Forbidden Stories
Story Killers

“Team Jorge”: In the heart of a global disinformation machine

In Part 2 of the “Story Killers” project, which continues the work of assassinated Indian journalist Gauri Lankesh on disinformation, the Forbidden Stories consortium investigated an ultra-secret Israeli company involved in manipulating elections and hacking African politicians. We took an unprecedented dive into a world where troll armies, cyber espionage and influencers are intertwined.

Disponible en

Par Cécile Andrzejewski

15 February 2023

Translated by Annie Hylton

Have contributed to the investigation: Gur Meggido (The Marker), Omer Benjakob (Haaretz), Frédéric Métézeau (Radio France), Damien Leloup (Le Monde), Florian Reynaud (Le Monde), Christo Buschek (Paper Trail Media), Paul Lewis (The Guardian), Stephanie Kirchgaessner (The Guardian), Manisha Ganguly (The Guardian), Carole Cadwalladr (The Guardian), Roman Lehberger (Der Spiegel), Max Hoppenstedt (Der Spiegel), Marcel Rosenbach (Der Spiegel), Heiner Hoffmann (Der Spiegel), Fritz Zimmermann (Die Zeit), Kira Zalan (OCCRP), Antonio Baquero (OCCRP), Alina Tsogoeva (OCCRP), Khadija Sharife (OCCRP), Kristof Clerix (Knack).

Technical consultant: Donncha O Cearbhaill

“Things don’t necessarily have to be true, as long as they are believed” is a quote that could be attributed to many philosophers, but instead originates from a man named Alexander Nix. If his name is unfamiliar, the company he ran is not: Cambridge Analytica.

In 2018, the eponymous scandal revealed how the British company acquired the personal data of nearly 87 million Facebook users to influence voters on “an industrial scale.” The company, which sold its services in some 60 states—from the Iranian regime to the Malaysian national oil company—is accused of manipulating numerous elections; it contributed to Donald Trump’s 2016 victory in the US and the Brexit vote in England. When the affair made headlines, the name Cambridge Analytica became synonymous with disinformation worldwide.

However, not everything about this scandal has been revealed. Some of the most feared culprits inside this world have managed to hide in the shadows, among them mysterious Israeli hacking experts. Brittany Kaiser, the company’s former development director and one of the now-famous whistleblowers in the scandal, described the hackers as a team in charge of “opposition research.” In anonymous testimonies published in the British press in 2018, former employees describe “Israeli hackers” barging into the company’s offices with USB drives loaded with what appeared to contain hacked private emails of politicians. “People panicked, they wanted nothing to do with it,” a former employee told the Guardian at the time. According to the Guardian’s reporting, these “hackers offered personal data about future Nigerian president and future PM of St Kitts and Nevis.”

The Cambridge Analytica scandal revealed the existence and methods of these mysterious hackers. But until now, the press has been unable to pierce the anonymity of these shady “opposition researchers” or attribute them to a company. When he refers to “Israeli black ops” in an internal e-mail, Nix mentions neither an identity nor a company name. Instead, he designates an alias for the boss of this ultra-secret entity: “Jorge.”

The trailer for “Team Jorge”.

For over six months, Forbidden Stories and its partners followed Jorge’s trail. In this parallel market of disinformation, companies—both official and underground—have become masters in the art of manipulating reality and diffusing misleading stories. Continuing the work of Gauri Lankesh, an Indian journalist murdered in 2017 who investigated disinformation and “lie factories,” the “Story Killers” project penetrated an industry that uses every weapon at its disposal to manipulate the media and public opinion at the expense of information and democracy.

Almost five years after the Cambridge Analytica scandal, journalists from the Forbidden Stories consortium managed to identify and track down Jorge. Using dubious methods, the Israeli “consultant” still goes by this same pseudonym and continues to sell his influence and manipulation services to the highest bidder. His tools, though, have since adapted to the latest technological developments: artificial intelligence now writes on-demand viral posts and the remote hacking of Telegram accounts has enriched his catalog of services.

