Social Opportunity Structures in Hacktivism: Exploring Online and Offline Social Ties and the Role of Offender Convergence Settings in Hacktivist Networks

ABSTRACT

Hacktivism represents the promotion in the cyber landscape of ideologically motivated agendas using hacking techniques. Despite research on the topic has provided some clues on how hacktivist networks develop, the processes behind their evolution remain mostly unknown. This gap in the literature prompted us to research the role of online/offline social relationships and of the offender convergence settings in the creation, recruitment process and development of hacktivist networks. This study is based on 30 interviews with hacktivists, and it uses the social opportunity structures framework to analyze the development of 21 hacktivist networks. The results show that said networks can be divided in sub-categories based on the type of connections used to create them. Online social relationships and online convergence settings (particularly social media platforms and IRC channels) seem to play a key role in the development of hacktivist networks, while offline contacts are limited. For the recruitment process, hacktivists use comparable strategies to any organization, but three different categories were identified when discussing the level of sophistication applied to the selection of new candidates.

KEYWORDS:

• Hacktivism
• hacking
• offender convergence settings
• social opportunity structures
• cybercrime
• cybercriminal networks

Introduction

The digital era has changed the ways in which criminals meet and collaborate within the Internet, offering new opportunities, targets and connections (Décary-Hétu & Dupont, 2013; Dupont et al., 2017; Leukfeldt & Holt, 2020; Leukfeldt et al., 2017a; Martin et al., 2020; McAlaney et al., 2020; Nikoletos & Raftopoulou, 2022; Pete et al., 2020; Steinmetz, 2015). Similarly, individuals have used the same infrastructure to promote their ideas and political agendas combining ideological and technological backgrounds into what has become known as hacktivism (Coleman, 2014; Jordan & Taylor, 2004; Karagiannopoulos, 2018; Milan, 2015; Romagna, 2020). Hacktivism is a socio-political phenomenon that has been around for more than 25 years (Romagna, 2020). Hacktivists use hacking techniques against ICT (Information and Communication Technology) targets to promote a socio-political and ideologically motivated agenda. The Internet represents the perfect space for them, as it provides the high level of visibility needed for most types of socio-political protests (Milan, 2015; Romagna, 2020). Hacktivism is mainly done through collective actions (Dobusch & Schoeneborn, 2015; Karagiannopoulos, 2018; Karatzogianni, 2015; Milan, 2015; Romagna & Leukfeldt, 2023; Samuel, 2004), where people share the same ideologies (Milan, 2015; Milan & Hintz, 2013; Romagna & Leukfeldt, 2023; Samuel, 2004) and believe they will be more effective together in pursuing their goals.

For traditional offline criminal networks, it is known that existing social contacts such as family, friends and coworkers are of great importance, while so-called “offender convergence settings” – physical locations, such as cafés and bars – are used by criminals to meet like-minded persons outside their social cluster (Bouchard & Morselli, 2014; Felson, 2003; Kleemans & De Poot, 2008).

Comparable research done on cybercriminal networks showed that traditional offline mechanisms are still crucial for financially motivated cybercriminals – despite online opportunities – with offline social ties appearing to play a salient role in most of the networks (Leukfeldt et al., 2017a, 2017b, 2019; Lusthaus et al., 2023).

Instead, only a few studies have managed to explore the core of hacktivist networks, analyzing the dynamics in terms of social ties and recruitment process (Coleman, 2014; Menn, 2019; Richards & Wood, 2018; Samuel, 2004). Hacktivists’ operations can represent a threat to national and corporate security by disrupting critical services, and by influencing geo-political tensions as seen in recent incidents during the Ukraine-Russia war (Raj, 2022) or the Israel-Hamas war (Newman, 2023). Nevertheless, possible benefits should not be overlooked: hacktivists have sometimes been able to provide support or to raise attention on societal issues that would have otherwise gone almost unnoticed (Jordan & Taylor, 2004; Samuel, 2004).

Therefore, grasping the dynamics behind the formation of hacktivist networks and mapping the convergence settings used to do it, becomes essential to elaborate strategies aimed at mitigating or responding to dangerous drifts (such as radicalization or more violent forms of protests). It becomes necessary to analyze the role of offline and online social relationships that lead to hacktivism, to understand which ones play a key role in developing a hacktivist career (are, for instance, traditional ties such as those of family and friends as influential as online friends?). Moreover, given the relevant similarities that some hacktivist networks have shown with cybercriminal networks – for instance the more technical wing of Anonymous (Coleman, 2014; Olson, 2013) – the knowledge acquired by this research offers valuable elements of comparison to explore with a more systematic approach how similar cybercriminal networks evolve.

Despite the possible threats and the intricated situations that hacktivism creates, many questions about the development of hacktivist networks remain unanswered: How do hacktivists get in touch with each other? What are their online or offline ties? Are there specific places where they meet? How does the recruitment process work? Are their paths of engagement comparable with the ones of other cybercriminal networks?

In order to explore these gaps and to provide a better understanding of the phenomenon, we applied the social opportunity structures framework to hacktivist networks. We did this based on unique data: 30 semi-structured interviews with hacktivists over a 5-year period, gaining insights into 21 different networks. Our study answers the following research question: what is the role of online/offline social relationships and the offender convergence setting in the creation, recruitment process and development of hacktivist networks?

Literature on cybercriminal networks has clearly established that social relationships, common (criminal) values and interests are the bottom of solid cooperations (Decker & Pyrooz, 2011; Densley, 2012; Lusthaus et al., 2023; Morselli, 2009; Ouellet et al., 2019). Leukfeldt et al. (2017a) presented a typology of four types of networks, based on the developments of their offline/online growth: (1) growth entirely through offline social contacts, (2) offline social contacts as a base and online meeting places to recruit specialists, (3) online meeting places as a base and offline social contacts to recruit local criminals, and (4) growth entirely through online meeting places and online social contacts.

Although the offline social ties are essential in the development of cybercriminal networks, online meeting places (online convergence settings) offer additional opportunities (Dupont et al., 2017; Lauger et al., 2020; Leukfeldt et al., 2017a, 2020; Pastrana et al., 2018), sometimes better than those provided by physical spaces (see Lusthaus et al., 2023). Studies found that online forums can be important for cybercriminals since they provide the necessary knowledge and skills, and can offer international connections (see Dupont et al., 2017; Leukfeldt et al., 2017a; McAlaney et al., 2020; Pastrana et al., 2018; Pete et al., 2020). Online marketplaces have played a central role in exchanging illegal goods and services, particularly when considering cybercrime as a service, malware and exploiting tools. Many forums and markets use review systems relying on trust and on the evaluations of the customers, although these do not always work as planned (see Lusthaus et al., 2023). Social media platforms are also becoming a major center of aggregation, as shown for instance in the study by Bekkers and Leukfeldt (2022) who found that widely used social media platforms are often used to recruit money mules for money laundering.

