The Department of Justice has allowed three former members of the American intelligence or military forces, who were paid to betray the United States by hacking computers on behalf of the United Arab Emirates, to escape criminal prosecution.
The hackers-for-hire were granted a “deferred prosecution agreement” that will only require them to reimburse the U.S. government with $1,685,000 to “resolve a Department of Justice investigation regarding violations of U.S. export control, computer fraud and access device fraud laws.”
The Department of Justice said Tuesday that Marc Baier, Ryan Adams and Daniel Gericke worked for a UAE-based company that “carried out computer network exploitation” for the UAE government between 2016 and 2019, including sophisticated “zero-click” hacking that could “compromise a device without any action by the target.” The hacks allow the hacker to break into computers and phones around the world including within the United States to gain passwords from U.S. companies.
The three individuals performed such actions despite being repeatedly informed that such work required approval from the State Department under the International Traffic in Arms Regulations, per the DOJ.
“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States,” said Acting Assistant Attorney General Mark J. Lesko for the Justice Department’s National Security Division. “Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct.”
“Left unregulated, the proliferation of offensive cyber capabilities undermines privacy and security worldwide. Under our International Traffic in Arms Regulations, the United States will ensure that U.S. persons only provide defense services in support of such capabilities pursuant to proper licenses and oversight,” said Acting U.S. Attorney Channing D. Phillips of the District of Columbia.
Phillips indicated that the three men were not given favourable treatment because of their connections to national security entities, which work closely with prosecutors like Lesko, stating: “A U.S. person’s status as a former U.S. government employee certainly does not provide them with a free pass in that regard.”
The DOJ described Gericke as a “former U.S. citizen.”
The deal says:
Under the terms of the DPA, Baier, Adams and Gericke agreed to pay $750,000, $600,000, and $335,000 respectively, over a three-year term, which they may not be reimbursed for without the express approval of the U.S. government. In addition to the financial penalties, as part of the DPA, the defendants agreed to full cooperation with the relevant Department and FBI components; the immediate relinquishment of any foreign or U.S. security clearances; a lifetime ban on future U.S. security clearances; and certain future employment restrictions, including a prohibition on employment that involves CNE activity or exporting defense articles or providing defense services under the ITAR (e.g., CNE techniques), and restrictions on employment for certain U.A.E. organizations.
In 2019, Reuters reported on Project Raven, a “secret hacking team of American mercenaries” who “utilized a powerful new hacking tool called Karma, which allowed operatives to break into the iPhones of users around the world.”