Fear This Man
To spies in the age of cyberwarfare, David Vincenzetti was a salesman. To tyrants, he was a savior. How the Italian mogul built a hacking empire.
As the war in Ukraine unfolds, I thought I’d share another story of mine about the new age of cyberwarfare (ICYMI, here’s a link to the one from last week, “The Geeks on the Front Lines”).
Today, I’m featuring a piece I wrote in 2016 for Foreign Policy magazine about Hacking Team, one of the world’s most notorious spyware makers, and its embattled founder and CEO, David Vincenzetti. Meeting Vincenzetti at his sleek offices in Milan felt like interviewing a Bond villain, or hero, depending on your POV. The company, however, is no more. After being acquired by another cybersecurity firm, Memento Labs, in 2019, Vincenzetti left a cryptic post on LinkedIn that “Hacking Team is dead.”
Here’s my story below. A version of the article originally appeared in the May/June 2016 issue of Foreign Policy.
As the sun rose over the banks of the Seine and the medieval, half-timbered houses of Rouen, France, on July 13, 2012, Hisham Almiraat opened his inbox to find “Denunciation” in the subject line of an email. “Please do not mention my name or anything,” wrote the sender, Imane. “I do not want any trouble.”
The editor and co-founder of Mamfakinch, a pro-democracy website created in Morocco during the Arab Spring, Almiraat was one of his country’s most outspoken dissidents and someone accustomed to cryptic emails: Moroccan activists faced jail time for their views and risked their jobs, or even their lives, for speaking out against their government. From Normandy’s capital city, where Almiraat was in medical school, the bespectacled 36-year-old spent his time — in between classes and hospital shifts — mentoring, coaching, and editing more than 40 citizen journalists. The group covered the roiling unrest back in Almiraat’s homeland, where he would soon return after completing his studies. (Almiraat contributed to Foreign Policy in 2011.)
Almiraat and his colleagues also trained Mamfakinch’s writers to use encryption software, most notably the Onion Router, so that their online activities remained anonymous and shielded. Tor, as it’s widely known, masks a user’s identity and physical location. “People were relying on us to protect their…reputations, their careers, and probably also their freedoms,” Almiraat says. “All of that could be put in jeopardy if that were made public.” It was precisely this forethought that had earned Mamfakinch the Breaking Borders Award, sponsored by Google and the citizen-media group Global Voices, for its efforts “to defend and promote freedom of speech rights on the Internet.”
But on that July morning, just 11 days after receiving the award, Almiraat read the message from Imane and knew “something wasn’t right.” A website link directed him to a document labeled “Scandal,” which, once downloaded, was blank. His associates received the same note.
Suspicious, Almiraat promptly forwarded the email to an activist he knew, who then sent it to Morgan Marquis-Boire, a dreadlocked, tattooed 32-year-old digital activist who’d grown up hacking in New Zealand under the nickname “Mayhem.” A top security researcher at Google, Marquis-Boire had made waves recently as a volunteer detective for Citizen Lab, a technology research and human rights group at the University of Toronto; he and several colleagues had found evidence that suggested Bahrain was using surveillance software — a product intended for government spying on suspected criminals — against supporters of political reform.
After a month-long analysis of the Scandal file, Marquis-Boire contacted Almiraat with disturbing news: Anyone who had opened the document had been infected with highly sophisticated spyware, which had been sent from an Internet protocol address in Morocco’s capital of Rabat. Further research confirmed that the Supreme Council of National Defense, which ran Morocco’s security agencies, was behind the attack. Almiraat and his colleagues had essentially handed government spies the keys to their devices, rendering Tor, or any other encryption software, useless. Morocco’s spooks could read the Mamfakinch team’s emails, steal their passwords, log their keystrokes, turn on their webcams and microphones — and spies likely had been doing exactly those things and more since the intrusion in July.
That wasn’t all. Marquis-Boire and other experts found “a trail of bread crumbs from a surveillance company that, you’d think, would have left no bread crumbs, let alone a trail,” he recalls. Tucked in the source code of the Scandal document, a few small lines had been left behind in error. And they were the first fragments that ultimately led to the most powerful and notorious dealer in online spycraft: the Hacking Team.