This article further explores the role of online opportunities for hacktivist networks as a sub-category of cybercriminal networks. Indeed, for some networks, social opportunities have had a significant impact in finding suitable co-offenders in other countries; in providing marketplaces where criminal tools can be bought and sold; and in giving access to forums where networks’ core members could increase the criminal capabilities of their network relatively quickly. To date, it remains unclear to what extent traditional social ties have been replaced by their digital counterparts and whether this applies to all types of cybercriminal networks. This article therefore focuses on ideologically motivated networks of hacktivists, which can be plotted on the other side of the spectrum of cybercrimes, compared to the financially motivated ones.

The next section briefly describes the relevant literature concerning the collaboration among members of criminal networks including the concept of the social opportunity structures. This section also includes the most relevant studies related to hacktivists’ networks. Subsequently, the data collection section is illustrated with a thorough explanation of the interview process and methodological approach. Finally, the results are presented, followed by the discussion and conclusion to examine how the new findings fit into the complex landscape of cybercriminal networks.

Criminal networks

Criminal networks can be described as flexible structures of social interactions among individuals involved in criminal activities and bound by personal ties and shared norms of behavior (Paoli & Vander Beken, 2014). Said structures can vary widely, from simple, one-time partnerships formed to seize specific criminal opportunities, to more complex, bureaucratic-like organizations that monopolize markets or territories. These networks are characterized by their capacity to adapt and include new members and relationships, driven by needs such as trust, secrecy, and risk management, which are more pronounced than in noncriminal social networks. This definition emphasizes the adaptability and complexity of criminal networks and highlights the importance of social ties and the covert nature of their operations within criminogenic environments (Morselli, 2009).

Street gangs, organized criminals, radicalized (terrorist) networks although different in their intents and motivations share the need of finding trustworthy, capable and motivated individuals that want to engage in illegal activities (Bouchard & Morselli, 2014; Decker & Pyrooz, 2011). Part of the literature argues that the survival of a network requires two obligations: the recruitment of new members and the need to keep the existing ones together (Ouellet et al., 2019). Interestingly, while cohesion is a key for the continuity of the network, it must be correctly used: too much of it can hinder the network’s capacity to recruit new members, leading to stagnation and dismissal (Shi et al., 2017). The ability of keeping open the channels of recruitment was originally studied in social movements and only later more consistently applied by scholars interested in criminal networks (Ouellet et al., 2019). McAdam (1986, 2003) argues that network ties have more chances of resulting in recruitment when the potential member feels a certain affective or behavioral involvement with the organization. Similarly, in their longitudinal study on gang-associates in Montreal, Ouellet et al. (2019) found that whereas large networks that adopted more close structures had more chances to survive, smaller networks needed to adopt more versatile approaches. This situation was affected by how large the pool of potential recruits was and by the incentives in choosing one network over another.

As seen in research on cybercriminal networks (Dupont et al., 2017; Lauger et al., 2020; Leukfeldt et al., 2017a, 2020; Pastrana et al., 2018), technological advancements have further reshaped the dynamics of recruitment and engagement, significantly expanding the pool of opportunities to find new (and even better) potential candidates. The rise of the internet and social media platforms has allowed these networks to operate globally, enhancing their communication, coordination, and execution of illicit activities across borders with greater efficiency and lower risk of detection. This digital transformation has led to the emergence of transnational criminal organizations that can be more resilient and challenging to dismantle than traditional ones because of their complete or partial digital nature (Leukfeldt et al., 2017b; Lusthaus et al., 2023). Recent research has shown how the offline and online worlds are becoming more intertwined offering new opportunities for criminals to invest in different types of activities, but also to get in touch with individuals that followed very different paths before ending in a criminal network (Densley, 2012; Leukfeldt & Holt, 2020; Leukfeldt & Roks, 2021; Lusthaus & Varese, 2021; Lusthaus et al., 2023).

In summary, the creation and growth of criminal networks are driven by a combination of social interactions, deviant values and norms, rational choices, and more recently, technological advancements that might lead to a new frontier in the field. In the next two sections we explore the social opportunity structures framework and what is known about hacktivist networks in terms of social connections and recruitment.

Social opportunity structures framework

Kleemans and De Poot (2008) argue that social relations, trust, the often-transnational nature and a complex logistical organization are the main features for criminal organizations. Social relations play a particularly important role, to the point where the authors introduced a new concept – the social opportunity structure – elaborating it from the work of Clarke and Felson (1993) on opportunity theory and on social network theories (see Morselli, 2005)

Empirical research shows that social opportunities structures – social ties providing access to profitable criminal opportunities – occupy a key role in the creation, development and involvement in traditional criminal networks (Bouchard & Morselli, 2013; Kleemans & De Poot, 2008; Kleemans & Van Koppen, 2020; Leukfeldt et al., 2017a; McGloin & Kirk, 2010). Social ties are the bonds with family, friends and acquaintances that shape the (criminal) network and offer access to criminal opportunities (Kleemans & De Poot, 2008). Despite the lack of pyramidal organizations, researchers found that the structures are based on relationships where some people occupy more central roles than others, because they can count on resources like money, knowledge and contacts (indeed, social capital) (see Leukfeldt & Holt, 2020).

Nevertheless, social relationships are traditionally clustered and often limited by geographical, ethnic and social barriers (Kleemans & De Poot, 2008). In order to expand the opportunities and to find people who want to join the organization, it becomes necessary to establish contacts with individuals outside the original network (Ouellet et al., 2019). This can be done via offender convergence settings which offer links to other criminals and networks (Felson, 2003); and through key figures that occupy an intermediary role and provide manpower to strengthen the network (Leukfeldt et al., 2020). What Felson (2003) describes are socio-ecological conditions that define potential ties, rather than manifest or latent ones, which nonetheless are highly important for grasping patterns of criminal cooperation.

