Three former members of the United States military or United States Intelligence Community (USIC) have been fined for providing hacking-related services to a foreign government.
United States citizens, 49-year-old Marc Baier and 34-year-old Ryan Adams, and 40-year-old former US citizen Daniel Gericke were investigated by the Department of Justice (DOJ) over claims that they had violated US export control, computer fraud, and access device fraud laws.
On September 7, the three men entered into a deferred prosecution agreement (DPA) with the DOJ that requires them to pay $1,685,000 in penalties. The agreement also places restrictions on the future activities and employment of the three men.
According to court documents, between 2016 and 2019, all three defendants worked as senior managers at a company based in the United Arab Emirates (UAE) that performed and supported hacking for the benefit of the UAE government.
Services carried out by the defendants included the provision of support, direction and supervision in creating sophisticated “zero-click” computer-hacking and intelligence-gathering systems capable of compromising a device without any action being taken by the target.
The zero-click exploits were later deployed by other employees at the UAE-based company to illegally obtain and use access credentials for online accounts issued by companies in the United States. The exploits were further used to obtain unauthorized access to mobile phones and computers in the United States and worldwide.
The State Department’s Directorate of Defense Trade Controls (DDTC) informed the defendants on multiple occasions that the work they were doing was a “defense service” as defined under the International Traffic in Arms Regulations (ITAR) and that they needed a license from the State to provide the services they were carrying out.
“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States,” said Acting Assistant Attorney General Mark J. Lesko for the Justice Department’s National Security Division.