Under an agreement revealed on Tuesday, three former US intelligence agents who worked as cyber spies for the United Arab Emirates (UAE) admitted to breaking US hacking laws and bans on selling classified military technologies.
Marc Baier, Ryan Adams, and Daniel Gericke were members of Project Raven, a covert team that assisted the UAE in spying on its adversaries.
According to reports, the Project Raven team hacked into the accounts of human rights activists, journalists, and competitor nations at the request of the UAE monarchy.
According to court papers filed in federal court in Washington DC on Tuesday, the three individuals admitted to hacking into computer networks in the United States and exporting advanced cyber infiltration tools without first obtaining required approval from the US government.
To escape punishment, the three former intelligence officials agreed to pay a total of $1.69 million and never apply for a security clearance in the US again, which is required for jobs that need access to national security secrets.
“Hackers-for-hire and those who otherwise support such activities in violation of US law should fully expect to be prosecuted for their criminal conduct,” Acting Assistant Attorney General Mark J. Lesko for the Justice Department’s National Security Division said in a statement.
Project Raven revelations in 2019 exposed a rising trend of former CIA officers selling their spycraft overseas with no control or responsibility.
“This is a clear message to anybody, including former US government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company,” Assistant Director Bryan Vorndran of the FBI’s Cyber Division said in a statement.
Former program operatives claimed they thought they were following the law because supervisors assured them that the operation had been sanctioned by the US government.
According to court documents, Baier, Adams, and Gericke admitted to using a sophisticated cyberweapon known as “Karma” that allowed the UAE to hack into Apple iPhones without requiring a target to click on harmful links.
Karma gave users access to tens of millions of devices and was classified as an intelligence collection technology by the US government. The operatives, however, did not receive the necessary clearance from the US government to sell the tool to the UAE, according to authorities.