Hacktivists networks

Little empirical research has been done on the processes of the origin and growth of hacktivist networks. Milan (2015) argues that hacktivists have an intrinsic willingness to challenge the authority, which appears to be a recurring element in the normative structure of the networks. Four patterns are identified: first, the networks are likely to be informal and made up of peers, rejecting a hierarchical approach. Second, hacktivists seem to prefer small networks based on trust and loyalty where members identify with the same values and ideas. The recruiting process is centered on the same affinity principle, and it is often based on specific objectives (especially for new members). Third, the networks operate through a division of labor based on individual skills and reputation. This implies high commitment, but also flexibility in contributions. Last, hacktivists tend not to reveal their identities, and work using collective nouns and anonymity, leaving only the result of the action as a visible statement.

The available literature reports that only a few networks have been created through offline connections or developed stable offline interactions at a later point in time. In the 1970s, members of the Youth International Party (a radical and countercultural party that developed from the anti-war movements in the US) created a newsletter, the Youth International Party Line (YIPL), that quickly came to the attention of more techno-savvy and technology-oriented people with interest in political issues. The YIPL evolved into the Technological American Party (TAP) and its newsletter became a point of reference for technical information and mainly for phone-phreak (Jordan & Taylor, 2004). TAP represented a mix of people that knew each other (the founders) but that supported the growth of the party through the newsletter itself. The stories of the Electronic Disturbance Theater (EDT) (Jordan & Taylor, 2004; Samuel, 2004) and the Cult of the Dead Cow (cDc) (Menn, 2019) also point in this direction. Both these networks were known for having physical meetings while continuing their engagement process using social media platforms, forums and (back then) bulletin boards, showing a natural inclination toward the online environment.

When considering online relationships, what is known about hacktivists has been mainly extrapolated from the Anonymous collective (see Alexopoulou & Pavli, 2021; Coleman, 2014; Firer-Blaes, 2016; Knight, 2018; Olson, 2013). Although the studies have identified some patterns, Anonymous has shown a very heterogenous and dynamic structure that has changed across the years. Research focused on the development of the collective and its offspring LulzSec shows how the interaction among members mainly takes place in online forums and dedicated IRC channels (Coleman, 2014; Firer-Blaes, 2016; Knight, 2018; Olson, 2013). One peculiarity of Anonymous is that its members have also engaged in physical protests such as the Million Mask March, suggesting how social relationships, both offline and online, became central to the development of the collective (Knight, 2018). The extent of the social relationships pre-created online – before the operations are launched – remains unclear due to the limited number of studies.

Regarding convergence settings, in the pre-social networks era, bulletin boards and online forums were used among the first hacktivists to disseminate information and recruit (Jordan & Taylor, 2004; Karatzogianni, 2015; Samuel, 2004). While bulletin boards lost their appeal, forums have kept their central role, at least in terms of skills and knowledge. Studies on Chinese cyber warriors (Webber & Yip, 2018) and on Turkish ideologically motivated hackers (Holt et al., 2017) show that hacktivists use forums to recruit new members, gain consent among the online population and grow their communities. Anonymous took instead a different path, using IRC channels for recruitment and coordination. Any individual can access the public rooms, but the private ones, where strategies and targets got decided, were (and still are) only accessible to a limited number of trusted members (Coleman, 2014; Olson, 2013).

The advent of the social media platforms meant that hacktivists were able to reach a larger pool of candidates. For instance, the now inactive Syrian Electronic Army (SEA) had a massive presence in social networks, particularly Facebook, although it seems that the network was hybrid as several members knew each other offline (Al-Rawi, 2014). Anonymous also made extensive use of other platforms: videos have been uploaded on YouTube and then reshared through Facebook and particularly through Twitter (Farmer, 2022), as happened with operation ISIS (Richards & Wood, 2018) and more recently with operation Russia (Raj, 2022). Networks have also been recruiting in Telegram (Raj, 2022) although the extent of their success and the modality of recruitment are little explored.

Methodology

Data collection

We conducted 30 semi-structured interviews between November 2017 and December 2022, among self-identified hacktivists (17) or hackers (13) who engaged in hacktivism. “Hackers engaged in hacktivism” are those respondents who initially did not identify themselves as hacktivists, but who did report that their actions were ideologically motivated and that they used computer hacking techniques to execute them. We used two criteria to select the participants: first, they had to use computer hacking techniques to promote their agendas. The actions were not limited to acts of hacking – defined here as computer trespass (Holt, 2020) – but could also involve social engineering, the disruption of digital services (for instance through a DDoS), the use of malware to hinder a device or steal data, and so on. Instead, we excluded from the selection all those individuals who were engaging in forms of so called “clicktivism/slacktivism:” a low commitment type of digital activism that results in little or no change and is often associated with low-risk and loose/weak-tie actions, such as likening, resharing or following contents published by others (Ozkula, 2021). This does not mean that the participants in our study hadn’t engaged in these forms of actions during their career as hacktivists. But their favored techniques to promote their agendas were linked to hacking or other disruptive online actions.

The second criterion was instead linked to visibility, meaning the way hacktivists promoted their ideologies and how their actions were shared by the media. In order to meet our selection, the participants had to advertise their operations and make them visible online by using social media platforms (such as Twitter, Facebook, YouTube, Telegram and so on) or by defacing websites. Alternatively, we selected possible participants who had attracted media attention (for instance, by attacking significant targets such as large companies, government websites and international organizations). In this last case, even if the hacktivist had not openly promoted their attacks in any channels, the fact that their operations had caught the attention of the media was considered enough to meet this criterion.

We selected two pathways to find respondents: first, by mainly searching Twitter and Facebook accounts which seem to be used often by hacktivists to gain visibility. Keywords such as #hacktivist #hacktivism #digital_activist #cyber_warrior #defacement #defacer #Anon #Anonymous #Op were used to find suitable candidates. Second, we used the largest online database of defaced websites known among the hacker and hacktivist community: Zone-H.org. This database contains daily updated records of defaced websites, which are divided into categories depending on the motivation that prompted the defacer to act (Romagna & Van den Hout, 2017). We only used defacements registered under “political motivation” and “patriotism.” The type of information the defacers left on the page (e.g., the name of the network or a Twitter handle or an e-mail address) was utilized to contact the person(s) or the network involved in the defacement. In addition, we applied the snowball method: participants were asked to refer us to other hacktivists by mentioning our project and referencing us. This technique proved to be particularly effective because we did not need to gain the trust of the new respondent and because the referred participants seemed to be open in discussing the topics of the interview. As one of them said: “If M. said that you are OK, then I know I can trust you” (R30).

