US fines former NSA employees who provided hacker-for-hire services to UAE
The US Department of Justice has fined three former NSA employees who worked as hackers-for-hire for a United Arab Emirates cybersecurity company.
Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40, broke US export control laws that require companies and individuals to obtain a special license from the State Department's Directorate of Defense Trade Controls (DDTC) before providing defense-related services to a foreign government.
According to court documents [PDF], the three suspects helped the UAE company develop and successfully deploy at least two hacking tools.
The three entered into a first-of-its-kind deferred prosecution agreement with the DOJ today, agreeing to pay $750,000, $600,000, and $335,000, respectively, over a three-year term, in order to avoid jail time for their actions.
The three worked for DarkMatter's Project Raven
While the court documents are heavily redacted, Baier, Adams, and Gericke's story is well known: their actions were first exposed by a whistleblower and documented in a multi-part Reuters investigation in January 2019.
Per the Reuters report and DOJ officials, the three worked as contractors for UAE-based company DarkMatter between January 2016 and November 2019.
The former NSA analysts worked inside Project Raven, a team inside DarkMatter that was made up of more than a dozen former US intelligence operatives.
Inside this project, the three helped develop Karma and Karma 2, two iOS zero-click exploits.
Reuters said the two exploits, designed to target iPhones, were used by UAE officials to spy on dissidents, reporters, and government opposition leaders.
DOJ targets hacker-for-hire scene
Besides today's fines, the DOJ agreement also includes the following clauses:
- Full cooperation with the relevant Department and FBI components;
- The immediate relinquishment of any foreign or US security clearances;
- A lifetime ban on future US security clearances;
- Future employment restrictions, including a prohibition on employment that involves CNE (computer network exploitation) activity or exporting defense articles or providing defense services under the ITAR (e.g., CNE techniques);
- Restrictions on employment for certain UAE organizations.
"This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States," said Acting Assistant Attorney General Mark J. Lesko.
"Hackers-for-hire and those who otherwise support such activities in violation of US law should fully expect to be prosecuted for their criminal conduct," he added.
"These individuals chose to ignore warnings and to leverage their years of experience to support and enhance a foreign government's offensive cyber operations," said Assistant Director in Charge Steven M. D'Antuono of the FBI's Washington Field Office.
"These charges and the associated penalties make clear that the FBI will continue to investigate such violations."
Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.