Undercover Spy Exposed in NYC Was 1 of Many

When mysterious operatives lured two cybersecurity researchers to meetings at luxury hotels over the past two months, it was an apparent bid to discredit their research about an Israeli company that makes smartphone hacking technology used by some governments to spy on their citizens.

Mnet 205133 Cybersecurity Private Spying Operatives Ap

LONDON (AP) — When mysterious operatives lured two cybersecurity researchers to meetings at luxury hotels over the past two months, it was an apparent bid to discredit their research about an Israeli company that makes smartphone hacking technology used by some governments to spy on their citizens. The Associated Press has now learned of similar undercover efforts targeting at least four other individuals who have raised questions about the use of the Israeli firm's spyware.

The four others targeted by operatives include three lawyers involved in related lawsuits in Israel and Cyprus alleging that the company, the NSO Group, sold its spyware to governments with questionable human rights records. The fourth is a London-based journalist who has covered the litigation. Two of them — the journalist and a Cyprus-based lawyer — were secretly recorded meeting the undercover operatives; footage of them was broadcast on Israeli television just as the AP was preparing to publish this story.

All six of the people who were targeted said they believe the operatives were part of a coordinated effort to discredit them.

"There's somebody who's really interested in sabotaging the case," said one of the targets, Mazen Masri, who teaches at City University, London and is advising the plaintiffs' attorney in the case in Israel.

Masri said the operatives were "looking for dirt and irrelevant information about people involved."

The details of these covert efforts offer a glimpse into the sometimes shadowy world of private investigators, which includes some operatives who go beyond gathering information and instead act as provocateurs. The targets told the AP that the covert agents tried to goad them into making racist and anti-Israel remarks or revealing sensitive information about their work in connection with the lawsuits.

NSO has previously said it has nothing to do with the undercover efforts "either directly or indirectly." It did not return repeated messages asking about the new targets identified by the AP. American private equity firm Francisco Partners, which owns NSO, did not return a message from the AP seeking comment.

The undercover operatives' activities might never have been made public had it not been for two researchers who work at Citizen Lab, an internet watchdog group that is based out of the University of Toronto's Munk School.

In December, one of the researchers, John Scott-Railton, realized that a colleague had been tricked into meeting an operative at a Toronto hotel, then questioned about his work on NSO. When a second operative calling himself Michel Lambert approached Scott-Railton to arrange a similar meeting at the Peninsula Hotel in New York, Scott-Railton devised a sting operation, inviting AP journalists to interrupt the lunch and videotape the encounter.

The story drew wide attention in Israel. Within days, Israeli investigative television show Uvda and The New York Times identified Lambert as Aharon Almog-Assouline, a former Israeli security official living in the plush Tel Aviv suburb of Ramat Hasharon.

By then, Scott-Railton and the AP had determined the undercover efforts went well beyond Citizen Lab.

Within hours of the story's publication, Masri wrote to the AP to say that he and Alaa Mahajna, who is pursuing the lawsuit against NSO in Israel, had spent weeks parrying offers from two wealthy-sounding executives who had contacted them with lucrative offers of work and insistent requests to meet in London.

"We were on our guard and did not take the bait," Masri wrote.

Masri's revelation prompted a flurry of messages to others tied to litigation involving NSO. Masri and Scott-Railton say they discovered that Christiana Markou, a lawyer representing plaintiffs in a related lawsuit against NSO-affiliated companies in Cyprus, had been flown to London for a strange meeting with someone who claimed to be a Hong Kong-based investor. Around the same time, Masri found out that a journalist who had written about NSO was also invited to a London hotel — twice — and questioned about his reporting.

"Things are getting more interesting," Masri wrote as the episodes emerged.

___

John Scott-Railton, a senior researcher at the Citizen Lab, an internet watchdog group, holds his cell phone which has its camera blocked by an adhesive sticker, as he poses for a photograph, Thursday, Jan. 17, 2019, in New York. In December 2018, he realized that one of his colleagues had been tricked into meeting an undercover spy at a Toronto hotel. When a second operative calling himself Michel Lambert approached Scott-Railton to arrange a similar meeting in New York, the cybersecurity researcher devised a sting operation, inviting AP journalists to crash the lunch and videotape the encounter. (AP Photo/Kathy Willens)John Scott-Railton, a senior researcher at the Citizen Lab, an internet watchdog group, holds his cell phone which has its camera blocked by an adhesive sticker, as he poses for a photograph, Thursday, Jan. 17, 2019, in New York. In December 2018, he realized that one of his colleagues had been tricked into meeting an undercover spy at a Toronto hotel. When a second operative calling himself Michel Lambert approached Scott-Railton to arrange a similar meeting in New York, the cybersecurity researcher devised a sting operation, inviting AP journalists to crash the lunch and videotape the encounter. (AP Photo/Kathy Willens)

Like Almog-Assouline, the undercover operative the AP exposed in New York, the covert agents who pursued the lawyers made a string of operational errors.

