- Temps de lecture : 12 min.
“Team Jorge”: In the heart of a global disinformation machine
In Part 2 of the “Story Killers” project, which continues the work of assassinated Indian journalist Gauri Lankesh on disinformation, the Forbidden Stories consortium investigated an ultra-secret Israeli company involved in manipulating elections and hacking African politicians. We took an unprecedented dive into a world where troll armies, cyber espionage and influencers are intertwined.
Par Cécile Andrzejewski
Translated by Annie Hylton
Have contributed to the investigation: Gur Meggido (The Marker), Omer Benjakob (Haaretz), Frédéric Métézeau (Radio France), Damien Leloup (Le Monde), Florian Reynaud (Le Monde), Christo Buschek (Paper Trail Media), Paul Lewis (The Guardian), Stephanie Kirchgaessner (The Guardian), Manisha Ganguly (The Guardian), Carole Cadwalladr (The Guardian), Roman Lehberger (Der Spiegel), Max Hoppenstedt (Der Spiegel), Marcel Rosenbach (Der Spiegel), Heiner Hoffmann (Der Spiegel), Fritz Zimmermann (Die Zeit), Kira Zalan (OCCRP), Antonio Baquero (OCCRP), Alina Tsogoeva (OCCRP), Khadija Sharife (OCCRP), Kristof Clerix (Knack).
Technical consultant: Donncha O Cearbhaill
“Things don’t necessarily have to be true, as long as they are believed” is a quote that could be attributed to many philosophers, but instead originates from a man named Alexander Nix. If his name is unfamiliar, the company he ran is not: Cambridge Analytica.
In 2018, the eponymous scandal revealed how the British company acquired the personal data of nearly 87 million Facebook users to influence voters on “an industrial scale.” The company, which sold its services in some 60 states—from the Iranian regime to the Malaysian national oil company—is accused of manipulating numerous elections; it contributed to Donald Trump’s 2016 victory in the US and the Brexit vote in England. When the affair made headlines, the name Cambridge Analytica became synonymous with disinformation worldwide.
However, not everything about this scandal has been revealed. Some of the most feared culprits inside this world have managed to hide in the shadows, among them mysterious Israeli hacking experts. Brittany Kaiser, the company’s former development director and one of the now-famous whistleblowers in the scandal, described the hackers as a team in charge of “opposition research.” In anonymous testimonies published in the British press in 2018, former employees describe “Israeli hackers” barging into the company’s offices with USB drives loaded with what appeared to contain hacked private emails of politicians. “People panicked, they wanted nothing to do with it,” a former employee told the Guardian at the time. According to the Guardian’s reporting, these “hackers offered personal data about future Nigerian president and future PM of St Kitts and Nevis.”
The Cambridge Analytica scandal revealed the existence and methods of these mysterious hackers. But until now, the press has been unable to pierce the anonymity of these shady “opposition researchers” or attribute them to a company. When he refers to “Israeli black ops” in an internal e-mail, Nix mentions neither an identity nor a company name. Instead, he designates an alias for the boss of this ultra-secret entity: “Jorge.”
For over six months, Forbidden Stories and its partners followed Jorge’s trail. In this parallel market of disinformation, companies—both official and underground—have become masters in the art of manipulating reality and diffusing misleading stories. Continuing the work of Gauri Lankesh, an Indian journalist murdered in 2017 who investigated disinformation and “lie factories,” the “Story Killers” project penetrated an industry that uses every weapon at its disposal to manipulate the media and public opinion at the expense of information and democracy.
Almost five years after the Cambridge Analytica scandal, journalists from the Forbidden Stories consortium managed to identify and track down Jorge. Using dubious methods, the Israeli “consultant” still goes by this same pseudonym and continues to sell his influence and manipulation services to the highest bidder. His tools, though, have since adapted to the latest technological developments: artificial intelligence now writes on-demand viral posts and the remote hacking of Telegram accounts has enriched his catalog of services.
In the summer of 2022, a potential client, presenting himself as a representative for an African leader hoping to postpone, or even cancel, an election, asked Jorge for a demonstration. The job, Jorge told him, would cost some 6 million euros. During several Zoom discussions, Jorge maintained his anonymity.
What “Jorge” didn’t know is that the man on his screen was not an intermediary, nor did he work in Africa. He was, in fact, a journalist from Radio France and was soon joined by colleagues from TheMarker and Haaretz, reporters who are members of the Story Killers project.
