Unjustified: Former NSA employees who created Pegasus-like tools for UAE will pay $1.6 million to avoid jail time

In a controversial decision, the U.S. Department of Justice (DOJ) announced that it reached an agreement with three former US intelligence agents, who will pay a millionaire fine due to their collaboration with the government of the United Arab Emirates (UAE) for the development of sophisticated espionage tools.

Marc Baier (49), Ryan Adams (34), and Daniel Gericke (40) will pay a total of $1.6 million as a fine after acknowledging their participation in Project Raven, a UAE government plan aimed at spying on activists, dissidents and political opponents using hacking tools implemented on the smartphones of persons of interest. With this agreement, developers will avoid spending time in federal prison.

After one of the developers of these tools expressed concern about the kind of activities the UAE government required them to perform, investigative and journalism agencies began digging into Project Raven.

According to the DOJ, the three individuals were part of the board of an Arab company, from where they developed hacking tools similar to Pegasus and organized the attacks: “Their functions included the direction, deployment and supervision of advanced intelligence work and ‘zero-click’ hacking,” the report states. As some users will recall, a zero-click cyberattack allow attackers to compromise an affected system without the need for interaction with the target, so it is considered a very dangerous hacking variant.

Inside Project Raven, the hacking tools developed by the defendants were known as KARMA and KARMA 2. This tool was capable of obtaining login credentials, messages, call history, and authentication tokens issued by email providers, cloud storage services, and social media platforms.

The defendants also ignored a U.S. government order and violated export control laws because they failed to notify the disclosure of information and deployment of cryptographic analysis, and their targets of attack included some U.S. citizens.

While Baier must pay $750,000 USD, Adams was fined $600,000 USD and Gericke will pay $335,000 USD, in addition to cooperating with the Federal Bureau of Investigation (FBI) in subsequent investigations potentially related to his participation in Project Raven. The agreement also prohibits the defendants from seeking any work related to national security, computer infrastructure development and defense issues in the U.S.

Although some consider this to be an excessive penalty, the settlement has already been recognized by the DOJ, making the decision irreversible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.