In the summer of 2022, a potential client, presenting himself as a representative for an African leader hoping to postpone, or even cancel, an election, asked Jorge for a demonstration. The job, Jorge told him, would cost some 6 million euros. During several Zoom discussions, Jorge maintained his anonymity.

What “Jorge” didn’t know is that the man on his screen was not an intermediary, nor did he work in Africa. He was, in fact, a journalist from Radio France and was soon joined by colleagues from TheMarker and Haaretz, reporters who are members of the Story Killers project.

Excerpt from Team Jorge’s presentation.

“33 presidential campaigns, 27 of which were successful”

Between July and December 2022, journalists posing as clients attended several meetings with Jorge: three online and one in his office in Israel. The consortium decided it was in the public interest to go undercover, which was the only method to gain access to this closed world and obtain evidence of global manipulation. To reach Jorge, reporters needed to pass through a series of intermediaries, from former intelligence officers to communications and security experts. This method presented an otherwise-impossible opportunity to discuss Jorge’s manipulation services–“mainly intelligence and influence,” he said–and attend live demonstrations. Apart from the “technological” “capacities” Jorge presented, he explained how to “build a narrative,” which he could then propagate with an impressive range of services: bot networks, false information, and hacking of opponents.

Jorge boasted of having used such tactics on “33 presidential campaigns, 27 of which were successful,” a claim that is difficult to verify. Jorge did not reveal any details about his clients, preferring instead to demonstrate his impressive range of services.

He eventually divulged information on secret operations, including one that had provoked a recent media storm in France. Earlier this month, the French press disclosed the existence of an internal investigation at BFM TV, a popular television channel after one of its most prominent figures, Rachid M’Barki, allegedly broadcast unverified content.

Protect your stories

Are you a journalist under threat because of your reporting? Secure your information with Forbidden Stories.

Rachid M’Barki, well-known BFM TV host currently at the heart of the scandal. (Photo: Facebook).

What the French press didn’t know was that Jorge, a loquacious salesman, was simultaneously bragging to undercover journalists at an office in Modiin, Israel, that he could get his stories placed on French television. To prove his point, he pulled up an excerpt of a report broadcast on BFM TV in December 2022. “The European Union announces a new set of sanctions against Russia,” it read, adding that the sanctions “make yacht builders in Monaco fear the worst” and that “the freezing of assets of oligarchs puts their sector in great difficulty.” The text of this brief broadcast – not in keeping with the channel’s editorial line – was read by M’Barki at midnight.

To verify the authenticity of this video and others that Jorge’s network of bots had shared, the consortium submitted them to BFM TV’s management in January, which quickly suspended the journalist and launched an internal audit. In a statement to Forbidden Stories, Marc-Olivier Fogiel, the channel’s managing director, said: “I have an ethical suspicion [about why the] news was broadcast while it had no editorial consistency with the rest of the channel.” In response, M’Barki asserted his “editorial free will” and explained that he had followed the instructions of Jean-Pierre Duthion, an intermediary. Media consultant and lobbyist, Duthion is known in the world of influence agencies. In internal documents, one agency described him as a disinformation “mercenary,” who is “mainly motivated by profit.” When contacted by Forbidden Stories, he confirmed that he “worked on the seizing of Russian yachts in Monaco, which led to job losses at the local level,” but declined to reveal his client, arguing such a deal goes through a series of intermediaries, “who do not themselves know who the final client is.”

He claims he did not pay M’Barki, who also told BFM TV management that he did not receive payment to broadcast these stories. According to a source familiar with the industry, such services could be worth some €3,000 for a journalist. M’Barki, who declined to answer our questions, acknowledged that he “did not necessarily follow the usual editorial line,” and said: “Maybe I was tricked. I did not have the impression that was the case, or that I was participating in an operation, otherwise I wouldn’t have done it.”

The AIMS platform, which hosts Jorge’s army of avatars. The profile pictures seem to have been stolen.

