The U.S. government has entered a Deferred Prosecution Agreement (DPA) with three former intelligence operatives in an attempt to resolve criminal charges relating to their offering of hacking services to a foreign government.
A deferred prosecution agreement (DPA), is comparable to a non-prosecution agreement (NPA), and it represents a voluntary alternative to adjudication in which a prosecutor agrees to give amnesty in exchange for the defendant agreeing to comply with specified conditions, as a deferred prosecution agreement might be used to resolve a case of corporate fraud in which the defendant agrees to pay fines, adopt corporate changes, and fully cooperate with the investigation.
Marc Baier, Ryan Adams, and Daniel Gericke provided their services to a company that ran sophisticated hacking operations for the United Arab Emirates (UAE) government against various targets, between 2016 and 2019.
These services included the provision of support, direction and supervision in the creation of sophisticated “zero-click” computer hacking and intelligence gathering systems – i.e., one that could compromise a device without any action by the target.
The three former employees of the U.S. Intelligence Community (USIC) or the U.S. military agreed to pay the penalties in order to not be prosecuted for the violations of U.S. export control, computer fraud, and access device fraud laws.
The three joined the senior management ranks of a UAE company. Here they were coordinating hacking operations against various targets, as well as supervising the creation of two hacking and espionage platforms.
KARMA and KARMA 2, the hacking and espionage platforms were used to compromise iPhones belonging to targets of interest to the UAE.
Back in 2019, the journalists from the news publication Reuters revealed that the hacking platforms were actually used by a clandestine UAE hacking team that was using the codename Project Raven and was led via a UAE-based company called DarkMatter.
It’s very interesting to note that more than a dozen of former U.S. intelligence operatives were helping the UAE with “surveillance of other governments, militants and human rights activists critical of the monarchy.”
KARMA and its successors exploited “zero-click” vulnerabilities to harvest sensitive information and get access to targets’ accounts (email, cloud storage, social media) in order to steal data.
According to Patrick Howell O’Neill, the vulnerability exploited by the KARMA platform to acquire full control of a target’s iPhone was in Apple’s iMessage software, which was developed and distributed by an American firm called Accuvant (merged a few years back into what is now known as Optiv).
NEW: The American company that sold a zero-click iMessage hacking tool to a UAE spying operation was Accuvant, a prolific Denver-based firm that specialized in iOS exploits. https://t.co/5o3K1f5jSn
— Patrick Howell O’Neill (@HowellONeill) September 15, 2021
The work that the three defendants provided for the UAE company constituted a “defense service” as per the International Traffic in Arms Regulations (ITAR), and because of this, the defendants’ activity had required a license from the State Department’s Directorate of Defense Trade Controls (DDTC).
Even if Baier, Adams, and Gericke knew about this they continued to provide their services without a license.
This DPA is the first of its kind, seeking to limit:
the proliferation of offensive cyber capabilities undermines privacy and security worldwide.
As per this agreement, Baier, Adams, and Gericke will have to pay $750,000, $600,000, and $335,000 respectively.
The three will also lose any foreign or U.S. security clearances and will be prohibited from employment involving computer network exploitation (CNE) operations, a.k.a. hacking, or CNE techniques.
Daniel Gericke, the Chief Information Officer for ExpressVPN released a statement regarding the DPA regarding its CIO:
We’ve known the key facts relating to Daniel’s employment history since before we hired him, as he disclosed them proactively and transparently with us from the start. In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users’ privacy and security.