Hacking Team by the Numbers

We're now getting a sense of the scale of the company's operations.

Jul 8 2015, 6:45pm

Image: Jonathan McIntosh/Flickr

Days after the release of Italian surveillance company Hacking Team's internal files, new revelations are still coming out. By reviewing client lists and information from a source with knowledge of Hacking Team, it's possible to establish a sense of the scale of the company's operations.

Hacking Team's revenue from its government clients stretches into the tens of millions of euros, and potentially thousands of devices across the world have been infected with the company's spyware.

On Sunday, a hacker dumped 400GB of Hacking Team contracts, invoices, emails, and source code onto the internet. In the wake of this, the company asked its customers to stop using its premiere product, Remote Control System (RCS), which is capable of siphoning off a target's Skype calls, emails, social media messages, and more.

Potentially 6,550 devices could have been infected with RCS since 2008, according to an internal spreadsheet reviewed by Motherboard. The file, dated May 2015, includes details on seemingly all of Hacking Team's government clients. It contains a column titled "Total # Targets."

"Targets" refers to licenses bought by a customer to use Hacking Team's software, according to a source with knowledge of the company. The number of licenses dictates how many devices may be spied on: For example, purchasing 25 licenses would allow a Hacking Team client to install malware on 25 devices.

Typically, a customer will purchase as many licenses as they think they will need, even if they ultimately target fewer individual devices, the source said.

According to the document, Morocco, a notorious Hacking Team customer, has had the ability to hack into 2,300 separate devices. Saudi Arabia comes in second, with 1,250 licenses spread across three different government departments, and the United Arab Emirates has purchased licenses for 1,115 devices.

Other notable customers are Sudan's National Intelligence and Security Service, which has 240 licenses, and Mongolia which has purchased 200 of its own. The majority of Hacking Team's customers had fewer than 100 targets.

These figures are not conclusive. In the spreadsheet, the total number of targets is left blank for some customers. This includes several Mexican agencies, as well as the Royal Thai Army and one Vietnamese client.

An Italian police force and two intelligence agencies apparently have "unlimited" targets available to them.

Also, because the column relates to the total number of targets, it is not known whether all of those licenses were all active at one point in time.

It is also unclear how many purchased licenses have led to actual infections of a device.

Regardless, Hacking Team has sold its products to 23 intelligence agencies, 30 law enforcement agencies, and 11 institutions listed as "other", according to the spreadsheet. "Other" does not appear to be a consistent characterization: it includes the Egyptian Ministry of Defense, the United States' Drug Enforcement Administration, and the United Arab Emirates intelligence agency. A few client entries are not given any classification.

In all, Hacking Team has generated 40,059,308 euros ($44,358,072) "total client revenues" from its government clients, according to the spreadsheet.

Before this recent flood of information, it was already known that Hacking Team dealt with some of the most authoritarian regimes on the planet. Now, an idea of how global their business really was, and how large, is coming into view.

Additional reporting by Lorenzo Franceschi-Bicchierai