On Sept. 14, the Department of Justice (DoJ) announced that three former U.S. intelligence community and military personnel faced criminal charges and promised to pay fines worth over 1.68 million dollars. The three men are accused of working as mercenary hackers for the United Arab Emirates (UAE) government, conducting cyberespionage against American targets, and violating U.S. laws against selling sensitive military technologies.
The hackers entered into a Deferred Prosecution Agreement (DPA) that restricts their “future activities and employment.” Acting Assistant Attorney General Mark J. Lesko stated that those who carry out activities in violation of U.S. law must expect to be prosecuted for criminal conduct.
“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting, and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States,” Lesko said in a statement.
The individuals are 49-year-old Marc Baier, 34-year-old Ryan Adams, and 40-year-old Daniel Gericke. While Baier and Adams are U.S. citizens, Gericke is a former citizen of the United States. According to court documents, the defendants worked as senior managers at a company based in the UAE that carried out hacking operations between 2016 and 2019 on behalf of the UAE government.
The three individuals were warned that their activities fell under the International Traffic in Arms Regulations (ITAR) and that they needed a license from the U.S. State Department’s Directorate of Defense Trade Controls (DDTC) to continue operations. However, they dismissed the warning and continued to provide their services without obtaining the necessary license.
The services provided included “support, direction, and supervision in the creation of sophisticated ‘zero-click’ computer hacking and intelligence gathering systems.” A zero-click system can gain access to a device without any action by the target. Employees at the company used these exploits to hack into computers and mobile phones worldwide.
Gericke is currently employed as the Chief Information Officer (CIO) at ExpressVPN, one of the leading VPN services in the world. In a statement to CNET, ExpressVPN said that it has known the “key facts” about Gericke’s employment history, as he disclosed these matters “proactively and transparently” to the company right from the start.
“In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users’ privacy and security,” ExpressVPN said. After the plea deal was announced, Gericke’s Twitter and LinkedIn accounts were deleted without an explanation.
According to Reuters, the accused were part of a clandestine unit called Project Raven that acted at the behest of the UAE leadership to hack into accounts of rival governments, journalists, and human rights activists. The media outlet had earlier exposed Project Raven in 2019 with the help of Lori Stroud, a former National Security Agency (NSA) analyst who was also recruited by the UAE.
When tasked with targeting Americans for surveillance, Stroud and some of her fellow employees from the United States blew the whistle. Stroud is pleased with the charges brought against the men. “The most significant catalyst to bringing this issue to light was investigative journalism – the timely, technical information reported created the awareness and momentum to ensure justice,” Stroud told Reuters.