The man in charge of Saudi Arabia’s ruthless campaign to stifle dissent went searching for ways to spy on people he saw as threats to the kingdom. He knew where to go: a secretive Israeli company offering technology developed by former intelligence operatives.
It was late 2017 and Saud al-Qahtani — then a top adviser to Saudi Arabia’s powerful crown prince — was tracking Saudi dissidents around the world, part of his extensive surveillance efforts that ultimately led to the killing of the journalist Jamal Khashoggi. In messages exchanged with employees from the company, NSO Group, Mr. al-Qahtani spoke of grand plans to use its surveillance tools throughout the Middle East and Europe, like Turkey and Qatar or France and Britain.
The Saudi government’s reliance on a firm from Israel, an adversary for decades, offers a glimpse of a new age of digital warfare governed by few rules and of a growing economy, now valued at $12 billion, of spies for hire.
Today even the smallest countries can buy digital espionage services, enabling them to conduct sophisticated operations like electronic eavesdropping or influence campaigns that were once the preserve of major powers like the United States and Russia. Corporations that want to scrutinize competitors’ secrets, or a wealthy individual with a beef against a rival, can also command intelligence operations for a price, akin to purchasing off-the-shelf elements of the National Security Agency or the Mossad.
NSO and a competitor, the Emirati firm DarkMatter, exemplify the proliferation of privatized spying. A monthslong examination by The New York Times, based on interviews with current and former hackers for governments and private companies and others as well as a review of documents, uncovered secret skirmishes in this burgeoning world of digital combat.
The firms have enabled governments not only to hack criminal elements like terrorist groups and drug cartels but also in some cases to act on darker impulses, targeting activists and journalists. Hackers trained by United States spy agencies caught American businesspeople and human rights workers in their net. Cybermercenaries working for DarkMatter turned a prosaic household item, a baby monitor, into a spy device.
The F.B.I. is investigating current and former American employees of DarkMatter for possible cybercrimes, according to four people familiar with the investigation. The inquiry intensified after a former N.S.A. hacker working for the company grew concerned about its activities and contacted the F.B.I., Reuters reported.
NSO and DarkMatter also compete fiercely with each other, paying handsomely to lure top hacking talent from Israel, the United States and other countries, and sometimes pilfering recruits from each other, The Times found.
The Middle East is the epicenter of this new era of privatized spying. Besides DarkMatter and NSO, there is Black Cube, a private company run by former Mossad and Israeli military intelligence operatives that gained notoriety after Harvey Weinstein, the disgraced Hollywood mogul, hired it to dig up dirt on his accusers. Psy-Group, an Israeli company specializing in social media manipulation, worked for Russian oligarchs and in 2016 pitched the Trump campaign on a plan to build an online army of bots and avatars to swing Republican delegate votes.
Last year, a wealthy American businessman, Elliott Broidy, sued the government of Qatar and a New York firm run by a former C.I.A. officer, Global Risk Advisors, for what he said was a sophisticated breach of his company that led to thousands of his emails spilling into public. Mr. Broidy said that the operation was motivated by hard-nosed geopolitics: At the beginning of the Trump administration, he had pushed the White House to adopt anti-Qatar policies at the same time his firm was poised to receive hundreds of millions of dollars in contracts from the United Arab Emirates, the archrival to Qatar.
A judge dismissed Mr. Broidy’s lawsuit, but suspicions have grown that Qatar had a hand in other operations, including the hacking and leaking of the emails of Yousef al-Otaiba, the influential Emirati ambassador in Washington.
The rapid expansion of this global high-tech battleground, where armies of cybermercenaries clash, has prompted warnings of a dangerous and chaotic future.
“Even the smallest country, on a very low budget, can have an offensive capability,” or initiate online attacks against adversaries, said Robert Johnston, founder of the cybersecurity firm Adlumin and a key investigator on Russia’s 2016 hacking of the Democratic National Committee. “Qatar and U.A.E. are going after each other, and that war is getting very, very bloody.
“The barriers to entry in this space are getting lower and lower.”
