Crown Prince Mohammed bin Salman sent Jeff Bezos a photograph of a woman loosely resembling the one he was having an affair with months before the National Enquirer published a report exposing the liaison, according to a United Nations investigation.
Two United Nations special rapporteurs released a statement Wednesday detailing forensic evidence linking MBS to the Bezos hack, which suggests the future king of Saudi Arabia may have been threatening the owner of The Washington Post and founder and CEO of Amazon.
Saudi Arabia on Tuesday night denied allegations of a politically motivated hack when it emerged that the UN was expected to formally request a response to the extraordinary claim that malware was sent from MBS’ personal WhatsApp account to Bezos.
Saudi officials described as close to the crown prince told The Wall Street Journal they knew of a plan to hack Bezos’ phone but had no knowledge of any attempts to blackmail him. According to them, Saud al-Qahtani, the Saudi spymaster who handled cybersecurity issues for the Saudi government, was involved in the hack as part of an effort to intimidate columnist Jamal Khashoggi.
The alleged hack took place in May 2018, a few months after Khashoggi began writing columns critical of the Saudi regime for the Post. Four months later, Khashoggi was murdered and dismembered inside a Saudi consulate. The CIA concluded that MBS had personally ordered his assassination.
Two UN special rapporteurs released a statement Wednesday laying out forensic evidence personally linking MBS to the hack on Bezos, which would later lead to a special edition of the National Enquirer dedicated to discrediting the newspaper boss.
The statement was drafted by Agnes Callamard, a UN expert on extrajudicial killings who has been probing the murder of Khashoggi, and David Kaye, who has been investigating violations of press freedom.
They wrote: “Mr. Bezos was subjected to intrusive surveillance via hacking of his phone as a result of actions attributable to the WhatsApp account used by Crown Prince Mohammed bin Salman.”
In a detailed timeline of the hack, the UN report says MBS messaged Bezos on Nov. 8, 2018, weeks after the murder of his columnist Khashoggi.
“A single photograph is texted to Mr. Bezos from the Crown Prince’s WhatsApp account, along with a sardonic caption. It is an image of a woman resembling the woman with whom Bezos is having an affair, months before the Bezos affair was known publicly,” the report read.
Bezos’ phone appears to have been compromised on the day that an encrypted video downloader was sent from the prince’s WhatsApp account to Bezos in May 2018.
The two men had been chatting on the messaging app after they met at a dinner in Los Angeles and exchanged numbers. Almost immediately after Bezos opened the video file, the report says, “a massive and unauthorized exfiltration of data from Bezos’ phone began, continuing and escalating for months.”
The UN report on the hacking was drawn up by Anthony Ferrante, a cybersecurity expert at FTI Consulting who conducted a forensic analysis of Bezos’ phone.
In the firm’s technical report, which was obtained Wednesday by Motherboard, analysts wrote that cellular traffic from Bezos’ phone spiked 29,156 percent just hours after he opened the video file. FTI researchers said they found no malware in it, but were unable to determine the contents of the downloader because of encryption.
While they were not able to identify the exact malware used, the UN report concludes, “Experts advised that the most likely explanation for the anomalous data egress was use of mobile spyware such as NSO Group’s Pegasus or, less likely, Hacking Team’s Galileo, that can hook into legitimate applications to bypass detection and obfuscate activity.”
The FTI report pointedly noted that in 2016 Qahtani, who oversaw the killing of Khashoggi, purchased a 20 percent stake in Hacking Team, a security firm that offers offensive hacking services to authoritarian governments. “Customers of Hacking Team,” the FTI report said, “had asked the company to create the capability to infect devices via a video sent in WhatsApp.”
According to the FTI report, the image of the woman that Bezos received was part of meme with the caption: “Arguing with a woman is like reading the Software License agreement—in the end you have to ignore everything and click I agree.”
The analysts reported the Nov. 8, 2018, message was unlike any the Post owner had received from MBS before and “this was after the relationship [with girlfriend Lauren Sanchez] would have been obvious to persons with access to private texts, calls, and images on Bezos’ phone, but months before the relationship was known or reported publicly.
