9 July 2022

How mercenary hackers sway litigation battles

RAPHAEL SATTER and CHRISTOPHER BING

Bodyguard Carlo Pacileo was under mounting pressure. His boss, a direct sales entrepreneur named Ryan Blair, wanted compromising material against a business rival amid a flurry of lawsuits, Pacileo said. Nothing was turning up.

So he turned to a Silicon Valley detective he knew from his days in Afghanistan with the U.S. mercenary firm Blackwater. Nathan Moser, a former North Carolina sheriff’s deputy, arrived days later at Pacileo’s Hollywood apartment with a duffel bag full of surveillance equipment.

Moser showed Pacileo several gadgets, including Israeli-made listening devices that could be hidden in ceilings or behind television sets. One particular service stood out: Moser said he knew an Indian hacker who could break into emails. “My ears perked up,” Pacileo told Reuters recently. “I didn’t know you could do that type of stuff.”

Moser, who confirmed Pacileo’s account, got the job and a $10,000 per month retainer. He went to work for Blair’s company, diet shake distributor ViSalus, as it filed a series of lawsuits against sellers who had jumped ship to go with a competitor named Ocean Avenue.

Starting around February 2013, the Indian hacker – a young computer security expert named Sumit Gupta – broke into the email accounts of Ocean Avenue executives, sending screenshots and passwords back to his ViSalus handlers on the West Coast.

When Ocean Avenue learned of the spying, it filed a federal lawsuit against ViSalus in Utah alleging extortion, intimidation and hacking. ViSalus initially argued that its competitor had not provided enough evidence to back its claims; it later settled the suit on undisclosed terms.

ViSalus executives did not return messages seeking comment. Messages Reuters sent to Blair, who wasn’t named as a defendant in the suit, were marked as “seen” but went unanswered. He did not respond to certified letters sent to his business and home in Los Angeles.

The settlement didn’t end the matter. The Federal Bureau of Investigation learned of the hacking and, in February 2015, agents raided Pacileo’s and Moser’s homes. Both eventually pleaded guilty to computer crimes connected to the Ocean Avenue intrusions.

For Gupta it was just the beginning. Over the next decade, he and a small coterie of Indian colleagues built an underground hacking operation that would become a hub for private investigators, like Moser, who sought an advantage for clients embroiled in lawsuits.

Gupta, also charged with hacking in the California criminal case, was never apprehended by U.S. authorities. Reuters has not been able to reach him since 2020, when he told the news agency that while he did work for private investigators, “I have not done all these attacks.” Recent attempts to speak with or locate him were unsuccessful.

Reuters identified 35 legal cases since 2013 in which Indian hackers attempted to obtain documents from one side or another of a courtroom battle by sending them password-stealing emails.

The messages were often camouflaged as innocuous communications from clients, colleagues, friends or family. They were aimed at giving the hackers access to targets’ inboxes and, ultimately, private or attorney-client privileged information.

PHISHY ‘FRIEND’: A password-stealing email sent by Indian hackers masquerading as Facebook. Identifying details have been blurred./REUTERS research

At least 75 U.S. and European companies, three dozen advocacy and media groups and numerous Western business executives were the subjects of these hacking attempts, Reuters found.

The Reuters report is based on interviews with victims, researchers, investigators, former U.S. government officials, lawyers and hackers, plus a review of court records from seven countries. It also draws on a unique database of more than 80,000 emails sent by Indian hackers to 13,000 targets over a seven-year period. The database is effectively the hackers’ hit list, and it reveals a down-to-the-second look at who the cyber mercenaries sent phishing emails to between 2013 and 2020.

The data comes from two providers of email services the spies used to execute their espionage campaigns. The providers gave the news agency access to the material after it inquired about the hackers’ use of their services; they offered the sensitive data on condition of anonymity.

Reuters then vetted the authenticity of the email data with six sets of experts. Scylla Intel, a boutique cyber investigations firm, analyzed the emails, as did researchers from British defense contractor BAE, U.S. cybersecurity firm Mandiant, and technology companies LinkedIn, Microsoft and Google.

Each firm independently confirmed the database showed Indian hacking-for-hire activity by comparing it against data they had previously gathered about the hackers’ techniques. Three of the teams, at Mandiant, Google and LinkedIn, provided a closer analysis, finding the spying was linked to three Indian companies – one that Gupta founded, one that used to employ him and one he collaborated with.

Reuters reached out to every person in the database – sending requests for comment to each email address – and spoke to more than 250 individuals. Most of the respondents said the attempted hacks revealed in the email database occurred either ahead of anticipated lawsuits or as litigation was under way.

The targets’ lawyers were often hit, too. The Indian hackers tried to break into the inboxes of some 1,000 attorneys at 108 different law firms, Reuters found.

Among the law firms targeted were global practices, including U.S.-based Baker McKenzie, Cooley and Cleary Gottlieb. Major European firms, including London’s Clyde & Co. and Geneva-based arbitration specialist LALIVE, were also hit. In 2018, the Indian hackers tried to compromise more than 80 different inboxes at Paris-based Bredin Prat alone.

Cleary declined comment. The five other law firms did not return messages.

“It is an open secret that there are some private investigators who use Indian hacker groups to target opposition in litigation battles,” said Anthony Upward, managing director of Cognition Intelligence, a UK-based countersurveillance firm.

The legal cases identified by Reuters varied in profile and importance. Some involved obscure personal disputes. Others featured multinational companies with fortunes at stake.

From London to Lagos, at least 11 separate groups of victims had their emails leaked publicly or suddenly entered into evidence in the middle of their trials. In several cases, stolen documents shaped the verdict, court records show.

Aspects of Gupta’s operation have been reported on previously by Reuters, other media and cybersecurity researchers. But the breadth of his involvement in legal cases – and the role of a wider network of Indian hackers – are being reported here for the first time.

The FBI has been investigating the Indian hacking spree since at least early 2018 to determine who, beyond Moser, hired Gupta’s crew to go after American targets, according to three people briefed on the matter. The FBI declined to comment.

The email trove provides a startling look at how lawyers and their clients are targeted by cyber mercenaries, but it leaves some questions unanswered. The list doesn’t show who hired the spies, for example, and it wasn’t always clear whether the hacking was successful or, if so, how the stolen information was used.

Still, Shane Huntley, who leads Google’s Threat Analysis Group, said the attempts to steal privileged information were troubling. “These attacks have real potential to undermine the legal process.”

How the Hackers Tried to Fool Lawyers and Steal Their Emails

HACKER HIT LIST: This is an edited version of the data reviewed by Reuters which shows how Indian mercenary hackers hunted lawyers’ inboxes. The far left hand column shows when malicious emails were sent; the left hand column shows who the emails were sent to; the middle column shows the services – such as LinkedIn or YouPorn – that the hackers were imitating; the right hand column shows the subject lines the hackers used to entice their targets.

Techniques for breaking into attorneys’ emails varied. Sometimes the hackers tried to pique attorneys’ interest in news about their high-flying colleagues. Sometimes the hackers impersonated social media services. In other cases the hackers tried to masquerade as porn sites. And then there was the old standby: weird or scandalous news to prompt their targets to click.

Deeply impressed

A few weeks after hacking for ViSalus, Sumit Gupta registered BellTroX Infotech Services Private Ltd in May 2013, Indian business records show. Gupta was only 24, but Moser remembers a sharply dressed, self-assured young man at the other end of his Skype calls.

“If you want this information,” Moser recalled him saying, “I can get it.”

Carrying the motto “you desire, we do!” BellTroX was headquartered in west Delhi and openly advertised “ethical hacking” services online. On one business development website, Gupta wrote that the “clients I am seeking” include “private investigators” and “corporate lawyers.”

The hackers’ office resembled a low rent call center, former employees said. Conversation was discouraged, personal phone use was forbidden and surveillance cameras monitored every keystroke, they said.

By 2016, BellTroX employed dozens of workers, according to the former employees and online resumes reviewed by Reuters. A month's salary could be as low as 25,000 rupees (then worth about $370), according to two former workers and company salary records.

Gupta, as BellTroX co-owner, could charge from a few thousand dollars per account to up to $20,000 for “priority” targets, said Chirag Goyal, a former BellTroX executive who split from Gupta in 2013 and has since launched several tech startups in India.

Goyal said repeat customers comprised much of BellTroX’s income. “In this industry, genuine work comes only from recommendations,” Goyal said. Reuters was unable to determine the total annual revenue of Gupta’s firm.

Before launching BellTroX, Gupta had worked for Appin, an Indian company that initially made its name in cybersecurity training franchises and mainstream IT security work.

By 2010 a division of Appin began hacking targets on behalf of governments and corporate clients, according to six ex-employees, a former U.S. intelligence official, private detectives and Appin surveillance proposals seen by Reuters.

Matthias Willenbrink, a German private investigator and former president of the World Association of Detectives, said he received one such spy proposal from Appin around that time.

Willenbrink said he would not normally use hackers and worked with Appin only once, amid a high-stakes inheritance dispute in 2012 for a wealthy German businessman. The client, who Willenbrink declined to name, wanted to know who was trying to blackmail him anonymously.

HACKER HELP: Matthias Willenbrink turned to a hacker to unmask an alleged blackmailer of his client. REUTERS/Annegret Hilse

Willenbrink was tasked with identifying the culprit. He said he paid Appin about $3,000 to successfully get into the target’s email account. “I was deeply impressed,” said Willenbrink, who solved the case. “They sent me all their communications in three days.”

The Indian hackers were recruited in big name lawsuits too.

Around the time that Willenbrink was hunting the blackmailer, Israeli private detective Aviram Halevi hired Appin for a “considerable amount” to hack a Korean businessman amid a legal dispute over the rights to distribute KIA Corp cars in Israel, according to a court ruling issued last year in Tel Aviv.

The judge overseeing the case ordered Halevi to pay compensation and destroy the hacked data. Halevi, who admitted to hiring the Indian hackers in an affidavit, declined to comment. A KIA spokesperson also declined to discuss the case. An attorney for the Korean victim didn’t return emails.

Several India-based cyber defense training outfits still use the Appin name – the legacy of a previous franchise model – but there’s no suggestion those firms are involved in hacking. Appin itself largely disappeared from the internet after the publication of a 2013 cybersecurity research report which connected it to alleged hacking.

Rajat Khare, Appin’s co-founder and the former head of several Appin companies, including the Appin Security Group, did not respond to messages seeking an interview. His attorney denied any wrongdoing and said Khare “will not comment on a company he left ten or so years ago.”

As Appin’s reputation grew, so did its competition. Gupta was part of a cohort of Appin alumni who left the firm around 2012 to found similar companies.


Another Indian spy firm registered within a few months of BellTroX was CyberRoot Risk Advisory Private Ltd, based in the Delhi suburb of Gurugram, two former employees and two private investigators familiar with the matter told Reuters.

Appin, BellTroX and CyberRoot have shared computer infrastructure and staff, according to court records and cybersecurity researchers. LinkedIn, Google and Mandiant researchers who reviewed Reuters’ data said it shows a mix of hacking activity linked to the companies between 2013 and 2020.

CyberRoot has not responded to messages seeking comment. There was no trace of CyberRoot or BellTroX at the addresses listed for the firms when a Reuters reporter visited recently. Neighbors said they were unfamiliar with the companies.

When Reuters contacted Gupta two years ago, he denied wrongdoing. He was no spy, he said, although he acknowledged he helped private detectives with their IT. “It's not a big deal to provide them a little technical support,” he said. “Downloading mailboxes can be a part of it.”

In 2017, one of those mailboxes found its way into a $1.5 billion international legal battle.

Hacking the ‘real truth’

That June 11, an explosive email landed in the inbox of international arbitrators weighing the fate of lucrative Nigerian oil fields.

The message, entitled “The real truth about Pan Ocean Oil vs Nigeria,” seemed to torpedo the Nigerian government’s case in a lawsuit that pitted it against the heirs of Italian businessman Vittorio Fabbri over control of the Pan Ocean Oil Corporation Ltd.

Fabbri had bought the company in 1983, allowing him to pump crude oil in a block of Niger Delta fields known as OML-98. A power struggle later saw him frozen out of the company in favor of local management. After he died in 1998, his heirs fought to regain control, eventually accusing government officials of supporting efforts to oust them.

HACKING LITIGATION: A phony email complicated a legal fight in Nigeria over the Pan Ocean Oil Corp. REUTERS/Tife Owolabi

In 2013 the Fabbris took the fight to the Washington-based International Centre for Settlement of Investment Disputes, which arbitrates legal fights between investors and governments. Patrizio Fabbri, Vittorio’s son, told Reuters it was a bid to pull the litigation out of slow-moving Nigerian courts and extract $1.5 billion in compensation.

The mysterious June 11 email appeared to promise victory for the Fabbri side. Attached were documents from Nigeria’s legal team addressed to the managing director of Pan Ocean, asking him to reimburse the government’s legal fees. “I wish to remind you of the outstanding fees due to my firm,” one of the documents said, requesting that “a sizeable portion” be “paid immediately.”

The Fabbris saw the request as a key admission because their case hinged on proving that Pan Ocean and the Nigerian government had colluded to deny the family control of the company.

Bizarrely, the email appeared to have been sent to the arbitrators by Oluwasina Ogungbade, an attorney for the Nigerian government. The lawyer seemed to be sabotaging his client’s case. Patrizio said he was thrilled to learn of the apparent admission.

“Wow,” he recalled thinking. “Finally somebody in Nigeria is honest.”

In interviews with Reuters, Ogungbade declined to address the documents’ authenticity but did say he never sent them to the tribunal. Instead, he said, hackers stole the documents, created a fake email in his name and used it to send the material to the arbitrators.

An October 2017 Nigerian police report reviewed by Reuters backs his account, saying “there is a strong suspicion that some unknown suspect(s) were the authors” of the message.
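Two tricks run through this story: a lure whose display name claims to be LinkedIn or Facebook but arrives from an unrelated domain, and a message that carries a real lawyer’s name on an address he never used. Both leave traces in the message headers that a mail administrator or a litigant’s forensics team can check before anyone clicks or before a tribunal admits a document. The following is an added example, not code from the Reuters investigation or from any firm named on this page. It uses only Python’s standard library; the brand-to-domain table, the contact list and the three sample messages are constructed for illustration and are not real captures.

```python
"""Header triage for litigation-targeting phishing (added example).

Flags (1) a display name that claims a service such as LinkedIn while the
sender domain is not that service's, (2) a known contact's name on an
address the recipient has never corresponded with, (3) SPF/DKIM verdicts
other than 'pass', and (4) a Reply-To that steers replies elsewhere.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed notification domains for brands the hit list shows being imitated.
# Replace with the domains you actually observe in legitimate mail.
BRAND_DOMAINS = {
    "linkedin": ("linkedin.com",),
    "facebook": ("facebookmail.com", "facebook.com"),
    "google": ("google.com",),
}


def sender_parts(msg):
    """Return (display name lower-cased, address lower-cased, domain)."""
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    return name.lower(), addr, addr.rpartition("@")[2]


def domain_of(header_value):
    """Bare domain of the first address in a header value ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def auth_results(msg):
    """Parse Authentication-Results into {'spf': 'pass', 'dkim': 'fail', ...}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def is_under(domain, parent):
    """True if domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)


def triage(raw_message, known_contacts):
    """Return a list of findings for one RFC 5322 message.

    known_contacts maps a contact's display name (lower-cased) to the
    address the recipient has genuinely corresponded with."""
    msg = message_from_string(raw_message)
    name, addr, domain = sender_parts(msg)
    findings = []

    # 1. Brand impersonation in the display name.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name and not any(is_under(domain, d) for d in legit):
            findings.append(f"display name claims {brand} but sender domain is {domain}")

    # 2. Familiar name, unfamiliar address (a fake email in a real lawyer's name).
    if name in known_contacts and addr != known_contacts[name]:
        findings.append(f"name '{name}' is a known contact but {addr} is not the address on file")

    # 3. SPF/DKIM not passing. An attacker's own look-alike domain will pass
    #    both, so this check never stands alone.
    auth = auth_results(msg)
    for method in ("spf", "dkim"):
        verdict = auth.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method} did not pass ({verdict})")

    # 4. Reply-To steering replies to a different domain.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    return findings


# Constructed sample messages (not real captures).
LURE = """\
From: "LinkedIn" <notifications@linkedin-mail-alerts.net>
To: partner@example-law.com
Subject: You appeared in 9 searches this week
Authentication-Results: mx.example-law.com; spf=pass smtp.mailfrom=linkedin-mail-alerts.net; dkim=pass header.d=linkedin-mail-alerts.net

See who viewed your profile: http://linkedin-mail-alerts.net/login
"""

SPOOFED_COUNSEL = """\
From: "A. Counsel" <a.counsel@law-firm-mail.net>
Reply-To: <documents@secure-mail-drop.net>
To: tribunal@example-arbitration.org
Subject: The real truth about the case
Authentication-Results: mx.example-arbitration.org; spf=fail smtp.mailfrom=law-firm-mail.net; dkim=none

Please find attached the correspondence you were not meant to see.
"""

GENUINE = """\
From: "LinkedIn" <messages-noreply@linkedin.com>
To: partner@example-law.com
Subject: Weekly digest
Authentication-Results: mx.example-law.com; spf=pass smtp.mailfrom=bounce.linkedin.com; dkim=pass header.d=linkedin.com

Your weekly digest.
"""

# Assumed address book: the only address this recipient has used with "A. Counsel".
KNOWN_CONTACTS = {"a. counsel": "a.counsel@example-law.com"}

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("spoofed counsel", SPOOFED_COUNSEL), ("genuine", GENUINE)):
        print(label, triage(raw, KNOWN_CONTACTS) or ["clean"])
```

The lure sample is the important one: it passes SPF and DKIM, because the hackers own the look-alike domain and publish valid records for it, so authentication results alone would wave it through. Only the mismatch between the claimed brand and the sending domain catches it. The spoofed-counsel sample fails on every check at once, which is what a message "created in his name" from an address the recipient has never seen typically looks like. Neither check proves who commissioned the message, which is the question the hit list itself cannot answer.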

Pan Ocean and Nigerian officials did not respond to messages seeking comment.

The Indian hacking records reviewed by Reuters fill the gaps in the story.

Gupta’s BellTroX made repeated attempts to hack Ogungbade’s account. Also targeted were more than 100 employees of Pan Ocean and other lawyers for the Nigerian government, according to the Indian hit list and other data gathered by cybersecurity researchers.

Shortly after, BellTroX created a WikiLeaks-style website titled Nigeriaoilleaks.com, promising to expose corrupt Nigerian politicians and sharing a larger cache of stolen Pan Ocean emails for download.

Over Ogungbade’s objections, the tribunal accepted the files sent under his name, although it warned that it “may decide to give the documents little or no weight” if their provenance remained in doubt.

In 2020 the tribunal ruled against the Fabbri family, finding that the government wasn’t a party to the takeover; the stolen emails were barely mentioned in the judgment.

Still, Ogungbade believes the leaks convinced arbitrators to deny the Nigerian government most of its legal costs. While Reuters couldn’t independently verify that claim, the government was awarded just $660,000 of the $3.8 million it had sought.

Reuters wasn’t able to learn who commissioned the hack. Patrizio Fabbri said he had “nothing to do” with it. His family’s Nigerian lawyer, Olasupo Shasore, said he and colleagues were “all confounded” by their sudden stroke of luck.

Such high-stakes court cases can feature multiple third parties, including litigation financiers, with an interest in the outcome. Two of the tribunal’s arbitrators – Boston University professor William Park and arbitrator Julian Lew – did not respond when contacted by Reuters. The third, former Kenyan High Court judge Edward Torgbor, declined comment.

Torgbor had aired concerns about the leak, however. In a 2018 minority opinion he warned that accepting documents of “dubious character” posed a “grave risk” to the tribunal’s integrity. “How does the Tribunal discover or uncover the ‘real truth’ from an unknown person whose own identity and probity are under cover?”

As India’s mercenary hacking industry grows, lawyers around the globe are increasingly grappling with similar questions.

WeWork, Wirecard

As Reuters contacted victims of the Indian spy campaign, targets involved in at least seven different lawsuits have each launched their own inquiries.

One of the most prominent was WeWork co-founder Adam Neumann, who hired New York’s Seiden Law Group after learning from Reuters that he and other company executives’ email accounts were targeted by the Indian hackers starting in August 2017, according to four people familiar with the matter.

The hacking attempts against Neumann unfolded as WeWork prepared to announce a $4.4 billion investment from Japan’s SoftBank, a giant infusion for a startup then burning through capital.

By the time Neumann learned of the hacking in 2020, the partnership had collapsed and he was suing SoftBank after being ousted from WeWork. SoftBank executives were quizzed by Neumann’s lawyers about the hacking in depositions just weeks before he received a roughly $500 million settlement from the Japanese investment giant, according to four people familiar with the matter. The executives denied any knowledge of the spying, the sources said.

Reuters was unable to determine who hired the Indian hackers to spy on Neumann or his colleagues. Representatives for Neumann and SoftBank did not return messages. WeWork said the hacking attempts were blocked but did not elaborate. The Seiden Law Group confirmed it had been hired by Neumann to investigate a cybersecurity issue; it declined further comment.

INVESTIGATED HACKS: Adam Neumann, former CEO of WeWork, hired a law firm after learning from Reuters that spies had targeted his emails and those of his coworkers. REUTERS/Eduardo Munoz

Private eyes alleged to have worked as middlemen between their clients and the Indian hackers are coming under increased pressure as victims and law enforcement push for answers.

One of them is former Israeli policeman Aviram Azari, who was arrested by the FBI in 2019. He recently pleaded guilty in New York to wire fraud, identity theft and hacking-related charges after hiring Indian spies to target “a large number” of people, including New York hedge fund employees, prosecutors said in a court filing.

Authorities have released few other details about Azari’s scheme, but four people familiar with the matter say he hired BellTroX to carry out the hacking. Azari’s lawyer, Barry Zone, told Reuters in April that the private eye was prosecuted in relation to his work for the now-defunct German financial firm Wirecard. Zone has not responded to follow-up emails.

Former Wirecard boss Markus Braun was arrested in June 2020 following revelations that 1.9 billion euros were missing from the company’s accounts. The firm collapsed shortly thereafter.

Braun’s legal team declined to comment on Wirecard’s relationship with Azari or BellTroX. Braun has been accused of fraud and market manipulation, charges he denies. His trial is ongoing. Five lawyers for other former top Wirecard executives didn’t return messages.

The hit list seen by Reuters shows BellTroX heavily targeted short sellers, reporters and financial analysts who had voiced skepticism of Wirecard’s business practices before it went bust. In several instances, these hacks coincided with legal threats made by Wirecard.

Azari had other customers, U.S. prosecutors alleged in their filing, saying the Israeli also worked on behalf of numerous undisclosed American clients. “There are thousands of potential victims,” the filing notes. Azari is due to be sentenced later this year, when he faces a prison term of at least two years plus expulsion from the country, prosecutors have said.

Yet the publicity around Azari’s arrest has not deterred India’s mercenary hacking industry. As recently as December 2021, security researchers at Facebook said BellTroX-linked spies were still trying to penetrate the private files of unidentified attorneys across the world.

Jonas Rey, whose Geneva-based company Athena Intelligence is investigating Indian hacks on behalf of several victims, believes some officials in Delhi turn a blind eye to the country’s hack-for-hire market.

Asked about the hacker-for-hire industry, an official with India’s Ministry of Justice referred Reuters to a cybercrime hotline, which did not respond to a request for comment. Delhi police did not return repeated messages seeking comment on Gupta or his hacking business.

He remains a fugitive from U.S. justice. ViSalus, the company that Gupta worked for in 2013, is currently challenging an up to $925 million class action judgment for placing unsolicited robocalls. Ryan Blair, ViSalus’ CEO, left the firm in 2016.

Blair’s former director of security, Carlo Pacileo, now runs a fitness retreat deep in the mountains of Japan’s Shikoku Island. Nathan Moser, the former private eye, is working on his mental health at a Utah rehabilitation facility following his time in Iraq and Afghanistan.

Reflecting on the Gupta episode recently, Moser said private eyes face immense pressure because they work in “a results-based industry.”

Indian mercenary hackers have worked in the shadows for at least a decade, helping private detectives get an edge in litigation, a Reuters investigation found. Now one victim – an aviation executive named Farhad Azima – is exposing the secretive industry, with potential ripple effects for legal battles on both sides of the Atlantic.

The outlook for Azima once looked grim. In 2020 a judge in London found the Iranian-American liable for cheating his former business partner, an investment fund based in the emirate of Ras Al Khaimah. In a ruling, Judge Andrew Lenon said Azima had been guilty of “seriously fraudulent conduct” in relation to a pair of aviation and tourism-related business deals.

FIGHTING BACK: Aviation executive Farhad Azima said U.S. law enforcement should do more to stop hackers seeking to obtain emails of lawyers and litigants. REUTERS/Raphael Satter

But the case relied heavily on hacked emails that had mysteriously been posted to the web by an apparent whistleblower. Azima – who has long denied the fraud allegations – believed that allies of Ras Al Khaimah’s ruler, Sheikh Saud bin Saqr al-Qasimi, had masterminded the leak in a bid to win at trial.

Witnesses called by the investment fund, known as RAKIA, did nothing to convince him otherwise.

Azima told Reuters he shook his head in disbelief after Israeli journalist Majdi Halabi told the judge he innocently discovered the stolen material “in one of my regular Google searches” for the tycoon’s name in 2016.

Halabi testified that he sent web links to the material to an old friend, British private investigator Stuart Page, who was working for Sheikh Saud and who had asked Halabi to keep an eye out for any Azima-related news. But when cross-examined, Halabi struggled to recall how often he had searched Google for Azima’s name or explain why Page had given him such a peculiar task. Even the judge seemed baffled.

“The hack-for-hire companies may be thousands of miles away, but the victims are often U.S. citizens on U.S. soil.” – Farhad Azima, who aims to expose the industry that hacked him.

In his May 2020 judgment, Lenon found Halabi’s testimony “not credible” and Page’s account of how he passed Halabi’s information to Sheikh Saud’s allies “both internally inconsistent and at odds with the contemporary documents.” The judge ruled there was no doubt a hack-and-leak took place and said the explanations provided by RAKIA’s witnesses for how they found the documents were full of “unexplained contradictions.”

Nevertheless, Lenon said Azima had failed to provide sufficient evidence that RAKIA had hacked his messages. He refused to throw out the emails and ordered him to pay $4.2 million in restitution.

Hit list

As the ruling was being prepared, Reuters began sifting through a database of more than 80,000 emails Indian hackers had sent between 2013 and 2020. Obtained exclusively by Reuters, the file provides a down-to-the-second look at who the cyber mercenaries targeted in legal battles around the world. It’s effectively a hit list. Azima featured prominently.

The Indian hackers had aggressively tried to break into the businessman’s emails starting in March 2015. Accounts belonging to Azima’s associates, lawyers and friends were also pursued, the records show.

After being contacted by Reuters seeking comment, Azima launched his own inquiry. His legal team combed his inbox and those of his associates, finding more than 700 malicious emails sent over a 16-month period alone. Azima’s legal team said his data was breached around March 2016.

In subsequent legal filings, Azima’s lawyers accused Indian tech firms CyberRoot Risk Advisory Private Ltd and BellTroX Infotech Services Private Ltd of being behind the espionage campaign.

CyberRoot’s hackers created anonymous websites to disseminate Azima’s stolen emails using blogs titled “Farhad Azima Scammer” and “Farhad Azima Exposed Again,” the court records allege. It was one of those sites that Halabi said he innocently stumbled across in August of 2016.