Before NSO helped the Saudi government track its adversaries outside the kingdom, and helped the Mexican government hunt drug kingpins, and earned hundreds of millions of dollars working for dozens of countries on six continents, the company consisted of two high school friends in northern Israel with one relatively mundane idea.
Using technology developed by graduates of Intelligence Unit 8200 — Israel’s equivalent of the N.S.A.— Shalev Hulio and Omri Lavie started a company in 2008 that allowed cellphone firms to gain remote access to their customers’ devices to perform maintenance.
Word spread to Western spy services, whose operatives spotted an opportunity. At the time, American and European officials were warning that Apple, Facebook, Google and other tech giants were developing technologies that allowed criminals and terrorists to communicate through encrypted channels indecipherable to intelligence and law enforcement agencies. They called the phenomenon “going dark.”
Mr. Hulio and Mr. Lavie offered a way to circumvent this problem by hacking the end points of the communications — the phones themselves — after the data were decrypted.
By 2011, NSO had developed its first prototype, a mobile surveillance tool the company called Pegasus. Like its namesake, the Greek mythological winged horse, NSO’s tool could do something seemingly impossible: collect vast amounts of previously inaccessible data from smartphones in the air without leaving a trace — including phone calls, texts, emails, contacts, location and any data transmitted over apps like Facebook, WhatsApp and Skype.
“Once these companies invade your phone, they own it. You’re just carrying it around,” Avi Rosen of Kaymera Technologies, an Israeli cyberdefense company, said of NSO and its competitors.
The company soon had its first client for Pegasus: the government of Mexico, which was engaged in a crackdown on drug cartels. By 2013, NSO had installed Pegasus at three Mexican agencies, according to emails obtained by The Times. The emails estimated that, altogether, the firm had sold the Mexican government $15 million worth of hardware and software. Mexico was paying the firm some $77 million to track a wide array of targets’ every move and swipe of their phone.
NSO products were important to Mexico’s war against the cartels, according to four people familiar with how the Mexican government used Pegasus, speaking on the condition of anonymity to discuss intelligence matters. Mexican officials have credited Pegasus as instrumental in helping track and capture El Chapo, the famed drug kingpin who wasconvicted last month in New York and sentenced to life in a maximum-security prison.
Soon enough, NSO was selling to governments throughout the world, with the company claiming clients on every continent except Antarctica. NSO products — particularly Pegasus — helped break up terrorist cells and aided investigations into organized crime and child abduction, European intelligence and law enforcement officials said in interviews.
NSO’s first client, the Mexican government, was also using the hacking tools for darker purposes — as part of a broader government and industry surveillance effort. The government used NSO products to track at least two dozen journalists, government critics, international investigators looking into the unsolved disappearance of 43 students, even backers of a soda tax, according to Times investigations and research by Citizen Lab, part of the University of Toronto.
Those targets were subjected to a stream of harassing text messages that contained malware. Some messages warned that their spouses were having affairs, others that a relative had passed away. In one case, when government officials were not able to infiltrate the phone of a journalist, they targeted her 16-year-old son’s.
Though NSO says it sells its services for criminal and antiterrorism investigations, none of the Mexicans known to have been targeted were suspected in criminal or terrorism investigations.
“NSO technology has helped stop vicious crimes and deadly terrorist attacks around the world,” the company said in a statement. “We do not tolerate misuse of our products and we regularly vet and review our contracts to ensure they are not being used for anything other than the prevention or investigation of terrorism and crime.”
The company has established an ethics committee, which decides whether it can sell its spyware to countries based on their human rights records as reported by global organizations like the World Bank’s human capital index, and other indicators. NSO would not sell to Turkey, for example, because of its poor record on human rights, current and former employees said.
But on the World Bank index, Turkey ranks higher than Mexico and Saudi Arabia, both NSO clients. A spokesman for Israel’s Ministry of Defense, which needs to authorize any contract that NSO wins from a foreign government, declined to answer questions about the company.
A lawsuit alleged last year that in the months before his death, Saudi Arabia used NSO products to spy on Mr. Khashoggi, the Washington Post columnist strangled and dismembered in October by Saudi operatives inside the kingdom’s consulate in Istanbul. NSO denies the accusation. Several of Mr. Khashoggi’s closest contacts were targets of NSO hacking tools, Citizen Lab reported. Without access to Mr. Khashoggi’s devices, researchers have not confirmed whether he was a direct target of NSO surveillance.
