The Guardian (USA)

Revealed: the hacking and disinformation team meddling in elections

- Stephanie Kirchgaessner, Manisha Ganguly, David Pegg, Carole Cadwalladr and Jason Burke

A team of Israeli contractors who claim to have manipulated more than 30 elections around the world using hacking, sabotage and automated disinformation on social media has been exposed in a new investigation.

The unit is run by Tal Hanan, a 50-year-old former Israeli special forces operative who now works privately using the pseudonym “Jorge”, and appears to have been working under the radar in elections in various countries for more than two decades.

He is being unmasked by an international consortium of journalists. Hanan and his unit, which uses the codename “Team Jorge”, have been exposed by undercover footage and documents leaked to the Guardian.

Hanan did not respond to detailed questions about Team Jorge’s activities and methods but said: “I deny any wrongdoing.”

The investigation reveals extraordinary details about how disinformation is being weaponised by Team Jorge, which runs a private service offering to covertly meddle in elections without a trace. The group also works for corporate clients.

Hanan told the undercover reporters that his services, which others describe as “black ops”, were available to intelligence agencies, political campaigns and private companies that wanted to secretly manipulate public opinion. He said they had been used across Africa, South and Central America, the US and Europe.

One of Team Jorge’s key services is a sophisticated software package, Advanced Impact Media Solutions, or Aims. It controls a vast army of thousands of fake social media profiles on Twitter, LinkedIn, Facebook, Telegram, Gmail, Instagram and YouTube. Some avatars even have Amazon accounts with credit cards, bitcoin wallets and Airbnb accounts.

The consortium of journalists that investigated Team Jorge includes reporters from 30 outlets including Le Monde, Der Spiegel and El País. The project, part of a wider investigation into the disinformation industry, has been coordinated by Forbidden Stories, a French nonprofit whose mission is to pursue the work of assassinated, threatened or jailed reporters.

The undercover footage was filmed by three reporters, who approached Team Jorge posing as prospective clients.

In more than six hours of secretly recorded meetings, Hanan and his team spoke of how they could gather intelligence on rivals, including by using hacking techniques to access Gmail and Telegram accounts. They boasted of planting material in legitimate news outlets, which are then amplified by the Aims bot-management software.

Much of their strategy appeared to revolve around disrupting or sabotaging rival campaigns: the team even claimed to have sent a sex toy delivered via Amazon to the home of a politician, with the aim of giving his wife the false impression he was having an affair.

The methods and techniques described by Team Jorge raise new challenges for big tech platforms, which have for years struggled to prevent nefarious actors spreading falsehoods or breaching the security on their platforms. Evidence of a global private market in disinformation aimed at elections will also ring alarm bells for democracies around the world.

The Team Jorge revelations could cause embarrassment for Israel, which has come under growing diplomatic pressure in recent years over its export of cyber-weaponry that undermines democracy and human rights.

Hanan appears to have run at least some of his disinformation operations through an Israeli company, Demoman International, which is registered on a website run by the Israeli Ministry of Defense to promote defence exports. The Israeli MoD did not respond to requests for comment.

The undercover footage

Given their expertise in subterfuge, it is perhaps surprising that Hanan and his colleagues allowed themselves to be exposed by undercover reporters. Journalists using conventional methods have struggled to shed light on the disinformation industry, which is at pains to avoid detection.

The secretly filmed meetings, which took place between July and December 2022, therefore provide a rare window into the mechanics of disinformation for hire.

Three journalists – from Radio France, Haaretz and TheMarker – approached Team Jorge pretending to be consultants working on behalf of a politically unstable African country that wanted help delaying an election.

The encounters with Hanan and his colleagues took place via video calls and an in-person meeting in Team Jorge’s base, an unmarked office in an industrial park in Modi’in, 20 miles outside Tel Aviv.

Hanan described his team as “graduates of government agencies”, with expertise in finance, social media and campaigns, as well as “psychological warfare”, operating from six offices around the world. Four of Hanan’s colleagues attended the meetings, including his brother, Zohar Hanan, who was described as the chief executive of the group.

In his initial pitch to the potential clients, Hanan claimed: “We are now involved in one election in Africa … We have a team in Greece and a team in [the] Emirates … You follow the leads. [We have completed] 33 presidential-level campaigns, 27 of which were successful.” Later, he said he was involved in two “major projects” in the US but claimed not to engage directly in US politics.

It was not possible to verify all of Team Jorge’s claims in the undercover meetings, and Hanan may have been embellishing them in order to secure a lucrative deal with prospective clients. For example, it appears Hanan may have inflated his fees when discussing the cost of his services.

Team Jorge told the reporters they would accept payments in a variety of currencies, including cryptocurrencies such as bitcoin, or cash. He said he would charge between €6m and €15m for interference in elections.

However, emails leaked to the Guardian show Hanan quoting more modest fees. One suggests that in 2015 he asked for $160,000 from the now defunct British consultancy Cambridge Analytica for involvement in an eight-week campaign in a Latin American country.

In 2017 Hanan again pitched to work for Cambridge Analytica, this time in Kenya, but was rejected by the consultancy, which said “$400,000-$600,000 per month, and substantially more for crisis response” was more than its clients would pay.

There is no evidence that either of those campaigns went ahead. Other leaked documents, however, reveal that when Team Jorge worked covertly on the Nigerian presidential race in 2015 it did so alongside Cambridge Analytica.

