Cyber Mercenaries Are Hacking Elections Globally. Here’s an Example of How They Do It.

A team of reporters uncovers ‘Team Jorge’, a group which claims to have worked on dozens of presidential elections around the world. It employs disinformation campaigns, false intelligence, hacks and blackmail to promote its clients’ interests. 

Across the globe, shadowy groups of cyber mercenaries have been harnessing digital technology to hack elections, employing their dark arts for anyone willing to pay a hefty fee to subvert democracy.

Exposing its secret strategies to the world for the first time, one group of Israeli disinformation experts pitched its services to journalists posing as potential clients interested in disrupting an African election.

“This is our experience… to hurt the logistics of the opponents, to intimidate them, to create an atmosphere that nobody will go to the elections,” said a member of Team Jorge – as the secretive group refers to itself – during a July 2022 video call.

In several calls and one in-person meeting, members of the team – led by a man calling himself “Jorge” – described “intelligence and influence” services they said they deployed for their clients. They claimed to have worked on “33 presidential-level campaigns” – 27 of them “successful”.

Their tactics include hacking, forging blackmail material, spreading disinformation, planting false intelligence, physically disrupting elections, and deploying targeted social media campaigns.

Reporters were able to verify that some of those tactics were used. Team Jorge appears to have acquired unauthorised access to Telegram and Gmail accounts of highly-placed officials, and deployed botnet social media campaigns. The evidence viewed by reporters suggests that the group meddled in at least two presidential elections.

The going rate for a presidential campaign was 15 million Euros, “Jorge” informed the undercover reporters, who posed as intermediaries for a prospective African client. For this short-term job – with only two months to spare – Team Jorge was willing to charge a minimum of 6 million Euros. Reporters were told the money could easily be transferred through hidden means, perhaps using a French nongovernmental organisation, a law firm in Dubai, or Islamic schools.

“We like to be behind the scenes, and this is part of our power – that the other side does not understand we exist,” said “Jorge”.

The pseudonym – a Spanish name that didn’t match his accent – was part of an attempt to disguise his identity and location. The desktop screen of the computer he used in the presentation jumped between time zones, and showed a feed from a traffic camera in Lithuania. His contact numbers span the world: Indonesia, Ukraine, US and Israel.

Reporters eventually discovered that his real name is Tal Hanan, a self-described counter-terrorism expert who has been cited in the media as a cyber-security specialist.

Hanan denied any wrongdoing, but did not respond to detailed questions.

Hacking Kenya

During one of the recorded Zoom presentations, Hanan displayed a screen with a Telegram account and clicked through the contacts and personal chats of Kenyan political advisor Dennis Itumbi.

The live demo took place at the end of July 2022, at a critical point in Kenya’s presidential election campaign. Itumbi was the digital strategist for William Ruto, the East African nation’s deputy president at the time, who would be elected president within weeks. Local media describe Itumbi as Ruto’s “right-hand man.”

Kenyan President William Ruto. Photo: US Department of State/Wikimedia Commons, Public Domain

Hanan showed proof that not only could he read Itumbi’s personal chats and files – including an internal polling survey related to the upcoming election – but that he could even pose as Itumbi by sending messages from his account. Hanan opened a recent conversation Itumbi had with a prominent Kenyan businessman and sent a text that read simply: “11.”

This message was meaningless, designed only as a demonstration of his ability to control the account. But Team Jorge claimed to have sent falsified messages to military commanders and government ministers, all in an attempt to influence events and cause chaos for a high-level target.

“Typically, I will wait for him to see it and then I will delete it. Why? Because I want to create confusion,” Hanan said.

In the case of the Itumbi demonstration, Hanan accidentally deleted the text message only for the sender. This meant reporters were able to contact the businessman who received it, and verify that the cryptic message had indeed been sent.

The full extent of Team Jorge’s meddling in the Kenyan election is unclear, but disinformation – from both sides – marred the otherwise peaceful August 2022 vote.

Anonymous videos popped up on social media, alleging vote rigging within the election commission, and accusing western powers of subverting the vote.

Right before the election, three Venezuelans employed by the company that provided the voting equipment to the electoral commission were detained at the airport in Nairobi, purportedly with suspicious election materials. Even though Kenyan police reportedly released the men the next day, the viral story became a topic of hot debate throughout the election period, forming the basis of conspiracy theories claiming the vote was rigged.

“This was likely the dirtiest campaign in our history and we have had our share of dirty campaigns in Kenya,” said John Githongo, a journalist and transparency advocate who supported the opposition, and filed an affidavit on behalf of a whistleblower who alleged vote rigging. (OCCRP works with his news organisation The Elephant.)

“What’s clear is that there are a number of reputation launderers, so-called commercial and political security companies that are increasingly hired to get involved in our elections. Often you have a ‘dark arts’ outfit having a presence in multiple countries impacting our democracy adversely.”

Since Ruto was elected, his opponents have filed numerous complaints in court about election irregularities.