The Blackwater of surveillance, the Hacking Team is among the world’s few dozen private contractors feeding a clandestine, multibillion-dollar industry that arms the world’s law enforcement and intelligence agencies with spyware. Comprised of around 40 engineers and salespeople who peddle its goods to more than 40 nations, the Hacking Team epitomizes what Reporters Without Borders, the international anti-censorship group, dubs the “era of digital mercenaries.”
The Italian company’s tools — “the hacking suite for governmental interception,” its website claims — are marketed for fighting criminals and terrorists. But there, on Marquis-Boire’s computer screen, was chilling proof that the Hacking Team’s software was also being used against dissidents. It was just the latest example of what Marquis-Boire saw as a worrying trend: corrupt regimes using surveillance companies’ wares for anti-democratic purposes.
When Citizen Lab published its findings in the October 2012 report “Backdoors are Forever: Hacking Team and the Targeting of Dissent?” the group also documented traces of the company’s spyware in a document sent to Ahmed Mansoor, a pro-democracy activist in the United Arab Emirates. Privacy advocates and human rights organizations were alarmed. “By fueling and legitimizing this global trade, we are creating a Pandora’s box,” Christopher Soghoian, the principal technologist with the American Civil Liberties Union’s Speech, Privacy, and Technology Project, told Bloomberg.
The Hacking Team, however, showed no signs of standing down. “Frankly, the evidence that the Citizen Lab report presents in this case doesn’t suggest anything inappropriately done by us,” company spokesman Eric Rabe told the Globe and Mail.
As media and activists speculated about which countries the Italian firm served, the founder and CEO of the Hacking Team, David Vincenzetti — from his sleek, white office inside an unsuspecting residential building in Milan — took the bad press in stride. He joked with his colleagues in a private email that he was responsible for the “evilest technology” in the world.
A tall, lean 48-year-old Italian with a taste for expensive steak and designer suits, Vincenzetti has transformed himself over the past decade from an underground hacker working out of a windowless basement into a mogul worth millions. He is nothing if not militant about what he defines as justice: Julian Assange, the embattled founder of WikiLeaks, is “a criminal who by all means should be arrested, expatriated to the United States, and judged there”; whistleblower Chelsea Manning is “another lunatic”; Edward Snowden “should go to jail, absolutely.”
“Privacy is very important,” Vincenzetti says on a recent February morning in Milan, pausing to sip his espresso. “But national security is much more important.”
Vincenzetti’s position has come at a high cost. Disturbing incidents have been left in his wake: a spy’s suicide, dissidents’ arrests, and countless human rights abuses. “If I had known how crazy and dangerous he is,” Guido Landi, a former employee, says, “I would never have joined the Hacking Team.”
On March 11, 2004, four commuter trains cruising through Madrid’s early-morning rush hour were hit by 10 large explosions. The bombings, which left nearly 200 people dead and 1,800 injured, marked the deadliest terrorist attack in Spain’s history. The incident was all the more frightening because the perpetrators likely were inspired by reading about al Qaeda online, and they had at their disposal an arsenal of new, cheap digital technologies — social media platforms, instant-messenger programs, video-conferencing software — that they could use to plot. Police, who lacked in-house computer-security teams at the time, were not equipped to fight back. And private contractors typically specialized in defensive technology, such as anti-virus software, not programs that could attack and decrypt criminals’ tools.
For Vincenzetti, the tragedy was a business opportunity. With only one client so far — Milan’s Polizia Postale, the local law enforcement branch that focuses on Internet crime — the budding entrepreneur set out to convince Spain’s government just how crucial his spyware could be in the fight against terrorism.
The son of a teacher and agricultural chemicals salesman, Vincenzetti was a self-taught hacker, seduced by cryptography at the age of 14. The teenager spent hours reading computer forums online. Deciphering codes reminded him of the chess tournaments in which he often competed: a complex series of offensive and defensive moves until the shrewdest player won. “A hacker is someone who passes through gaps. A hacker never breaks the front door,” Vincenzetti says. “I was a hacker,” he adds. “A good hacker.”
