Spyware dealer who sold WhatsApp-hacking tech pleads guilty

A Mexican businessman admitted in federal court this week to selling spyware and hacking tools from Italy and Israel to customers in the United States and Mexico.

The Justice Department said Carlos Guerrero, who owns several businesses in the U.S. and Mexico, pleaded guilty to conspiracy to sell signal jammers, Wi-Fi interception tools, IMSI catchers — known as “stingrays,” which can track a person’s phone — and tools that have “the ability to hack WhatsApp messages” to prospective clients in both countries.

Prosecutors accused Guerrero of brokering sales of interception and surveillance tools to both Mexican government customers, as well as to private customers who would use the tools for commercial and personal reasons. The prosecutors said Guerrero “knowingly arranged” for a Mexican mayor to gain unauthorized access to a political rival’s email and social accounts. Guerrero also used the equipment himself to intercept phone calls of a U.S. rival who was in Southern California and Mexico at the time.

Between 2014 and 2015, Guerrero worked as a distributor for an unnamed Italian company, referenced only as Company A in the indictment, which prosecutors said sold hacking devices and geolocation tools. It’s believed that the company is Hacking Team, a defunct Milan-based company that made offensive intrusion tools, which was hacked in 2015 and had internal emails published online, including a trove of messages referencing Guerrero.

Guerrero is also accused of using his company, Elite by Carga, to import hacking tools developed by unnamed companies in Israel and other countries. The indictment did not name the other hacking tool makers, including the company that could hack WhatsApp messages.

One of the most active and documented hacking tools used in Mexico is Pegasus, a powerful mobile spyware developed by Israeli company NSO Group, which can gain near-complete access to data on a target’s device. Mexico spent some $61 million on contracts over the past two decades, often targeting journalists, activists and human rights defenders. According to a leaked list of phone numbers believed to be surveillance targets of NSO, which NSO has repeatedly denied, Mexico has the highest number of targets — about 700 phones — of any country on the list.

NSO is one of several Israeli companies that can reportedly hack into a person’s phone using WhatsApp, and is currently embroiled in a legal battle with Facebook for using a previously-undisclosed exploit in WhatsApp to hack into 1,400 phones belonging to members of civil society. NSO has long said it sells its spyware only to law enforcement and intelligence agencies, and repeatedly claimed Pegasus cannot target U.S. phone numbers, though it is known that foreign numbers can still be targeted while inside the United States. NSO also offers a near-identical spyware for U.S. law enforcement, dubbed Phantom, through a U.S.-based subsidiary called Westbridge Technologies.

NSO spokesperson Liron Bruck said in an email: “NSO does not sell to private persons or entities, and [Guerrero] is not associated with our company in any way.”

“Today’s guilty plea helps stem the proliferation of digital tools used for repression and advances the digital security of both U.S. and Mexican citizens,” said U.S. Attorney Randy Grossman. “This office is committed to disrupting malicious cyber activities and mitigating unlawful surveillance.”

Guerrero’s director of technology, Daniel Moreno, who is also referenced in the Hacking Team emails, is expected to enter a similar plea next week, according to The San Diego Union-Tribune.

Updated with comment from NSO.