In early April 2014, a spy from Ecuador's intelligence agency sent a flurry of emails to the support team of Hacking Team, a company of Italian hackers-for-hire that works with government agencies around the world.
The agent, Luis Solis, needed Hacking Team to plant its spyware in a series of PDF documents he planned to send. This episode would've been just another story of a customer asking for help booby-trapping email attachments—which was standard procedure for Hacking Team—if it wasn't for the target of the investigation.
Solis, who worked for the spy agency SENAIN, wasn't trying to hack a drug dealer or an alleged criminal. He was trying to infect Carlos Figueroa, a doctor and well-known activist who's been opposing the government of President Rafael Correa.
Hacking Team's support engineer Bruno Muschitiello seemed worried—not because his customer wanted to use the company's Remote Control System, or RCS, spyware against a political opponent—but because he thought he'd get caught.
"It is not a good choice send [sic] many exploit documents to the same target, it can be very risky, the target may suspect something," Muschitiello wrote in an email.
It's unclear if Muschitiello or Hacking Team realized these infected documents were intended for Figueroa. But Solis wasn't exactly trying to hide it. In fact, the agent included a screenshot of a fake invitation to a medical conference, one of the booby-trapped documents he wanted to send to Figueroa, in an email to Muschitiello. The screenshot showed the email address "dr.carlosfigue."
"I had four email accounts and problems with all of them," Figueroa told the Associated Press, which first reported on the incident last year. "I also had problems with Facebook. At one point, it seems like they attacked all my communications on social media."
Solis apparently also used Hacking Team's spyware to target judges and other politicians opposing the government of Correa, according to a series of screenshots contained in an email analyzed by a member of the Tor Project.
This is just one example where Hacking Team's technology was used against dissidents or political opponents in Latin America, one of the company's biggest regional markets, where the practice was more common than Hacking Team ever admitted. In fact, in the past, the company repeatedly claimed to vet its customers to make sure they wouldn't abuse its products, and said it simply provides a tool for police to "track criminals and terrorists."
In a new, exhaustive report on the use and legality of Hacking Team's spyware in Latin America, the digital rights organization Derechos Digitales details some cases where the spyware was abused, and argues that in general the use of RCS was against the law.
"It's illegal in the whole region," Gisela Perez de Acha, a lawyer and public policy analyst at Derechos Digitales, and the author of the report, told Motherboard. "And it's illegal because [the use of government malware] is not explicitly authorized."
And even if in some cases there were court orders authorizing it, that doesn't make it legal, the report concluded.
"OK, there's a court order. But is this enough in countries with collapsed democratic institutions and judicial powers that are not independent such as Mexico?" Perez de Acha said.
There is also another problem in countries with pervasive corruption, she added. How can you tell who you're really selling your spyware to?
"In Mexico, the police, the authorities, public officials, and organized crime are the same thing. They work together, they work in collusion, both actively or by omission," Perez de Acha told me. "Considering this, if you give spyware to the police who makes students disappear, you're practically giving it to the organized crime."
For Hacking Team, Latin America was a continent ripe for business. Several government agencies in seven different countries bought RCS at some point in the last few years, and the company negotiated the sale of its spyware in six other countries, practically blanketing the whole continent.
Mexico was by far the best market, with 11 different customers, including the country's intelligence agency CISEN, the Federal Police, the State Attorney, and five state authorities, according to leaked documents from the company. Through the years, Hacking Team grossed 5.8 million euros in Mexico. (For reference, the second and third best markets were Italy, with a combined 4 million, and Morocco, with 3.1 million euros.)
Perhaps it shouldn't come as a surprise that authorities in Mexico thought they'd need software like Hacking Team's RCS, with the country's ongoing and bloody war against drug cartels.
"Hacking Team continues to market especially to governments in places where there is the need to investigate serious crime," the company's spokesperson Eric Rabe told me in March, in response to a previous story. "As one example—the drug cartel issues in Latin America are well known and have a wide impact well beyond the region."
But there's evidence that Hacking Team's Mexican customers weren't just using it to hunt down drug lords. The governor of Puebla was perhaps the worst offender, using RCS to spy on several political rivals, academics and journalists, according to leaked emails reported in the local press.
Most of the local customers, according to Derechos Digitales, were not legally authorized to use spyware like Hacking Team's RCS, given that only federal authorities, and not state ones, can request judicial permission to intercept communications according to the Mexican constitution. Strangely, among Hacking Team's customers in Mexico was one client that isn't strictly a government agency, the state-owned oil company PEMEX.
Other customers, not just in Mexico and Ecuador, apparently used Hacking Team's software to spy on targets who weren't criminals or terrorists.
In Panama, the company's products were part of a high-level political scandal. The government bought the surveillance software in 2011, spending $680,000, under the direct order of former President Ricardo Martinelli. It's unclear who the government surveilled using RCS, but in 2014, Martinelli's government got Hacking Team to extend its spyware license ahead of the local presidential elections in May of that year, leading many to speculate the government wanted to use them to spy on political opponents.
Later that year, after Martinelli's hand-picked successor surprisingly lost the elections to outsider candidate Juan Carlos Varela, Hacking Team's surveillance equipment in Panama mysteriously went missing. Panamanian anti-corruption authorities then launched an investigation, but nothing has come out of it so far.
"As a Panamanian, I was incensed to see how an Italian company sold to my country's government software to spy on citizens that, just like me, were critical of the government," Alvin Weeden, a lawyer who worked in the Panama government as a comptroller in the early 2000s, and who filed a separate lawsuit against former government officials and Hacking Team employees last year, told me. "Given that none of the Panamanian citizens I sued have been detained, it looks like there's no real intention to prosecute them."
Other than in Panama, however, no other countries have announced any inquiry into the purchase or the use of Hacking Team's spyware. Other countries, such as Colombia, simply denied having any relationship with Hacking Team, while admitting buying spyware from one of Hacking Team's many resellers in the region. In Chile, the Investigations Police, which paid 2.2 million euros for it, publicly admitted buying RCS after Hacking Team was breached by an outside hacker last year, revealing most of its internal secrets, including its relationship with the Latin American country. The agency defended its use, saying it was "exclusively used to prosecute crimes with prior judicial authorization."
In a way, it seems all the revelations from the leaks have fallen on deaf ears in Latin America. Human rights activists such as Perez de Acha and Derechos Digitales Director Claudio Ruiz hope that can still change, especially considering the continent's "history of authoritarianism and repression," as the report put it.
"The main goal of criminal investigation and intelligence systems is to safeguard security, peace and the principles of each country," the organization's report concluded. "However, when you use methods like malware, these goals are reached via secret and potentially illegal mechanisms—with little public discussion—when, given its democratic goal, they ought to be object of citizen control and accountability."
Months after the hack, Hacking Team is now back in business—although struggling to stay afloat. And the company has not given up on the continent. Earlier this year, a representative of the company travelled to one of the few countries in Latin America that hasn't bought RCS before. After an unimpressive pitch, however, the new potential customer turned down Hacking Team's offer.
But Hacking Team isn't the only company selling spyware to governments. There's now an entire industry around helping police, intelligence and other agencies use hacking tools to track targets. One of its competitors, FinFisher, also allegedly sold spyware in Latin America, to Venezuela, Paraguay and Mexico. Given its history, Latin America will likely remain a juicy target for the flourishing, and mostly underground, spyware vendors such as Hacking Team and FinFisher.