The Post-Snowden Cyber Arms Hustle
An Indian hacker promised governments he could supply them with NSA-level technology. But when Mauritania hired him to help spy on its cell networks, things went way, way south.
Just after lunchtime one day in February 2015, Manish Kumar entered the presidential palace in the Mauritanian capital of Nouakchott via the side gate—the one reserved for private business. His government SUV was driven by a gregarious man in a loose-fitting white robe, who navigated the vehicle toward the back of the compound, away from the main palace building’s soaring glass atrium and modern-looking turrets, which give it a Martha Stewart-meets-Gunga Din look. The driver pulled up to a smaller structure with a massive satellite dish on top, where Kumar was to meet Ahmed Bah dit Hmeida, an official with the innocuous-sounding title of counsellor to the president.
A month earlier, Bah, whose responsibilities include overseeing an electronic spying apparatus aimed at his boss’s enemies, had transferred half a million dollars to an account in the British Virgin Islands, as a down payment for a sophisticated technology suite offered by Kumar’s company, Wolf Intelligence. The full contract was worth $2.5 million, plus an annual service agreement. It was the biggest score of Kumar’s blossoming career as a globe-trotting cyberweapons dealer.
A native of India, Kumar was no more than a competent coder, who mostly hired out bug-hunting and other demanding tasks essential to the success of a digital spy contractor. And Wolf Intelligence was still an upstart with little reputation to speak of. But Kumar was ambitious, and his timing was good. Two years after Edward Snowden had revealed the extent of National Security Agency espionage around the globe, most every country on earth wanted to develop its own mini-NSA.
At their most advanced, cyber arms—code that governments use to spy on or sabotage computers—are created by Ph.D.s working for defense contractors such as Raytheon and Northrop Grumman. But the market for those products is limited to the U.S. and the select few allies who can afford them. The rest is dominated by lone-wolf savants and boutique companies whose interactions are characterized by what economists politely call a trust deficit. It’s hard for buyers and sellers to know whether their counterparts are scammers, thieves, or something more dangerous.
Mauritania, a country of 4 million people on Africa’s western coast, has seen 10 coups and attempted coups since independence in 1960 and is perhaps best known to the West as one of the few countries in the world where slavery still exists. It’s also a hot spot for Islamic fundamentalism, which has made its government both an American ally in the war on terrorism and an avid consumer of spy tech—for use against terrorism suspects, but also, potentially, journalists, activists, and political opponents.
From Wolf, Mauritania sought software that would allow it to attack multiple targets connected to a large network. This could include, notably, a nationwide mobile phone provider—an especially attractive mark in a country that has only 51,000 fixed phone lines and where even goat herders have cell phones. Wolf’s promotional literature promised customers the ability to perform a silent SMS attack, a sophisticated technique that allows full control of someone’s smartphone without requiring the target to click on a link or otherwise interact.
Kumar sometimes overpromises—he’s a salesman—and when he arrived at the palace that day, he knew that his company couldn’t yet provide the attack it was promoting. Wolf needed a special piece of code capable of circumventing security measures on both Android and Apple smartphones. Kumar knew that hackers in Israel had developed it. The catch was that it cost $1 million, a fee he’d be able to cover only if he could persuade Mauritania to deliver its next payment.
Bah had other ideas. As one of his assistants poured the men tea, the president’s counsellor presented Kumar with a deadline, backed by a threat: If Wolf’s system wasn’t fully functional by the end of the visit, neither Kumar nor the technician he’d brought with him would be leaving the country. Uncertain if Bah was serious, Kumar, a teetotaler and meditation enthusiast, joked that he’d need a vegetarian menu in prison. Bah didn’t laugh.
Kumar is 30 years old and over six feet tall, with short-cropped obsidian hair and softly handsome looks that might have landed him on a Bollywood set had he made different life choices. Though he’s still relatively small-time, in a few years he has managed to penetrate deep into the cyber-arms industry, thanks to high demand and an extraordinary amount of hustle.
