FBI wanted Maltese hacker extradited over sale of Pegasus, Warzone trojans

Daniel Meli, 27, of Zabbar, was arrested on February 7 at the request of the United States, in a coordinated operation by the Malta Police Force and the Office of the Attorney General of Malta, supported by the FBI and the US Justice Department. 

Daniel Meli has consented to being extradited to the US on charges relating to the sale of sophisticated spyware

The Zabbar man who, earlier this week, consented to being extradited to the United States will face indictment for allegedly hawking spyware, including the notorious Pegasus trojan, online.

The Pegasus remote access trojan (RAT), developed by Israel-based cyber surveillance specialist NSO Group, had already been in use for years by the time it was yanked from the shadows. It was in 2021 that Forbidden Stories revealed that it had been used to spy on more than 50,000 phone numbers belonging to activists, journalists and other people deemed “of interest” to some of the world’s most repressive regimes.

Russian-Israeli citizen and former Israeli military engineer Anatoly Hurgin is the founder of Ability Ltd, which cooperated with NSO Group on Pegasus, handling the network side of NSO’s operations. A report compiled by the European Parliament notes Hurgin as having acquired Maltese citizenship for himself and three family members in 2015 at a cost of €750,000, despite having been under investigation by the US and Israeli authorities for various crimes at the time.

Daniel Meli, 27, was arrested on February 7 at the request of the United States, in a coordinated operation by the Malta Police Force and the Office of the Attorney General of Malta, supported by the FBI and the US Justice Department. 

The Northern District of Georgia sought Meli’s extradition to the United States after he was indicted by a federal grand jury in the Northern District of Georgia on Dec. 12, 2023, for offences which include causing unauthorised damage to protected computers, illegally selling and advertising an electronic interception device, and participating in a conspiracy to commit several computer intrusion offences. 

US prosecutors accuse Meli of having offered malware products and services for sale to cybercriminals through online computer-hacking forums “since at least 2012.”

He is alleged to have assisted cybercriminals who wanted to use RATs for malicious purposes and offered teaching tools for sale, including an eBook. He is also alleged to have sold both the Warzone RAT and, before that, malware known as the Pegasus RAT, which was sold through an online criminal organisation that called itself “Skynet-Corporation”, as well as providing online customer support to purchasers of both RATs.

Four of the charges which Meli will face in America (conspiracy, obtaining unauthorised access to protected computers to obtain information, illegally selling an interception device, and illegally advertising an interception device) each provide for a sentence of up to five years in prison, three years of supervised release and a fine of $250,000, or twice the gross gain or loss, whichever is greater. The charge of causing unauthorised damage to protected computers provides for a sentence of up to 10 years in prison, three years of supervised release, and a fine of $250,000, or twice the gross gain or loss, whichever is greater.

Contacted for comment on Saturday, Meli’s lawyer, Joe Giglio, explained that his client wanted to tackle the charges head on and clear his name. He was motivated by a mindset of cooperation and facing down the charges, Giglio said, summing up Meli’s attitude as “since we are going to have to face it, let’s get it done.”

In a related announcement yesterday, the US Justice Department said that federal authorities in Boston had seized internet domains used to sell the malware, which is used by cybercriminals to secretly access and steal data from victims’ computers, as part of an international law enforcement effort. 

“Federal authorities in Atlanta and Boston unsealed indictments, charging individuals in Malta and Nigeria for alleged involvement in the sale of malware and supporting cybercriminals’ use of it for malicious purposes,” it said.

Agents from the FBI’s Boston office seized www.warzone.ws and three related domains, which were selling the Warzone RAT malware, described as “a sophisticated remote access trojan (RAT) capable of enabling cybercriminals to surreptitiously connect to victims’ computers for malicious purposes.”

The DOJ said that court documents authorising the seizures show that the Warzone RAT allowed cybercriminals to browse victim file systems, take screenshots, record keystrokes, steal victim usernames and passwords, and watch victims through their web cameras, all without the victims’ knowledge or permission.

The FBI described the operation to disrupt the Warzone RAT infrastructure as the result of an international law enforcement effort led by FBI special agents in Boston and Atlanta and coordinated with international partners, in large part through Europol. 

The bureau said court documents showed instances where the RAT had been used to attack computers in the US. FBI agents had also covertly purchased and analysed the Warzone RAT malware, confirming its multiple malicious functions. 

As part of the operation, police forces in Canada, Croatia, Finland, Germany, the Netherlands and Romania had seized servers hosting the Warzone RAT infrastructure.

In a reaction to the arrests and raids, acting U.S. Attorney Joshua S. Levy for the District of Massachusetts said they demonstrated “tenacious and unwavering commitment to dismantling the malware tools used by cybercriminals,” promising to “turn over every stone” to prevent cyber attacks on American computer networks, hunt down those who support such cybercriminals and hold them accountable. “Those who sell malware and support cybercriminals using it should know that they cannot hide behind their keyboards or international borders.”

“Daniel Meli will no longer escape accountability for his actions selling malware,” said U.S. Attorney Ryan K. Buchanan for the Northern District of Georgia. “This alleged cybercriminal facilitated the takeover and infection of computers worldwide. Our office was proud to partner with our federal and international counterparts to find Meli and bring him to justice. We will continue to diligently investigate and prosecute cybercrime in the Northern District of Georgia, and in all parts of the globe where our district is impacted.”

Assistant U.S. Attorneys James R. Drabick and Carol E. Head for the District of Massachusetts obtained the seizure warrants. Assistant U.S. Attorneys Bethany L. Rupert and Michael Herskowitz for the Northern District of Georgia are prosecuting Meli.

The US federal authorities acknowledged the cooperation and assistance of the FBI Boston and Atlanta Field Offices; Malta Police Force; Office of the Attorney General of Malta; Malta Ministry for Justice; Australian Federal Police; Croatian Ministry of the Interior Criminal Police Directorate; Dutch National Police; Europol European Cybercrime Center; Finland’s National Bureau of Investigation; State Police Force of Saxony, Germany; Japan Ministry of Justice; Port Harcourt Zonal Command of Nigeria's Economic and Financial Crimes Commission (EFCC); Romanian National Police; and Royal Canadian Mounted Police, and thanked them for their assistance.