Even in cases of blatant abuse, NSO continued to renew contracts with its government clients. In 2013, for instance, NSO inked its first deal with the United Arab Emirates. Within a year, the Emirati government was caught installing NSO spyware on the mobile phone of Ahmed Mansoor, a prominent human rights activist.
After receiving an onslaught of text messages containing links, Mr. Mansoor — a frequent target of Emirati surveillance — grew suspicious and passed the texts to security researchers, who determined the links were NSO lures that exploited vulnerabilities in Apple software to take over Mr. Mansoor’s phone. It was, researchers said, the most sophisticated spyware they had ever uncovered on a mobile device.
The discovery forced Apple to release an emergency patch. But by then, Mr. Mansoor had already been fired from his job, had his passport confiscated, his car stolen, his email hacked, his location tracked, his bank account emptied of $140,000, and was beaten by strangers twice in the same week.
“You start to believe your every move is watched. Your family starts to panic,” he said in an interview before he was arrested in 2017. “I have to live with that.”
Even after the U.A.E. was caught spying on Mr. Mansoor, leaked invoices showed that NSO continued to sell the Emiratis millions of dollars’ worth of spyware and services. As for Mr. Mansoor, he was sentenced to 10 years in prison for damaging national unity and is being held in solitary confinement, where his health is deteriorating.
A flurry of news reports followed about countries using NSO products to spy on their citizens, prompting the company to temporarily rebrand itself “Q,” after James Bond’s gadget guru.
Despite the bad news coverage, NSO’s value continued to skyrocket.
Francisco Partners, a private equity firm, purchased a 70 percent stake in NSO for $130 million in 2013. Last month, NSO’s co-founders raised enough money to buy back a majority stake in NSO at a valuation of just under $1 billion. The London private equity firm Novalpina Capital backed the deal — making its major investors, including the Oregon state employees’ pension fund and Alaska’s sovereign wealth fund, part owners of NSO, according to public records.
The proliferation of companies trying to replicate NSO’s success and compete in an estimated $12 billion market for so-called lawful intercept spyware has set off a fierce competition to hire American, Israeli and Russian veterans of the world’s most sophisticated intelligence agencies — and for the companies to poach talent from one another.
In late 2017, NSO executives grew concerned about a spate of resignations. Private detectives hired to investigate soon found themselves on the Mediterranean island of Cyprus, tailing a group of former NSO employees — all veterans of Israel’s Intelligence Unit 8200 — going back and forth to work at a research facility.
The building was owned by a company affiliated with DarkMatter, an Emirati firm that had quietly hired the Israelis to develop technologies for the U.A.E. to conduct cyberoperations against perceived enemies at home and abroad.
DarkMatter also has offices inside a gleaming tower on the highway connecting Abu Dhabi to Dubai, the same building that houses the U.A.E.’s Signals Intelligence Agency, the Emirates’ version of the N.S.A.
This is not by accident. DarkMatter is effectively an arm of the state that has worked directly with Emirati intelligence operatives on numerous missions such as hacking government ministries in Turkey, Qatar and Iran and spying on dissidents inside the Emirates.
DarkMatter has origins in another company, an American firm called CyberPoint that years ago won contracts from the U.A.E. to help protect the Emirates from computer attacks. CyberPoint obtained a license from the American government to work for the Emiratis, a necessary step intended to regulate the export of military and intelligence services. Many of the company’s employees had worked on highly classified projects for the N.S.A. and other American intelligence agencies.
But the Emiratis had outsize ambitions and repeatedly pushed CyberPoint employees to exceed the boundaries of the company’s American license. CyberPoint rebuffed requests by Emirati intelligence operatives to try to crack encryption codes and to hack websites housed on American servers — operations that would have run afoul of American law.
So in 2015 the Emiratis founded DarkMatter — forming a company not bound by United States law — and lured at least a half-dozen American employees of CyberPoint to join. Marc Baier, a former official with the N.S.A. unit that carries out advanced offensive cyberoperations, became one of the firm’s top executives.
