A startup that claims to sell surveillance and hacking technologies to governments around the world left nearly all its data—including information taken from infected targets and victims—exposed online, according to a security firm who found the data.
Wolf Intelligence, a Germany-based spyware company that made headlines for sending a bodyguard to Mauritania and prompting an international incident after the local government detained the bodyguard as collateral for a deal went wrong, left a trove of its own data exposed online. The leak exposed 20 gigabytes of data, including recordings of meetings with customers, a scan of a passport belonging to the company’s founder, scans of the founder’s credit cards, and surveillance targets’ data, according to researchers.
Security researchers from CSIS Security discovered the data on an unprotected command and control server and a public Google Drive folder. The researchers showed screenshots of the leaked data during a talk at the Virus Bulletin conference in Montreal, which Motherboard attended.
“This is a very stupid story in the sense that you would think that a company actually selling surveillance tools like this would know more about operational security,” CSIS co-founder Peter Kruse told Motherboard in an interview. “They exposed themselves—literally everything was available publicly on the internet.”
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
In an online chat, Wolf Intelligence founder Manish Kumar told me that it wasn’t his company that left the data online, but a reseller he refused to identify. He also said that he plans to sue CSIS for hacking his reseller; CSIS is adamant that it did not hack anything, as everything was exposed and open to anyone
“They claim wrong that it’s for hacking innocent people, and damage our image.” Kumar said, but refused to answer additional questions about who was the reseller, and who his customers are.
CSIS researcher Benoît Ancel told Motherboard the researchers “have many indications that it was not a reseller,” and was instead a mistake by Wolf Intelligence. To support this, he shared pictures from the servers such as a screenshot of an exposed database that shows one of Kumar’s cellphone numbers and a series of intercepted text messages, and a screenshot of a Slack conversation between Kumar and one of his employees.
A slide from CSIS talk, showing Kumar’s headshot, which was stored in the exposed server.
Wolf Intelligence is part of the so-called “lawful intercept” industry. This is a relatively unregulated—but legal—part of the surveillance market that provides hacking and spy software to law enforcement and intelligence agencies around the world. Hacking Team, FinFisher, and NSO Group are the more well-known companies in this sector. According to a recent estimate, this market is expected to be worth $3.3 billion in 2022.
These companies generally sell spyware that infects computers and cell phones with the goal of extracting evidence for police or intelligence operations, which can be particularly useful when authorities need to get around encryption and have a warrant to access the content of a target’s communications. But in the past, companies like Hacking Team, FinFisher, and NSO Group have all sold their malware to authoritarian regimes who have used it against human rights defenders, activists, and journalists.
This mistake, however, may be the worst we’ve ever seen.
“Maybe they were thinking that the server was secure, I don't know, but it was definitely stupid,” Kruse said. “Everything was just floating around on the internet. That's why I thought this story was too good to be true.”
Kruse’s colleagues Benoît Ancel and Aleksejs Kuprins found the data as they were investigating a banking malware sold on the internet underground and used by several cybercriminals, the two said during a talk at the Virus Bulletin conference in Montreal in early October. They said that banking malware had shared infrastructure with a malicious Remote Access Trojan or RAT.
The researchers said they were able to find a Windows, an Android, and an iOS variant of that RAT, and figured out that it was produced by Wolf Intelligence. They also found data belonging to several victims in countries such as Egypt, Saudi Arabia, and Turkey. One of the victims, they said, is a human rights defender.
The malware itself, according to the researchers, is pretty rudimentary.
“It’s very shitty and it’s just copy paste from open source projects,” Ancel told Motherboard in a phone interview, referring specifically to Wolf Intelligence’s iOS malware. Motherboard did not independently analyze the malware, and Kumar stopped responding to Motherboard soon after I began talking to him.
During the public presentation in Montreal, Ancel said that Kumar “seems to be the kind of criminal who try to scam people with a shitty product.”
Ancel and Kuprins are not the first to publicly question the quality of the Wolf Intelligence’s products and to slam its founder.
“Manish is a walking scam,” security researcher Agostino Specchiarello told me, who once met with Kumar to consider a business deal with him. “He used to claim that stuff made by others was his.”
A map showing the location of targets of Wolf Intelligence customers. Image: CSIS Security
In early 2017, Hacking Team’s CEO David Vincenzetti told Motherboard that Kumar is a "criminal of the worst kind."
Yet, Hacking Team worked with Kumar once, according to a former company employee who asked to remain anonymous to discuss details of his previous job.
Kumar did not respond to questions regarding his deals with Hacking Team.
The CSIS researchers said that after their talk at Virus Bulletin, Wolf Intelligence shut down the exposed servers.
“They are here and still in the business,” Ancel told me.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.