Alexander Nix, who was the chief executive of Cambridge Analytica, declined to comment in detail but added: “Your purported understanding is disputed.”

Team Jorge also sent Nix’s political consultancy a video showcasing an early iteration of the social media disinformation software it now markets as Aims. Hanan said in an email that the tool, which enabled users to create up to 5,000 bots to deliver “mass messages” and “propaganda”, had been used in 17 elections.

“It’s our own developed Semi-Auto Avatar creation and network deployment system,” he said, adding that it could be used in any language and was being sold as a service, although the software could be bought “if the price is right”.

Team Jorge’s bot-management software appears to have grown significantly by 2022, according to what Hanan told the undercover reporters. He said it controlled a multinational army of more than 30,000 avatars, complete with digital backstories that stretch back years.

Demonstrating the Aims interface, Hanan scrolled through dozens of avatars, and showed how fake profiles could be created in an instant, using tabs to choose nationality and gender and then matching profile pictures to names.

“This is Spanish, Russian, you see Asians, Muslims. Let’s make a candidate together,” he told the undercover reporters, before settling on one image of a white woman. “Sophia Wilde, I like the name. British. Already she has email, date birth, everything.”

Hanan was coy when asked where the photos for his avatars came from. However, the Guardian and its partners have discovered several instances in which images have been harvested from the social media accounts of real people. The photo of “Sophia Wilde”, for instance, appears to have been stolen from a Russian social media account belonging to a woman who lives in Leeds.

The Guardian and its reporting partners tracked Aims-linked bot activity across the internet. It was behind fake social media campaigns, mostly involving commercial disputes, in about 20 countries including the UK, US, Canada, Germany, Switzerland, Mexico, Senegal, India and the United Arab Emirates.

This week Meta, the owner of Facebook, took down Aims-linked bots on its platform after reporters shared a sample of the fake accounts with the company. On Tuesday, a Meta spokesperson connected the Aims bots to others that were linked in 2019 to another, now-defunct Israeli firm which it banned from the platform.

“This latest activity is an attempt by some of the same individuals to come back and we removed them for violating our policies,” the spokesperson said. “The group’s latest activity appears to have centred around running fake petitions on the internet or seeding fabricated stories in mainstream media outlets.”

In addition to Aims, Hanan told reporters about his “blogger machine” – an automated system for creating websites that the Aims-controlled social media profiles could then use to spread fake news stories across the internet. “After you’ve created credibility, what do you do? Then you can manipulate,” he said.

‘I will show you how safe Telegram is’

No less alarming were Hanan’s demonstrations of his team’s hacking capabilities, in which he showed the reporters how he could penetrate Telegram and Gmail accounts. In one case, he brought up on screen the Gmail account of a man described as the “assistant of an important guy” in the general election in Kenya, which was days away.

“Today if someone has a Gmail, it means they have much more than just email,” Hanan said as he clicked through the target’s emails, draft folders, contacts and drives. He then showed how he claimed to be able to access accounts on Telegram, an encrypted messaging app.

One of the Telegram accounts he claimed to penetrate belonged to a person in Indonesia, while the other two appeared to belong to Kenyans involved in the ongoing general election, and close to the then candidate William Ruto, who ended up winning the presidency.

“I know in some countries they believe Telegram is safe. I will show you how safe it is,” he said, before showing a screen in which he appeared to scroll through the Telegram contacts of one Kenyan strategist who was working for Ruto at the time.

Hanan then demonstrated how access to Telegram could be manipulated to sow mischief.

Typing the words “hello how are you dear”, Hanan appeared to send a message from the Kenyan strategist’s account to one of their contacts. “I’m not just watching,” Hanan boasted, before explaining how manipulating the messaging app to send messages could be used to create chaos in a rival’s election campaign.

“One of the biggest thing is to put sticks between the right people, you understand,” he said. “And I can write him what I think about his wife, or what I think about his last speech, or I can tell him that I promised him to be my next chief of staff, OK?”

Hanan then showed how – once the message had been read – he could “delete” it to cover his tracks. But when Hanan repeated that trick, hacking into the Telegram account of the second close adviser to Ruto, he made a mistake.

After sending an innocuous Telegram message consisting only of the number “11” to one of the hacking victim’s contacts, he failed to properly delete it.

A reporter in the consortium was later able to track down the recipient of that message and was granted permission to check the person’s phone. The “11” message was still visible on their Telegram account, providing evidence that Team Jorge’s infiltration of the account was genuine.

Hanan suggested to the undercover reporters that some of his hacking methods exploited vulnerabilities in the global signalling telecoms system, SS7, which for decades has been regarded by experts as a weak spot in the telecoms network.

Google, which runs the Gmail service, declined to comment. Telegram said “the problem of SS7 vulnerabilities” was widely known and “not unique to Telegram”. They added: “Accounts on any massively popular social media network or messaging app can be vulnerable to hacking or impersonation unless users follow security recommendations and take proper precautions to keep their accounts secure.”

Hanan did not respond to detailed requests for comment, claiming that he needed “approval” from an unspecified authority before doing so. However, he added: “To be clear, I deny any wrongdoing.” Zohar Hanan, his brother and business partner, added: “I have been working all my life according to the law!”

Tal Hanan has always denied any wrongdoing. Composite: Guardian Design/Haaretz/TheMarker/Radio France

Tal Hanan and his colleagues met reporters at an office in Modi’in, about 20 miles outside Tel Aviv. Photograph: Haaretz/TheMarker/Radio France
