The US Crackdown on Spyware Vendors Is Only Beginning

On Tuesday, the Department of Justice announced that a Mexican businessman had pleaded guilty to conspiring to sell surveillance and hacking tools made by Hacking Team, a notorious spyware vendor that is now defunct. 

The case, according to experts, shows that the U.S. government is willing to go after individuals who acted as middlemen between well-known international spyware vendors and foreign countries like Mexico, signaling a potential escalation in the U.S. government’s crackdown on spyware vendors. 

In its press release, U.S. authorities made it clear that this case wasn’t just about Guerrero.

“Today’s guilty plea helps stem the proliferation of digital tools used for repression and advances the digital security of both U.S. and Mexican citizens,” U.S. Attorney Randy Grossman is quoted as saying. 

In the plea agreement, Carlos Guerrero, who was the head of a company that distributed surveillance technology called Elite by Carga, admitted that he sold Hacking Team spyware knowing that the Mexican authorities who were purchasing it “could and likely would” use it for “political purposes, not just for law enforcement purposes.” 

The agreement cites a few cases in particular. In one, Guerrero and his employee Daniel Moreno helped the mayor of a town in the state of Morelos to hack a political rival and access their Twitter, Hotmail, and iCloud accounts. In another case in December 2015, Guerrero and one of his employees used “an interception device” to wiretap the phone calls of “a business competitor.” And in another instance in February 2017, “one or more Elite by Carga employees agreed to hack the phone and email account of a Florida- based sales representative of a large Mexican business in exchange for an approximately $25,000 payment from the Mexican business.”

The plea agreement doesn’t include more details about the two cases. 

Guerrero’s lawyer did not immediately respond to a request for comment and a spokesperson for the U.S. Attorney’s Office of the Southern District of California, which prosecuted the case, declined to comment, saying “that’s all the information that is publicly available at this time.”

But a person with knowledge of the case, who asked to remain anonymous as they were not authorized to speak to the press, told Motherboard that the investigation is still ongoing and there will be more developments in the next few months. 

John Scott-Railton, a senior researcher at the Citizen Lab, a digital rights watchdog housed at the University of Toronto's Munk School that has investigated companies like Hacking Team and Israeli spyware vendor NSO Group for years, told Motherboard that he was pleased with the news, and that this case “sends another signal” that the U.S. government is very interested “in mercenary spyware abuses.”

“Clearly, they have a long memory,” he said in an online chat. “I bet a few spyware distributors will have a terrible sleep tonight, and think twice before flying to the U.S. any time soon.”

The indictment of Guerrero, according to Scott-Railton and another researcher who has been investigating surveillance in Mexico, is yet another case that shows abuses in the country were rampant. 

“It also helps cement our understanding of Mexican spyware customers as serial abusers. Nobody should be selling them spyware right now,” Scott-Railton said. 

“The acquisition and use of surveillance tech by mexican authorities is out of control, full of corruption, abuse and impunity,” Luis Fernando García, the director of Red en Defensa de los Derechos Digitales (R3D), a Mexican digital rights organization, said in an online chat. “Although I can’t speculate on what the USG motives or strategy is, certainly any actions by the US justice system that hold vendors and abusers accountable are very welcomed.”

According to Mexican news outlet El Punto Norte, Guerrero and his government contacts were investigated in the country as well, but the inquiry was closed. 

Guerrero’s case comes months after the US government announced that it had added NSO to a list of companies that are restricted from purchasing products and services from US companies, effectively making it hard for them to procure crucial equipment and technology. More recently, a European watchdog suggested that European governments should halt the development and purchase of any technology like the spyware developed by NSO. 

Guerrero is out of jail awaiting the sentencing hearing, which is scheduled for May 13.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.