PORTLAND, Ore. (CN) — Attorneys for Saudi human rights activist Loujain al-Hathloul met before a federal judge Tuesday on a motion to dismiss against an Emirati cyber-surveillance company and three former U.S. intelligence operatives, asserting they aided Saudi Arabia in hacking al-Hathloul’s iPhone before her arrest in 2018, leading to her imprisonment and torture for her activism.
Al-Hathloul, 33, rose to prominence after launching a campaign to give Saudi women the right to drive — a right they were denied until June 2018. Yet, al-Hathloul’s activism did not come without dire costs to her safety.
According to al-Hathloul’s complaint filed in December 2021, DarkMatter Group and its former senior executives — former U.S. intelligence operatives Marc Baier, Ryan Adams and Daniel Gericke — hacked her iPhone to surveil her movements and used her confidential communications against her by the security services of the United Arab Emirates, leading to her arrest and extradition to Saudi Arabia, where she was “detained, imprisoned and tortured.”
The three operatives were a part of the same DarkMatter surveillance unit called Project Raven, also known as the “Development Research Exploitation and Analysis Department” or “Project DREAD.” As first reported by Reuters in 2019, Project Raven aided the UAE in spying on human rights activists, academics, journalists and government critics, with the source later revealing the project assigned al-Hathloul the codename “Purple Sword.”
In 2021, the three men entered into a deferred prosecution agreement with the U.S. Department of Justice, where they admitted to hacking into computer networks in the U.S. and exporting cyber intrusion tools without necessary permission from the U.S. government.
Al-Hathloul is now suing DarkMatter and the three men for computer fraud violations and crimes against humanity under the Alien Tort Statute.
Right off the cusp, Judge Karin J. Immergut addressed Tuesday's video hearing stating that she was inclined to dismiss the case for lack of jurisdiction, but noted that she had concerns about the issue brought forth and interested to learn what tortious conduct specifically occurred in Oregon.
Al-Hathloul argues the hackings are inextricably linked to the U.S., as they were carried out with cyber-technology developed in the country by domestic companies, and the technology specifically targeted Apple’s U.S. servers to infect al-Hathloul’s phone with malware.
Going back further, the complaint alleges the UAE sought out U.S. corporations in 2008 to build a cyber-surveillance program to hack perceived dissidents from the UAE and Saudi Arabia. Around 2009, CyberPoint International became the UAE’s primary contractor, recruiting Americans, including those from the National Security Agency and others in the U.S. intelligence community. Then, around December 2015, the UAE transitioned services under Project Raven from CyberPoint to DarkMatter — bringing Baier, Adams and Gericke with it — who went on to upper management positions within the company at various levels.
Under the operative’s direction, DarkMatter developed a new exploit to target al-Hathloul, “exploit” meaning computer code that exploits a vulnerability to install undetectable malware. The “zero-click” exploit, which can run without a target taking any action, such as clicking a link, browsing a website or installing an app, allowed DarkMatter to hack hundreds of iPhones to obtain emails, location data, messages and photographs.
On behalf of DarkMatter, al-Hathloul claims Baier acquired two “zero-click” iMessage exploits from two U.S. companies around May and October 2016 to create and upgrade an espionage system known as “Karma” to overcome evolving iOS security upgrades. From there, DarkMatter paid $750,000 and $1.3 million for each exploit by transferring funds from bank accounts outside the U.S. to accounts belonging to companies in the U.S.
It is through these accounts, al-Hathloul says, that the men and DarkMatter created the Karma hacking system “that relied on the obtained exploits and other U.S. technology, including anonymization services and computer hardware located or built in the United States.”