Shortly after Vincenzetti enrolled at the University of Milano-Bicocca in 1993, the school hired him as a network and security administrator, a job for which he should have qualified only after he received his degree. “He was very well known,” recalls former classmate Stefano Zanero, now an associate professor at the university. “He was one [of the] geeks that were beginning to understand how the Internet worked.”
Vincenzetti saw the nascent technological landscape as requiring a new kind of gamesmanship. The security industry was dominated by companies focused on defending businesses and governments against hackers. But, he wondered, what would happen if hackers were instead unleashed as a mode of security? “I was trying to foresee the future,” he says.
Between 2003 and 2004, Vincenzetti and two college friends worked in their dank, underground apartment and coded what would become the Hacking Team’s flagship software. Called the Remote Control System (RCS), it commandeers a target’s devices without detection, allowing a government to deploy malware against known enemies. (The product was later dubbed Da Vinci, then Galileo.) Think of it as a criminal dossier: A tab marked “Targets” calls up a profile photo, which a spy must snap surreptitiously using the camera inside the subject’s hacked device. Beside the picture, a menu of technologies (laptop, phone, tablet, etc.) offers an agent the ability to scroll through the person’s data, including email, Facebook, Skype, online aliases, contacts, favorite websites, and geographical location. Over time, the software enables government spooks to build a deep, sprawling portfolio of intelligence.
Installing RCS isn’t always easy. Spies must get it into technology quickly and secretly — say, in the seconds a phone passes through security at a border checkpoint. Moreover, each device a target uses must be infected separately. Yet there are myriad options for delivery: a USB, DVD, public Wi-Fi network, or even a QR code disguised as something enticing (such as an ad for an escort service).
In the early days, Vincenzetti framed the Hacking Team as important defenders of international security — a modern-day Justice League dreaming up technology that governments could use to protect their citizens. Alberto Pelliccione, the lead developer of RCS for mobile devices and a former artificial-intelligence researcher, was among those who eagerly joined Vincenzetti’s cause. “This was supposed to be used against terrorists and criminals,” Pelliccione explains. “It was very exciting to be part of this.”
For potential clients, Vincenzetti crafted an elevator pitch, boasting RCS’s security features: To guarantee anonymity, customers would only use code names when calling the Hacking Team’s product-support line, and the company’s crew would not have access to clients’ collected data. “It would be very dangerous for the people working here,” he says now.
At Vincenzetti’s start-up, days burned by as employees coded. Then, a few months after the terrorist attack in Madrid, Vincenzetti’s pitch landed. Spain’s Secret Service became the Hacking Team’s second customer. With his newest deal sealed, Vincenzetti remembers thinking to himself, “‘Hey, David, this company is going to have a future.’”
In Vincenzetti’s mind, RCS wasn’t a sinister technology; however, its dual-use potential — for both peaceful and military applications — was not lost on the businessman. “We were very quick to understand the power of a tool like ours,” he says. Existing international arms regulations did not cover spyware, so Vincenzetti and his colleagues were responsible for gauging the ways clients might use the company’s products. His employees, he says, never took this lightly.
The Hacking Team’s existing customer policy — posted on its website one year after Citizen Lab exposed the Italian firm — vows to sell only to governments, not to corporations or individuals. (Vincenzetti says the company declines frequent requests from people who want to spy on their spouses.) Yet it will not, under any circumstances, sell to a country blacklisted by the United States, European Union, United Nations, NATO, or the Association of Southeast Asian Nations. To help Vincenzetti review clients in advance of sales, he says he hired Bird & Bird, an international law firm headquartered in London.
Though the Hacking Team does not track how clients use RCS after a sale, Vincenzetti says he does monitor the media to ensure clients do not commit crimes. “Should questions be raised about the possible abuse of HT software in human rights cases,” the company states in its customer policy, “HT will investigate to determine the facts to the extent possible. If we believe one of our customers may be involved in an abuse of HT software, we will contact the customer as part of this investigation. Based on the results of such an investigation, HT will take appropriate action.” (By way of example, Vincenzetti tells me he severed his contract with Russia in 2014, before the invasion of Crimea, after reading reports about corruption, murder, and other news of what, he says, “Russia was becoming.”)