“33 presidential campaigns, 27 of which were successful”
Between July and December 2022, journalists posing as clients attended several meetings with Jorge: three online and one in his office in Israel. The consortium decided it was in the public interest to go undercover, which was the only method to gain access to this closed world and obtain evidence of global manipulation. To reach Jorge, reporters needed to pass through a series of intermediaries, from former intelligence officers to communications and security experts. This method presented an otherwise-impossible opportunity to discuss Jorge’s manipulation services–“mainly intelligence and influence,” he said–and attend live demonstrations. Apart from the “technological” “capacities” Jorge presented, he explained how to “build a narrative,” which he could then propagate with an impressive range of services: bot networks, false information, and hacking of opponents.
Jorge boasted of having used such tactics on “33 presidential campaigns, 27 of which were successful,” a claim that is difficult to verify. Jorge did not reveal any details about his clients, preferring instead to demonstrate his impressive range of services.
He eventually divulged information on secret operations, including one that had provoked a recent media storm in France. Earlier this month, the French press disclosed the existence of an internal investigation at BFM TV, a popular television channel after one of its most prominent figures, Rachid M’Barki, allegedly broadcast unverified content.
Protect your stories
Are you a journalist under threat because of your reporting? Secure your information with Forbidden Stories.
To verify the authenticity of this video and others that Jorge’s network of bots had shared, the consortium submitted them to BFM TV’s management in January, which quickly suspended the journalist and launched an internal audit. In a statement to Forbidden Stories, Marc-Olivier Fogiel, the channel’s managing director, said: “I have an ethical suspicion [about why the] news was broadcast while it had no editorial consistency with the rest of the channel.” In response, M’Barki asserted his “editorial free will” and explained that he had followed the instructions of Jean-Pierre Duthion, an intermediary. Media consultant and lobbyist, Duthion is known in the world of influence agencies. In internal documents, one agency described him as a disinformation “mercenary,” who is “mainly motivated by profit.” When contacted by Forbidden Stories, he confirmed that he “worked on the seizing of Russian yachts in Monaco, which led to job losses at the local level,” but declined to reveal his client, arguing such a deal goes through a series of intermediaries, “who do not themselves know who the final client is.”
He claims he did not pay M’Barki, who also told BFM TV management that he did not receive payment to broadcast these stories. According to a source familiar with the industry, such services could be worth some €3,000 for a journalist. M’Barki, who declined to answer our questions, acknowledged that he “did not necessarily follow the usual editorial line,” and said: “Maybe I was tricked. I did not have the impression that was the case, or that I was participating in an operation, otherwise I wouldn’t have done it.”
Advanced lie-spreading technologies
Support us so that we can continue investigating
We need your help to expose what the enemies of the press try to keep quiet.
Ministry of hacking
To demonstrate one of his most effective weapons, Jorge took control of the private messaging systems of several high-level African officials. “We are inside,” Jorge told the reporters, who observed two Gmail accounts,a Google Drive and an address book, as well as a string of Telegram accounts. (Hacking victims were unaware of the infiltration.) Once inside the messaging system of a victim, Jorge was then able to impersonate conversations with their contacts. Jorge proceeded to send messages to the victims’ relatives from their hacked Telegram accounts.
Jorge, though, made an error. Attempting to remove his traces, he deleted the messages sent from the infiltrated account but forgot to delete the messages for the recipient. We identified one of these recipients, who kept records of Jorge’s operation. Through the error, we could confirm that in the summer of 2022, as the Kenyan presidential election was approaching, Jorge looked through the accounts of people close to future president William Ruto. Two hacking victims—Dennis Itumbi and Davis Chirchir, then in charge of digital strategy for Ruto’s campaign and Ruto’s chief of staff, respectively—were accused, following the elections, of having hired hackers to manipulate the results of the presidential election. The Supreme Court rejected the accusation and said the evidence had been “falsified.” (Nevertheless, there is no definitive proof that Team Jorge was behind attempts to manipulate the Kenyan presidential election.)
Jorge and his galaxy
Also present during two meetings with the journalists, but not with Hanan, was Yaakov Tzedek, head of the Tzedek Media Group, who presented himself as “a digital and advertising expert for over a decade.” Ishay Shechter, Strategy Director at Goren Amir, a major Israeli lobbying firm, participated in a meeting with the journalists that led them to Hanan. Responding to questions from the consortium, he wrote that he “never had a business relationship with Jorge or Tal Hanan” and that he was “not familiar with or aware of their illegal or improper activity.”
Finally, Zohar Hanan, Tal’s brother, is the CEO of a private security company and a polygraph specialist. He told the consortium he “[has] been working all his life according to the law.”
According to a biography on Demoman’s website, Hanan served in the Israeli Special Forces in an elite explosive ordnance disposal unit. His career, like his business, moved from explosives disposal to intelligence. Even if “Jorge” has remained invisible for years, Hanan became of interest to at least one European intelligence service in 2008, according to a police source, for offers of dubious security services following various counter-terrorism, intelligence and counter-espionage conferences. According to the same source, he operates on the “border between private security and mercenaries.” When contacted by the consortium, Tal Hanan simply denied “any wrong doing”.
