DarkMatter / Project Raven
DarkMatter Group · United Arab Emirates
Confidence 5/5
Technical capabilities
Reuters reporting (January 30, 2019) by Joel Schectman and Christopher Bing exposed an active offensive cyber operation conducted from the UAE that recruited ex-NSA personnel under contractor cover. The operation, internally branded “Project Raven”, developed and deployed custom mobile-device exploitation tools against political targets.
Capabilities documented through Reuters, Bloomberg and US DOJ filings include the “Karma” zero-click iOS exploit (used against Apple devices with no user interaction, observed in field operation 2016 to 2017), “Phantom” Android exploitation, “Tapir” collection and analysis platform, and a broader infrastructure for telephone-number-based device compromise.
Documented victims
- Ahmed Mansoor: UAE human-rights activist, repeatedly targeted with mercenary spyware including by Project Raven operators per Reuters. Sentenced 2018 to ten years imprisonment in the UAE.
- Rori Donaghy: British journalist who covered UAE human-rights issues. Targeted with Project Raven tooling, per Reuters January 2019 disclosure.
- US citizens: ex-NSA contractors warned company management that targeting Americans was unlawful under US law. DOJ filings confirmed unauthorized intrusions into US-citizen accounts and devices.
- Foreign nationals: journalists, dissidents, business figures across the Middle East and Western states.
DOJ deferred prosecution
On September 14, 2021, the US Department of Justice announced a deferred prosecution agreement against three ex-NSA contractors: Marc Baier, Ryan Adams and Daniel Gericke. The three admitted to International Traffic in Arms Regulations (ITAR) violations and to violating the Computer Fraud and Abuse Act through their work on Project Raven. The penalty included USD 1.685 million in fines and a lifetime ban from US security-clearance work. Critics including Senator Ron Wyden have argued the penalty was inadequate given the scale of documented intrusion.
The corporate entity DarkMatter was not directly prosecuted. The UAE government has not acknowledged the operation publicly. Successor entities including Beacon Red, EDGE Group (Abu Dhabi defense conglomerate) and others continue to operate in the UAE cyber market.
Legal and sanctions status
- Not on the US Department of Commerce Entity List.
- Not designated by US OFAC.
- Three ex-NSA contractors subject to DOJ deferred prosecution agreement (September 14, 2021).
- The Mozilla Foundation refused inclusion of DarkMatter root certificates in Firefox in 2019 over surveillance concerns.
- Subject to US ITAR and EAR enforcement regarding hacking-tool exports by US persons.
Technical countermeasures
- iOS Lockdown Mode: introduced after Karma’s most active period, blocks substantial classes of zero-click delivery.
- Daily reboot: removes most non-persistent implants from current iOS.
- Phone-number compartmentation: Karma keyed off iCloud-linked phone numbers. Sensitive workflows benefit from numbers not publicly associated with the user.
- Apple Threat Notifications: Apple notifies users of detected mercenary spyware targeting. Deployed worldwide since 2021.
- Forensic verification: Amnesty Mobile Verification Toolkit detects known indicators of mercenary spyware activity, including legacy Project Raven artifacts where present.
- Apparent retirement: Karma’s effectiveness is reduced on post-iOS 15 devices, but successor capabilities are presumed under continuing UAE programs.
Sources
- Reuters, Inside the UAE’s secret hacking team of US mercenaries (January 30, 2019)
- Reuters, American hackers helped UAE spy on Al Jazeera chairman, BBC host (April 1, 2019)
- US Department of Justice, Three former intelligence community contractors agree to deferred prosecution (September 14, 2021)
- Mozilla Foundation, Distrust of DarkMatter root certificates (July 9, 2019)
- The Intercept, Project Raven and US mercenary hacking
- Senator Wyden, Statement on DOJ DPA inadequacy (September 2021)
- Bloomberg, DarkMatter successor entities coverage
Update log
April 4, 2026: First publication. Sourced from Reuters Project Raven investigations (January 2019), US Department of Justice deferred-prosecution-agreement documents (September 14, 2021), Citizen Lab targeting reports, and follow-up reporting from Bloomberg, The Intercept and the Associated Press.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