One came from Githongo’s anonymous whistleblower, who claimed Itumbi – the strategist targeted by Team Jorge – orchestrated a ballot manipulation campaign. Also named in the complaint was Davis Chirchir, who was Ruto’s chief of staff when Hanan displayed his apparently hacked account. But the whistleblower and the evidence he provided have been discredited.

In the end, the Kenyan Supreme Court rejected not only the whistleblower’s claims, but all of the other petitions, and in September upheld the election results.

Then, in January, a new whistleblower website appeared, purporting to have fresh evidence of fraud. But this too bears the hallmarks of a disinformation campaign.

Digital security experts were unable to identify who set up the new website. And it was impossible to tell the origin of the documents posted there – polling results that had been doctored to show supposed fraud – because metadata had been scrubbed from them.

However, documents appearing to be nearly identical had been sent months earlier to journalists, claiming they proved the Kenyan election was stolen. Those documents contained metadata that revealed the author: Henry Mien, CEO of the consulting company Risk Africa Innovatis. Mien is an ally of opposition leader Raila Odinga, according to two sources in his campaign. He has also openly supported Odinga and shared anonymous fraud allegations on social media.

Even though analysts said the documents were suspicious, the opposition in Kenya has used them as a justification to call for protests. Within days of the documents being posted online, defeated candidate Odinga held a political rally in Nairobi, where he called Ruto’s administration “illegitimate”. He demanded that the five-month-old administration resign, and declared that “the resistance starts today.”

Dennis Itumbi, Davis Chirchir, Raila Odinga, and Henry Mien did not respond to requests for comment.

Murky relationships

While Hanan told reporters he was working on an “African election” – and showed them evidence that it was in Kenya – it is unclear who hired him. Team Jorge’s involvement comes after years of targeted disinformation in Kenyan politics, making it especially challenging to trace a particular event or conspiracy to a specific perpetrator.

Undercover reporting revealed that the disgraced political consultancy firm Cambridge Analytica had worked to help elect former President Uhuru Kenyatta in 2013 and 2017. That latter year, leaked emails show Hanan offered his services in Kenya to Cambridge Analytica’s parent company, SCL Group. The initial offer was rejected because of his pricing, though the conversation seems to have continued.

But Team Jorge did appear to get involved in Odinga’s 2022 campaign. Kenyatta could not by law seek another term in the August 2022 election, so he joined forces with his former rival Odinga to try to beat Ruto – the candidate targeted by Hanan during his demo.

The leaked emails also show Cambridge Analytica had worked with Hanan in the past.

And in 2018, Brittany Kaiser, former director of programme development at SCL, told British MPs looking into the Cambridge Analytica election meddling scandal that she had introduced former Nigerian president and SCL client Goodluck Jonathan to Israeli consultants. These consultants had done intelligence gathering for governments, she said, and provided services that SCL didn’t officially offer.

Kaiser, who later blew the whistle on Cambridge Analytica’s controversial tactics, said she had no role in decision making at SCL, that the consultants were not commissioned “to undertake illegal activity,” and denied any suggestion that she had run, condoned or “knowingly colluded” in any illegality.

Kenyatta did not respond to a request for comment.

Emma Briant, an expert on information warfare and Cambridge Analytica, says companies in this industry “regularly throw each other work” for deniability and legal cover.

Cambridge Analytica was among 65 firms identified by Oxford University’s Computational Propaganda Project that have openly offered to governments their services for influencing elections. But there are a host of others – like Team Jorge – who prefer to stay in the shadows.

The deals they strike are “intentionally obfuscated, and the relationships are quite secret,” said Samantha Bradshaw, an assistant professor at American University in Washington, D.C., who participated in that research.

Tech toolbox

Team Jorge said two-thirds of the presidential campaigns they’ve meddled in were in Africa, but their promotional material also includes countries in Europe, Latin America, Southeast Asia, and the Caribbean.

Hanan’s brother, Zohar, said in a meeting in December that there are only three jobs Team Jorge will not take on: Nothing in Israel (“We don’t want to shit where we are sleeping.”); no American party-level politics (they claim to have turned down an invite to help elect former US President Donald Trump); and “nothing against Mr. Putin.”

During demonstrations to the undercover reporters, Tal Hanan was eager to show off the tech tools his team deploys to help clients.

He displayed an article with headlines from Nigeria that described attacks on opposition phone lines, as part of their “Team Jorge Presents: Intelligence on Demand” sales video. These attacks overwhelm the telephone network.

“We want to have some people silenced, we want some people to have miscommunications,” he said during one call where he referred to an election day as “D-day”. “So we have the capacity on D-Day to defuse hundreds of phones… a specific chief of police, or army people that are not in our favour. All the phones will cease from working.”

And Hanan claimed to have used a similar tactic against computer networks.

“We can take out websites, anything with IP, servers. If they have their own servers, applications, sometimes two, three news agencies – we can take them out,” he bragged.

The capabilities Hanan described resemble “distributed denial of service”, or DDoS, attacks. These attacks typically overwhelm a target’s systems by flooding them with requests, leaving them unable to respond to legitimate ones – a “denial of service”.