We reached out to 120 people of which 60 showed an interest in our project. 30 participants were willing to start an interview and to answer our questions. They were members of 21 different networks (Network 1 = N1 and so on). For six of these networks, we interviewed two or three members, allowing us to compare the answers for discrepancies. This allowed us to see how different hacktivists approached the same network and how their stories differ in terms of previous experiences. In 13 cases we interviewed the network’s founder, who often offered more detailed stories.

The 30 respondents were contacted using Twitter (20), e-mail (4), Facebook Messenger (3), Telegram (2) and Wire (1). The interviews were instead conducted using the favorite means of communication decided by the interviewees: Telegram (8), Twitter (7), e-mail (4), Facebook Messenger (3), Wire (3), Signal (1), IRC (Internet Relay Chat) (1), Twitter/Signal (1), E-mail/Facebook (1) and Skype (1). The interviews were either in English or Italian. After the first contact, each participant was briefed about the aim of the research, the data management process, the possibility to stop the interview at any time. To establish contact with possible candidates, we created a Twitter account named @PHacktivism and a Facebook page. In Telegram, we created a channel called Project Hacktivism which was regularly updated with news on the topic. For the interviews via Signal, Telegram, Skype and Wire we used the accounts of the researcher who carried out the interviews. Concerning the e-mails, we initially used a dedicated university account, but we later switched to ProtonMail (an e-mail provider known for its higher level of anonymity) accommodating the respondents’ request.

Given the difficult and relatively hidden population we researched, there were some ethical considerations we considered to ensure both the respondents’ and our safety. We therefore obtained the approval of the Ethics Committee of Legal & Criminological Research of the Vrije Universiteit Amsterdam and NSCR (Netherlands Institute for the Study of Crime and Law Enforcement before starting our research.

Based on the outcome of the Ethics Committee’s decision, we interviewed only people who were 18 years or older. We asked the participants not to disclose any future targets, but we discussed with them previous operations, although keeping the details at a minimum level. All the respondents’ nicknames (Respondent 1 = R1, and so on) were anonymized.

Finally, we used an interview protocol based on the social opportunity structures framework which is partly built on the work of the Dutch Organized Crime Monitor (Kruisbergen et al., 2018) and of Leukfeldt et al. (2017a, 2017b). The list of topics discussed during the interviews contains questions about existing relationships among members before joining a certain network; online and offline places used to meet other hacktivists (convergence settings); and procedures for the recruitment of new members.

Data analysis

The analysis was done with AtlasTi software for the coding part. The first author did the first round of coding, which was then examined with the second author. When differences or doubts arose, they were discussed thoroughly and resolved by the two authors together. This process ensured consistency in the interpretation of the data and was aimed at limiting personal biases. To extract more meaning from the data, we allowed our coding activity to tell us new things not directly linked to the theoretical framework. This type of analysis offered us a structured approach, but also the capacity to see beyond the theory to discover unexpected outcomes.

The analysis was run on a network level, meaning that we discussed the relevant elements of the 21 networks we studied. But we also decided to provide some extra information based on the single stories of the 30 respondents, since they reflected on previous experiences with other networks and offered relevant data. We strongly believe this approach helps us to better understand different dynamics within hacktivist networks and provides a broader picture of the hacktivist landscape.

Respondents self-reported their membership of a given network. In some cases it was possible to verify if their claims were real. For instance, when respondents had been involved in a website defacement it was possible to see their nicknames on the defaced webpages, often (if not always) together with the name of the other members of the network and of the network itself. Similarly, members of hacktivist groups often post information about successful operations on their social network accounts, often tagging the name of the network and the other members belonging to it. Other times, the collective account of the network was used to tag the online handles of each member, providing a sort of proof of their links. Therefore, we could often (but not always) double check the truthfulness of the claims made by the respondents about their belonging to a network. We never had a member belonging to more than 1 network among the 21 we analyzed. Only one respondent claimed to be involved with a second network. In that specific case we asked the respondent to focus only on the network he or she felt more connected to.

We began our first cycle of analysis taking a deductive approach and applying the main elements of the social opportunity framework. In order to do so, we used two different coding methods, following the procedure suggested by Saldaña (2015). First, we coded the interviews using hypothesis coding. Hypothesis coding is not only used to assess a researcher-generated hypothesis (which is not the aim of this research), but also to run content analysis and analytic induction of a qualitative data set (as it happens in our case). Following the available literature on hacktivist and cybercriminal networks, we wanted to understand whether hacktivists met online, or whether they developed their networks through contacts of peers and acquaintances met in the offline world. To do so, we took the elements of the social opportunity framework and we operationalized the variables into binary codes as follows: offline convergence settings/online convergence settings; offline social relationships/online social relationships. This allowed us to create macro-categories that helped defining how each network was initially built. In the second cycle, we further analyzed the data seeking to provide more meaning and depth to our findings. We therefore applied axial coding to determine which codes were dominant and which were less important. The advantage of using axial coding is that this method “relates categories to subcategories [specifying] the properties and dimensions of a category” (Charmaz, 2006, p. 60). We used the four categories elaborated by Leukfeldt et al. (2017a) in order to classify the development of each network, analyzing whether they were created offline and then moved online, or vice versa; and by exploring the role of social relationships online and offline (see the results section for a detailed explanation). This approach allowed us to place each network in the correct category and to further elaborate the different features that characterized the development of said networks.

During the second cycle, we also noticed that our data provided relevant information concerning the recruitment process applied by different networks. This represented an unexpected but welcome finding that moved away from what was theorized both in the social opportunity framework and in the literature. Therefore, we combined pattern coding, to identify the most common methods of recruitment; and then focused coding to identify the most salient categories within this theme. Similarly, this technique was used to explore how closed or opened were the hacktivist networks we analyzed when considering their recruitment policies. Overall, this combined approach offered us the opportunity to provide more meaning to our data, deepening the deductive process that we were following, and allowing us to conduct an inductive analysis to explore new elements and extract new findings from our data.

Results

In this section we discuss the results of our analysis focusing on three elements: first the classification of the different networks according to the four categories elaborated by Leukfeldt et al. (2017a); second, the function played by online convergence settings; and lastly, how the recruitment process looks like among hacktivists’ networks.