In August 2016, a year and a half after his encounter with Bah, Kumar met with a reporter while visiting family in northern India. It’s highly unusual for someone in his business to provide an in-depth look at his work, but in a series of interviews over three days, he discussed everything from his parents’ disappointment in his career path to labor troubles with the hackers he hires. He also spoke extensively about his deal with Mauritania, which had by then spiraled into an international incident.
On one of those afternoons, Kumar stood on the wide main street of Ghaffar Market in central New Delhi. The place smelled of roasted lotus seeds, sold by vendors beneath a riotous canopy of power, cable, and phone lines. In the muggy mid-day heat, young men tapped away on laptops, offering to jailbreak older iPhones; a 21-year-old hacker selling this service for 1,000 rupees ($14) was inundated by eager customers. Other technicians pitched passersby on the ability to read the e-mails of a wayward lover or turn a boss’s smartphone camera into a spy device. Kumar spent many of his formative years in Ghaffar, and after 45 minutes of catching up with friends, he remarked that he’d been lucky to get out of Mauritania alive. “One small mistake and everything’s gone—money, life, everything,” he said.
Kumar learned to hack in Pilani, a brutally hot speck of Rajasthan where a successful jute miller founded one of the country’s top technical universities a half-century ago. Kumar’s family wanted him to become a doctor. To please them, he spent afternoons studying, but at night he taught himself how to code by watching YouTube videos. At 20, he launched a web-design business with a $40,000 stake from his family, but it soon went broke. He began considering other options. “Eat, sleep, die—I didn’t want to do that,” he said.
A year after the business went under, he wrote a book called The Secret of Hacking, which gained him some renown. (Not all of it was good: “Targeted at the complete beginner,” one Amazon reviewer wrote, “and when finished you will be a complete beginner with an hour less time on your hands.”) He began running courses for IT outsourcing companies, teaching students to probe their networks for security holes. Soon, he brought some of his most talented pupils into a new, less-straight-and-narrow venture: finding zero days—flaws in popular software that allow hackers to take control of computers and phones—and selling them to buyers in Romania, Russia, and Ukraine.
He soon realized that he’d have to leave India if he wanted to get ahead in the cyberweapons business. The market for offensive technology hadn’t yet experienced its Snowden-era boom, but it was already creating openings for small multinational operators, which tended to be nimbler, hungrier, and less constrained by ethics than the large corporations that make defensive technologies such as antivirus software. Hackers were setting up shop in locations with beautiful beaches, big villas, or friendly laws—Thailand, Spain, the Netherlands. Shadowy middlemen known as exploit brokers pitched their work to government clients, using spec sheets and proof-of-concept videos.
Companies, governments, and individuals work hard to defend their networks from such mischief—the cybersecurity sector sold more than $80 billion worth of defensive technology and services last year alone, according to IT market research firm Gartner. Identifying the vulnerabilities that remain requires powerful computers or unusual skill. The rarity of those finds is reflected in the prices they command. A middling exploit for WordPress, the popular web publishing software, might fetch from $10,000 to $30,000, while an elegant zero day for the Firefox browser recently sold for $500,000, according to a broker familiar with the sale. Exploits for popular consumer technology, such as the latest versions of iOS and Android, can command well over a million dollars. That’s because they can turn mobile devices into location trackers or surreptitious voice recorders, as well as provide access to e-mails and text messages. The targets can be jihadis, journalists, or opposition politicians—enemies of the state, however the state cares to define them.
Kumar filled up three passports with entry stamps trying to find his niche in this world. He traveled to Israel, ground zero for the global cyber-arms industry, to work with a company selling Wi-Fi interception and other surveillance services. He taught classes in Italy and the Middle East. And he made contacts, lots of them. “The right presentation to the right target, that’s how you make money,” he said. “Not the right product.” But he needed to understand what clients wanted, how to get in the rooms where big deals happened.
