A whistleblower alleges that the scandal-ridden spyware firm NSO Group once offered a telecom security company “bags of cash” to buy access to its cellular networks, ostensibly so its clients could track specific mobile users within the United States.
The claims come from Gary Miller, a cybersecurity professional who previously served as a vice president at network security firm Mobileum. Miller, who has since left the company, said that during a 2017 conference call between the firm and NSO representatives, one of the spyware executives pushed for access to SS7—an insecure networking protocol that has been known to allow for covert surveillance of unsuspecting phone users. When queried as to how such a transaction would occur, NSO co-founder Omri Lavie is reputed to have told Mobileum officials: “We drop bags of cash at your office.”
Miller claims that he originally reported this encounter to the FBI via an online tip portal back in 2017 but never heard back. Then, last year, amidst an ongoing DOJ investigation into NSO, he formally handed over his claims again—this time directly to the Justice Department. He says he has also provided detailed information about the incident to both the Securities and Exchange Commission and the Federal Communications Commission.
SS7 has reportedly been a vector for shady surveillance for years. The protocol has well-known security flaws that hackers can use to listen in on phone calls and track devices. The Saudi and Chinese governments, as well as Israeli hacker-for-hire firms, have been accused of using these security flaws to hack unsuspecting mobile users—including Americans. In December, a global messaging contractor, Mitto AG, was similarly accused of selling SS7 access to private security firms which, in turn, would allegedly sell it to law enforcement agencies.
In response to Miller’s claims, NSO recently told the Washington Post that it had “never done any business with” Mobileum, and that it “does not do business using cash as a form of payment.” It also claimed it was not “aware of any DOJ investigation.” Mobileum similarly disavowed any connection to the spyware vendor: “Mobileum does not have — and has never had — any business relationship with NSO Group,” the company’s top executive, Bobby Srinivasan, told the newspaper.
The allegations come at a dire time for NSO, as ongoing scandals tied to its products continue to roil its reputation and threaten future business. Most recently, controversies have emerged in places as far-flung as Finland, Poland, Israel, Hungary, El Salvador, and Uganda, though allegations of misconduct exist in many, many other countries.
On Friday, the New York Times published a sweeping investigation into the company’s ties to the U.S. government, revealing that, among other things, the FBI had considered buying and deploying one of NSO’s surveillance systems for “domestic” use back in 2019. The revelations make it somewhat ironic that the Justice Department is now investigating NSO, since, according to the paper, DOJ lawyers also spent two years trying to determine a legal pretext for FBI deployment of NSO tools inside the United States.