Lawsuit alleges $100 million payday for ex-CIA hackers who targeted Americans for Qatar

A lawsuit filed in a New York federal court last week illuminates an alarming new trend: foreign governments are increasingly able to hire US-based cybersecurity firms with elite training from the CIA, NSA and other intelligence agencies to target Americans and others who are hostile to their interests.

The lawsuit claims that the Muslim Brotherhood-promoting Gulf emirate of Qatar sought out American intelligence operatives—many of whom were trained by the American military and Intelligence Community—to surveil, hack and intimidate influential Qatari critics in tandem with coordinated public relations campaigns.

The suit was filed by Elliott Broidy, a venture capitalist and former Republican National Committee finance chairman, who has been described as "an influential Qatari critic" of Qatar’s support for anti-American and anti-Israel Islamists like Hamas, the Taliban and the Muslim Brotherhood.

American firms with lucrative Qatari retainers allegedly hacked and disseminated Broidy’s personal communications to the public in early 2018, part of what he alleges was a systematic smear campaign funded by the Qatari government and carried out by a litany of American private security and public relations firms.

Qatar has invested heavily in efforts to recast its image in Washington since 2017, when a coalition of neighboring countries – including Saudi Arabia, the United Arab Emirates and Egypt – severed diplomatic relations with Doha, embargoed travel to the country and imposed a naval blockade. Qatar has since sought to solicit US support to end the blockade.

"Qatar has embarked upon a strategy of gaining influence in Western nations, including the United States, through a campaign of retaining Western political lobbyists and operatives," the lawsuit said. "These efforts have often employed illegal means, most prominently in Qatar’s procurement of the 2022 World Cup through widespread bribery."

Qatar allegedly worked with Global Risk Advisors (GRA) LLC, to hack high-level American critics and disseminate their personal communications.

GRA markets itself as a "an international strategic consultancy specializing in cybersecurity, military and law enforcement training, and intelligence-based advisory services," according to its website. It operates a number of subsidiaries involved in cyber and physical security and has operated in Doha since 2017, according to the lawsuit. Founded by Yale adjunct professor and former CIA operative Kevin Chalker, GRA recruits heavily from the US security and intelligence agencies.

GRA first ingratiated itself with the Qatari Royal Family by helping it to illicitly coerce officials at FIFA, the international governing body of soccer, to vote to award Qatar the 2022 World Cup, according to the suit.  GRA black operations helped "Qatar maintain its blatantly corrupt bid for the 2022 World Cup," using "astroturfing and paid extensive bribes to win the privilege of hosting the 2022 World Cup," according to the lawsuit. When a German FIFA official later referred to Qatar as a "cancer" on the sport, GRA hacked and "covertly neutralized," the individual, according to the complaint. "This was a precursor to the hacking, surveillance and attempted neutralizing of Mr. Broidy," the lawsuit said.

The complaint posited that "GRA was perfectly suited for this work because it employs former National Security Agency, Central Intelligence Agency, and US Armed Forces personnel with extensive offensive hacking expertise."

Chalker is an expert in cybersecurity, and holds two patents related to resonant cryptography, a method for the secure transmission of data across any network. The complaint documents GRA’s expertise in this area points out that company produced a promotional video in 2015 touting its "advanced techniques to penetrate target networks," and methods to "intrude into servers," including "spear phishing" campaigns.

According to the complaint, GRA received more than $500 million for its work on Qatar’s World Cup project and received consulting contracts worth at least $100 million to attack American citizens, primarily for illegal activity. It alleges that Mr. Chalker and GRA "identified and proposed multiple national security enhancements and surveillance work."

Broidy alleges that GRA began to use its expertise to target American citizens, beginning with himself, in 2017. At the behest of GRA’s Qatari handler, Ali al-Thawadi, GRA allegedly used a spear phishing campaign to hack his personal communications in early 2018, stealing confidential information that was subsequently divulged to a team of American media consultants on Doha’s payroll. He claims Qatar coordinated with GRA and a litany of American-based public relations firms to orchestrate a smear campaign that would impugn his image and, ultimately, discredit his message.

The Broidy hack, according to the suit, was one of GRA’s "special projects," illegal operations ordered by al-Thawadi – chief of staff to the Qatari Emir and codenamed "Shep" by Chalker – to procure incriminating information on the Qatari Royal Family’s international foes.  The report alleged that "GRA compartmentalized its 'special projects' because it well knew that the special projects involved extensive criminal conduct."

"One of the special projects involved hacking into private servers to spy on politically active American citizens seen by Qatar as potential threats to its interests, like Mr. Broidy," the lawsuit said.

"For purposes of the special projects, GRA’s US-based teams would regularly compile and synthesize the results of their hacking and other covert intelligence gathering and produce a glossy dossier which was transmitted to GRA’s office in Doha and hand delivered to Shep every two to three months. The information GRA brought to Shep included highly personal information on American citizens."

Chalker, GRA and its subsidiaries were all named as defendants in Broidy’s lawsuit, which was filed in the Southern District of New York Federal Circuit Court on June 29. Broidy’s legal team is expected to argue that GRA, at the expressed direction of the Qatari government, conducted cyber attacks on American citizens to advance Qatari interests.