Secretive businessmen have established a thriving global market for hacking tools

It’s a shadowy $12bn (£8.8bn) industry, which Microsoft President Brad Smith warned last month is booming – and poses a grave threat to both governments and business.

Perhaps understandably, it’s not easy getting cyber mercenaries to talk. These secretive businessmen have established a thriving global market for hacking tools sold to governments and businesses, giving them the ability to spy on criminals, but also journalists and activists.

The industry is becoming increasingly controversial, leading to lawsuits and scrutiny from activists.

So when an anonymous employee of Memento Labs, a Swiss seller of hacking software, sends an invitation to a video call with the company’s chief executive, it is a rare chance to grill one of the people behind the industry.

Paolo Lezzi, Memento’s chief executive, appears in a grey jumper over a blue shirt. The room behind Lezzi, a middle-aged Italian, is shown for a second before it’s hidden by a virtual background of his company’s logo.

“Our customers are not customers where you can just knock on their door,” Lezzi says, banging his knuckles on an imaginary door.

Businesses like Memento Labs and industry leader NSO Group provide government departments with hacking tools that can give them access to targets’ smartphones for an annual fee.

This access is like being given a key to their digital home. It allows a government to turn on their microphone, view their photographs and read their messages. Modern spyware allows this to be done invisibly, meaning the target often has no idea that they are being watched.

Executives like Lezzi say they have no knowledge of who their customers choose to track. “We have no visibility on what they are doing,” Lezzi says. “We can only check before, and it is written in all the papers they sign, that they cannot use it for mass surveillance.”

Hacking tools are subject to export controls, but blacklisted nations attempt to get their hands on them anyway. Lezzi says countries offer to pay him double or triple his usual rates to illegally gain access to his spying software. 

“We prefer not to make money from them,” he says. “It happens that they ask to do exportation without permission, but this is something that we don’t want to do.”

Open to abuse

While Lezzi is hoping to attract customers for his hacking software, others are scrambling to take down this industry.

“I promise I’m not drawing a bath,” says John Scott-Railton with a laugh as he runs a tap to begin cleaning his groceries following a mid-pandemic trip to a Los Angeles supermarket.

Scott-Railton is a senior researcher at Citizen Lab, part of the University of Toronto’s Munk School. The group works with journalists and activists to examine their smartphones for signs of hacking. Over the years, they have found alarming examples of commercial spyware used to intercept the messages of activists and their families.

“It wasn’t just journalist Carmen Aristegui who was exposing corruption in Mexico. It was also her teenage son away at boarding school in the US,” Scott-Railton recalls. “It wasn’t just a journalist who had been critical of cartels in Sinaloa, it was his widow after he was assassinated.”

Weeks before the call, Citizen Lab published details of a campaign which it said intercepted the messages of 36 Al Jazeera journalists using servers that were partly based in the UK.

“Some of the infections in that targeting were in the UK,” Scott-Railton says. “We have found targets in the UK before.”

The Government is increasingly concerned about the surveillance of people in the UK by foreign governments, sources say.

“We always knew this sort of thing could happen on the dark web surreptitiously but to have it happening legally and overtly is pretty weird,” says a security source.

‘Life-saving tools’

The actions of activists have frustrated sellers of hacking tools who see themselves as providing an essential service to law enforcement organisations that lack digital expertise.

A spokesman for NSO says the company has repeatedly tried to work with Citizen Lab following claims of abuse of its software.

Citizen Lab has declined to turn over data, leading NSO to claim the research organisation “seems to worry more about protecting the privacy of terrorists, paedophiles, and drug cartel bosses than about the safety of citizens around the world.”

“NSO will continue to develop life-saving tools for use by vetted and authorised governmental law enforcement and intelligence agencies,” the company’s spokesman said, adding that the business investigates claims of abuse of hacking tools and has recently shut down customers found to have abused the tools.

Lezzi also believes these activists are misguided. He issues a lengthy exhale of breath when asked about their views. “Do you use the same approach towards a producer of guns? Because even a gun can be used for lawful purposes or not,” he says.

Some in the cybersecurity field sympathise with this view, noting that these companies allow police forces in poorer nations to keep up with hacking tools developed by richer countries.

Nevertheless, concern over the misuse of this technology is growing, with Microsoft president Brad Smith writing in a December blog post that private hacking vendors represent an “evolving threat” that spells “bad news”.

Legal challenges

“What NSO are doing is building things that are not just technically good and sophisticated but if they’re used with the right tradecraft they can be extremely effective. I think that’s why you’re seeing a bit of a reaction,” says Alan Woodward, a computer security expert and visiting professor at the University of Surrey.

WhatsApp filed a lawsuit against NSO in 2019, accusing the business of hacking 1,400 of its users as part of what it called an “unmistakeable pattern of abuse.” Microsoft, Google and other technology companies filed an amicus brief in support of the lawsuit.

NSO wrote in its filings in response that WhatsApp “conflated” NSO’s work with the actions of what it called its “sovereign customers.”

“Permitting this litigation to proceed would infringe critical national security and foreign policy concerns of sovereign governments,” the company’s lawyers wrote.

Others have taken matters into their own hands. Hacking Team, a well-known Italian cyber mercenary business, was hacked in 2015 and internal correspondence spilled on to the internet.

Lezzi purchased the remains of Hacking Team and is hoping to restore trust in the company, a process that explains why he was the only industry executive willing to talk about his trade. “We had to recover our reputation that had failed,” he says.

Activists now hope to persuade governments to change the rules on the export of hacking technology. 

“We are calling for a moratorium on selling surveillance tools until there is a regulatory framework solid enough to prevent abuse,” says Etienne Maynier, a security researcher at Amnesty International.

Maynier doesn’t believe companies can be trusted to police themselves and turn away countries that wish to pay them. “We cannot trust companies to do something that harms the business,” he continues.

Tel Aviv in Israel has become a key hub of spyware as well as legal attempts to limit its spread

Activists face an uphill struggle convincing governments to block an industry they have spent millions of dollars on since the nineties. 

Last year, a court in Tel Aviv rejected a case supported by Amnesty International that asked Israel’s Ministry of Defence to revoke NSO’s licence to export hacking tools. The judge ruled that the ministry was “thorough and meticulous” in selecting which licences to grant.

Cyber mercenaries are facing greater scrutiny than ever before, but it’s coupled with strong demand from customers for tools that may help them to track down terrorists.

Lezzi is unconcerned about negative headlines about the sector causing problems for his business. Government agencies “have to do their job,” he says. “If they need the technology, they will call you even if the same day there is a big article in the paper.”