← Back to database

Predaxia Research

DarkMatter / Project Raven

DarkMatter Group · United Arab Emirates

Active (rebranded)Project Raven 2019DOJ DPA 2021
5

Confidence 5/5

VendorDarkMatter Group (rebranded to Pillar Defense / Beacon Red / multiple successor entities)
Country of originUnited Arab Emirates (Abu Dhabi)
Founded2014 / 2015
Founder and CEOFaisal Al Bannai
CapabilitiesCustom iOS and Android zero-click exploitation (Karma / Phantom), collection platforms (Tapir)
Current statusOperating under rebranded entities. UAE government contracts continue
US Entity ListNo (despite DOJ enforcement action)
DOJ enforcementSeptember 14, 2021 deferred prosecution agreement against three US contractors

Technical capabilities

Reuters reporting (January 30, 2019) by Joel Schectman and Christopher Bing exposed an active offensive cyber operation conducted from the UAE that recruited ex-NSA personnel under contractor cover. The operation, internally branded “Project Raven”, developed and deployed custom mobile-device exploitation tools against political targets.

Capabilities documented through Reuters, Bloomberg and US DOJ filings include the “Karma” zero-click iOS exploit (used against Apple devices with no user interaction, observed in field operation 2016 to 2017), “Phantom” Android exploitation, “Tapir” collection and analysis platform, and a broader infrastructure for telephone-number-based device compromise.

Documented victims

  • Ahmed Mansoor: UAE human-rights activist, repeatedly targeted with mercenary spyware including by Project Raven operators per Reuters. Sentenced 2018 to ten years imprisonment in the UAE.
  • Rori Donaghy: British journalist who covered UAE human-rights issues. Targeted with Project Raven tooling, per Reuters January 2019 disclosure.
  • US citizens: ex-NSA contractors warned company management that targeting Americans was unlawful under US law. DOJ filings confirmed unauthorized intrusions into US-citizen accounts and devices.
  • Foreign nationals: journalists, dissidents, business figures across the Middle East and Western states.

DOJ deferred prosecution

On September 14, 2021, the US Department of Justice announced a deferred prosecution agreement against three ex-NSA contractors: Marc Baier, Ryan Adams and Daniel Gericke. The three admitted to International Traffic in Arms Regulations (ITAR) violations and to violating the Computer Fraud and Abuse Act through their work on Project Raven. The penalty included USD 1.685 million in fines and a lifetime ban from US security-clearance work. Critics including Senator Ron Wyden have argued the penalty was inadequate given the scale of documented intrusion.

The corporate entity DarkMatter was not directly prosecuted. The UAE government has not acknowledged the operation publicly. Successor entities including Beacon Red, EDGE Group (Abu Dhabi defense conglomerate) and others continue to operate in the UAE cyber market.

Legal and sanctions status

  • Not on the US Department of Commerce Entity List.
  • Not designated by US OFAC.
  • Three ex-NSA contractors subject to DOJ deferred prosecution agreement (September 14, 2021).
  • The Mozilla Foundation refused inclusion of DarkMatter root certificates in Firefox in 2019 over surveillance concerns.
  • Subject to US ITAR and EAR enforcement regarding hacking-tool exports by US persons.

Technical countermeasures

  • iOS Lockdown Mode: introduced after Karma’s most active period, blocks substantial classes of zero-click delivery.
  • Daily reboot: removes most non-persistent implants from current iOS.
  • Phone-number compartmentation: Karma keyed off iCloud-linked phone numbers. Sensitive workflows benefit from numbers not publicly associated with the user.
  • Apple Threat Notifications: Apple notifies users of detected mercenary spyware targeting. Deployed worldwide since 2021.
  • Forensic verification: Amnesty Mobile Verification Toolkit detects known indicators of mercenary spyware activity, including legacy Project Raven artifacts where present.
  • Apparent retirement: Karma’s effectiveness is reduced on post-iOS 15 devices, but successor capabilities are presumed under continuing UAE programs.
For at-risk individuals. Ahmed Mansoor remains imprisoned in the UAE in conditions criticized by UN human rights bodies. If you operate in or around UAE political opposition, dissident or journalism networks, assume sustained mercenary cyber capability is operational against you.

Update log

April 4, 2026: First publication. Sourced from Reuters Project Raven investigations (January 2019), US Department of Justice deferred-prosecution-agreement documents (September 14, 2021), Citizen Lab targeting reports, and follow-up reporting from Bloomberg, The Intercept and the Associated Press.


There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.