Jail Time for Private Detective

Private detective who led a hacking operation against climate activists, short sellers and others sentenced

Several years ago, we investigated a sprawling hack-for-hire operation targeting a cross section of civil society: lawyers, journalists, activists, and short sellers. That investigation resulted in the 2020 Citizen Lab report, Dark Basin: Uncovering a Massive Hack-For-Hire Operation. Now, a key figure involved in that operation, a private investigator named Aviram Azari, has been sentenced to 80 months in U.S. prison.

Aviram Azari, Israel-based private detective, facing consequences for his role in a hack-for-hire operation exposed by the Citizen Lab

Here’s the story.

Starting around 2017, we were alerted to what appeared to us at first blush to be a phishing campaign targeting victims in the energy sector with some kind of Eurasian nexus. We had just finished a major report analyzing a Russian hack-and-leak operation, entitled “Tainted Leaks,” and some of the characteristics of this new campaign seemed to match tactics used by the perpetrators in that other investigation. (We suspected Russian threat actors, in other words.) But as we began digging further and identifying more victims, we realized that what we were unearthing went far beyond Russia and Eurasia.

There was an ingenious investigatory technique that then-Citizen Lab researcher Adam Hulcoop employed in the Tainted Leaks investigation which came in handy in the Dark Basin investigation. The hackers used a free, web-based link shortener to craft the links in their phishing emails. Hulcoop figured out that we could systematically unravel those shortened links, which allowed us to identify and notify numerous additional victims. (It wasn’t the only mistake the operators made; more on that later.) The details of that particular technique are explained in more detail here.

One of the victims we worked with was Matthew Earl, a UK-based short seller. A short seller is someone who bets on companies being overvalued and their stocks dropping. Earl was short selling a Germany-based financial processing firm called Wirecard, which seemed to him to be grossly overvalued and involved in some shady business dealings. He wrote about it at the time and Wirecard didn’t like it, so the company went out and hired Azari, who in turn hired a hack-for-hire firm to break into Earl’s email accounts and publish incriminating things about him. Earl faced all sorts of other harassment because of his dealings with Wirecard. You can listen to Earl and Citizen Lab researcher John Scott-Railton recounting our investigation in this riveting NPR episode.

Shortly after our report was published in June 2020, Wirecard filed for insolvency, exposed as a massive fraud. German authorities launched a criminal investigation. One of the principals of Wirecard, Jan Marsalek, became a fugitive from the law and fled to Russia, where he appears to be living free under some kind of Russian security service protection. Meanwhile, the former CEO, Markus Braun, is facing numerous criminal charges in Germany, including fraud, breach of trust and accounting manipulation.

But Earl and Wirecard weren’t the only pieces of this puzzle. We identified numerous other victims of this phishing operation, including activists working on net neutrality in the United States and environmental and climate crisis advocates involved in the so-called ExxonKnew campaign – so-called, that is, because the campaigners alleged the oil giant was aware of fossil fuels’ contribution to the climate crisis but actively sought to bury the evidence in order not to hurt its bottom line.

Our sleuthing eventually identified a Delhi, India-based hack-for-hire firm called BellTroX, which was being contracted to hack the targets we were investigating. The hackers at BellTroX made a number of sloppy operational mistakes that allowed us to identify them, including boasting about their computer hacking skills on their LinkedIn profiles and using their own resumes as bait for test phishing messages.

In the end, some of the victims we notified were rightfully upset about the hacking they experienced and filed complaints with law enforcement. The U.S. Southern District of New York began an investigation. At the request of the victims, we cooperated with that investigation and turned over some of the relevant data we collected to the prosecutors. The SDNY investigation eventually led to the arrest and conviction of Azari.

So what’s Azari’s role in all of this? The bottom line is that he was a middleman. There are good details in the DOJ’s press release, and you can read the U.S. government’s sentencing memorandum here, which has even more details.

Born in Israel, Azari was a former policeman who left the force and spun up a private investigation service, called “Aviram Hawk” or “Aviram Netz.” Clients contracted Azari when they had a problem to fix. He then hired BellTroX to hack people’s emails, which would then be used in whatever ways the clients wanted. We know from the U.S. conviction that Wirecard was one such client. But who contracted Azari to engineer the hacking of the ExxonKnew campaigners, the net neutrality advocates, or the other victims we identified in our Dark Basin investigation is not known, since Azari kept his mouth shut (and paid the price in jail time). By the way, the U.S. authorities say Azari made about $4.8 million over this time running his schemes, which he is now being required to turn over to the U.S. government.

There are some excellent investigations of the Indian hack-for-hire industry that have been undertaken since our Dark Basin investigation. Journalists Raphael Satter, Chris Bing, and their colleagues at Reuters spent years digging into the Indian hack-for-hire marketplace, showing how such firms are routinely employed in litigation battles, and just last week published a deep dive on one such firm, called Appin, veterans of which formed BellTroX. David Kirkpatrick of The New Yorker also published a very detailed profile of BellTroX and the Indian hack-for-hire industry. I highly recommend their stories for more on this sordid underbelly of global subversion.

Implications

What do we learn from all of these investigations? The private intelligence and hack-for-hire industry is spreading wildly, is largely unregulated, and is implicated in all sorts of abuses and criminal acts. Although we can chalk up a win for law enforcement in this particular case, the victory is partial, since Azari was only a middleman. The ultimate perpetrators (i.e., those who hired Azari) remain unpunished. And for every successful conviction like this, no doubt countless other schemes like it go undetected. That gap leaves many victims understandably frustrated. “While it’s satisfying to see Azari sentenced for these crimes committed many years ago,” explained Kert Davies of the Center for Climate Integrity, himself a victim of the hacking scheme we exposed, “we would still love to know who paid him to target me and my climate activist and lawyer colleagues.”

Sadly, it is normal today for big corporations, law firms, private investigators and those they hire to brazenly violate the law and hack targets in order to stymie bad publicity or interfere in political advocacy efforts. It’s a real mess, and I think it’s going to get a lot worse before it gets better, unfortunately. However, it is also gratifying to know that our research efforts helped to bring about even a small measure of justice.


Media and Other Related Coverage

Financial Times

Reuters

New York Times (2020)

Union of Concerned Scientists’ Statement

Citizen Lab senior researcher John Scott-Railton, who led our Dark Basin investigation, has an X thread on the sentencing here.