The learning process didn’t always go smoothly. Once, he approached Raoul Chiesa, a Rome-based broker, with a Microsoft Office exploit he’d acquired, offering it for a laughably low €5,000 (about $6,000). Chiesa took a chance on it, but following an elaborate handoff in the Milan airport, he found that the code worked only if it was embedded in a file type that rendered it nearly useless for stealth attacks. (Recalling the incident later, Chiesa heaped a particularly Italian version of scorn on Kumar. The Indian broker had shown up, Chiesa said, in a yellow-and-white button-up shirt “that I would never give to my worst enemy” and “terrible” black sport shoes. “He is totally unprofessional.”)
Undaunted, in 2014 Kumar founded Wolf Intelligence and began working to make it worthy of discerning buyers. When he became aware that India was viewed as the economart of spy technology, he hired Europeans to man booths at military equipment trade shows around the world. When he noticed an Israeli exploit dealer wearing shoes made by Geox, an Italian brand, he started wearing them, too. (Chiesa presumably would have approved.)
Wolf established a global headquarters in Munich and offices in Dubai and Romania, hiring a Swiss chief executive officer named Martin Wyss. Kumar (who is formally the company’s director) was pitching just about anything an aspiring spy operation could want, from encryption-cracking software to a hackproof $4,000 mobile handset. His sexiest offering was an automated platform that could scan a target network’s traffic to identify users of encryption and privacy tools, flag them, and search a library of exploits to recommend attacks.
But for all Kumar’s hustle, he lacked a major client—a government or a big defense contractor. So, toward the end of 2014 he made a bid for the big time, renting a booth at one of the main industry trade shows, Milipol Qatar, where he’d previously been an attendee. There, giants such as Raytheon, Glock, Northrop Grumman, IBM, and Cisco Systems would be angling for a piece of the booming Middle East and Africa defense markets, pitching countries like Egypt, Qatar—and Mauritania.
That October, in the sprawling 65,000-square-foot show floor at the Doha Exhibition and Convention Center, more than 250 companies vied for the attention of representatives from at least 60 countries. Among the officials was Bah, who led a Mauritanian contingent to Wolf’s booth. Kumar’s presentation impressed them enough that they requested a more extensive demo off the show floor. Six weeks later, they signed the $2.5 million contract. “That was the best moment of my life,” Kumar recalled over dinner at a restaurant in Connaught Place. He sent Shammi Kapoor, a contractor from New Delhi, to Nouakchott to deliver a server and laptops, then made the journey himself to install the software. Soon, he was on the palace grounds, sitting across from Bah.
Kumar tried to explain that he didn’t have the silent SMS exploit yet, but Bah didn’t believe him. After Bah delivered his threat to prevent Kumar and Kapoor from leaving Mauritania, the pair returned to their hotel. Believing they were being monitored, they decided escape would be too risky. The next day, in a hastily arranged phone call between Bah and Wyss, the Swiss executive reiterated that Wolf didn’t have the exploit. He also pointed out that the Mauritanians didn’t have much of a spy system without it. Bah relented.
Kumar flew to Europe, where he spent weeks scrambling to salvage the deal. In April he flew with Wyss to meet the Mauritanians at a luxurious home in central Paris. Waiting for them were Bah and Ahmedou Ould Abdel Aziz, the son of President Mohamed Ould Abdel Aziz, a former general who’d helped depose two governments before winning election in 2009. Bah sat on the floor while Aziz sat on the sofa, a sign of the son’s status.
The Mauritanians agreed to pay the remaining balance of $2 million if Kumar would send someone to the country until the software was operational. According to Kumar, Bah said he needed this sign of good faith to keep the bookkeepers happy. Kumar agreed to send a different Indian technician, Nafees Ahmed, then got back to work trying to acquire the missing code.
An Israeli acquaintance had put Kumar in touch with a Tel Aviv-based exploit broker named David “Dudi” Sternberg, who said he could provide what Kumar needed. The deal Sternberg demanded was peculiar. Before even getting a meeting, Kumar would have to deposit $100,000 in a Hong Kong bank account. He would then have to pay an additional $400,000 to see a proof-of-concept video demonstrating the exploit. To get the product itself, he would have a month to pay a final half-million dollars. Miss the deadline, and the deal was off. (Sternberg didn’t respond to inquiries sent to a cell number provided by Kumar.)
