Optiv spokesperson Jeremy Jones wrote in an email that his company has “cooperated fully with the Department of Justice” and that Optiv “is not a subject of this investigation.” That’s true: The subjects of the investigation are the three former US intelligence and military personnel who worked illegally with the UAE. However, Accuvant’s role as exploit developer and seller was important enough to be detailed at length in Justice Department court filings.
The iMessage exploit was the primary weapon in an Emirati program called Karma, which was run by DarkMatter, an organization that posed as a private company but in fact acted as a de facto spy agency for the UAE.
Reuters reported the existence of Karma and the iMessage exploit in 2019. But on Tuesday, the US fined three former US intelligence and military personnel $1.68 million for their unlicensed work as mercenary hackers in the UAE. That activity included buying Accuvant’s tool and then directing UAE-funded hacking campaigns.
The US court documents noted that the exploits were developed and sold by American firms but did not name the hacking companies. Accuvant’s role has not been reported until now.
“The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity,” Bryan Vorndran, assistant director of the FBI’s Cyber Division, said in a statement. “This is a clear message to anybody, including former US government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company—there is risk, and there will be consequences.”
Prolific exploit developer
Despite the fact that the UAE is considered a close ally of the United States, DarkMatter has been linked to cyberattacks against a range of American targets, according to court documents and whistleblowers.
Helped by American partnership, expertise, and money, DarkMatter built up the UAE’s offensive hacking capabilities over several years from almost nothing to a formidable and active operation. The group spent heavily to hire American and Western hackers to develop and sometimes direct the country’s cyber operations.
At the time of the sale, Accuvant was a research and development lab based in Denver, Colorado, that specialized in and sold iOS exploits.
“The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity. This is a clear message to anybody… there is risk, and there will be consequences.”
Brandon Vorndran, FBI
A decade ago, Accuvant established a reputation as a prolific exploit developer working with bigger American military contractors and selling bugs to government customers. In an industry that typically values a code of silence, the company occasionally got public attention.
“Accuvant represents an upside to cyberwar: a booming market,” journalist David Kushner wrote in a 2013 profile of the company in Rolling Stone. It was the kind of company, he said, “capable of creating custom software that can enter outside systems and gather intelligence or even shut down a server, for which they can get paid up to $1 million.”
Optiv largely exited the hacking industry following the series of mergers and acquisitions, but Accuvant’s alumni network is strong—and still working on exploits. Two high-profile employees went on to cofound Grayshift, an iPhone hacking company known for its skills at unlocking devices.
Accuvant sold hacking exploits to multiple customers in both governments and the private sector, including the United States and its allies—and this exact iMessage exploit was also sold simultaneously to multiple other customers, MIT Technology Review has learned.
iMessage flaws
The iMessage exploit is one of several critical flaws in the messaging app that have been discovered and exploited over recent years. A 2020 update to the iPhone’s operating system shipped with a complete rebuilding of iMessage security in an attempt to make it harder to target.