Networks’ classification

Leukfeldt et al. (2017a) divide financially motivated cybercriminal networks into four typologies, based on their growth: (1) entirely through offline social contacts; 2) through offline social contacts but expanding online using offender convergence settings; 3) mainly via online offender convergence settings, but expanding also offline; 4) fully online.

When applying this categorization, our data show that the networks are not equally distributed. 16 out of 21 (N2, N3, N6, N7, N9, N10, N12, N13, N14, N15, N16, N17, N18, N19, N20, N21) belong to category (4) networks grown fully online. The respondents claimed that their networks were created in the digital environment either through online social contacts previously established, or via online offender convergence settings. It is often difficult to distinguish what comes first, as many hacktivists meet in online places dedicated to operations (such as IRC channels) and develop contacts with like-minded people, with whom they then create the network.

In this category, online convergence settings play a key role in creating and shaping the network, as almost all the respondents claimed that they met their members in IRC chats, hacking forums and social network communities dedicated to hacking and hacktivism. For instance, N17 was created by hacktivists who met in IRC chats managed by Anonymous, where they knew they could find people interested in the same topics. After several interactions, they decided to step out of Anonymous and to build their own network more in line with their ideology and goals. Similarly, N18 was formed after taking part in chats managed by Anonymous that promoted operations against Russia. The founder decided to separate from Anonymous and to create his own network using IRC chats and Twitter for recruitment. In both cases, online convergence settings were used either to join already existing operations or to form a new network. Networks like N20 created their own Telegram and IRC channels where they expressly called for wannabe hacktivists while also offering technical trainings and guidance. Most of the networks followed this approach.

Other networks, like N14, were instead built through online social contacts. The core members (mainly hackers) knew each other from previous experiences. They used hacking forums and IRC chats to exchange ideas without specific plans for collaboration. This thought came later, when the founder (R24), not completely satisfied with Anonymous, decided to tack a step aside from it, while keeping the network under the same banner. As he explained:

I was working with a few others on an #Op (2011) and […] I used to teach and coordinate with a couple of them. So, I got the idea: why not starting a team with people that can coordinate and collaborate and because of that can do a better job? Knowing that I [would have] just picked the best for the inner circle. A lot wanted to join, but I just picked the elite (not just based on hacking skills) and I […] was to get a small network [able to] make a “difference.” [This approach] has proven to be right in many #Ops. (R24)¹

Today, R24’s network (N14) makes extensive use of social network platforms (mainly Twitter and Facebook) to promote its ideas and recruit new members. Nevertheless, only very few members can enter the inner circle and they normally have to be introduced by an associate (R30), thus establishing a major role for the social relationship.

The other three categories of Leukfeldt et al. (2017a) were less common in our analysis. Four out of 21 networks (N1, N4, N5, N8) fell under category (3) networks created and developed mainly via online offender convergence settings but expanding also offline. An example is provided by N1: its founder (R1) did not intend to create a network, but after meeting a friend of a friend and discovering the common interest in hacktivism, R1 suggested teaming up. The pair quickly developed into an online network thanks to the visibility gained by their operations (mainly directed by R1) and by their posts on Twitter:

I had some media coverage. Random people started coming in, wanting to join this team. They thought it was something big, something international made of hundreds of people. […] I had people wanting to join every day. (R1)

The network continued the recruitment process both online, choosing from among the people who wanted to join the team, and offline. For instance, a member was a student who met R1 during a workshop he offered at the student’s university. The student showed a good attitude and, excellent skills, and was finally approached with a political topic to test the ground. Only after that, was he offered the opportunity to access and cooperate with the network.

Only one network, N11, fits into category (2) networks created online using offender convergence settings, but mainly expanding offline. N11 was originally created online when its leader met other hackers on a Facebook community and decided to set up a network mainly interested in gaining knowledge, improving skills and exploring new challenges. Later though, the same leader decided to shift (at least partially) toward patriotic and political goals. The network was then expanded both online and mainly offline. The founder contacted several friends who lived in the same town and were already proficient with hacking. He then asked them to join, convincing them to use their skills for a better cause. The network changed its attitude: the international members slowly left or became less active, while the friends grew into the core and engaged in operations to support their country.

Offline interactions were not uncommon among the respondents, even in the other categories (11 of them claimed to have this type of contact), but these offline interactions normally happened either before the individuals joined a network, mainly when starting their hacking career, or after the network was already established, as seen with N11: “[I created the network] with friends. […] We live in a neighborhood where everyone is hacking. It’s our lifestyle.” (R19). Overall, offline social relationships did not seem to play a major role among hacktivist networks as regards their creation. But they seemed to help consolidate the internal relationships after the network was created, by showing signs of increased trust among members.

Lastly, no networks among the ones analyzed met the criteria to be classified in category (1) networks created and developed fully offline.

Convergence settings

Offender convergence settings are the places where criminals or wannabe criminals meet and recruit. All the 21 networks showed to different levels that hacktivism is intrinsically linked to the digital environment. We identified four categories of convergence settings. Three online: a) social media; b) open online chats; c) online forums. And one offline d) physical environment. Ten networks used two or more types of them.

Social media platforms represented the most common form of online convergence settings as 17 out of 21 networks employed them to meet and recruit. Facebook was used by 8 networks, followed by Twitter (7) Telegram (2) and Discord (1). Five networks also indicated other social media without providing specific names. Six networks were actively using two or more platforms, but this number could be higher when considering that some of the members had personal accounts in more platforms.

Facebook was favored by some networks because it offers easy access and visibility, and can provide room for thousands of members. For instance, R22 – a prominent member of N13 – started his hacker/hacktivist career alone in an anti-pedophiles community and was recruited by other members of his future network to engage in socio-political operations. Similarly, R5 met his associates on Facebook and proceeded to create his own team: “There are many Facebook groups in I. where to show off deface results. It was there that we met.”

Twitter seemed to represent a good point of contact for possible new recruits and for promoting operations (N1, N12). On this point R29 (N14) said: “I would take a ride in Twitter, and I would listen a bit around. […] I approached these operations simply because whatever you look for on hacking, especially on Twitter, you will see that it is full of ops.”

Last, Telegram and Discord were mentioned once each, probably because they have gained popularity among hacktivists only in recent years. For instance, during #OpRussia, the operation launched by Anonymous and other networks against Russia following the start of the Ukraine-Russia conflict, several Twitter accounts belonging to hacktivists invited people to join either Discord channels or Telegram channels (Raj, 2022), as confirmed also by R27, who has been a member of different hacker and hacktivist networks that made use of these platforms.