A million dollars is a lot for an exploit, but Sternberg was offering something extraordinary. Few users realize it, but all mobile phones allow silent SMS, in the form of invisible text messages that carriers send to load updates or perform other administrative tasks. Sternberg said his exploit would corrupt this process to deliver spyware that could surreptitiously send e-mails, location data, and conversation recordings back to the hacker.
Kumar still didn’t have Mauritania’s next payment, so to get the first $100,000 he turned to an old friend, Manish Kukreja, a New Delhi hotel owner who was something of a mentor to him as well as an investor in Wolf Intelligence. Kukreja agreed to put up the money on the condition that he go along to Tel Aviv, to protect his investment and watch the action.
They visited Sternberg at his office on Tel Aviv’s tech-dominated Raoul Wallenberg Street. The room was a high-priced man cave, replete with black leather sofas, expensive PCs, and a small fridge. Sternberg, a giant of a man who appeared not far shy of being Donald Trump’s proverbial 400-pound hacker, wore a dark shirt and blue jeans. For about two hours, the three talked about the deal and the surveillance business while Sternberg chain-smoked and quaffed energy drinks from his packed mini-fridge, offering the same fare to his guests. “We’re all drinking Red Bull, and it’s creating emotions inside. Kukreja is looking at my face, and I know he’s thinking, ‘We get this technology and sell to five or six customers,’ ” Kumar said. “We thought we’d be rich. We figured we could make $20 million minimum, maybe $50 million.”
Nonetheless, they left Israel without putting down the next $400,000. Mauritania was still delaying payment, and Bah was peppering Kumar with complaints. According to Kumar, Bah said the software Wolf had so far installed wasn’t functioning properly and that Ahmed wasn’t helping. Kumar also learned that Mauritanian officials had held onto Ahmed’s passport rather than returning it promptly, as they’d previously done with Kumar’s. He concluded that Bah hadn’t wanted someone there to please the bean counters so much as he had wanted a hostage.
Mauritania’s security forces are regularly accused by human-rights groups of torture, illegal detention, and extrajudicial killings. Usually their targets are individuals accused of terrorism, but occasionally they’re journalists or protesters, too. Kumar generally preferred not to think about the morality of his profession, but this time his client’s darker tendencies were threatening him, his employee, and his company.
Bah, who hung up on Bloomberg Businessweek when reached by cell phone and didn’t respond to messages, told Kumar that if he wanted the money Wolf was owed, he’d have to come back to Mauritania and demonstrate the company’s technology to President Aziz, who could then sign off on the next payment. It was clearly risky, but while Kumar was on a brief trip to India he consulted a spiritual adviser, who told him that though he was dealing with unscrupulous people, they needed him as much as he needed the money. Kumar decided to fly back to Mauritania.
He arrived in Nouakchott accompanied by Kukreja and Wolf’s Dubai-based distributor, Rohit Bhomia. Kumar spent two weeks waiting, mostly at the beach, to give his demo before finally being summoned to the same command center where he had met with Bah. He set up four laptops and connected them to a central display, then ran through some basics, like how to gain control of a Windows computer. President Aziz, whom Kumar calls “very intelligent,” left without saying a word. Within a few days, Bah paid Wolf the next $1 million installment.
More accurately, Bah paid Bhomia, who acted as a kind of fixer for Wolf. Closing big deals in the region usually involves graft, and according to Kumar, Bhomia was Wolf’s chief palm-greaser. Bhomia got a 30 percent cut of any deal he worked on, about a third of which, Kumar said, went to payments for officials. (Bhomia said via e-mail that he hadn’t spoken to Kumar in more than a year and declined to answer questions. A spokesman for the Mauritanian president didn’t reply to messages left on his cell phone.)