DarkMatter employed several other former N.S.A. and C.I.A. officers, according to a roster of employees obtained by The Times, some making salaries of hundreds of thousands of dollars a year.
“The assumption used to be that when you left the N.S.A., you’d never do that kind of offensive work again. Now, clearly there is a market for it,” said Mr. Johnston, the security expert. He worked in the military’s Cyber Command, which works closely with the N.S.A., while serving in the Marines.
“The N.S.A. should consider it their responsibility to ensure that the hacking techniques taught to employees cannot be used against the United States,” he said.
The company did not respond to a request to comment, nor did a spokesman for the Emirati government. Asked whether the ministry had given a license for the former Israeli intelligence operatives working for DarkMatter, a spokesman for the Israeli Ministry of Defense declined to comment. A lawyer for Mr. Baier also declined to comment.
Current and former employees of the spy agency have a lifelong obligation to protect the United States’ secrets, said Greg Julian, a spokesman for the N.S.A. They are also required to report employment or representation with foreign governments for two years after they leave the agency, he said.
Besides its breaches of foreign government ministries, DarkMatter also broke into Gmail, Yahoo and Hotmail accounts, according to former employees. DarkMatter operatives posed as family and friends of the people they targeted to lure them into opening emails that contained malware.
Former employees said that DarkMatter targeted Mr. Mansoor, hacking his child’s baby monitor to eavesdrop on his family. In another operation, the company’s operatives pursued Rori Donaghy, a British activist critical of the Emirati government and its human rights record, who had also been a target of NSO spyware. DarkMatter also targeted Citizen Lab, the Canadian research organization, a former employee said.
DarkMatter told the employees that spying on American citizens would be off limits, but it proved to be an empty pledge.
In one operation, not previously reported, a DarkMatter subsidiary began an expansive effort to intercept cellular communications in Qatar, occasionally catching communications of Americans in the surveillance net in late 2015. One American working on the project said he raised concerns with his superiors, including a former C.I.A. officer in charge of the effort. The American, along with another, was pulled off the project and asked to sign a nondisclosure agreement.
In repeated instances, DarkMatter collected information about Americans, a second former employee said. Most of those cases involved Americans who worked for foreign organizations — including human rights groups — that DarkMatter targeted because they had been critical of the Emirati government, the former employee said.
DarkMatter operatives would occasionally collect passport information, applications or résumés belonging to Americans who applied to work at these organizations. One former employee said that the collection was accidental, and the records were expunged from the company’s databases.
In 2017, a former N.S.A. hacker began providing F.B.I. agents with information about the company’s activities, according to the Reuters report. Foreign Policy first reported the F.B.I. investigation.
The informant, Lori Stroud, said she had become concerned about the company’s surveillance of Americans. She later left the firm along with several other Americans because they could not be sure that DarkMatter was not deliberately targeting citizens. Soon, F.B.I. agents began stopping American employees at airports as they entered the United States and questioned them about DarkMatter’s operations, according to former company employees.
The Justice Department’s case, run by prosecutors in Washington, focuses on internet fraud and the possibly illegal transfer of spying technology to a foreign country.
But the prosecutors face headwinds, including diplomatic concerns about jeopardizing the United States’ relationship with the U.A.E. — an influential country that has developed close ties to the Trump administration — and worries about how pursuing the case could expose embarrassing details about the extent of the cooperation between DarkMatter and American intelligence agencies.
And there is the reality that American laws governing this new age of digital warfare are murky, outdated, and ill-equipped to address rapid technological advances. The rules governing what American intelligence and military personnel can and cannot provide to foreign governments were meant to keep a leash on 20th-century warfare — selling missiles or planes overseas or training foreign forces on Army tactics.
But they do not address hacking skills that can be honed in front of a laptop, or at the world’s most advanced intelligence agencies, and sold to the highest bidder.
“The worst part of it is the weapons are easier to get,” said Brian Bartholomew, the principal security researcher at Kaspersky Lab, a digital security company.
“You’ve got a lot of people entering the arena that are new and don’t play by the same rules,” he said. “It’s like putting a military-grade weapon in the hands of someone off the street.”