Advanced lie-spreading technologies

The BFM TV example, meant to illustrate Jorge’s ability to reach French news channels, is not the only selling point he advanced. In addition to having journalists on his payroll, Jorge also explained how he could spread stories using an army of avatars hosted in and run with an online platform. (Forbidden Stories and its partners subsequently verified the existence of these fake accounts.) This tool, not searchable on the web, is called AIMS: “Advanced Impact Media Solutions.” As early as 2017, Jorge had offered Cambridge Analytica a “Semi-Auto Avatar creation and network deployment system,” accompanied by a demo video illustrating how simple it was to create avatars on a platform that allowed for seamless navigation from one account to another. In 2022, Jorge had a catalog of more than 30,000 automated profiles of virtual people with real accounts on Facebook, Twitter, Instagram, Amazon, and Bitcoin. Jorge used these fake accounts to post a flurry of comments on social networks, stir up controversy and even purchase sex toys on Amazon. Jorge recounted how one pretty, blond-haired avatar named Shannon Aiken used an Amazon account to order sex toys to the house of a political rival of one of his clients, leaving the rival candidate’s wife to believe he had been unfaithful. “After that, the story was leaked, and he couldn’t go home. The campaign turned around,” Jorge said.

Emmanuel the emu, at the center of the #RIP_Emmanuel campaign. (Photo: @hiitaylorblake)

To prove the effectiveness of his digital army, Jorge agreed to trend a hashtag on behalf of the undercover reporters. The journalists suggested “#RIP_Emmanuel,” named after an emu that became an internet star in the summer of 2022. The goal: spread a rumor about the death of the animal to test the success of the AIMS avatars. (The emu’s owner has since been notified.) With the social media campaign fully rolled out, our consortium then traced the hashtag to identify additional accounts controlled by Team Jorge. From here, we tracked some 20 disinformation campaigns on almost every continent. (Identifying the clients of these campaigns, however, was not always possible.)
In the UK, in Fall 2021, AIMS avatars took a hard line against the UK Health Safety Agency. The agency had launched an investigation into a laboratory accused of providing some 43,000 false negative Covid test results to its patients. The group that owns this laboratory denied any link with “Jorge,” arguing that it was unaware of his existence. In 2020, some of the same avatars participated in an aggressive smear campaign against Hong Kong businessman George Chang, who owns 90 percent of the Port of Panama. The same year, AIMS bots came to the rescue of Tomás Zerón de Lucio, a former high-level Mexican official who was the subject of an international arrest warrant. The former director of the agency in charge of criminal investigations in Mexico between 2013 to 2016, Zerón is accused of kidnapping, torture and tampering with evidence in the investigation of the disappearance of 43 students in 2014. Zerón authorized the acquisition of Pegasus spyware in Mexico and is now on the run in Israel, which has refused to extradite him. But according to Jorge’s bots, these accusations are merely a campaign orchestrated against an “innocent” man by Mexico’s “corrupt president,” Andrés Manuel López Obrador. (“M. Zerón is not responsible for any advertising campaign on his behalf, and doesn’t know who is behind each comment on social media,” his lawyer Liora Turlevsky said.)

Tomás Zerón, the former director of Mexico’s criminal investigation agency from 2013 to 2016, is accused of kidnapping, torture and tampering with evidence in the investigation into the disappearance of 43 students in 2014. (Photo: CC BY-SA 4.0)

The AIMS tool doesn’t just offer avatar creation. The latest version, shown to the undercover journalists, can also create and disseminate automated content. Using keywords, the tool can create posts, articles, comments or tweets in any language with a “positive,” “negative,” or “neutral” tone. After entering the words “Chad,” “president,” “brother,” and “Déby,” for instance, Jorge commanded the tool to produce 10 negative tweets about the Chadian government. Twelve seconds later, they appeared. “Enough is enough, we need to put an end to incompetence and nepotism of president of Chad brother Déby,” one read. “The Chad people have suffered enough under the rule of President Brother Déby,” read another. “One operator can hold 300 profiles, so in two hours, all the country will speak the messages or the narrative [we] want,”one of Jorge’s associates said.

