
OCCRP/FORBIDDEN STORIES

Hacks, bots and blackmail: How secret cyber mercenaries disrupt elections

(Image: James O’Brien / OCCRP)

Undercover reporters recorded a group of covert cyber influence specialists as they pitched their services, which included using disinformation campaigns, false intelligence, hacks and blackmail to promote their clients’ interests. The group, which calls itself Team Jorge, claims to have worked on dozens of presidential elections around the world and charges multimillion-dollar fees.

  • Reporters were able to verify Team Jorge’s claims to access messaging accounts of important political targets and deploy social media campaigns orchestrated via fake accounts.
  • Team Jorge appears to have meddled in last year’s Kenyan presidential election, which was plagued by disinformation.
  • The secretive group includes people with experience in Israeli security services.

Exposing its secret strategies to the world for the first time, one group of Israeli disinformation experts pitched its services to journalists posing as potential clients interested in disrupting an African election.

“This is our experience… to hurt the logistics of the opponents, to intimidate them, to create an atmosphere that nobody will go to the elections,” said a member of Team Jorge – as the secretive group refers to itself – during a July 2022 video call.

In several calls and one in-person meeting, members of the team – led by a man calling himself “Jorge” – described “intelligence and influence” services they said they deployed for their clients. They claimed to have worked on “33 presidential-level campaigns”, 27 of them “successful”.

Their tactics include hacking, forging blackmail material, spreading disinformation, planting false intelligence, physically disrupting elections and deploying targeted social media campaigns.

‘Jorge’, whose real name is Tal Hanan. (Photo: Screenshot from undercover recording)

Reporters were able to verify that some of those tactics were used. Team Jorge appears to have acquired unauthorised access to Telegram and Gmail accounts of highly placed officials, and deployed botnet social media campaigns. The evidence viewed by reporters suggests that the group meddled in at least two presidential elections.

The going rate for a presidential campaign was €15-million (about R300-million), “Jorge” informed the undercover reporters, who posed as intermediaries for a prospective African client. For this short-term job – with only two months to spare – Team Jorge was willing to charge a minimum of €6-million. Reporters were told the money could easily be transferred through hidden means, perhaps using a French nongovernment organisation, a law firm in Dubai, or Islamic schools.

“We like to be behind the scenes, and this is part of our power – that the other side does not understand we exist,” said “Jorge”.

The pseudonym – a Spanish name that didn’t match his accent – was part of an attempt to disguise his identity and location. The desktop screen of the computer he used in the presentation jumped between time zones and showed a feed from a traffic camera in Lithuania. His contact numbers span the world: Indonesia, Ukraine, US and Israel.

Reporters eventually discovered that his real name is Tal Hanan, a self-described counter-terrorism expert who has been cited in the media as a cyber-security specialist.

Hanan denied any wrongdoing but did not respond to detailed questions.

Going undercover


The undercover investigation led to a series of recorded meetings that allowed reporters to penetrate aspects of the disinformation-for-hire industry that are not openly advertised.

In July and August 2022, the reporters posed as intermediaries, hinting at a client in Chad. The goal: delay the October election, perhaps indefinitely, to protect his economic interests. Though the election in Chad was indeed delayed for two years, it was not influenced by the undercover investigation – the journalists never contracted any services, and those conversations ceased in August.

An additional in-person meeting with Team Jorge took place in Israel in December.

The journalists who reported undercover are Gur Meggido (TheMarker), Frédéric Métézeau (Radio France), and Omer Benjakob (Haaretz). They were part of a collaborative investigation called “Story Killers”, which was coordinated by Forbidden Stories and involved more than 100 journalists from 30 media organisations, including OCCRP. 

Forbidden Stories is an international consortium of investigative journalists that pursue the work of journalists who have been killed or work under threat. DM

Hacking Kenya

During one of the recorded Zoom presentations, Hanan displayed a screen with a Telegram account and clicked through the contacts and personal chats of Kenyan political adviser Dennis Itumbi.

William Ruto (left) with Dennis Itumbi (centre) shortly after Ruto was sworn in as Kenya’s President in September 2022. (Photo: Instagram / @dennisitumbi)

The live demo took place at the end of July 2022, at a critical point in Kenya’s presidential election campaign. Itumbi was the digital strategist for William Ruto, the East African nation’s deputy president at the time, who would be elected president within weeks. Local media describe Itumbi as Ruto’s “right-hand man”.

Hanan showed proof that not only could he read Itumbi’s personal chats and files – including an internal polling survey related to the upcoming election – but that he could even pose as Itumbi by sending messages from his account. Hanan opened a recent conversation Itumbi had with a prominent Kenyan businessman and sent a text that read simply: “11.”

This message was meaningless, designed only as a demonstration of his ability to control the account. But Team Jorge claimed to have sent falsified messages to military commanders and government ministers, all in an attempt to influence events and cause chaos for a high-level target.

“Typically, I will wait for him to see it and then I will delete it. Why? Because I want to create confusion,” Hanan said.

In the case of the Itumbi demonstration, Hanan accidentally deleted the text message only for the sender. This meant reporters were able to contact the businessman who received it and verify that the cryptic message had indeed been sent.

Cracking comms


“I know in some countries they believe Telegram is very safe,” Hanan said in a Zoom demo. “So, here, I’ll show you how safe it is… So this is also some minister of some country, I can go [and] I can check all his calls.”

Hanan also displayed the Gmail account of Mozambique’s Agriculture Minister, Celso Correia, who confirmed to reporters that the email address and contents appear to be his. The folders on the minister’s personal Google Drive were also visible during the presentation.

Crucial to hacking email accounts and messaging services like Telegram is Signaling System 7, an international standard “protocol” for cellphone communications, which is supposed to ensure that a call or SMS sent by one user is transferred to the correct number of the intended recipient. It was introduced in the 1980s, in the early days of digital security and encryption, so it contains flaws that can allow third parties to impersonate a specific user and receive their messages and calls.

This is what Hanan claims his team can do. He told undercover reporters Team Jorge goes directly to a telecom service provider in the country they are working in and instals a physical device that allows his team to insert faked commands through SS7 into the system. This tricks the telecom operator into sending an SMS to authenticate the spoofed target account, allowing Team Jorge to read their target’s messages and even send messages.

While the loopholes are generally known and most telecommunication providers have put countermeasures in place, some operators still run vulnerable networks. DM


The full extent of Team Jorge’s meddling in the Kenyan election is unclear, but disinformation – from both sides – marred the otherwise peaceful August 2022 vote.

Anonymous videos popped up on social media, alleging vote rigging within the election commission, and accusing western powers of subverting the vote.

Right before the election, three Venezuelans employed by the company that provided the voting equipment to the electoral commission were detained at the airport in Nairobi, purportedly with suspicious election materials. Even though Kenyan police reportedly released the men the next day, the viral story became a topic of hot debate throughout the election period, forming the basis of conspiracy theories claiming the vote was rigged.

“This was likely the dirtiest campaign in our history, and we have had our share of dirty campaigns in Kenya,” said John Githongo, a journalist and transparency advocate who supported the opposition, and filed an affidavit on behalf of a whistle-blower who alleged vote rigging. (OCCRP works with his news organisation, The Elephant.)

“What’s clear is that there are a number of reputation launderers – so-called commercial and political security companies – that are increasingly hired to get involved in our elections. Often you have a ‘dark arts’ outfit having a presence in multiple countries impacting our democracy adversely.”

An election official walks by stacks of ballot boxes after the Kenyan general election in August 2022. (Photo: Zuma Press, Inc)

Since Ruto was elected, his opponents have filed numerous complaints in court about election irregularities.

One came from Githongo’s anonymous whistle-blower, who claimed Itumbi – the strategist targeted by Team Jorge – orchestrated a ballot manipulation campaign. Also named in the complaint was Davis Chirchir, who was Ruto’s chief of staff when Hanan displayed his apparently hacked account. But the whistle-blower and the evidence he provided have been discredited.

In the end, the Kenyan Supreme Court rejected not only the whistle-blower’s claims, but all the other petitions, and in September upheld the election results.

Then, in January, a new whistle-blower website appeared, purporting to have fresh evidence of fraud. But this too bears the hallmarks of a disinformation campaign.

Digital security experts were unable to identify who set up the new website. And it was impossible to tell the origin of the documents posted there – polling results that had been doctored to show supposed fraud – because metadata had been scrubbed from them.

However, documents appearing to be nearly identical had been sent months earlier to journalists, claiming they proved the Kenyan election was stolen. Those documents contained metadata that revealed the author: Henry Mien, CEO of the consulting company Risk Africa Innovatis. Mien is an ally of opposition leader Raila Odinga, according to two sources in his campaign. He has also openly supported Odinga and shared anonymous fraud allegations on social media.

Even though analysts said the documents were suspicious, the opposition in Kenya has used them as a justification to call for protests. Within days of the documents being posted online, defeated candidate Odinga held a political rally in Nairobi, where he called Ruto’s administration “illegitimate.” He demanded that the five-month-old administration resign, and declared that “the resistance starts today.”

Dennis Itumbi, Davis Chirchir, Raila Odinga and Henry Mien did not respond to requests for comment.

Odinga addresses a rally in Nairobi in January 2023 to demand election reforms and lower taxes. (Photo: Reuters)

Murky relationships

While Hanan told reporters he was working on an “African election” – and showed them evidence that it was in Kenya – it is unclear who hired him. Team Jorge’s involvement comes after years of targeted disinformation in Kenyan politics, making it especially challenging to trace a particular event or conspiracy to a specific perpetrator.

Undercover reporting revealed that the disgraced political consultancy firm, Cambridge Analytica, had worked to help elect former President Uhuru Kenyatta in 2013 and 2017. That latter year, leaked emails show Hanan offered his services in Kenya to Cambridge Analytica’s parent company, SCL Group. The initial offer was rejected because of his pricing, though the conversation seems to have continued.

But Team Jorge did appear to get involved in Odinga’s 2022 campaign. Kenyatta could not by law seek another term in the August 2022 election, so he joined forces with his former rival Odinga to try to beat Ruto – the candidate targeted by Hanan during his demo.

The leaked emails also show Cambridge Analytica had worked with Hanan in the past.

And in 2018, Brittany Kaiser, former director of programme development at SCL, told British MPs looking into the Cambridge Analytica election meddling scandal that she had introduced former Nigerian president and SCL client Goodluck Jonathan to Israeli consultants. These consultants had done intelligence gathering for governments, she said, and provided services that SCL didn’t officially offer.

Kaiser, who later blew the whistle on Cambridge Analytica’s controversial tactics, said she had no role in decision-making at SCL, that the consultants were not commissioned “to undertake illegal activity,” and denied any suggestion that she had run, condoned or “knowingly colluded” in any illegality.

Kenyatta did not respond to a request for comment.

Former SCL employee Brittany Kaiser, who blew the whistle on Cambridge Analytica. (Photo: Wikimedia)

Emma Briant, an expert on information warfare and Cambridge Analytica, says companies in this industry “regularly throw each other work” for deniability and legal cover.

Cambridge Analytica was among 65 firms identified by Oxford University’s Computational Propaganda Project that have openly offered to governments their services for influencing elections. But there are a host of others – like Team Jorge – who prefer to stay in the shadows.

The deals they strike are “intentionally obfuscated, and the relationships are quite secret,” said Samantha Bradshaw, an assistant professor at American University in Washington, DC, who participated in that research.

Tech toolbox

Team Jorge said two-thirds of the presidential campaigns they’ve meddled in were in Africa, but their promotional material also included countries in Europe, Latin America, Southeast Asia and the Caribbean.

Hanan’s brother, Zohar, said in a meeting in December that there were only three jobs Team Jorge would not take on: Nothing in Israel (“We don’t want to shit where we are sleeping.”); no American party-level politics (they claim to have turned down an invite to help elect former US president Donald Trump); and “nothing against Mr Putin.”

Zohar Hanan, Tal Hanan’s brother, also known as ‘Nick’ in Team Jorge. (Photo: Screenshot from undercover recording)

During demonstrations to the undercover reporters, Tal Hanan was eager to show off the tech tools his team deploys to help clients.

He displayed an article with headlines from Nigeria that described attacks on opposition phone lines, as part of their “Team Jorge Presents: Intelligence on Demand” sales video. These attacks overwhelm the telephone network.

“We want to have some people silenced, we want some people to have miscommunications,” he said during one call where he referred to an election day as “D-Day.”

“So we have the capacity on D-Day to defuse hundreds of phones… a specific chief of police, or army people that are not in our favour. All the phones will cease from working.”

And Hanan claimed to have used a similar tactic against computer networks.

“We can take out websites, anything with IP, servers. If they have their own servers, applications, sometimes two, three news agencies – we can take them out,” he bragged.

The capabilities Hanan described resemble “distributed denial of service” or DDOS attacks. These attacks typically involve overwhelming the systems of a target by flooding them with requests, forcing them to produce a “denial-of-service” response to legitimate requests.

He displayed headlines about such an attack during the 2014 referendum in Catalonia. Spanish investigators told OCCRP they had no evidence of Hanan’s involvement, but said it was plausible.

A Team Jorge presentation, showing a DDOS attack on the 2014 Catalan referendum. (Image: Screenshot from presentation during undercover recording)

Team Jorge’s tech toolbox also includes “a platform of influence” called Advanced Impact Media Solutions, or AIMS, which Hanan claims to have sold to the intelligence services of more than 10 countries.

The AIMS software is designed to create convincing avatars for social media campaigns. The avatars, or bots, use stolen photos of real people, operate on any social media platform, and can be connected to functioning Amazon and Bitcoin accounts. They also appear to have a longstanding presence online, including Gmail accounts and trite comments on celebrity YouTube videos, to give investigators the impression they are real people.

“We imitate human behaviour,” Hanan told the undercover reporters.

Most online accounts require a phone number and email address verification to keep out bots like those deployed by AIMS. But there are websites set up specifically to allow one-off SMS verification services for 50 cents or less. Many accounts – such as Gmail and WhatsApp – can be registered with “verified” phone numbers. Team Jorge appears to be using a service called SMSpva.com for phone number verifications. SMSpva.com did not respond to a request for comment.

Shannon Aiken’s profile on AIMS: Her data is fake, but the image is stolen from a real person. (Image: Screenshot from presentation during undercover recording)

AIMS also relies on residential proxies that reroute internet traffic from bots through people’s homes so that it appears authentic, in order to avoid detection and shutdowns by social media platforms like Twitter and Facebook. This makes it difficult for social media platforms to identify a coordinated disinformation campaign.

Analysis by reporting partners Le Monde and The Guardian identified clusters of avatars, including those seen in Hanan’s pitch presentations, that appear to have been used for coordinated Twitter campaigns. Reporters found more than 1,700 Twitter accounts connected to 21 AIMS-related campaigns, whose networks had produced tens of thousands of tweets.

In the December in-person meeting with undercover reporters, Team Jorge showed off a new capability of AIMS: Artificial intelligence tools to generate fake news using specified keywords, tone and topic.

“One operator can have like 300 profiles,” Zohar Hanan said during the demo. “So within two hours the whole country will speak the message, the narrative I want.”

Avatar activities


An avatar campaign seen on a Team Jorge computer during a sales pitch was found to have promoted the activities of Alexander Zingman, a businessman close to the authoritarian Belarusian President Aleksandr Lukashenko.

In March 2021, Zingman was arrested in Democratic Republic of the Congo for alleged arms trafficking but was later released. In October of that year, OCCRP revealed how Zingman and another crony of the Belarusian president used shell companies to hide a lucrative gold mining deal with Zimbabwe’s state-owned mining company.

The year prior, AIMS avatars promoted favourable stories about Zingman and his business in a concerted and automated campaign. Some were used to target his rival, Vitaly Fishman. Journalists identified 35 more avatars linked to Team Jorge via a US defamation suit that Fishman won.

Zingman’s lawyer said his client had never worked with companies that engaged in disinformation campaigns and had in fact himself been a victim of such a scheme.

Elsewhere, accounts that strongly resemble AIMS bots were used to promote suspicious stories accusing Burgess Yachts of servicing sanctioned oligarchs with ties to Russian President Vladimir Putin. 

So-called “sock puppet” accounts – avatars on social media – appear to have been behind Reddit threads promoting the same narrative. And a video claiming to show a protest in Monaco against Burgess Yachts appears to have actually been a staged protest filmed in London and uses looped footage.

It’s unclear who is behind the campaign, but some of the bot accounts linked to AIMS avatars promoted glowing articles about Julia Stewart, director of rival yacht company, Imperial Yachts. Imperial Yachts was in fact sanctioned by the US in June for providing services to Putin’s inner circle.

A legal representative for Imperial Yachts said the company had “never participated… in any online disinformation network or campaign” and acts “in full compliance with applicable laws and regulations.” DM

Unmasking Team Jorge

The identities of Team Jorge are almost as mysterious as their tactics. But reporters managed to piece together some background information on members of the clandestine group. Some of it lines up with claims Team Jorge made about team members in calls with journalists.

“Some of us are former senior information officers,” said Mashy Meidan, who went by “Max”. “Some of us are former senior financial info and warfare experts. Some of us work with the psychological warfare specialists.”

Multiple Israeli security sources, who spoke to TheMarker on condition of anonymity, confirmed that Meidan has worked with Israel’s internal security service, Shabak. They said another team member, Shuki Friedman, had also worked with Shabak. Friedman did not respond to a request for comment.

Yaakov Tzedek is a digital entrepreneur who is listed as a co-founder of the Israeli real estate company, Proptech Investments. Ishay Shechter is a “strategy director” at Goren Amir, a prominent Israeli lobbying firm that has worked with international clients including Visa, Uber and IKEA.

Despite appearing in the Zoom call with undercover reporters, Meidan and Shechter separately said they had never worked with Team Jorge or Tal Hanan.

Tal Hanan’s brother Zohar, who was introduced as the company’s CEO “Nick,” is publicly identified as a polygraph expert who worked with an Israeli company called Sensority LTD, which is now in liquidation.

Another company, Pangea IT, bought Sensority’s technology which detects psychological stress in a subject. Zohar said he had “been working all my life according to the law”, but did not respond to specific questions.

Team Jorge’s office in Modi’in, Israel, where reporters went undercover. (Photo: ZDF)

Tal Hanan served in the Israeli special forces as an explosives expert, according to an online biography. He is listed as CEO of at least two Israeli companies, Tal Sol Energy and Demoman International Ltd, an intelligence firm included in a register of defence companies on the website of the Israeli Ministry of Defence.

Hanan indicated that he had orchestrated lobbying operations in the US despite not registering as a “foreign agent,” as required by law. He said he worked via consultants and companies that are already registered, and told reporters he had recently set up a public relations firm called Axiomatics to promote Team Jorge with “existing lobby groups.”

In the years following the September 2001 attacks on the World Trade Center in New York, Hanan positioned himself as an expert on counter-terrorism. He claims to have trained law enforcement bodies, including US federal agencies, according to an archived page from his now-defunct website suicide-terrorism.com. In 2010, Hanan was quoted in The Jerusalem Post as a cyber security expert, commenting on hacking capabilities.

During calls with undercover reporters, Team Jorge talked in depth about the technology they say the group uses to swing elections. They added that they had six offices and employed at least 100 people, emphasising that they drew on the backgrounds of colleagues with experience in the intelligence services. 

This pushes Team Jorge’s activities far beyond the realm of public relations strategies that are commonly deployed in elections.

“This is intelligence work more than anything. It’s not PR work. It’s intelligence work,” Hanan emphasised. DM

First published by OCCRP and its partners.

Haaretz (Israel, in English)

Der Spiegel (Germany, in German)

Der Standard (Austria, in German)

Le Monde (France, in French)

The Guardian (UK, in English).

Comments

  • Johan Herholdt says:

    I understand that politics is a dirty business, but this is outrageous. Hopefully there is somebody somewhere in the world hard at work to at least stymie, if not stop, this kind of cyber crime. A job for the UN I should think. Oh wait! Russia and China would probably block this at the UN Security Council.
