encrypted communications, radicalization and operational planning can easily take place entirely online. ISIS has capitalized on evolving communications technologies, building cohesive online communities that foster a sense of “remote intimacy” and thus facilitate radicalization. The group has also established a team of “virtual planners” who use the Internet to identify recruits, and to coordinate and direct attacks, often without meeting the perpetrators in person. Junaid Hussain, a British ISIS operative who was killed in August 2015, played the role of virtual planner for the May 2015 strike against the Draw Muhammad contest in Garland, Texas. Hussain hadcommunicated online with Elton Simpson before the attack and was the first to celebrate it on social media. It may take months—or longer—to detect the role of virtual planners in attacks.

The changing nature of operational planning underscores the need for a new paradigm for understanding the relationship between single attackers and networks. It no longer makes sense to apply pre-digital-age thinking to jihadist attacks perpetrated in the age of Twitter, Telegram, and end-to-end encryption.

Instead, it is useful to think of four categories of attacks, with descending connections to a network. The first category consists of operations in which the attacker was trained and dispatched by an organization. Reda Hame, who traveled to Syria and received weapons training from Abaaoud before being sent back to Europe, perfectly fits this mold. The second category is attackers in touch via social media with virtual planners such as Hussain, who help set targets, determine the timing of the attack, and provide technical assistance. The third category is operatives who are in contact with a militant group via online communications but do not receive specific instructions about carrying out an attack. Finally, the fourth category comprises the true lone wolves, individuals who strike without ever communicating with jihadist networks, either online or in person.

It is clear that extremely few of the jihadists labeled lone wolves truly fit that definition. As long as attacks are falsely categorized though, the world can’t even begin to fight back. We need a better model for understanding terrorism in the digital age.

Daveed Gartenstein-Ross is a Senior Fellow at the Foundation for Defense of Democracies and chief executive officer of Valens Global. Nathaniel Barr is the research manager at Valens Global.. Follow Daveed on Twitter @DaveedGR.