Three former US intelligence operatives, who worked as mercenary hackers for the United Arab Emirates, agreed to pay fines of US$1.685 million (A$2.3 million) and cooperate with federal prosecutors to avoid trial, the US Justice Department.
Defendants Marc Baier, Ryan Adams, and Daniel Gericke were part of a clandestine unit named Project Raven, first reported by Reuters, that helped the United Arab Emirates spy on its enemies.
The three entered into an agreement, known as a deferred prosecution agreement, with US prosecutors who accused them of conspiring to violate hacking laws, the Justice Department said in court documents.
The three also agreed to give up foreign or US security clearances and face future employment restrictions.
They agreed to "cooperate fully" and provide "full, complete, and truthful information to the FBI or any other US government organisation" and provide documents sought by the government.
Acting US Assistant Attorney General Mark J. Lesko said in a news release: "This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorisation from computers worldwide, including in the United States.”
Reuters previously reported that Baier was a program manager for Project Raven. Adams and Gericke were operators within the effort, helping the UAE hack its targets.
Text messages sent to Baier and Adams requesting comment went unanswered. A social media message to Gericke also did not receive an immediate response.
Lawyers for the three defendants did not immediately respond to a request for comment.
The court document states: "Defendants used illicit, fraudulent, and criminal means, including the use of advanced covert hacking systems that utilised computer exploits obtained from the United States and elsewhere, to gain unauthorised access to protected computers in the United States and elsewhere and to illicitly obtain information."
Lori Stroud, a former US National Security Agency analyst who worked on Project Raven and then acted as a whistleblower, said on Tuesday: “The Bureau’s dedication to justice is commendable, and I have the utmost respect for the agents assigned to this case."
"However, the most significant catalyst to bringing this issue to light was investigative journalism - the timely, technical information reported created the awareness and momentum to ensure justice," she said.
The court documents describe how the three men helped the UAE design, procure and deploy hacking capabilities over multiple years.
Their victims allegedly included US citizens, which Reuters previously reported based on information provided by Stroud.
Former program operatives told Reuters they believed they were following the law because superiors promised them the US government had approved the work.
The documents describe how the Project Raven operatives acquired and wielded an elite hacking tool named Karma, which Reuters reported was used to remotely break into iPhones.
The Justice Department said the hacking tool was acquired from two unnamed U.S. companies.
Karma was used to break into the iPhones of prominent activists who spoke out against the UAE's human rights record, Reuters reported.