Three former U.S. National Security Agency employees have been fined after they were found to have worked in the United Arab Emirates for a company that spied on and hacked political dissidents and others.

The three men, Marc Baier, Ryan Adams and Daniel Gericke, allegedly worked for DarkMatter, an Abu Dhabi-based cybersecurity firm run by UAE intelligence officials between 2016 and 2019. DarkMatter has been linked to several hacking campaigns, including a nefarious messaging app in 2019.

The same year, Reuters linked the former NSA employees to “Project Raven,” a team inside DarkMatter that consisted of more than a dozen former U.S. intelligence operatives. The project developed Karma and Karma 2, two iOS zero-click exploits, those that work even without the victim clicking on a link, that were designed to target iPhones. UAE officials used the exploits to spy on dissidents, reporters and government opposition leaders.

However, the hacking did not stop within the borders of the UAE. The Department of Justice claims the zero-click exploits were also used to access credentials for online accounts issued by U.S. companies and gain access to phones around the world, including in the U.S.

As it turns out, former NSA employees working in a foreign country require a special license. None of the three accused had a license issued under the International Traffic in Arms Regulations. Under the regulation, companies and individuals who provide defense-related services to a foreign government must obtain a license from the State Department’s Directorate of Defense Trade Controls.

The fines imposed on the three accused were part of a settlement in lieu of pursuing criminal charges. As part of the settlement, all three must fully cooperate with relevant departments and the Federal Bureau of Investigation and relinquish foreign and U.S. security clearances. They’re also banned from future employment that involves computer network exploitation. Finally, they were given a lifetime ban on future U.S. security clearances and are restricted from working for certain UAE organizations.

“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States,” Acting Assistant Attorney General Mark J. Lesko said in a statement. “Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct.”

The fines totaled $1.685 million, with Baier, Adams and Gericke agreeing to pay $750,000, $600,000 and $335,000, respectively, over a three-year term.

Photo: Wikimedia Commons