After taking his cut from Mauritania’s latest payment, Bhomia told Kumar he thought it unlikely that they’d see the final $1 million Wolf was owed. If so, the company would make almost no profit on the deal after deducting the cost of the silent SMS exploit. The two argued, with Kumar shouting that Bhomia should return his cut temporarily so the company could pay Sternberg. Kumar promised Bhomia twice his usual fee on the last payment from Mauritania. Bhomia said he was walking away and advised Kumar to do the same.
Not ready to abandon the deal of a lifetime, Kumar and Kukreja returned to Israel. Kukreja told Kumar he was willing to put up the $400,000 to see the demo of the silent SMS exploit, but Kumar had doubts. What if Sternberg was scamming them? If the exploit turned out to be useless, Kukreja would be out $500,000 and Kumar’s deal would collapse with his worker being held as collateral. And even if the hack was real, the Mauritanians might take it and refuse to pay anyway. Bhomia was right, Kumar decided—the final $1 million would never arrive. But he still needed to get Ahmed out of the capital. That’s when the international incident began.
In mid-August 2015 a bodyguard named Cristian Provvisionato was on a beach in Savona, Italy, enjoying the start of the country’s summer holiday season with his girlfriend, when he got a call. On the line was Davide Castro, his boss at Vigilar Group, a Milan-based security company. Provvisionato could make an easy €1,500 a week, Castro told him, if he would cut his vacation short, pack a dark suit, and jump on a flight to Mauritania. He would then help a guy from a company called Wolf Intelligence give a presentation to government officials. His passport might be taken at the airport, but it would be kept safely and returned quickly. He’d be gone less than two weeks.
A burly former vinyl flooring installer, Provvisionato had recently completed a bodyguard training course in England, and he was now on a six-month contract for Vigilar. The jobs so far had been pleasingly uneventful and glamorous, especially Giorgio Armani’s corporate 40th anniversary party, whose guest list had included then-Italian Prime Minister Matteo Renzi, Leonardo DiCaprio, and Cate Blanchett.
Provvisionato wanted to keep Castro happy, so he took the job in Mauritania. Two days later, he landed in Nouakchott. He was met at the airport by a toothless man who took his passport and drove him to an apartment Wolf was renting in a dingy part of the city. Inside, he found another Italian, Leonida Reitano, who told him he’d been hired by Castro for the same job, fresh off another gig passing out brochures for Wolf at a surveillance show in Johannesburg. Now he needed to go home. Reitano said he hadn’t met anyone from the government and only one person from Wolf: Nafees Ahmed, a technician who’d left the country a few days earlier, saying he was sick. Provvisionato found Reitano’s story strange, but he liked and trusted his colleague and the money was good. He spent his week in Nouakchott sitting around Wolf’s apartment, enduring its slow internet and broken air conditioning.
Aware that Castro was hoping to parlay some minor logistical work his firm had been doing for Wolf into a bigger partnership, Kumar had asked for Castro’s help getting “a European” to Mauritania for a presentation of Wolf’s technology. He’d added that the Mauritanian government had expressed interest in a weapons deal and that Bah was intrigued by Vigilar’s ties with Italian law enforcement and European arms makers. It was a desperate move. In his mind, Kumar said, he was trying to buy time as he looked furiously for an alternative version of the silent SMS exploit. He’d also calculated that, in the event he couldn’t find it, the Mauritanians would be less likely to disappear an Italian citizen than an Indian one. Kumar had effectively slipped Ahmed out of the country by trading him for a stranger.
With the date of Provvisionato’s return flight approaching, Kumar advised Castro that the presentation was off and that he should get his guy out of Mauritania. There was no risk, Kumar assured him, but there was also no point in wasting more money keeping Provvisionato there. To address the issue of Provvisionato’s passport, which was still being held, he told Castro to advise his employee to contact Italy’s diplomatic representatives and tell them he was a commercial fish exporter whose passport had been stolen and that he needed an emergency exit document.