According to Vincenzetti, China, Nigeria, Pakistan, and Iraq, to name a few repressive states, have requested the Hacking Team’s services. He has had “countless chances” to sell to them, he says, but he has declined every time. Even still, he admits vetting has been an imperfect process. In 2011, Sudan — the president of which the International Criminal Court had indicted on genocide charges — came calling. The following year, the country’s National Intelligence and Security Service paid 960,000 euros (around $1.3 million) for RCS.
Vincenzetti says his life had become exceedingly busy at that point. It wasn’t uncommon for him to think that a month had passed when it had been only a week. He awoke regularly at 3 a.m. to exercise — whether that day he was meeting with the FBI in Washington, negotiating a seven-figure deal in South Korea, helping cops infiltrate cartels in Mexico, or working from his Milan office — and then spent the rest of his waking hours in a nonstop whirlwind of deal-making and coding.
By 2013, Vincenzetti counted around 40 governments, including the United States, among his clients, each of which spent between $50,000 and over $2 million a year for the Hacking Team’s software. In August 2012, the Drug Enforcement Administration (DEA) sank $2.4 million into RCS in order to spy on 17 “foreign-based drug traffickers and money launderers,” according to its contract, which the government agency released to the website Motherboard this February.
Vincenzetti was jet-setting around the world, entertaining international dignitaries, and sharing his company’s wealth with his trusted team. The Hacking Team did not publicly disclose its earnings, but “when I wanted more money,” Landi, a former employee, recalls, “he always said OK.”
In the wake of Citizen Lab’s explosive report in October 2012, some members of Vincenzetti’s staff began questioning whether the “people we are selling to are using [the software] in the right way, within the boundaries of law or not,” explains Pelliccione. The RCS developer was not part of Vincenzetti’s customer-review process. But when Pelliccione posed this query to his superiors, he says he was reassured that “they were checking everyone to make sure there were no abuses.”
Outside critics were anything but sanguine. The company’s notoriety grew, particularly among privacy advocates. In March 2013, Reporters Without Borders included Vincenzetti’s operation in its annual “Enemies of the Internet” report, warning that online surveillance posed “a growing danger for journalists, bloggers, citizen-journalists, and human rights defenders.” That autumn, about 20 activists stormed their way past the Hacking Team’s frosted glass door in Milan. One protester shouted through a microphone, while others waved fliers with slogans like, “United We Stand” and “#Stop Watching Us.” Many of the demonstrators wore white plastic masks with wide smiles, rosy cheeks, and Van Dykes — the guise of Anonymous, the international collective of activists and hackers.
According to Vincenzetti, who was in Rome at the time, the intruders stole whatever they could grab — papers, notes, personal items — while filming their invasion, which they later posted online. “It was a full assault,” he says. (No one was injured.) Three days later, when the CEO returned to Milan, he got into his gray Smart car to find its battery exposed and the fuel cap missing. “It was a warning,” he insists. Vincenzetti’s rise had not come without a growing opposition, wishing and working for his fall.
In June 2014, the Hacking Team received a fax from the U.N.’s Security Council Committee, referencing another Citizen Lab report released earlier that year. International sanctions prohibited the sale of “arms…including military equipment,” wrote Lipika Majumdar Roy Choudhury, coordinator of the U.N.’s panel of experts on Sudan. The company’s dealings with that country may have constituted a violation of this ban.
Vincenzetti’s team pushed back. Alessandra Tarissi De Jacobis, a lawyer from Cocuzza & Associati Studio Legale who advised Vincenzetti on the matter, informed him in an email that selling RCS to Sudan was akin to hawking it Tortas de Milanesa. “If one sells sandwiches to Sudan, he is not subject, as far as my knowledge goes, to the law,” she wrote. “HT should be treated like a sandwich vendor.” The U.N. had a different opinion: “The view of the panel is that as such software is ideally suited to support military electronic intelligence (ELINT) operations it may potentially fall under the category of ‘military…equipment’ or ‘assistance’ related to prohibited items,” Choudhury wrote. “Thus its potential use in targeting any of the belligerents in the Darfur conflict is of interest to the Panel.”