The attempt to ensnare Alaa Mahajna, the lead lawyer in the Israeli suit, was a case in point.

On Nov. 26 he heard from a man who said his name was Marwan Al Haj and described himself as a partner at a Swedish wealth management firm called Lyndon Partners. Al Haj offered Mahajna an intriguing proposition. Al Haj said one of his clients, an ultra-rich individual with family ties to the Middle East, needed legal assistance recovering family land seized by Jewish settlers following the 1967 Arab-Israeli war.

"I believe you may be a good fit for this challenging task," Al Haj wrote.

The request made sense. As a human rights lawyer based in Jerusalem, Mahajna has defended Palestinian activists and others at the receiving end of the Israeli government's ire. But Mahajna became suspicious as he tried to learn more about the case. Al Haj was cagey about his client and seemed unwilling to provide any paperwork, Mahajna told the AP.

"Not even the basic stuff," Mahajna said. "Usually people flood you with documents and stories."

Mahajna said he was unsettled when Al Haj suddenly offered him an all-expenses-paid trip to London; no one had even asked him whether the case had any hope of success.

"At some point it was abundantly clear that this is not a bona fide approach," Mahajna said.

Ten days later, Masri, the legal adviser in the Israeli lawsuit, received an email offering him a place on the advisory board of a Zurich-based company called APOL Consulting.

Masri became skeptical after he checked out the company's website. Consulting firms typically trade on their employees' intelligence and skill, so Masri expected the company's site to prominently display the names, headshots and qualifications of its staff.

"Here there wasn't even a name of one human," he said.

When Masri turned down the position on APOL's board, the representative who'd contacted him — a man who called himself Cristian Ortega — pressed Masri to see him in London anyway.

"I would consider it a privilege to have a chance to meet you in person for a friendly chat," Ortega said in a Jan. 7 email. "No strings attached of course."

Masri said that by then he and Mahajna had come to believe that Ortega and Al Haj were fictions and that their companies were imaginary.

But they didn't yet know how widespread the covert operations were.

___

The undercover agents got a little further with Christiana Markou, the lawyer who is pursuing the Cypriot case against NSO-affiliated entities.

Her lawsuit, like Mahajna's, draws heavily on reports by Citizen Lab that found that NSO spyware had been used to break into the phones of the Mexican activists and journalists who are the plaintiffs in both cases.

Markou told the AP she was approached over email Dec. 21 by a man who presented himself as Olivier Duffet, a partner at Hong Kong-based ENE Investments.

Duffet was ostensibly interested in inviting Markou — a leading data protection and privacy lawyer in Cyprus — to give a lecture at a conference. Markou said she proposed discussing the lecture over Skype, but he insisted on an in-person meeting in London, eventually flying her out, putting her up in a fancy hotel and chatting for a little more than an hour.

Most of the discussion revolved around the proposed lecture — but then Duffet suddenly pivoted to the NSO case, asking her whether she felt the lawsuit was winnable and who was funding it.

Markou said she "gave either incorrect answers or expressly refused to answer" because she found his questions suspicious.

Yet another target, Eyad Hamid, a London-based journalist who wrote a story about NSO, said he was also invited to a London hotel on two separate occasions to discuss his coverage of the Israeli company.

The purported company used in the operation targeting him was Mertens-Giraud Partners Management, which was described as a Brussels-based wealth management firm.

Neither MGP — nor any of the other companies — truly existed. The AP's searches of the Orbis database of some 300 million companies, local corporate registries and trademark repositories turned up no trace of a Swiss firm called APOL, a Swedish company called Lyndon partners, a Belgian company called Mertens-Giraud or a Hong Kong-based firm named ENE Investments. Local phone books didn't carry listings for a Zurich-based man named Cristian Ortega, a Hong Kong-based man named Olivier Duffet or anyone in Sweden bearing the name Marwan Al Haj.