The second most common form of online offender convergence settings are online chat tools. They were used by 10 out of 21 networks, with IRC channels being the most common meeting places. All the networks that used IRC channels had past experiences, or were still involved, with Anonymous. For instance, R29 was introduced to hacktivism in an IRC channel linked to a Twitter profile of a hacktivist involved in exposing pedophiles. Later, R29 became active in other IRC channels mainly run by Anonymous members where he got in contact with other networks. Similarly, R31 started his hacking career by joining a mixed IRC server with young and more experienced hackers. Later he discovered the AnonOps server: “I found many hacktivists in there and I started rolling with them; I started participating in Anonymous operations, etc. That’s when I felt that I became a useful person.”

The last category is represented by forums, mentioned by 6 out of 21 networks. The respondents claimed to use both surface and Dark Web forums. For instance, after having been disappointed by the inactivity of the police for a case of bullying, R22 reached out in multiple online forums run by Anonymous members and gained more support than expected. This result had an impact on R22’s decision to join a network and become a hacktivist. Another example is provided by R26. When asked how he met other hackers and hacktivists for operations he replied:

There is a place in my town […] where you can go if you want cheap software (pirated/cracked) […]. In the beginning I started going all the time to that place to learn from others. After a while they showed me how to access forums online. These days I only act online. I have accounts on multiple forums where projects are discussed. These days other members often ask me if I want to take part in some actions. It is not often now that I have to go to other people to looking for a project.

The words of R26 represent a bridge to introduce the last category: physical convergence settings. Although the information on them was scarce, it seemed that the respondents did not make much use offline convergence settings. As just seen, R26 established some contacts in what could be considered a cybercafé, but then moved online because there were more opportunities. The same happened to the founder of N1 (R1) who visited similar cafes in his town, but later switched to the online environment.

Recruitment process

In terms of the recruitment process, hacktivist networks adopt three strategies that are usually used by most of the networks and are implemented depending on what is needed at a certain point in time. Only for N4 we could not retrieve information about the recruitment process. The first type of recruitment can be compared to a sort of job offer where the network sketches a certain profile with specific requirements (for instance people experienced with DDoS attacks). This technique was used by 12 out 21 networks (N1, N6, N7, N8, N12, N13, N14, N16, N17, N18, N19, N20). In the second case, hacktivists search in their list of contacts (social capital) approaching specific people that might be interested in joining the network given their technical skills and/or ideological background. All the analyzed networks used this approach to expand. In these cases, the technical skills are not tested, because the candidate is already known for possessing enough knowledge. Issues might arise for the moral and ideological component as that specific candidate might not be interested in or may even be opposed to a certain operation. In such a situation, trust plays an important role as hacktivists are openly disclosing operations that could endanger them and they therefore look for people, although outside the network, who have proven to be highly reliable. R29 (N17), when asked about cooperation with other networks, stated: “They wanted to take [the members of the group] individually. I receive at least a couple of requests a week from people who ask me to join their team, all of which are always refused.” The third strategy is instead non-active and was used by 10 out of 21 networks (N1, N3, N8, N10, N11, N14, N15, N17, N19, N20): hacktivists belonging to particularly active or known networks receive many requests to join from people that are outside the circle of known acquaintances. As stated by members of N3, N14, N15, N20 these unknown candidates are either turned down immediately, or if they have a documented history as hackers, are tested with the usual tasks. In such situations, the network might have a more suspicious approach and therefore would likely undergo extra research to understand who the external parties are and why they want to join.

The last main finding concerns the three approaches hacktivist networks use to accept new members, based on their technical skills and ideological motivations. We identified: a) open networks where technical requirements underwent a general examination, and the ideological component was lightly scrutinized; b) semi-open networks where more requirements (both technical and ideological) were applied; and finally, c) closed networks where members had to prove their skills and undergo a longer evaluation process before being accepted. While there is not much difference between networks b) and c) in terms of technical skills, the latter devote more attention to the moral and ideological spheres. For 4 networks, it was not possible to state with full certainty where they belonged.

Open networks, 3 out of 21 (N3, N17, N18) tend to apply relatively simple criteria, as explained by R31, leader of N18:

I was having a conversation with an online friend on AnonOps IRC server. He told me that he initiated Operation RedScare, against Russia. So, I joined that channel with a new nickname […]. That’s how [N18] was formed, it was just a one-man army for the first two months, and it was created to attack Russian targets. I got the idea of expanding when many news articles started [depicting N18] as a group when it wasn’t.

Following the visibility given by the media, R31 opened a call for new members and was therefore contacted by several applicants via Twitter and private IRC chats. He then created a task that candidates had to decrypt: “Once they solve it, they will get my e-mail address through which they can contact me. I just asked them whether they have some knowledge in cyber sec, and I took them in according to their response.”

Semi-open networks 11 out of 21 are the most represented (N1, N6, N8, N9, N10, N11, N13, N15, N16, N20; N21), and seem to apply stricter selection criteria with more stringent requirements both in terms of hacking skills and ideological motivations. For instance, R1 (leader of N1) said that hacking skills were not enough to join the network, although they are a major element:

We tried recruiting new hackers a few months ago but we need a specific level of skills that we did not find among the few people that applied. […] I tested them, I gave them targets, interrogated them, what they do, what attacks they perform, what operating systems they work on, why they want to hack, and if I liked their answers, I taught them and this is how [N1] came to be.

Similarly, members of N10 said: “In order to get into N10 you need a lot of proven skills and good work.” A commitment to a certain cause in line with the network’s ideology was encouraged to get accepted but was not always mandatory. On this point, R19 stated that his network was mainly oriented toward patriotism but also accepted international members, although those felt less committed to that cause.

Closed networks 3 out of 21 (N12, N14, N19) recruited people by carefully testing the hacking skills and the ideological elements, often asking for extra information about the candidate’s personal history. Full alignment with the network’s ideology was not mandatory, but requirements were stricter compared to the other two categories. As explained by R30, thorough interviews are necessary to ensure that the candidates are not members of law enforcement agencies, or adversary networks. For instance, N12 was made up of members that were originally part of another network we contacted: N20. After the split in 2015, N12 members decided to focus on fighting terrorism (mainly ISIS) and to create a sort of collaboration with law enforcement agencies, although keeping (at least according to them) their independence. The leaders of N12 said that the new network became so prominent that they started receiving weekly requests to join, but decided to accept only skilled and ideologically motivated hacktivists:

If you don’t already have a strong working knowledge of extremism and how to identify targets on your own, we can’t waste time teaching you. […] You’d need some verifiable hardcode security clearances under your belt, amazing technical skills and know terrorism inside and out to even be considered for lowest level stuff.