Last December, the panel presented the U.N. Security Council with a report accusing the Hacking Team of failing to cooperate with its inquiry, saying “it found it difficult obtaining accurate information” from the firm. The Hacking Team “certainly obstructed the work with the panel by consistently and deliberately failing to provide the specific information at its disposal as requested by the panel,” according to an unpublished U.N. report leaked to Foreign Policy’s senior diplomatic reporter Colum Lynch in April. The U.N. has not taken any action against the Hacking Team. Vincenzetti, though, says he ended the company’s contract with Khartoum in November 2014.
Looking back, Vincenzetti claims that had he been more informed about Sudan, he “would have never sold to them.” But he will not say he regrets the deal. “We didn’t break any law,” he goes on, nonplussed about the experience. “It just happened.” In other words, the company made an error in judgment — nothing more. But even that wouldn’t be tolerated for much longer.
Italy implemented the Wassenaar Arrangement, a multinational pact that controls the export of dual-use goods, on Jan. 1, 2015. The arrangement, originally created in 1996, had been amended to include surveillance software, which meant the Italian government would now vet the Hacking Team’s clients. After previous run-ins over what he calls his “inefficient” information on customers, Vincenzetti considered the Wassenaar a relief. “Now they tell me exactly what is allowed and what is not allowed,” he explains, “and I’m very happy about that.”
Behind the scenes, however, Vincenzetti had attempted to work around the rules before they even came into effect. In late 2013, according to leaked emails, the businessman was negotiating with the Saudi Arabian government to sell the kingdom a majority stake in the Hacking Team, which would give the Saudis controlling interests. Though Vincenzetti won’t confirm or deny the talks, part of the appeal, it seems, was to set up shop beyond the Wassenaar’s scope. “The newco should be away from countries adhering to the new, forthcoming export regulations on ‘offensive technologies’ which will [be] dictated by the recent Wassenaar Arrangement,” Vincenzetti wrote to his contact in Saudi Arabia. “We would like the newco to be in a country which will not impair the export of our technology.” (Vincenzetti says he does not recall the correspondence or this particular comment.)
The negotiations fell apart for unknown reasons. Vincenzetti insists only that his company has taken an unfair beating about other dealings in Saudi Arabia, which Citizen Lab disclosed in its 2014 report. “We have clients in Saudi Arabia,” he says. “Is Saudi Arabia a democracy? No, it’s a kingdom. You can approve or not approve this. I am not the judge of this. Still, there is something which is very clear: There is al Qaeda in the Arabian Peninsula. It is very strong, very organized, very active…and invariably strikes in Saudi. These terrorists can be fought over there.” He would not comment on Riyadh’s human rights record.
Yet the discussions with Saudi Arabia telegraphed to many Hacking Team employees that the company might be “a sinking ship,” Landi says. “They were trying to sell the company so there was not much attention on making a good product.” Pelliccione agrees: “The company became more and more opaque,” he says. “I decided I don’t need to do this for a living.”
Pelliccione quit in February 2014, followed by Landi and others. Landi claims that when he gave notice, Vincenzetti said it wasn’t new information. In other words, as Landi and others had already believed, Hacking Team employees were under surveillance too. “We accepted this,” Pelliccione says. “They know where you are and where you go.” But Rabe, the Hacking Team spokesman, rebuts this claim: “No surveillance of Hacking Team employees has occurred.”
Angered by the rising tide against him, and frustrated by Citizen Lab’s reports condemning the Hacking Team, Vincenzetti publicly defended his company. In a November 2014 letter to the Intercept, which had published Marquis-Boire’s analysis of the Hacking Team’s technology, Vincenzetti dismissed his foe as “a tireless wolf-crier on the issue of privacy as he defines it—apparently requiring anyone to be allowed to do anything without fear of detection.” (In an email, Marquis-Boire described his reaction to Vincenzetti’s words as one of “amusement?”.) Reporter Brian Donohue fired off a response on the security blog Threat Post, which read, “Interestingly, Vincenzetti does not directly say in his letter that his company does not sell products to despots.”