He displayed headlines about such an attack during the 2014 referendum in Catalonia. Spanish investigators told OCCRP they had no evidence of Hanan’s involvement, but said it was plausible.

Team Jorge’s tech toolbox also includes “a platform of influence” called Advanced Impact Media Solutions, or AIMS, which Hanan claims to have sold to the intelligence services of more than 10 countries.

The AIMS software is designed to create convincing avatars for social media campaigns. The avatars, or bots, use stolen photos of real people, operate on any social media platform, and can be connected to functioning Amazon and Bitcoin accounts. They also appear to have a longstanding presence online, including Gmail accounts and trite comments on celebrity YouTube videos, to give investigators the impression they are real people.

“We imitate human behaviour,” Hanan told the undercover reporters.

Most online accounts require a phone number and email address verification to keep out bots like those deployed by AIMS. But there are websites set up specifically to allow one-off SMS-verification services, for 50 cents or less. Many accounts – such as Gmail and WhatsApp – can be registered with “verified” phone numbers. Team Jorge appears to be using a service called SMSpva.com for phone number verifications. SMSpva.com did not respond to a request for comment.

AIMS also relies on residential proxies, which reroute internet traffic from bots through people’s homes so that it appears authentic and avoids detection and shut-downs by social media platforms like Twitter and Facebook. This makes it difficult for the platforms to identify a coordinated disinformation campaign.

Analysis by reporting partners Le Monde and the Guardian identified clusters of avatars, including those seen in Hanan’s pitch presentations, that appear to have been used for coordinated Twitter campaigns. Reporters found over 1,700 Twitter accounts connected to 21 AIMS-related campaigns, whose networks had produced tens of thousands of tweets.

In the December in-person meeting with undercover reporters, Team Jorge showed off a new capability of AIMS: Artificial intelligence tools to generate fake news using specified keywords, tone and topic.

“One operator can have like 300 profiles,” Zohar Hanan said during the demo. “So within two hours the whole country will speak the message, the narrative I want.”

Unmasking Team Jorge

The identities of Team Jorge are almost as mysterious as their tactics. But reporters managed to piece together some background information on members of the clandestine group. Some of it lines up with claims Team Jorge made about team members in calls with journalists.

“Some of us are former senior information officers,” said Mashy Meidan, who went by “Max.” “Some of us are former senior financial info and warfare experts. Some of us work with the psychological warfare specialists.”

Multiple Israeli security sources, who spoke to TheMarker on condition of anonymity, confirmed that Meidan has worked with Israel’s internal security service Shabak. They said another team member, Shuki Friedman, had also worked with Shabak. Friedman did not respond to a request for comment.

Yaakov Tzedek is a digital entrepreneur who is listed as co-founder of the Israeli real estate company Proptech Investments. Ishay Shechter is a “strategy director” at Goren Amir, a prominent Israeli lobbying firm that has worked with international clients including Visa, Uber and IKEA.

Despite appearing in the Zoom call with undercover reporters, Meidan and Shechter separately said they had never worked with Team Jorge or Tal Hanan.

Tal Hanan’s brother Zohar, who was introduced as the company’s CEO “Nick,” is publicly identified as a polygraph expert who worked with an Israeli company called Sensority LTD, which is now in liquidation. Another company, Pangea IT, bought Sensority’s technology, which detects psychological stress in a subject. Zohar said he had “been working all my life according to the law” but did not respond to specific questions.

Tal Hanan served in the Israeli special forces as an explosives expert, according to an online biography. He is listed as CEO of at least two Israeli companies, Tal Sol Energy and Demoman International Ltd., an intelligence firm included in a register of defense companies on the website of the Israeli Ministry of Defence.

Hanan indicated that he had orchestrated lobbying operations in the US despite not registering as a “foreign agent,” as required by law. He said he worked via consultants and companies that are already registered, and told reporters he had recently set up a public relations firm called Axiomatics to promote Team Jorge with “existing lobby groups.”

In the years following the September 2001 attacks on the World Trade Center in New York, Hanan positioned himself as an expert on counter-terrorism. He claims to have trained law enforcement bodies including US federal agencies, according to an archived page from his now-defunct website suicide-terrorism.com. In 2010, Hanan was quoted in The Jerusalem Post as a cyber security expert, commenting on hacking capabilities.

During calls with undercover reporters, Team Jorge went into depth about the technology they say the group uses to swing elections. They added that they have six offices and employ at least 100 people, emphasising that they draw on the backgrounds of colleagues with experience in the intelligence services. This pushes Team Jorge’s activities far beyond the realm of public relations strategies that are commonly deployed in elections.

“This is intelligence work more than anything. It’s not PR work. It’s intelligence work,” Hanan emphasised.

This article first appeared on the Organized Crime and Corruption Reporting Project (OCCRP) website. It was also published by OCCRP’s partners: Haaretz (Israel, in English), Der Spiegel (Germany, in German), Der Standard (Austria, in German), Le Monde (France, in French) and The Guardian (UK, in English).