The three defendants, Marc Baier, 49, and Ryan Adams, 34, and a former U.S. citizen, Daniel Gericke, 40 – all former employees of the U.S. Intelligence Community or the U.S. military – agreed to pay $1,685,000 in penalties as part of a deferred prosecution agreement.
The agreement also restricts their future activities and employment.
The defendants were part of a "clandestine unit named Project Raven that helped the UAE spy on its enemies," according to Reuters.
The defendants "supported and carried out computer network exploitation operations" – otherwise known as hacking – "for the benefit of the U.A.E government between 2016 and 2019," according to court documents.
The defendants were warned that their work for the U.A.E. company constituted a defense service, which requires a license from the State Department’s Directorate of Defense Trade Controls (DDTC). Despite the warning, the defendants proceeded to provide services without a license.
Worse, one of the services provided is considered a particularly malicious type of hack known as "zero-click," where malware can be downloaded without any user interaction. Typically, a user clicks on a malicious link, for example, to execute the malware.
The U.A.E. company employees then "leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States," the DOJ said.
The provision of so-called mercenary hacking services is not a small problem. This past week a serious iPhone hack was linked to a company providing mercenary hacking services.
"Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct," said acting Assistant Attorney General Mark J. Lesko for the Justice Department’s National Security Division in a statement.
Jake Williams, co-founder and CTO at BreachQuest, an Augusta, Georgia–based company that provides incident response, said that the persons involved should have been aware of the consequences of their work.
"There's little question in my mind that Project Raven crossed a legal boundary. What is less clear is whether the U.S. persons involved knew the project would be used to target other U.S. persons and U.S. organizations," Williams told FOX Business.
"Given that the original mission was slated as counter terrorism, a mission that is very loosely defined by its nature, it was predictable that might be the ultimate outcome," Williams said.
"[When] U.S. companies and U.S. persons were targeted under the program, every U.S. person involved likely knew it was only a matter of time before some legal action was taken," Williams added.