Three former U.S. intelligence operatives have admitted to working illegally as mercenary hackers for the United Arab Emirates in operations that included developing sophisticated spyware capable of tapping into mobile devices without any action by their users, the Justice Department announced Tuesday.

The men — charged with conspiring to violate U.S. military export control and computer fraud law — were allegedly part of a clandestine effort that helped the UAE spy on targets around the world, using servers and computers and evading detection by providers of compromised devices, including in the United States.

Such “zero-click remote exploits” are considered a Holy Grail for surveillance by government, corporate and criminal entities because they grant access to devices virtually invisibly. The discovery of a similar advanced hack on a Saudi activist’s iPhone prompted Apple on Monday to issue an emergency software update for its products worldwide.

Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40, entered a deferred prosecution agreement with the federal government in which they admitted their conduct and agreed to give up $1.7 million and U.S. security clearances, restrict their future employment and “cooperate fully” with investigators.

In return, U.S. prosecutors agreed to drop all charges after a three-year period, according to a 48-page agreement signed by the men on Sept. 7.

Court filings did not explicitly say why the government offered the concession. But U.S. officials alluded to the legal novelty of the case, in which the men were allegedly part of Project Raven. First disclosed by Reuters in 2019, the secret project helped the wealthy Persian Gulf nation spy on targets including journalists, foreign leaders, dissidents and even U.S. citizens.

The news service reported that the State Department in 2014 was aware that contractors were helping the emirates launch
cyber-surveillance operations through an American company licensed to access military technical data and services.

“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States,” said Mark J. Lesko, acting assistant U.S. attorney general for the national security division.

“Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct,” Lesko said in a Justice Department statement.

While Apple disclosed Monday that it acted to close a vulnerability exploited by invasive spyware from Israel’s NSO Group, the Justice Department’s legal action Tuesday spotlighted earlier activity of DarkMatter, an NSO competitor working for another key U.S. Middle East ally in the UAE.

Reuters previously reported that Baier was a program manager for Project Raven, adding Tuesday that Adams and Gericke were operators within the effort.

Reuters reported that Raven started with a Maryland company that had a State Department export license, but in 2015, the U.S. said in court filings, the Emirates government transferred the work to a UAE-based company, DarkMatter, with some American employees making the switch.

According to the Justice Department, the Maryland company was required under its State Department agreement to obtain approval before releasing information regarding “cryptographic analysis and/or computer network exploitation or attack,” and was barred from targeting U.S. people, companies or entities in the United States.

The Maryland company warned employees leaving for the UAE company that they could not continue their work without obtaining a new State Department approval.

However, in court papers, the defendants acknowledged they ignored warnings. Between January 2016 and November 2019, the defendants and other employees expanded the breadth and sophistication of hacking operations, the government said, including by acquiring a powerful tool named Karma — which Reuters reported was used to remotely break into iPhones.

In charging papers, the Justice Department confirmed that the UAE employees created two similar “zero-click” intelligence-gathering systems — which they called Karma and Karma 2. The systems leveraged servers in the United States belonging to a “U.S. Company Two,” apparently Apple, to obtain remote unauthorized access to any of tens of millions of smartphones and mobile devices using the company’s operating system, including in the United States.

The company updated its operating system in September 2016, undercutting Karma, prosecutors said. In summer 2017, the FBI informed the company that its devices were vulnerable to Karma 2, leading to another operating system update that August, the Justice Department said.

In a statement to Reuters, Lori Stroud, a former NSA analyst who worked on Project Raven and then acted as a whistleblower, commended the FBI’s “dedication to justice” and the news service for its investigative journalism, saying, “the timely, technical information reported created the awareness and momentum to ensure justice.”

Attorneys for the three defendants did not immediately respond to an emailed request for comment.

A spokesman for the National Security Agency declined to comment.

A State Department spokesman referred questions to the Justice Department, but added, “The Department takes seriously all alleged violations of the Arms Export Control Act and the International Traffic in Arms Regulations, particularly those that may harm the national security and foreign policy interests of the United States.”

Asked why it agreed to potentially dismiss charges against the men, a Justice Department official said the case is the first of its kind and is intended to serve as a warning to others who could now be fully prosecuted for similar conduct. The official, who spoke on the condition of anonymity because the person was not authorized to speak publicly, said the financial penalties and lifelong employment limitations are significant, as reflected by the criminal resolution for activity not backed by the U.S. government.

In a statement, FBI Washington Field Office head Steven M. D’Antuono said the defendants were informed on several occasions that their work constituted a “defense service” requiring a military export license from the State Department’s Directorate of Defense Trade Controls.

“These individuals chose to ignore warnings and to leverage their years of experience to support and enhance a foreign government’s offensive cyberoperations,” D’Antuono said.

Former U.S. government employees do not enjoy a “free pass” to provide defense services with licenses and oversight, said acting U.S. attorney Channing D. Phillips of Washington.

John Hudson contributed to this report.