They Wanted to Hold Exxon Accountable. Then They Got Hacked.

Hilary Beaumont / Grist

On a cold January morning in 2016, Kert Davies joined a group of climate advocates and lawyers at the Rockefeller Family Fund’s office in Upper Manhattan to discuss an audacious goal: holding Exxon Mobil, one of the world’s largest fossil fuel companies, accountable for climate change. A few months earlier, a set of explosive media reports had revealed that the company’s own scientists determined as early as 1982 that the extraction and burning of fossil fuels caused climate change — but Exxon went on to fund climate denial campaigns anyway.

For Exxon, it was a public relations crisis that carried potentially devastating legal consequences. Davies, the founder of the Climate Investigations Center, a group that monitors the fossil fuel industry, had been strategizing with other climate advocates to make those consequences stick, using the hashtag #ExxonKnew to raise public awareness.

About a month after the meeting in Manhattan, Davies received the first fishy email. It appeared to be from Facebook and said, “Kert, you have 5 poke.” Similar messages arrived over the next few days — emails that looked like notifications from people on Facebook, Twitter, and LinkedIn.

Not realizing he was being phished, Davies clicked some of the links embedded in the strange messages. But he soon felt a creeping sense of dread. In early March, he asked his colleagues on a climate activist listserv: “Has anybody received weird emails?” They replied that they had. Some had clicked links and entered their passwords.

Inundated with ominous emails, the feeling of constant danger started to stifle the group’s communication. Then, the following month, a Wall Street Journal reporter reached out to Davies about a detailed agenda she had obtained for the January meeting he’d attended at the Rockefeller Family Fund’s office. In April 2016, details from the email were published by the Wall Street Journal and the Washington Free Beacon, a conservative news publication, which alleged “secret coordination” against Exxon by climate activists.

Although Davies didn’t think it was unusual for environmental advocates to meet to strategize against one of the world’s largest polluters, Exxon soon latched onto the media reports to fight subpoenas and lawsuits it was now facing from 17 attorneys general. Defending itself from the investigations, Exxon quoted the meeting agenda in its court filings to argue that activists were conspiring against the company.

A criminal investigation would later reveal that the email obtained by the two publications had been hacked. But details about who ordered the hack have long been a mystery. Now, court documents allege that the hack was ordered by a firm representing Exxon itself — the very company Davies and others were trying to hold accountable for climate deception.

The potential link to the oil company came to light last year, after the U.S. government issued an arrest warrant and attempted to extradite Israeli private investigator Amit Forlit from the U.K. Suddenly, Forlit was facing hacking and wire fraud charges that could land him in prison for up to 45 years. In the indictment from the U.S. attorney’s office in New York, which was unsealed earlier this year, prosecutors alleged that a public affairs firm working on behalf of an oil giant matching Exxon’s description hired Forlit to execute a project that involved hacking climate activists. In court documents, Forlit referenced the indictment and alleged that the hacking was commissioned by DCI group, a public affairs firm with a longtime relationship with Exxon. Separately, Reuters reported that the FBI had investigated DCI Group regarding the hacking operation.

DCI Group and Exxon deny involvement. Exxon Mobil did not reply to a request for comment, however, the company has previously said it has not been “involved in, nor are we aware of, any hacking activities. If there was any hacking involved, we condemn it in the strongest possible terms.” The company has said it acknowledges “climate change is real, and we have an entire business dedicated to reducing emissions.”

“We do and always have directed all our employees and consultants to comply with the law,” Craig Stevens, a partner at DCI Group, wrote in an email. He added that his firm has “been told by the government that neither DCI nor any of its personnel are under investigation” and that they had “no knowledge or understanding” of the alleged hacking activity. “Any insinuation otherwise is completely false and unsubstantiated,” he wrote.

Through his lawyer, Forlit declined to comment. He has pleaded not guilty.

Today, as a direct result of the revelations about what Exxon knew about climate change and when, the fossil fuel giant and others are fighting lawsuits brought by states and cities that could result in hundreds of billions of dollars in damages. And in the past decade, threats to climate advocates have only grown more dangerous; fossil fuel companies have worked with security firms or police to surveil activists who opposed pipeline projects like the Dakota Access Pipeline and Line 3. Cybercrime has grown more sophisticated, and a global hack-for-hire industry has, so far, faced few consequences.

Davies, who is still monitoring Exxon, hopes the Forlit case will reveal whether the oil giant was involved in the hack. “None of that has been proven yet. So any furtherance of that story and that proof is really important to me, personally, and to a lot of the people who were attacked by this operation 10 years ago,” he said. “It’s personal, because I really don’t like bullies or liars or cheaters.”

About a year after Davies began receiving those strange messages, an investigative reporter who was covering financial fraud in Germany began receiving similar emails and flagged them to the University of Toronto’s Citizen Lab, which investigates efforts to surveil civil society. John Scott-Railton, a senior researcher at the lab, quickly determined they were phishing attacks. Citizen Lab researchers noticed that the links in the emails used a custom URL shortener. They then developed a technique to figure out the full unshortened URLs containing target email addresses, giving them a comprehensive list of those targeted.

Many of the victims were people at environmental groups and advocates campaigning against Exxon, but Scott-Railton and his colleagues found that the hundreds of targets also included the families and friends of activists. Non-environmental groups — for example, hedge funds, short sellers, and financial journalists — were targeted as well.

“We began toying with the idea that perhaps this was a mercenary group and they were taking commissions,” Scott-Railton said.

Scott-Railton contacted Davies in the fall of 2017. By then, Davies was experiencing another wave of phishing attacks. This time, a number of emails mentioned Exxon, including one pretending to be his colleague sharing a Dropbox document titled “ExxonMobil (confidential).docx”.

Davies still had no idea where the messages were coming from. When he met with Scott-Railton, the researcher showed Davies that he was on a long list of targets — one that included far more activists than just those in his circle of Exxon critics.

“It was really a relief to know that I wasn’t imagining that we were being targeted,” Davies recalled.

As he investigated the hacking group, Scott-Railton helped Davies and other potential targets search their inboxes for evidence that the strange messages were phishing attempts that could be traced to a single hacking group. Davies alone had received more than 80 such emails. Armed with this evidence, several targets of the phishing attacks shared Citizen Lab’s findings with the Department of Justice, or DOJ, which then began gathering evidence of a coordinated scheme.

The Justice Department uncovered correspondence that showed a group of unnamed co-conspirators had emailed Israeli private investigator Aviram Azari, suggesting “we can make some money working together” and inviting him to a business meeting in India. The group then used phishing attacks to successfully hack into the email accounts of various targets located in the U.S. Based on this evidence, in September 2019, federal agents arrested Azari at the John F. Kennedy International Airport while he was on his way to Disneyland with his family. He was charged with managing hacking projects and pleaded not guilty. (Azari’s attorney did not reply to requests for comment.)

As the government continued to build its case, Davies met with DOJ investigators in early 2020 and told them everything he knew. A few months later, Citizen Lab published a groundbreaking report revealing that the phishing emails came from Dark Basin, a hack-for-hire group based in India. The climate advocates were just one group of targets among many; the hackers had attacked thousands of people across six continents, including politicians, prosecutors, CEOs, journalists, and human rights defenders. The report revealed the hackers had a highly detailed understanding of the Exxon critics and their relationships — suggesting they’d been provided with instructions. But the client who ordered the hack was still unknown.

After languishing in a New York prison for years awaiting trial, Azari pleaded guilty to the hacking charges in 2022, but denied knowledge of the client. Sentencing documents revealed that he played a crucial role in a global hacking campaign that targeted thousands of people — stretching well beyond the #ExxonKnew campaign — with clients paying him more than $4.8 million over almost five years for managing intelligence-gathering and phishing campaigns. He directed hackers, including the group in India, to target specific victims’ online accounts.

The DOJ investigation confirmed the successful hacking of more than 100 of Azari’s victims, including those involved in the #ExxonKnew campaign. The government’s sentencing memo said that some of the hacked documents that were stolen from climate advocates’ online accounts were leaked to the press, and that articles about those hacked documents were incorporated into Exxon’s court filings as it battled state attorneys general investigations. DOJ investigators also asked Davies and others to write victim impact statements for Azari’s sentencing. Davies wrote that the attack had caused “anxiety, paranoia, depression, sleeplessness, and fear.”

But despite the revelations from the Azari case, the client who allegedly ordered the hack remained unknown — until the DOJ issued a warrant for the arrest of Israeli private investigator Amit Forlit and requested his extradition.

Forlit’s extradition case sent shockwaves through the U.S. climate community and began providing the answers Davies and others had been waiting for. Davies knew that Exxon had a long working relationship with DCI Group, a strategic communications firm based in Washington, D.C. Public documents show Exxon was a major client of DCI Group, spending more than $3 million on lobbying, including $320,000 in 2015, the year the hacking was allegedly commissioned.

In a filing arguing against his extradition last year, Forlit’s lawyer named the alleged client for the first time: “The hacking is alleged to have been commissioned by DCI Group, a lobbying firm representing ExxonMobil, one of the world’s largest fossil fuel companies.”

Davies was elated. Finally, what he had suspected all along was trickling out in court documents. “There’s been periods of time where I thought, ‘Oh, that’s over. There’s no way to ever figure it out.’ And then all of a sudden — this breakthrough,” he said.

With Forlit potentially facing decades in prison if extradited to the U.S., his lawyer referenced the then-sealed DOJ indictment and named the companies in a legal filing. The lawyer argued that one of the reasons for his prosecution in the U.S. was to “advance the politically-motivated case of pursuing ExxonMobil, with Mr. Forlit a form of collateral damage in that endeavor.” But the court didn’t find this argument persuasive, and in April, Forlit was extradited to the U.S.

