What the DarkMatter Cyber-Mercenary Hack Scandal Means

Earlier this week, the Justice Department revealed that three former U.S. intelligence officers were facing federal charges in connection with their work for DarkMatter, a foreign cybersecurity company based in the United Arab Emirates.

The men, who previously worked for the National Security Agency, were part of a covert operation titled “Raven ProjectWho, between 2016 and 2019, helped the UAE government spy on critics of its regime. To this end, hackers helped the Middle Eastern monarchy to break in IT systems and devices around the world, including those located in the United States

Although the culprits have since entered into a deferred prosecution agreement with the government, essentially allowing them to escape jail time (a loophole with a prize of $ 1.6 million) – the ramifications of the case are surely not so easy to put to bed.

Suffice it to say that the idea of ​​former US national security agents targeting US systems at the behest of a foreign government is a pretty frightening scenario. Yet such activity is probably only the tip of the iceberg when it comes to the nastiness of the spyware industry – a poorly understood area that, as many have noted, has few meaningful legal or regulatory safeguards to prevent this kind of depraved shit from happening.

The “Raven” incident itself shows that there are few constraints on US-based companies wishing to sell powerful cyber weapons to foreign governments: DarkMatter’s agents apparently collaborated with a Denver-based US cyber company Accuvant– who sold them a $ 1.6 million iPhone hack tool that was used in subsequent hacking escapades.

The scandal is also made worse by the fact that one of the defendants, Daniel Gericke, currently serves as the chief information officer of ExpressVPN, one of the most widely used privacy products on the market. Yes, a guy who has been accused of breaking federal laws to compromise US networks and devices is also currently employed by a company that is supposed to protect your privacy online. Scary, right?

The news of Gericke’s involvement in Project Raven naturally sparked quite a bit of outrage online, fueling a conversation about the reliability of the average privacy product.

However, the company defended its decision to hire her and even admitted that it knew his past when he hired him in 2019.

“We find it deeply regrettable that the news of recent days regarding Daniel Gericke has raised concerns among our users and given reason to question our commitment to our core values,” the company said. said in a blog post Thusday. “To be completely clear, while we appreciate Daniel’s expertise and the way it has helped us protect clients, we do not condone Project Raven. The surveillance it represents is completely antithetical to our mission.

But how heartwarming can these assurances really be when it’s clear that the privacy industry is seemingly populated by the same people who run the surveillance industry?

This year, controversies involving the surveillance industry continued to crop up, one on top of the other, fueling calls for national and global regulations that can combat abuse.

In particular, the outrage was renewed during the abuse of the NSO group, a famous Israeli spyware company known for selling its powerful malware compromising devices to repressive regimes around the world. In July, a number of nonprofits and media outlets began publishing articles related to the “Pegasus project, A survey of the extent to which the company’s malware has been distributed around the world. The investigation revealed a treasure of some 50,000 “potential targets” of Pegasus which the researchers said included the phones of dignitaries and diplomats such as French leader Emmanuel Macron, as well as devices belonging to other presidents, former prime ministers and the King of Morocco, among others. Even more problematic, last week Apple announcement fixes for security holes that had seen Pegasus related exploitation. Patches applied to some 1.65 billion Apple products, whose tastes had been vulnerable since March.

Despite all of this, there may be some hope on the horizon with indications that regulators are finally giving in to calls to action.

As an example, consider the case of SpyFone, a “stalkerware” company that the critics say has helped “stalkers and domestic abusers” in their quest to monitor victims. The company was recently banned exploitation by the Federal Trade Commission – a first-of-its-kind move that could signal an upcoming crackdown on the spyware industry as a whole. FTC Commissioner Rohit Chopra also suggested law enforcement agencies could review whether criminal charges were warranted.

However, privacy advocates have suggested that simply banning the occasional operation of a business or occasional lawsuits would not be enough. Amnesty International, which has helped denounce abuses by NSOs, has call for a global moratorium on the sale of spyware until a “human rights compliant regulatory framework” can be developed and implemented. Other activists have suggested in the same way that all sales should be halted until governments can “investigate and regulate this industry” – which is misunderstood by lawmakers and everyday peopleple the same.

Correction: A previous version of this article incorrectly referred to UAE cybersecurity company DarkMatter as BlackMatter. We regret the error.