On the same level of requirements is the procedure to enter N14. According to R30, one of the network’s most important members, several people over the years wanted to join:

There is a process of testing [people’s] moral. It’s a process, but just to make sure we choose the right person and don’t make a mistake. It’s not like we invite people to join a hacking club. No! It’s like real people fighting for humanity. It’s not about hacking. It’s about doing the right thing.

R30 added that full acceptance into the most intimate network’s circle (the one that runs the operations and chooses the targets) can take “years of trust, years of seeing what this person is capable of doing.” This point was confirmed by a less prominent member, R27:

After several interactions, we became “online friends” and I was dragged into his world and operations. Take into consideration that I have a PhD in computer science, so I was not far from the hacking world. And I was already an activist, so I used my skills to become a hacktivist and a member of N14. It took me a year to join his team.

Discussion and conclusion

Our research explored 21 hacktivist networks by means of 30 semi-structured interviews to provide a picture of how hacktivist networks are created and how new members are recruited. When looking at the classification of cybercriminal networks elaborated by Leukfeldt et al. (2017a), we noticed a major presence of category (4) networks grown fully online, therefore showing an important link with the online environment.

By applying the social opportunity structures framework (Kleemans & De Poot, 2008), we found out that relationships developed online, and online convergence settings play a key role in the creation of the networks. Specifically, people who met online during previous experiences occupy a central position in the development and growth of the network, while social media platforms and IRC channels represent the main forms of online convergence settings for (wannabe) hacktivists.

In terms of the recruitment process, hacktivists seem to choose from among three paths: an active form of recruitment, a non-active one, and one based on previous connections. Last, networks can be open, semi-open or closed when considering the level of scrutiny applied to new candidates.

Networks’ classification, social relationships and convergence settings

When considering the four categories elaborated by Leukfeldt et al. (2017a), our results show that the network classification is closely intertwined, with the role played by social relationships and convergence settings prompting us to discuss them together.

Twenty out of 21 networks either belong to category (4) networks grown fully online, or to category (3) networks created and developed mainly via online offender convergence settings but expanding also offline. The online component is predominant both in the formation process and in the consolidation phase, particularly when considering that even the networks belonging to category (3) are mainly based online. Offline social contacts are instead limited, while offline convergence settings were mentioned only twice and do not seem to be particularly relevant among hacktivists. Only one network falls under category (2) growth through offline social contacts but expanding online using offender convergence settings, while category (1) entirely through offline social contacts was not present in our analysis.

These findings differ significantly from those of studies on financially motivated cybercriminal networks (Leukfeldt & Roks, 2021; Leukfeldt et al., 2017a, 2017b; Lusthaus & Varese, 2021; Lusthaus et al., 2023; Roks et al., 2021), which show that the local and physical/offline dimensions play an important role in the formation and evolution of those criminal networks. The same hybridization concept discussed by Leukfeldt and Roks (2021) does not seem to apply to the hacktivist networks, or it applies only marginally as happened with some Anonymous members and operations (Firer-Blaes, 2016). It seems that for hacktivists, there are no specific needs to recruit among locals. International networks were more common in our study, with exceptions for those mainly involved in patriotism, but in that case, too, the local dimension was not important. We think that this major difference might be linked to the final aim of hacktivists, who are interested in gaining visibility and achieving a change in society. They do not need to be in contact with each other physically to be effective or to enforce particular forms of social control on the networks’ members. They mainly need to trust that the associates will fulfill their tasks during an operation and stick to their moral compass, as seen also in research on street gangs (Densley, 2012). As pointed out by Milan (2015), hacktivists often rely on loose networks made up of peers that allow a degree of freedom and do not need tight connections (not among all the members). This lets them discuss sensitive and possibly dangerous topics without exposing their real identities. This loose approach was only partially confirmed in our results, and it certainly depended on the type of network, both in terms of the technological sophistication and commitment of its members. On the contrary, financially motivated cybercriminals usually rely on closer links and a higher level of trust, often among people who have known each other for a long time, at least for the core members. This allows them to share the profits of their actions and to apply a tighter control to their activities (Kruisbergen et al., 2019; Leukfeldt & Holt, 2020, 2022; Lusthaus & Varese, 2021; Lusthaus et al., 2023).

In terms of social relationships, our research shows that the role of family and offline friends is less important in determining whether a person will join a hacktivist network. Family relationships have almost never been mentioned by the participants as the main entry point. In line with the findings of Lusthaus (2018), we discovered that even hacktivists who prefer online interaction do sometimes meet in person, or at least reveal personal information. This process seems to be linked to the need to build trust (Lusthaus, 2018), normally only after a solid online relationship has already been established among members.

Online social contacts are also important in the selection of new members. This is particularly relevant both at the beginning of the network formation, when lone hacktivists decide to involve other acquaintances, and after the core network has been established and the expansion is achieved through personal connections (friends or acquaintances) or reputation (asking a skilled hacker to join the cause). In this sense, our findings are in line with other studies not only in the filed of cybercrime (Holt et al., 2017; Leukfeldt & Holt, 2020; Leukfeldt et al., 2017a, 2017b; Lusthaus et al., 2023; Yip et al., 2012), but also in more traditional forms of criminal activities (Decker & Pyrooz, 2011; Densley, 2012; Morselli, 2009; Ouellet et al., 2019). It should not come as a surprise that some members have a very strong bond even though they have never physically met, nor do they know one another’s real identities. This point was thoroughly considered by several respondents (e.g., R29 and R30) who refer to the network as “a family.” As R29 pointed out, it is often a matter of affinity that does not depend on seeing a face, but on the mental link created between two individuals. Given the ideological component of hacktivist networks and the time that some of them seem to spend together online, it can be expected that certain levels of behavioral and ideological affinity play an important part in the constructions of these relationships (see, e.g., McAdam, 1986, 2003).

Although we did not deepen the analysis of trust and anonymity within the networks, it seems that even if real identities are unknown, the networks’ most prominent members tend to use a specific handle that works as a signature and makes them more easily recognizable in the online community. Extra research is needed on this topic, to understand whether the hypotheses made by Lusthaus (2018) about trust are applicable to hacktivist networks. The concepts of reputation, performance and appearance have been discussed with some participants and the preliminary findings seem to point toward a confirmation of these hypotheses when applied to the recruitment process, but the actual implications are still unknown.

