The U.S. government has entered a Deferred Prosecution Agreement (DPA) with three former intelligence operatives to resolve criminal charges relating to their offering of hacking services to a foreign government.
Between 2016 and 2019, Marc Baier, Ryan Adams, and Daniel Gericke provided their services to a company that ran sophisticated hacking operations for the United Arab Emirates (UAE) government against various targets.
Former employees of the U.S. Intelligence Community (USIC) or the U.S. military, the three agreed to pay $1,685,000 in penalties to not be prosecuted for violations of U.S. export control, computer fraud, and access device fraud laws.
Essential U.S. input
After leaving the U.S. government employment, the trio joined the senior management ranks of a UAE company where they coordinated hacking operations against various targets.
They also supervised the creation of two hacking and espionage platforms called KARMA and KARMA 2, used to compromise iPhones belonging to targets of interest to the UAE.
The unit had more than a dozen former U.S. intelligence operatives helping the UAE with “surveillance of other governments, militants and human rights activists critical of the monarchy.”
KARMA and its successor relied on “zero-click” exploits (no user interaction needed) that enabled collecting sensitive info that allowed access to the targets accounts (email, cloud storage, social network) to steal data.
According to a report from Patrick Howell O’Neill at MIT Technology Review, the vulnerability that the KARMA platform exploited to take full control of a target’s iPhone was in Apple’s iMessage app and it was developed and sold by an American company named Accuvant (merged a few years back into what is now known as Optiv).
No license to hack
According to the DoJ, the work of the three defendants for the UAE company constituted a “defense service” as per the International Traffic in Arms Regulations (ITAR).
In this context, the defendants’ activity required a license from the State Department’s Directorate of Defense Trade Controls (DDTC). Despite being informed multiple times about this, Baier, Adams, and Gericke continued to provide their services without a license.
The DPA is the first of its kind and seeks to limit “the proliferation of offensive cyber capabilities undermines privacy and security worldwide.” Simply put, it discourages “hacker-for-hire” activity without a license under ITAR.
Under the terms of the agreement, Baier, Adams, and Gericke have to pay $750,000, $600,000, and $335,000 respectively, over a three-year term.
Apart from this fine, the three also lose any foreign or U.S. security clearances and are prohibited from employment that involves computer network exploitation (CNE) operations, a.k.a. hacking, or CNE techniques.
Daniel Gericke is the Chief Information Officer for ExpressVPN, one of the largest VPN providers. The company released a statement regarding the DPA that names its CIO: