Omer Benjakob, Phineas Rueckert
Avatars are not used just to push out disinformation. A massive leak of 500,000 documents reveals how fake online accounts are also used to spy on journalists and activists
Like most of the public, A., a former Israeli journalist, knows little to nothing about the OSINT industry. However, the OSINT system sold by an Israeli-owned cyber firm being revealed here for the first time knows a lot about her – and about all of us, too.
Forbidden Stories, a non-profit dedicated to following up on the work of journalists who are killed or threatened for their reporting, found the firm and a brochure detailing their suite of digital surveillance tools in a trove of more than 500,000 documents belonging to the Military Forces of Colombia. They were leaked to Forbidden Stories by a collective of hackers known as Guacamaya and investigated as part of a global investigation involving different media outlets – among them Haaretz.
The leaked documents reveal the so-called social media surveillance industry and how just one mistaken friend request on Facebook can expose you and your entire network.
The technology this firm and others like it offer is part of what is called the OSINT – or Open Source Intelligence – industry. It is a broad term, originating in the world of military intelligence, that refers to intelligence collected through open sources like public databases or online maps, as opposed to human or electronic sources like wiretapping.
However, in recent years its usage in the private sector has been somewhat perverted to include sources that are not really open. For example, it now covers information scraped from social media platforms like Facebook and Instagram, which go to great lengths to protect user data – for both privacy and financial reasons.
A Haaretz investigation with Forbidden Stories reveals an entire digital surveillance industry that siphons personal data and gathers private information off the internet using fake online accounts known as avatars. Unlike avatars aimed at amplifying content, these avatars serve a different purpose – collection.
As exposed in our “agents of chaos” investigation last week, the avatars used in the disinformation industry play a public role by acting as agents of influence. OSINT industry avatars, on the other hand, are secret agents tasked with collecting as much information as they can from as many social networks as possible – all without being detected.
The firms active in the OSINT industry sell their technology to defense, law enforcement and intelligence agencies across the world. This includes militaries who have abused the technology and used it against journalists. The Colombian military, for example, was involved in such a scandal in 2020 and, as this investigation shows, was actively looking to obtain OSINT technology again last year.
It all starts with a notification – a new friend or follower request. The account looks real. Nothing suspicious. If you’re Israeli, maybe they look Israeli, too. Maybe it’s a face you recognize from last night’s protest. You accept the request and forget about it – but their work has only just begun. They now have authorized access to the information on your profile – and to that of your friends and family.
“People need to stop talking about bots – the real threat today is avatars,” said Danny (Dennis) Citrinowicz, an Israel-based OSINT researcher, industry expert and non-resident fellow at the Atlantic Council.
“The goal in the industry is to have avatars, as many well-developed and mature avatars as possible. The technology used in this context is called ‘mass avatar management systems’. And we’re not talking about one or two accounts, but thousands of them that you need to manage in a way that will not get caught by the social media platforms.”
In 2021, Meta, the parent company of Facebook and Instagram, began cracking down on OSINT firms and companies in the private surveillance sector.
In its report on the “surveillance-for-hire” industry, Meta’s threat intelligence team identified three stages of surveillance – reconnaissance (silently collecting information), engagement (contacting targets) and exploitation (hacking and phishing). The investigation concluded that “targeting is in fact indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists.”
In January, Meta sued Voyager Labs for using 38,000 fake Facebook accounts to scrape information from 600,000 users for at least three months. The lawsuit also alleges that, in addition to Facebook and Instagram, Voyager Labs employed fake accounts to gather data from Twitter, YouTube, LinkedIn and Telegram. The data included posts, likes, friends, photos, comments and information from groups and pages.
“This industry covertly collects information that people share with their community, family and friends, without oversight or accountability, and in a way that may implicate people’s civil rights,” a Meta representative said in a statement.
These were the exact capabilities pitched by then-Israel-based Voyager Labs to Colombia, where OSINT surveillance tools have been used to profile and intimidate journalists and activists. Between 2018 and 2019, dozens of journalists were targeted by Colombian military intelligence using an open-source monitoring tool sold by Voyager Labs called VoyagerAnalytics.
Documents show the company met again with Colombian intelligence officials in spring 2022. Voyager Labs did not respond to requests for comment.
Cognyte, another Israeli firm, also pitched its technology – albeit an interception system – to the Colombian military, according to the leaked documents.
In February 2021, U.S.-Israeli company Verint spun off its intelligence-cyber solutions division into a standalone company traded on the Nasdaq called Cognyte.
Verint today is focused on artificial intelligence and data analysis technology, but in the past it sold advanced monitoring technology to repressive regimes in Azerbaijan, Indonesia, South Sudan, Uzbekistan and Kazakhstan.
Cognyte currently shares the same address in the central Israeli city of Herzliya with Verint and provides the cyberintelligence services Verint once did. A Haaretz investigation revealed its mass surveillance technology was sold to Myanmar in recent years.
Cognyte was also called out by Meta in its December 2021 report on the surveillance industry for its use of avatars, which Meta says were employed to target journalists in countries like Chile.
The current leak revealed that the firm also pitched its OSINT system to the Chilean army, though it is unclear whether anything came of either pitch. Cognyte did not respond to requests for comment.
No one can explain why A.’s name, photo and personal details appeared in a report produced by S2T Unlocking Cyberspace, a shadowy cybersecurity company being revealed here for the first time. Her name appears in a sample “target report” included in the S2T pitch deck, part of the massive trove of leaked documents belonging to the Military Forces of Colombia. It is unclear whether her Facebook account was compromised or her data was automatically scraped for a target report to present to clients.
Reporters working on the investigation traced the brochure to S2T, a digital service firm with current or former offices in Singapore, Sri Lanka, the U.K. and Israel, by matching graphics and technical descriptors on its website with those in the brochure. (S2T did not respond to requests for comment.)
S2T was founded in 2002 by entrepreneur Ori Sasson. It claims to have dozens of clients across five continents and employs people from intelligence agencies in the U.K., the U.S., Russia and Israel, as well as local law enforcement in the Middle East, South and Central America and Asia.
The “target report” with A.’s details was part of a wider pitch to Colombian military intelligence. It was intended to show the program’s ability not just to collect data but also to automatically generate reports about targets.
The firm bills itself as an open-source intelligence (OSINT) company, yet the brochure advertises tools beyond typical OSINT, including an automated phishing tool to remotely install malware; massive advertising databases to track targets; and automated influence operations using fake accounts to trick unsuspecting targets.
S2T’s brochures show a clear surveillance funnel that also involves actual spyware: First, a target or potential targets are located on social media, and then the mass avatar system begins to engage. The information the avatars collect then leads to more targets – for example, social groups.
In the next phase, the avatars are even used as digital agents of sorts to try to penetrate closed groups, or to actively engage with a target via private message, such as trying to get them to click an infected hyperlink. The documents suggest that once a device is infected, the spyware can remotely turn on the camera of the victim’s phone and secretly record them – a far cry from any definition of open source.
The use of avatars in such a targeted way is called “cyber HUMINT” – or digital human intelligence, with the fake account playing the role of the human agent making contact with the real human target.
“A good avatar is like an agent,” explains a senior source in the Israeli open source and social media intelligence industry. “You need to develop them like you would a real agent to be able to send them into the field or in this case to actually have the avatar engage with a target.”
Once a friend request is accepted, once entrance to a group is granted, the avatars have access. On a Facebook or WhatsApp group for political activists, for example, the access gained by the digital agent working on behalf of a local police or intel agency could have devastating effects in the real world.
A former employee at S2T who spoke with Haaretz on condition of anonymity said the firm has long offered cyber-HUMINT capabilities. “People think that because it’s supposedly open sources that are being scraped to create this type of intelligence then it’s okay, that it can’t be misused. But if you’re using data that people don’t understand they’ve given you access to then that’s not really okay.”
In a cover letter addressed to Colombian military intelligence, S2T promotes its tools as helping to fight “malicious” groups, including: “terrorists, cyber criminals, [and] anti-government activists.” The brochure later shows how operators can “identify targets for further investigation” starting from a “database of known activists.”
One screenshot suggests an Indian client may have been interested in acquiring this tool for monitoring protest movements on social media. Among at least a dozen case studies from February 2020 are examples showing how the tool was used to analyze “dynamic keywords” related to student protests in 2020 against India’s 2019 Citizenship Amendment Act and what is likely a reference to 2019’s Jammu and Kashmir internet shutdowns.
Forbidden Stories identified clients in Singapore and Israel and possible customers in Bangladesh, Turkey, Sri Lanka, India and Malaysia. According to a brochure from one of its resellers, S2T appears to have worked on behalf of a “Turkish political party,” using social media avatars to join closed groups and collect intelligence on opponents.
According to S2T’s website, other clients include “a Media group in Central America” and a “South American nation” where its tools were used to find “relevant information about the mastermind behind a kidnapping.” The brochure also discusses demos, possibly given in 2020, including to the Indian Navy and to Dato’ Mohamed Lofty Bin Mohamed Noh, a businessman in Malaysia.
The former employee said the firm has long wanted to enter the South American market and was aiming for private sector clients as well.
While it is unclear whether these entities purchased S2T’s platform, Forbidden Stories and its partners identified one probable client: Bangladesh’s Directorate General of Forces Intelligence (DGFI).
An S2T subsidiary appears to have made a shipment to the DGFI in December 2021 or January 2022, which Forbidden Stories confirmed through matching trade data. The revelation follows a Haaretz investigation that found Bangladesh’s intelligence services purchased other Israeli-linked technology in 2022, including surveillance vehicles capable of intercepting mobile and internet traffic.
Bangladesh’s solicitation of such tools aligns with its public statements. In January, according to The Business Standard, the country’s Home Minister announced that it would be introducing an integrated lawful interception system “in a bid to monitor social media platforms and thwart various anti-state and anti-government activities.”
Sasson and S2T refused to respond to this report.
When asked if the Israeli Defense Ministry oversees or regulates the sales and exports of such intelligence systems to military bodies, as it does with cyber arms, the ministry said in response: “Cyber technologies that are regulated in Israel [based on the Wassenaar Arrangement] are systems and equipment used to wiretap or monitor audio or data communications, as well as products related to penetrative programs,” or spyware. “As a policy, the Defense Ministry does not comment about its defense export policies for defense, national and strategic considerations.”