Hanan has cultivated an impressive international network over his years working in intelligence. According to a Bloomberg investigation, in 2006, while on assignment for a Panamanian bank, Hanan alerted Martin Rodil, then a data analyst with the International Monetary Fund, to money moving from PDVSA, the Venezuelan state oil company, to Iran, in violation of US sanctions. Hanan then allegedly asked Rodil to track down the money for him, according to Bloomberg. A year later, the two decided to share their information with the Israeli government and spent two days answering questions from the secret service. Together, they founded Global Resources Solutions, which offered security and financial intelligence. Rodil is now under investigation in Spain for allegedly extorting former Venezuelan officials. He did not respond to multiple requests for comment.
During a meeting with journalists in August 2022, Hanan named Roger Noriega, the former deputy secretary of state under President George W. Bush, as a former associate. (Noriega also worked with Rodil and publicly defended him in the press.) When contacted by our consortium, Noriega, who also helped establish a hard political stance toward the Chavez regime, admitted to knowing Hanan but said: “Since six or seven years, [I haven’t had] any substantial conversation with him. We had common clients related to Venezuela, [but] I never had any serious business with Tal.”
An interconnected market
Hanan claims to use the most advanced tools on the market for his manipulation services. During his live demonstrations, he presented services from TA9, a subsidiary of the company Rayzone, whose logo he had erased in his presentation. Contacted by Forbidden Stories, TA9 said that it has never had any business dealings with Hanan or his associates and explained that screenshots of its products were readily available on its website or during online presentations.
Rayzone also markets tools that allow for collecting personal data and location via the Internet or telephone networks. It relies on the SS7 network, which is used to direct calls and SMS messages from telephone users to their customers and locate their devices. This system, meant for telephone operators, suffers from vulnerabilities that allow hackers to access the information of cellphone users. Hanan repeatedly raised the potential exploitation of these vulnerabilities during meetings with the journalists.
When asked about its offerings, Rayzone only mentioned one product, which, they said, “[offers] location only without any active interception capabilities” and is regulated by the Israeli defense ministry.
Using additional slides from TA9 brochures, the Rayzone subsidiary, Hanan also cited its “facial recognition” and “interception of GSM satellite” capacities as available tools for the most sophisticated surveillance of potential targets.
According to the Israeli daily Calcalist, David Avital, a shareholder in one of Rayzone’s subsidiaries, is currently harboring Zerón, the former Mexican official subject to an international arrest warrant and whose innocence the AIMS avatars defended. (“Mr. Zerón is indeed in Israel. However, he never lived in an apartment belonging to David Avital,” Turlevsky, Zerón’s lawyer, said.)
Investigating this network, Forbidden Stories repeatedly confronted the blurred lines between states and private companies, and the interconnected worlds of intelligence, influence and cyber-surveillance. But questions remain as to how Hanan is paid for his services.
Forbidden Stories and its partners gained access to a brochure, sent by Hanan as part of a pitch to Cambridge Analytica in 2015, that provided a picture of how much these services might cost. This rather vague document of just over three pages is entitled “elections, intelligence and special operations,” and suggests that the author had field experience since 1999. This is the same year that Demoman, the company of which Hanan is CEO, was founded. In the brochure, Hanan proposes options that “feed and enhance each other,” combining “strategic intelligence,” “public perception,” “information warfare,” “communication security,” and a “special package” for “D-Day.” The brochure praises his team, composed of former intelligence services and special forces from Israel, the United States, Spain, the United Kingdom and Russia. According to the brochure, the team also includes “experts in media and mass media” who know “the best way to use the information to deliver a story, a message, or a scandal, to create the desired effects.” According to the brochure, Hanan charged $160,000 for an eight-week “initial research and preparation phase,” plus $40,000 for travel expenses. (This rate was much lower than what he had proposed to the consortium’s reporters in 2022: 6 million Euros for one campaign.)
However, it was not through Demoman that Hanan marketed his hacking services. And for good reason: the company is registered with the Israeli Ministry of Defense. According to Israeli law, it is illegal to sell hacking services to private individuals or businesses, or for use in foreign political campaigns.
During various meetings with the undercover journalists, Hanan claimed to have about 100 employees globally. Although this number is impossible to confirm, the Demoman website claims to have offices and representatives in Israel, the United States, Switzerland, Spain, Croatia, the Philippines and Colombia. Mexican and Ukrainian addresses were also mentioned, but, according to Hanan, they were closed due to a business slowdown and war, respectively.
During the same meeting, Hanan’s brother also claimed to be using AIMS bots to bet on the crypto-currency market, and thus reap additional gains. Anything to make a dollar.