There was no hint of APOL when the AP visited its supposed office not far from Zurich's central train station; tenants said they'd never heard of the company. It was the same story in Hong Kong; a management representative at the Central Building, where ENE Investments was supposedly located, said he didn't know anything about the company. An AP journalist wasn't able to speak to anyone at Mertens-Giraud's alleged office on Brussels' Rue des Poissoniers; the entire building was boarded up for renovations.

At the modern office block in downtown Stockholm where Lyndon Partners claimed to have its headquarters, service manager Elias Broberger said he could find no trace of the wealth management firm.

"It says they are located here," Broberger said as he examined Lyndon Partners' professional-looking website. "But we don't have them in any of our systems: not the booking system; not the member system. We don't bill them; they don't bill us.

"I can't find them."

___

This Tuesday, Feb. 5, 2019 photo shows the exterior of the address Rue des Poissonniers 13 in Brussels. The boarded-up building was supposedly the home of Mertens-Giraud Partners Management, but an Associated Press investigation has found that the firm is little more than a front for an elaborate undercover operation targeting security researchers, lawyers and a journalist. (AP Photo/Sylvain Plazy)This Tuesday, Feb. 5, 2019 photo shows the exterior of the address Rue des Poissonniers 13 in Brussels. The boarded-up building was supposedly the home of Mertens-Giraud Partners Management, but an Associated Press investigation has found that the firm is little more than a front for an elaborate undercover operation targeting security researchers, lawyers and a journalist. (AP Photo/Sylvain Plazy)

Who hired the undercover agents remains unclear, but their operational and digital fingerprints suggest they are linked.

The six operatives all began approaching their targets around the same time with individually tailored pitches. Their bogus websites followed the same patterns; all of them were hosted on Namecheap and many were bought at auction from GoDaddy and used the Israeli web design platform Wix. The formatting of the websites was similar; in at least two instances — MGP and Lyndon Partners — it was identical. Even the operatives' email signatures were the same — consisting of three neatly packed, colorful lines consisting of a phone number, web address and email.

The operatives' LinkedIn pages were similar, too, featuring men in sunglasses shot from a distance, facing away from the camera, or at unusual angles — a tactic sometimes use to frustrate facial recognition algorithms.

Despite the indications that the undercover agents are all linked, there is no conclusive evidence who they might work for. An Israeli television channel, Channel 12, broadcast a report on Saturday claiming that an Israeli private investigation firm, Black Cube, had been investigating issues around the lawsuits against NSO. The TV channel showed secretly shot footage of the Cypriot lawyer, Markou, and the London journalist, Hamid, which matched the pair's description of their encounters with undercover agents.

The TV segment was critical of the lawyers suing NSO, and quoted NSO founder Shalev Hulio in an interview accusing Markou and her colleagues of pursuing the lawsuits as a "PR exercise."

NSO has previously denied hiring Black Cube, and Black Cube in a letter sent last month to the AP said it was not involved in the effort to ensnare researchers at Citizen Lab. "Black Cube had nothing to do with these alleged events," the letter said, adding that no one acting on the company's behalf did either.

Black Cube does have a possible tie to Almog-Assouline, the man who held the hotel meeting about NSO in New York. During a long-running Canadian legal battle between two private equity firms — Catalyst Capital and West Face Capital — one man caught up in the litigation said he recognized Almog-Assouline because he'd been approached by the same operative under a different identity several years ago.

"I recognized the individual, down to the accent and the anecdotes," said the man, who spoke on condition of anonymity for fear of retaliation.

In court filings, Black Cube has acknowledged dispatching agents to meet with "various individuals" involved in the private equity firms' feud. But it's unclear if other investigations firms might also have done work connected to the two companies' legal battle.

Black Cube did not respond to repeated questions about whether it had ever employed Almog-Assouline. The firm previously drew international opprobrium for its unrelated work protecting the reputation of disgraced Hollywood mogul Harvey Weinstein.

Almog-Assouline himself denied working for Black Cube when two AP reporters confronted him in New York last month.

He has refused to answer any questions since.

When an AP reporter rang the door at his penthouse in Tel Aviv suburb of Ramat Hasharon a week ago, a woman who identified herself as his wife said he wasn't home. When the reporter followed up with a phone call to Almog-Assouline, he said: "I have no interest in speaking to you."

___

Aron Heller in Ramat Hasharon, Israel, David Keyton in Stockholm, Sweden, Jamey Keaten in Zurich, Vincent Yu in Hong Kong, Sylvain Plazy in Brussels, Josef Federman in Jerusalem and Meneloas Hadjicostis in Nicosia, Cyprus, contributed to this report.

More in Cybersecurity