“The photo and caption were sent precisely during the period Bezos and his wife were exploring divorce,” it states, adding, “Memes such as this were available on the Internet, however the content of the text was not typical of any past communication from MBS, making it likely it was sent with reference to Bezos’ personal life events at that time.”
The Bezos hack came to light after private texts showing that he was engaged in an extramarital relationship were published by the National Enquirer. In response, the world’s richest man set out to uncover how the tabloid magazine had gotten access to the most private messages on his phone.
American Media Inc. (AMI), which owns the National Enquirer, publicly stated that its source was Michael Sanchez, the estranged brother of the woman dating Bezos, but last March, Bezos’ experienced security consultant Gavin de Becker wrote an op-ed in The Daily Beast explaining that his investigation had found that the Saudi government had obtained access to the phone.
Not only that, AMI had threatened to release a trove of embarrassing photos of Bezos—also taken from his phone—unless he agreed to make a public statement claiming that the report about his affair was not “instigated, dictated, or influenced in any manner by external forces, political or otherwise.”
The media company was trying to strong-arm Bezos into shutting down reports that the Saudis were somehow involved.
“I’ve seen a lot. And yet, I’ve recently seen things that have surprised even me, such as the National Enquirer’s parent company, AMI, being in league with a foreign nation that’s been actively trying to harm American citizens and companies, including the owner of The Washington Post,” De Becker wrote in The Daily Beast.
After the bombshell op-ed, AMI doubled down on its claim that Michael Sanchez, an associate of Trumpworld insiders including Roger Stone and Carter Page, had been the “single source” of their midweek special edition, which exposed Bezos’ relationship with the TV host Lauren Sanchez.
The targeting of Bezos and The Washington Post fits into a pattern of Saudi aggression against critics, which includes blackmailing, discrediting, and even killing those who speak out against the regime.
Iyad El-Baghdadi, founder of the Kawaakibi Foundation and editor in chief of the website; Arab Tyrant Manual, who lives in exile in Norway, wrote in The Daily Beast early last year that MBS had been targeting Bezos. “There’s mounting evidence that the de facto ruler of the kingdom has been trying to punish Bezos for the fierce coverage by his newspaper, The Washington Post,” he wrote.
David Kaye, the UN special rapporteur on freedom of expression, told The Daily Beast that while the allegations about the Bezos hack were inevitably eye-catching, it shouldn’t obscure the threats to political speech posed by the rapidly expanding availability of commercial surveillance tools like the ones made by NSO Group or Hacking Team.
“There’s a fundamental problem right now with this industry that can export its technology, sell, and transport it with very little constraint. On the user side, it can be used with very little legal framework [and] little rule-of-law standards,” said Kaye, who in June called for a moratorium on the sale of surveillance tech.
“Imagine if you’re Omar Abdulaziz or another activist. What tool do you have to protect yourself?” Kaye said.
As well, Kaye said, the UN officials’ statement on Wednesday was no surprise to the Saudi government. Last week, he said, they sent a letter informing the kingdom of the allegations through the UN Office of the High Commissioner for Human Rights. Then, on Monday—a day before The Guardian broke the story—they sent the Saudis a draft of their Wednesday statement. As far as Kaye knows, Saudi Arabia has yet to formally respond.
The procedure Kaye outlined typically allows 60 days for an accused government to issue a response before proposing an investigation. There are different forms an investigation can take, but Kaye said he and Callamard hope it will include both his prior work on the explosion of commercial surveillance and her prior work investigating the Khashoggi slaying.
“This is just one incident of an abuse by many, many governments,” Kaye said.
Kaye said their involvement started in November, after a source he declined to describe further provided them with the forensic report into the Bezos hack. He said they contacted four infosec experts to stress-test it. “It was a kind of vetting to make sure the allegations are credible enough to raise with the government of Saudi Arabia and to go public with them,” he said.
After The Guardian and the Financial Times reported Tuesday night that MBS’ phone was implicated, Saudi Arabia’s U.S. embassy said reports “that suggest the Kingdom is behind a hacking of Mr. Jeff Bezos’ phone are absurd. We call for an investigation on these claims so that we can have all the facts out.”