DOJ: Former US intel personnel fined $1.68M for providing hacking services to foreign gov

The agreement restricts their future activities and employment

Parlaying a U.S. government intelligence career into providing unlicensed hacking services for a foreign government is a definite no-no, the Department of Justice said this week. 

The services provided by three U.S. citizens working as senior managers at a United Arab Emirates–based company violated U.S. Export Control and Computer Fraud and Abuse Laws, the DOJ said

The three defendants, Marc Baier, 49, and Ryan Adams, 34, and a former U.S. citizen, Daniel Gericke, 40 – all former employees of the U.S. Intelligence Community or the U.S. military – agreed to pay $1,685,000 in penalties as part of a deferred prosecution agreement. 

Three former intelligence employees agreed with the The U.S. Department of Justice to pay $1.68 million for offering hacking services to a United Arab Emirates company. (Photo by Kevin Dietsch/Getty Images / Getty Images)

DURHAM'S RUSSIA 'ORIGINS' PROBE: REQUEST FOR GRAND JURY INDICTMENT MAY BE HOURS AWAY

The agreement also restricts their future activities and employment.

The defendants were part of a "clandestine unit named Project Raven that helped the UAE spy on its enemies," according to Reuters

The defendants "supported and carried out computer network exploitation operations" – otherwise known as hacking – "for the benefit of the U.A.E government between 2016 and 2019," according to court documents.

The defendants were warned that their work for the U.A.E. company constituted a defense service, which requires a license from the State Department’s Directorate of Defense Trade Controls (DDTC). Despite the warning, the defendants proceeded to provide services without a license.

 LAW ENFORCEMENT LEADERS RIP BIDEN DOJ AS 'ANTI-POLICE' DUE TO NEW ACTIONS MONITORING POLICE DEPARTMENTS

Worse, one of the services provided is considered a particularly malicious type of hack known as "zero-click," where malware can be downloaded without any user interaction. Typically, a user clicks on a malicious link, for example, to execute the malware. 

The U.A.E. company employees then "leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States," the DOJ said.

The provision of so-called mercenary hacking services is not a small problem. This past week a serious iPhone hack was linked to a company providing mercenary hacking services.

"Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct," said acting Assistant Attorney General Mark J. Lesko for the Justice Department’s National Security Division in a statement.

DOJ LAUNCHES INVESTIGATION INTO GEORGIA PRISONS OVER ALLEGED CIVIL RIGHTS VIOLATIONS

Jake Williams, co-founder and CTO at BreachQuest, an Augusta, Georgia–based company that provides incident response, said that the persons involved should have been aware of the consequences of their work.

"There's little question in my mind that Project Raven crossed a legal boundary. What is less clear is whether the U.S. persons involved knew the project would be used to target other U.S. persons and U.S. organizations," Williams told FOX Business.

 CLICK HERE TO GET THE FOX NEWS APP

"Given that the original mission was slated as counter terrorism, a mission that is very loosely defined by its nature, it was predictable that might be the ultimate outcome," Williams said. 

"[When] U.S. companies and U.S. persons were targeted under the program, every U.S. person involved likely knew it was only a matter of time before some legal action was taken," Williams added.