In terms of convergence settings, the physical environment seems to be significantly less important compared to the findings of other studies (see Leukfeldt et al., 2017a, 2017b; Lusthaus, 2018; Lusthaus & Varese, 2021) and of the main literature on other forms of crime (see Morselli, 2009). Overall, online convergence settings are largely favored by hacktivists both to recruit and to meet. Social media platforms are in the first place used for recruitment and communication (although in the second case hacktivists seem to use other chat apps such as Telegram and Wire), given the visibility they can provide (Romagna, 2020). Hacktivists use them not only to promote their agendas [Facebook and Twitter are particularly good for this, as pointed out in other studies (see Alexopoulou & Pavli, 2021; Farmer, 2022)], but also to attract new candidates, be easily found and even coordinate attacks, as also reported by Richards and Wood (2018) in their study on the Anonymous anti-IS campaigns. Although other social networks were mentioned less in our interviews, it does not mean that they are necessarily less important for the hacktivist community. As pointed out by Raj (2022), Telegram is gaining momentum and we have noticed that several respondents asked to use this platform for communication.

In terms of the recruitment process, our findings are in line with several studies (Holt et al., 2017; Milan, 2015; Yip et al., 2012) which show that in the online world newcomers can get in contact with existing members quite easily, without requiring central persons. This differs from the results of other studies (Leukfeldt & Holt, 2020; Leukfeldt et al., 2017a; Pete et al., 2020) that show key subjects at the center of a network managing contacts and facilitating the development of criminal syndicates. Particularly, the role of “broker” does not seem to have a clear position in the hacktivist community. It might be that this role does not exist, or more likely, that it exists, but plays a more marginal function. If, instead, we want to attribute the status of broker to the leader of a network, then our findings are more in line with previous studies (see Leukfeldt et al., 2017a, 2017b; Lusthaus & Varese, 2021), but we feel this would be a forced interpretation. More research should be done to understand to what extent hacktivist networks make use of brokers.

Lastly, we noticed how the recruitment process among hacktivist networks seems to be similar to the recruitment process of a regular organization: either through a position offered by the network (deliberate recruitment), or via third parties already known to the network’s members (social ties or social snowball effect) (Kleemans & Van Koppen, 2020), or by interested candidates offering their services. These three approaches are in line with the findings on more traditional forms of cybercriminal networks (Leukfeldt & Holt, 2020, 2022; Leukfeldt et al., 2017a, 2017b, 2019, 2020; Lusthaus & Varese, 2021; Lusthaus et al., 2023; Roks et al., 2021).

Limitations

When considering the limitations and strengths of this paper, and the new research paths, we believe that a sample of 30 respondents is good, but not representative of the whole hacktivist community. Nevertheless, these are unique interviews with active hackers/hacktivists and their experiences are therefore valuable, representing an insight into this relatively hidden community. Moreover, although we cannot generalize the findings on hacktivists to the whole hacking community, they certainly shed some light on the behaviors of hackers when setting up networks and recruiting new members. We also acknowledge that the geographical representation is limited to certain zones (particularly those where geo-political tensions are ongoing); nevertheless, this might be a sign that troubled areas are also the ones that produce the largest number of protesters (in our case hacktivists). More research is necessary to understand whether there is a relation in this sense.

When looking at the whole interview process, we noticed that some participants provided detailed stories, while others preferred to disclose less information. This affected the quality of the interviews, but it was accepted as a necessary consequence given the type of population. We also recognized that only rarely could we confirm the participants’ statements, meaning that the truthfulness of their declarations could not always be verified. Nevertheless, social network platforms helped us on this, since we had the opportunity to check the messages posted there (e.g., for the recruitment). This is also a further point of research, as it would be interesting to understand how these calls work, what type of language is used to attract possible hacktivists, but also what are their reactions (or those of the social media platform community). Moreover, it seems valuable to understand the role of specific media communities popular among hackers and hacktivists (Telegram, Discord and Twitter above all), and the role of forums both in the clear and in the Dark Web. We did not have the opportunity to apply a virtual ethnographic approach to the topic, but we feel sure it would contribute to improve the knowledge of the phenomenon.

Conclusions

We used the social opportunity structures framework (Kleemans & De Poot, 2008) to examine 21 international hacktivist networks. Following the classification of Leukfeldt et al. (2017a), we observed that the networks we analyzed were either created entirely online or initiated online and later expanded into the offline world. Hacktivists either met online, seeking like-minded individuals in ad hoc spaces, or developed their interest in the socio-political sphere after encountering individuals already engaged in hacktivism. Online offender convergence settings, such as social networking platforms, IRC channels, and hacking forums, played a pivotal role in nurturing these relationships. The central role played by the online environment represents a partial contrast with other studies on financially motivated cybercrime. Unlike in other cybercriminal networks, hacktivists tried to avoid offline social contacts and the sharing of too much personal information (with some exceptions). Additionally, we discovered that hacktivist networks followed different processes for recruiting new members and exhibited varying levels of sophistication and candidate selection criteria.

In conclusion, our research yielded important results to better grasp the hacktivist community and its operational dynamics. The study provides a relevant contribution to understanding how hacktivist networks are formed and developed, particularly when considering the role played by social opportunity structures within them. Moreover, it offers a glimpse into the hacker community and its connections with hacktivist circles. These findings are important because they provide a bridge toward our understanding of hacker networks which remain more elusive than their politically involved counterpart. As a final remark, we believe this paper contributes from a methodological perspective to the study of online populations involved in deviant activities, particularly due to the use we made of social media platforms and interview techniques.

Credit author statement

Marco Romagna: Conceptualization, Methodology, Formal analysis, Writing – original draft, Writing – review & editing, and Funding acquisition.

Rutger Leukfeldt: Formal analysis, Validation, Writing – original draft, and Writing – review & editing.

Acknowledgments

The authors would like to thank all the participants who dedicated time and energy to this project.

Disclosure statement

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Additional information

Funding

This work was supported by the NWO Nederlandse Organisatie voor Wetenschappelijk [Doctoral Grant Program for Teachers n. 023.011.035].

Notes

1. Quotes are reported as written by the respondents. We limited the corrections at the minimum level.