Provvisionato was alarmed and confused by Castro’s instructions. He tried to get help, but Italy’s honorary consul wasn’t at the office when he went in. Over the next several days, his exchanges with Castro became increasingly frantic. On Sept. 1, Kumar flew to Milan, where, with Castro sitting next to him, he reached Bah on a secure chat. Kumar proposed another meeting in Europe, but Bah wasn’t interested. So Kumar tried a threat: If Bah didn’t return Provvisionato’s passport and let him leave the country, he would go to the Italian authorities with the whole story.
Later that day, Provvisionato disappeared. Castro, Cristian’s twin brother, Maurizio, and Cristian’s girlfriend, Alessandra Gullo, all tried to reach him without success. The landlord of Wolf’s apartment told the family that some men had shown up, put Provvisionato in a car, and driven away. That was all they could find out for months, until finally Mauritanian officials acknowledged that they knew where Provvisionato was. On Nov. 23, the country’s Moroccan embassy sent the Italian ambassador a two-sentence memo confirming that Provvisionato had been detained for participating in fraud against the Mauritanian government. Six months later, he was formally charged with fraud and money laundering.
Provvisionato remains in Mauritania, held at a military barracks on the outskirts of the capital, where his family has visited him several times. According to Maurizio, Provvisionato has lost as much as 60 pounds, his gums are infected, and he’s suffering from untreated diabetes. In a handwritten note in English to Bloomberg Businessweek, Provvisionato said Castro had “used and swindled me” to save Reitano. “I always showed my innocence and my good faith in this event,” he wrote. “I was in the dark on the real situation and the sale was already gone, but in spite of all this I continue to stay under arrest for one year and four months.”
Castro declined to comment, while Reitano, reached by e-mail, said he knew nothing of Wolf’s troubled deal. He said he’d come away from his job in Johannesburg unimpressed with Kumar and that whatever the Wolf founder had planned in Mauritania had probably fallen apart. “The guy is a total disaster,” Reitano said. “I cannot understand how he still manages to keep his business going.”
In a meeting last year with Mauritania’s justice minister and an Italian vice ambassador to Morocco, the Mauritanians told Maurizio that they wouldn’t release his brother unless someone returned the $1.5 million the country believed Wolf Intelligence had taken under false pretenses. (Kumar said the money was for Wolf’s technology alone and that Bah always knew he needed to buy the silent SMS exploit from a third party.)
Paolo Bonissone, a spokesman for Italy’s Ministry of Foreign Affairs, said in a phone interview that the case had been discussed in a meeting between the two countries at the United Nations General Assembly in New York in September, but that it hadn’t been resolved. “Every Italian in danger is our concern. This is a dangerous situation,” Bonissone said.
Maurizio Provvisionato said Mauritanian officials told an Italian delegation a few months after the UN meeting that they can hold his brother for up to three years while they conduct their investigation. “Why, if the Mauritanian government thinks he is guilty ... do they never send him to the jail?” Maurizio wrote in an e-mail. “Because after their investigations they know that he is a victim, but the Mauritanian government wants revenge.”
Kumar, for his part, said he’s still working to get Provvisionato out of Mauritania. During one of his last communications with Bah, in October, he suggested that the two sides seek a resolution at that year’s Milipol Qatar conference in Doha, where he and Bah had first met two years earlier. Bah agreed, Kumar said, then didn’t show up.
Still, the conference was a big success for Wolf. Business had been booming since cybersecurity researchers discovered that an Israeli company, NSO Group, was selling a tool that used three zero-day exploits to hack iPhones via text message. The vulnerabilities had been fixed, leaving NSO Group’s clients scrambling for new equipment. Kumar was pursuing deals with Thailand and Qatar. In December, he said, he’d landed a $500,000 contract with the Egyptian government, after months of pitching.
The deal would have closed more quickly had he shown up in person, but he’d been afraid it would expose him to a snatch-and-grab by Mauritanian security forces. “There have been some bad moments, but the company needs to be grown,” Kumar said. He added that Egypt had paid him half the money upfront. He would get the other half when he met a familiar, lofty demand: delivering a suite of software and exploits that allowed the government to silently hack mobile phones.
—With reporting from Pauline Bax in Johannesburg and Gwen Ackerman in Jerusalem