Israeli Hacker-For-Hire Gets 80 Months for Spearphishing Crimes

Israeli hacker-for-hire Aviram Azari was sentenced in the Southern District of New York to 80 months of incarceration for orchestrating an international cybercriminal scheme on commission. In April 2023, Azari pleaded guilty to multiple charges. From 2014 to 2019, he coordinated spearphishing campaigns on behalf of unidentified clients.

From around November 2014 to September 2019, Azari participated in a widespread phishing campaign targeting individuals and companies globally. Azari owned and operated an intelligence firm in Israel. Clients hired Azari to manage “projects” that were described as intelligence-gathering efforts but were in fact spearphishing campaigns targeting specific victim groups, including eco-activists as well as private individuals and financial firms crucial to the German payment processing company Wirecard A.G.

Azari paid various hacking groups, including a specialized unit in India, to send phishing emails to victims of the projects. These hacking groups informed Azari of the campaign’s progress and notified him when they successfully accessed victims’ accounts and stole information.

During the trial, it was revealed that Azari earned over $4.8 million in five years. He hired hackers, including from India, to access victims’ emails. The hackers employed social engineering methods, including phishing emails that redirected victims to fake web pages to steal their credentials.

Among Azari’s victims were prominent eco-activists and representatives of organizations such as the Union of Concerned Scientists, the Rockefeller Family Fund, the Nature Rights Defense Fund, and the Climate Research Center. Stolen correspondence from these organizations was published in the media and used in articles related to investigations of Exxon’s influence on climate change.

Prosecutors emphasized that the goal of these publications was to discredit investigations by state attorneys general into Exxon’s case and the activities of non-profit organizations involved in these investigations. Moreover, Exxon, denying any connection with Azari and the spearphishing campaign, used the stolen information in its legal actions.

Investigators confirmed the hacking of over 100 of Azari’s victims and identified about 200 potential targets. However, according to prosecutors, the total number of affected individuals and organizations worldwide is in the thousands, and many of them remain unidentified. Interestingly, Azari refused to disclose the names of his clients, except for Wirecard. According to Reuters, among the hackers hired by Azari were representatives of the Indian IT company BellTroX, which provided hacking services.

The 52-year-old Azari pleaded guilty to one count of conspiracy to commit computer hacking, one count of electronic fraud, and one count of aggravated identity theft. In addition to imprisonment, Azari was sentenced to three years of supervised release and ordered to pay a forfeiture of $4,844,968.

Azari’s conviction is a significant milestone in combating international cybercrime, particularly in the context of commissioned hacking. The case highlights the grave threat such activities pose to individuals, corporations, and public organizations. It also underscores the necessity of international cooperation and stricter measures in cybersecurity to prevent similar incidents in the future.