Privately, Vincenzetti dialed back his cavalier attitude. Later that November, a client asked in an email whether it would be possible to record a Hacking Team training for later use. “Definitely NOT!!!” Vincenzetti responded. “Imagine this: a leak on WikiLeaks showing YOU explaining the evilest technology on earth! You would be demonized by our dearest friends the activists, and normal people would point their fingers at you.” Yet he couldn’t help but continue to savor his company’s reputation. “Definitely, we are notorious, probably the most notorious name in the offensive security market,” he emailed Daniele Milan, his operations manager in May 2015. And that, Vincenzetti added, “is great.”
One early morning in July 2015, Vincenzetti was mid-pushup when his operations manager called his cell phone. “We’ve been attacked,” Vincenzetti recalls Milan saying.
A hacktivist known as Phineas Fisher had hijacked the Hacking Team’s official Twitter account and posted an ominous message: “Since we have nothing to hide, we’re publishing all our emails, files, and source code.” Following the message was a link to more than 400 gigabytes of the company’s most sensitive data. (A year prior, Phineas Fisher had attacked Hacking Team competitor Gamma Group, leaking 40 gigabytes of marketing and technical information on the company’s surveillance software, FinFisher, which was then being used in Turkey, Oman, and elsewhere.)
In the coming hours, spies around the world awoke to find their webs of surveillance laid bare. The Hacking Team’s technology had been rendered useless: The leak had made some 80 percent of the company’s source code visible online, meaning antivirus companies would soon get to work patching fixes. “It will become dead,” Vincenzetti told his staff. The code that he had built on invisibility now glowed in the dark. Writing in the IB Times, security analyst John McAfee described the hack as “a uniquely monumental event that threatens to bring down a well-known name in the mass surveillance industry.”
The leak exposed a trove of customer invoices confirming links to repressive regimes, including Ethiopia, Bahrain, Egypt, Kazakhstan, Saudi Arabia, Russia, and Azerbaijan. After years of claiming it evaluated customers, it became glaringly clear that the Hacking Team either did not care about human rights abuses or had been negligent in assessing them. As Bruce Schneier, a leading security analyst, wrote on his blog shortly after the leak, the “sleazy company…has been lying.”
For Marquis-Boire, the breach was validation of what he had been arguing for years: “The leadership was dismissive over human rights and privacy, which [Vincenzetti] saw as negative to their business interests.” Marquis-Boire was also surprised to find surveillance photographs of himself in the Hacking Team files, taken when he was giving a lecture in Italy.
Vincenzetti saw things very differently. The leak potentially foiled countless hours and millions of dollars his customers had spent gathering intelligence. Dangerous targets — terrorists, murderers, and kingpins — could learn that they were under watch and slip into hiding or, worse, retaliate.
Vincenzetti says some clients told him their investigations ground to a halt; others reported that they had to move in on targets early, using whatever limited evidence they had collected. Last August, Italy’s Chief of National Police Alessandro Pansa testified at a government intelligence hearing about the leak’s aftermath. “Italian law enforcement was forced to stop its activity,” he said, “causing great damages to many critical investigations, especially regarding terrorism.”
Much of this government panic happened behind closed doors, but a scandal in South Korea provided a rare, public portal into the leak’s fallout. South Korea’s main intelligence agency, the National Intelligence Service (NIS), had been under fire since September 2014, when a Seoul court found a former intelligence chief, Won Sei-hoon, guilty of using agents to post 1.2 million negative messages online in an effort to destroy the 2012 presidential campaign of an opposing political party. The Hacking Team breach fanned these flames by confirming that South Korea had purchased spyware, which activists worried was being used to keep tabs on government opponents.
Less than two weeks after the hack, an NIS spy — whom police identified only by the last name Lim — was found dead of carbon monoxide poisoning in his car, which was parked on a mountainside road outside Seoul. On his passenger seat, he left a three-page suicide note written on yellow paper in which he took responsibility for buying the Hacking Team’s technology but vowed that it had been used only to spy on North Korea. “It was a mistake on my part,” he wrote. “But there is nothing to be worried about over any of my actions.”
