'World's Most Wanted Man' Involved in Bizarre Attempt to Buy Hacking Tools

Leaked emails and an allegedly fraudulent letter mention Jan Marsalek in a bizarre attempt to purchase hacking tools.
July 21, 2020, 2:39pm
49054670061_11f37d3509_o
Image: Web Summit/Flickr

The fugitive executive of the embattled payment startup Wirecard was mentioned in a brazen and bizarre attempt to purchase hacking tools and surveillance technology from an Italian company in 2013, an investigation by Motherboard and the German weekly Der Spiegel found.

Jan Marsalek, a 40-year-old Austrian who until recently was the chief operating officer of the rising fintech company Wirecard, seems to have taken a meeting with the infamous Italian surveillance technology provider Hacking Team in 2013. At the time, Marsalek is described as an official representative of the government of Grenada, a small Caribbean island of around 100,000 people, in a letter that bears the letterhead of the Grenada government. The documents were included in a cache published after Hacking Team was hacked in 2015. In recent days, Marsalek has been described as the 'world's most wanted man.'

It is unclear from the documents alone whether Marsalek played any role in the attempt to procure hacking tools, or whether his name was simply used. However, months before Marsalek appears to have contacted with Hacking Team, several websites with official sounding names such as StateOfGrenada.org were registered under the name of Jan Marsalek, as Der Spiegel reported last week. Some of the sites were registered with Marsalek’s phone number and his Munich address at the time, and the servers were apparently operated from Germany.

Wirecard provided digital payment services and was considered one of the most important companies in the financial tech industry. Wirecard offered a mobile payment app called Boon, which was essentially a virtual MasterCard card, it also offered a prepaid debit card called mycard2go, and worked with companies such as KLM, Rakuten, and Qatar Airways to manage their online transactions. The company suddenly collapsed in June after German regulators raided its headquarters as part of an investigation into fraudulent stock price manipulation and 1.9 billion euros that are missing from the company’s books. Marsalek is now a fugitive and a key suspect in the German investigation. He reportedly fled to Belarus, and is now hiding in Russia under the protection of the FSB, according to German news reports. In the past, he was involved in other strange dealings: he bragged about an attempt to recruit 15,000 Libyan militiamen, and about a trip to Syria along with Russian military, according to the Financial Times.

“Further to your discussion with our representative, Mr. Jan Marsalek, we would like to hereby confirm the interest of the Government of Grenada in exploring a potential acquisition of the smartphone interception platform of your company,” reads what appears to be an official Grenada government letter dated October 31, 2013 allegedly signed by the Minister for Foreign Affairs Nickolas Steele.

grenada_letter

A letter that was attached to emails between a Mexican intermediary and Hacking Team.

Along with a Mexican intermediary, Marsalek appears to have brokered a meeting in Milan at Hacking Team’s headquarters on November 27, 2013, according to the leaked emails. An email dated November 28 mentions a “fruitful meeting” with Marsalek and an associate “regarding Grenada.”

“Mr. Marsalek will report his impressions to the Grenada officers, if positive, the process will take around three weeks. Please keep us updated,” wrote Marco Bettini, one of Hacking Team’s founders and the then sales manager.

A former Hacking Team employee, who asked to remain anonymous, confirmed receiving the emails regarding the meeting. He said, however, that he was not present at the meeting.

As it turns out, Marsalek was never a Grenada government representative, Der Spiegel and Motherboard have found.

In a phone call, Steele, who is now the Minister Health in Grenada said the document leaked in the Hacking Team emails is fraudulent.

“I can categorically state that the letter in your attachment bearing a resemblance to my signature and office at that time is a fraudulent document,” Steele said in the phone call, referring to the apparent business deal between Grenada and Hacking Team. “I certainly did not make that request or any such request.”

Do you work or used to work at Hacking Team or another surveillance vendor? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzo@motherboard.tv.

Steele confirmed to Spiegel and Motherboard that he had met Marsalek and another person whose name is mentioned in the document in the summer 2013. “He was a very charismatic young man and a smooth talker,” Steele remembers. The meetings were about a business proposal from Marsalek involving Wirecard technology. In the end, however, no deal was made, Steele said.

The head of Encryptech, a Mexican company that is mentioned in the letter, and which worked as an intermediary between Hacking Team and some government customers, called the letter “fake.”

“They used the name of my company without authorization,” Alfonso Ayensa said in an online chat.

The spyware deal, however, never went through. It is impossible to say from the documents alone who was attempting to procure these hacking tools, what they were going to be used for, or how involved Marsalek was. Hacking Team has always maintained that it only sold its products to government agencies, after obtaining an export license from the Italian government. Had this deal gone through, it would have been the first known case where Hacking Team’s powerful spyware ended up in the hands of private citizens.

Paolo Lezzi, the head of Memento Labs, the company that was born out of Hacking Team’s ashes, said Grenada was never a customer, based on the company’s internal documents he has access to. Two other former Hacking Team employees who worked there in 2013 and onwards, said Grenada never purchased the company's products.

Subscribe to our new cybersecurity podcast, CYBER .