The U.S. indictment was unsealed in April, offering tantalizing new details. It alleged Forlit was “a leader of a sprawling cybercriminal enterprise” via Israel-based intelligence-gathering firms, and that his actions involved co-conspirators in the U.S., U.K., Israel, and India. The indictment says the operation targeting climate activists was carried out on behalf of a client: “one of the world’s largest oil and gas corporations, with headquarters in Irving, Texas.” (When the indictment was first filed in 2022, Exxon Mobil was the only major global oil company with headquarters in Irving, Texas.)

The indictment described allegations using ciphers instead of specific names of people and companies, but the names were clear to anyone who had read Forlit’s U.K. court filings opposing his extradition. The indictment laid out a chain of events connecting Forlit and Azari to a “lobbying firm” — which Forlit’s U.K. filings say was DCI Group — and in turn the lobbying firm’s “client,” which the U.K. filings say was Exxon Mobil. The indictment alleged that in October 2015, the client asked the lobbying firm for help responding to civil investigations it was facing related to climate change.

According to the indictment, a principal at the lobbying firm contacted Forlit about a project that would target people working on climate and environmental issues. In a memo to Forlit, the principal laid out a plan for how they “would operationalize the research on the bad guys.” The principal sent the memo to Forlit with a cover email that said: “This is what I gave the client yesterday.” The memo referenced “recent attacks” on the client — the oil and gas company in Irving, Texas — “over climate change by groups on the left” and the “opportunity to go ‘on offense.’”

Prosecutors alleged that Forlit then emailed the principal a proposal for the climate change project, with a $125,000 monthly budget, outlining how his firms would gather intelligence for the client’s use in lobbying and legal proceedings. Forlit then allegedly contracted Azari and others who, in turn, hired hackers.

The indictment alleges that the hackers successfully breached the accounts of two targets who worked for a climate advocacy nonprofit in February and March of 2016 (around the time that Davies heard from the Wall Street Journal reporter) and continued their phishing spree, successfully hacking more targets, until late 2017. The indictment alleges the stolen materials were funneled through Azari and Forlit to the principal at the lobbying firm and ultimately used in lobbying work and climate litigation filings for the client. Between 2014 and 2017, Forlit’s firms allegedly earned $7 million through the scheme, including work on the climate hack.

A decade after they received a flood of phishing attempts, the targets are now poring over the unsealed indictment, trying to piece together the identity and motivations of those who attacked them a decade ago. Although the government investigation confirmed the successful hacking of 100 victims, the Forlit indictment focuses on five unnamed victims.

Lee Wasserman, director and secretary of the Rockefeller Family Foundation, has reason to believe he is “Victim 5.” He and others received letters from the DOJ stating that they were victims of the scheme, although the government never confirmed to them whether they were successfully hacked.

Wasserman believes he was targeted because he supported a Columbia Journalism School investigation into what Exxon knew about climate change that was published in the Los Angeles Times. He also met with the New York attorney general to talk about Exxon. “We think Exxon and their allies’ conduct was the most consequential corporate deception of all time,” Wasserman said.

But the phishing attempts had a chilling effect on their accountability efforts, he added. They switched from email to phone calls, and at times, Wasserman found himself whispering because he wondered if someone had bugged his office or home. He pondered whether cars could be lurking outside to follow him or his colleagues.

Wasserman hopes the court process will reveal how the idea was hatched, who directed the operation, and who paid for it. “We’re all sitting on the edge of our seats waiting to see if we hear that at trial,” he said.

In 2016, Jennifer Cunningham was a partner with SKDKnickerbocker, a public affairs firm, and a policy consultant to the New York Attorney General. She was involved in the climate litigation work and recalled receiving phishing emails, which she believes were attempts to obtain information about the litigation strategy.

In an interview with Grist, she initially said the hackers were not successful. “I remember there were a couple that I really narrowly avoided, because [they appeared to be] from a colleague,” she said. Her office turned over the phishing emails to federal prosecutors.

But later, after reviewing the Forlit indictment, she was fairly certain she recognized herself in it. “Wait — I must be Victim 3?” she wrote in a text message. “If so, I guess they were successful in hacking in, which I never knew.” She hopes the court case will reveal more details, including the communication between the companies and the hackers.

Scott-Railton, who first exposed the hacking operation, said, “The #ExxonKnew hacking campaign stands out, in my mind, as one of the largest and most brazen hacking attempts I’ve ever seen against environmental organizations — or for that matter, U.S. advocacy organizations in general.” These groups continue to face digital threats, he explained; phishing attempts still occur, and hacking has progressed to include more sophisticated methods of intrusion that don’t require targets to click on anything. For instance, the Israeli cyber-intelligence firm NSO Group’s Pegasus spyware had been used to target human rights defenders and journalists. “I have no doubt that a version of this is going to come again,” he said.

This year, Davies received a letter from the DOJ stating that he was a “victim” in the Forlit case. He hopes that the people who ordered the hacking operation are named and held accountable.

“I still live not knowing if I was hacked,” Davies said. “I don’t have proof that they did hack me, that they did get my password. I don’t have proof that they didn’t. And that’s the thing that still rests with me: Am I secure?”