Subsequent reporting revealed that, in a closed-door meeting, the NIS admitted to using the spyware more than 200 times to track North Korea’s illegal arms trade, as well as Pyongyang’s spooks in South Korea. The NIS also claimed to have arrested Chinese drug dealers thanks to intelligence gleaned with the technology. In response, the editorial board of the English-language JoongAng Daily wrote in support of the government’s deal with the Hacking Team. “Intelligence gathering, surveillance and cyber activities through hacking techniques are necessary for a state spy agency in today’s world,” the board wrote. “Cyberskills and technology are crucial to fight North Korea and criminal groups that are getting more and more sophisticated.”
Phineas Fisher’s identity is unknown, but Vincenzetti has said the hack was an inside job. (Italian authorities have not yet brought charges against anyone.) Whatever the case may be, the attack hurt the company’s bottom line. Vincenzetti says the Hacking Team lost around 20 percent of its customers in the months after the leak, including the United States; in 2015, the company reported $14 million in revenue. “I respect the clients who decide to stop working with us,” he says.
That his private emails were exposed does not faze him. “If you want to read it, read it,” Vincenzetti says. “I don’t care. I’m myself.” Of much more concern has been fixing his company’s goods. For three months after the breach, the Hacking Team rewrote its spyware from scratch into what Vincenzetti calls a “much better” product.
In addition to the latest RCS, he has three new tools. He won’t discuss two of them in great detail; however, when pressed, he hints at what’s to come with one of the tools, saying, “If you can get close to a Wi-Fi device, irrespective of the protection of the network, we can extract a lot of information from it.” Then, in what may be Vincenzetti’s boldest, most controversial claim to date, he says his company can now decrypt Tor. No longer will his clients have to bait a Tor user in order to circumvent the anonymity software — as Morocco did with the Scandal file it sent to Mamfakinch. Now, Vincenzetti boasts, his software can “break” Tor. “I can put a box in this room which will decode all your encrypted traffic on the fly,” he tells me. “Logins, passwords, locations, real user name, real site names…. It’s black magic.”
This kind of decryption would not only transform law enforcement, but also threaten to destroy the protection that private citizens, namely political dissidents, have come to expect online. Jeff Moss, a security analyst and founder of the Def Con hacker conference, is dubious of Vincenzetti’s claim — but if true, he says, it would be “a severity 10” bug that the Tor community would have to race to fix.
This device, Vincenzetti insists, is in use already. He cannot say who, exactly, is employing it: Once he sells his tools to agencies, he does not know which spies are using them, where, or why. “I don’t even have their phone numbers most of the time,” he says. “They have mine.”
While Vincenzetti’s team touts its updated RCS, Almiraat is still feeling the effects of the company’s older version. The activist is awaiting trial for “threatening the internal security of the state,” in the words of the Moroccan penal code, a crime that carries a five-year sentence. Four other Mamfakinch contributors now face similar charges.
This is just the latest fallout of Morocco’s use of Hacking Team software against Mamfakinch. In the months that followed that July day, when Almiraat first knew something had gone terribly wrong, volunteers, the lifeblood of his group, dwindled from 30 to five. “By showing they can violate the privacy of our work,” he says of the Hacking Team, “they sent a chilling effect over the whole business of online dissent.”
Morocco remains a Hacking Team client. Vincenzetti says his company lawfully engaged with a government that, he notes in an email, “is an ally of the U.S. and a partner in the fight against terrorism. Morocco is also an ally of most European nations, and Moroccan intelligence agencies recently provided France with essential information to locate the terrorists in Paris and in Bruxelles.”
What lessons, if any, he takes from instances in which his clients have committed abuses is not clear. Perhaps he is not concerned with learning any. “Having the tools to fight terrorism in states where terrorists may operate,” he writes in his email about Rabat, “protects innocent people there and elsewhere.”
These days, Vincenzetti is busy traveling the world to recruit new customers, following a schedule resembling his earliest, frenetic Hacking Team days. As with his big break after the Madrid attacks, he sees an increasingly urgent demand to hack and track criminals — from San Bernardino to Paris to Brussels to Istanbul.
He may have lost business in last summer’s breach, but as much as the incident hit his company, it may also have hyped it; he’s gained four new contracts in the past year. So is he indebted to Phineas Fisher for forcing the Hacking Team to improve its wares?
Vincenzetti smiles sheepishly. For him, the answer is easy.