Three former members of the American intelligence or military forces who later were paid to hack computers for the United Arab Emirates (UAE) will not be criminally prosecuted after the U.S. Department of Justice granted a “deferred prosecution agreement” that has them pay $1,685,000 “to resolve a Department of Justice investigation regarding violations of U.S. export control, computer fraud and access device fraud laws.”
Marc Baier, Ryan Adams, and Daniel Gericke worked for a UAE-based company that “carried out computer network exploitation” for the benefit of the UAE government between 2016 and 2019, including sophisticated “zero-click” hacking that could “compromise a device without any action by the target.” These hacks were used to break into computers and phones around the world, including within the U.S., and to gain passwords from U.S. companies, the DOJ said Tuesday.
They did so despite being repeatedly informed that such work required approval from the State Department under the International Traffic in Arms Regulations, the department said.
Mark J. Lesko, Acting Assistant Attorney General for the National Security Division, said in a press release that the money-instead-of-prison deal is “the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States.”
“Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct,” he said, even though the men were not prosecuted.
Acting U.S. Attorney for D.C. Channing D. Phillips indicated that the men were not given favorable treatment because of their connections to national security entities — which work closely with prosecutors such as Lesko — saying, “A U.S. person’s status as a former U.S. government employee certainly does not provide them with a free pass in that regard.”
The department described Gericke as a “former U.S. citizen.”
The deal says:
Under the terms of the DPA, Baier, Adams and Gericke agreed to pay $750,000, $600,000, and $335,000 respectively, over a three-year term, which they may not be reimbursed for without the express approval of the U.S. government. In addition to the financial penalties, as part of the DPA, the defendants agreed to full cooperation with the relevant Department and FBI components; the immediate relinquishment of any foreign or U.S. security clearances; a lifetime ban on future U.S. security clearances; and certain future employment restrictions, including a prohibition on employment that involves CNE activity or exporting defense articles or providing defense services under the ITAR (e.g., CNE techniques), and restrictions on employment for certain U.A.E. organizations.
In 2019, Reuters detailed the “Secret Hacking Team of American Mercenaries” called Project Raven, which “utilized a powerful new hacking tool called Karma, which allowed operatives to break into the iPhones of users around the world.”
The same year, The Intercept said the firm DarkMatter discussed targeting one of its journalists.