Support us so that we can continue investigating

We need your help to expose what the enemies of the press try to keep quiet.

Ministry of hacking

To demonstrate one of his most effective weapons, Jorge took control of the private messaging systems of several high-level African officials. “We are inside,” Jorge told the reporters, who observed two Gmail accounts,a Google Drive and an address book, as well as a string of Telegram accounts. (Hacking victims were unaware of the infiltration.) Once inside the messaging system of a victim, Jorge was then able to impersonate conversations with their contacts. Jorge proceeded to send messages to the victims’ relatives from their hacked Telegram accounts.

Jorge, though, made an error. Attempting to remove his traces, he deleted the messages sent from the infiltrated account but forgot to delete the messages for the recipient. We identified one of these recipients, who kept records of Jorge’s operation. Through the error, we could confirm that in the summer of 2022, as the Kenyan presidential election was approaching, Jorge looked through the accounts of people close to future president William Ruto. Two hacking victims—Dennis Itumbi and Davis Chirchir, then in charge of digital strategy for Ruto’s campaign and Ruto’s chief of staff, respectively—were accused, following the elections, of having hired hackers to manipulate the results of the presidential election. The Supreme Court rejected the accusation and said the evidence had been “falsified.” (Nevertheless, there is no definitive proof that Team Jorge was behind attempts to manipulate the Kenyan presidential election.)

Jorge and his galaxy

It wasn’t until our consortium’s journalists visited Jorge’s offices in Modi’in, the headquarters of Israel’s high-tech industry, that they saw his face. Even to his most eminent partners, Jorge has managed to hide details about himself. Nix, the director of Cambridge Analytica, who knew him only by his alias, asked as early as May 2015, in an internal email to which we obtained access: “What is Jorge’s (from Israel black-ops co) surname please and also the name of his company.” Brittany Kaiser, the whistleblower in the scandal, sent an e-mail the next day with a response: “Tal Hanan is CEO of Demoman International.”

Tal Hanan.

After months of investigating, Forbidden Stories and its partners traced Hanan’s career path and mapped the contours of his galaxy.

A combination of former intelligence officers and communications and security experts confirmed the extent of his activities and the nature of his business.

Mashi Meidan.

Mashi Meidan, who in the 2010s ran an Israeli security company in Panama, featured prominently in the meetings with journalists, suggesting proximity with Hanan. Meidan is a former member of the Shabak, the Israeli domestic intelligence service, also known as the Shin Bet, according to several sources. According to his lawyers, Meidan “was an Israeli government employee until 2006, at which time he retired,” but he “is not, and has never been, associated with a company or entity named ‘Team Jorge,’ and is definitely not a ‘business partner’ in such a venture.” Meidan was, however, at in-person meetings with Hanan and most online meetings with him, during which his colleagues presented the scope of their services.
Shuki Friedman, also present during one meeting with the journalists and another with Hanan, is allegedly a former officer of the Israeli domestic intelligence service. He oversaw intelligence in Ramallah, Palestine, for many years, and according to at least one legend, recruited the “Green Prince,” the son of a Hamas leader, to spy for the Shin Bet.

Zohar Hanan.

Also present during two meetings with the journalists, but not with Hanan, was Yaakov Tzedek, head of the Tzedek Media Group, who presented himself as “a digital and advertising expert for over a decade.” Ishay Shechter, Strategy Director at Goren Amir, a major Israeli lobbying firm, participated in a meeting with the journalists that led them to Hanan. Responding to questions from the consortium, he wrote that he “never had a business relationship with Jorge or Tal Hanan” and that he was “not familiar with or aware of their illegal or improper activity.”

Finally, Zohar Hanan, Tal’s brother, is the CEO of a private security company and a polygraph specialist. He told the consortium he “[has] been working all his life according to the law.”

According to a biography on Demoman’s website, Hanan served in the Israeli Special Forces in an elite explosive ordnance disposal unit. His career, like his business, moved from explosives disposal to intelligence. Even if “Jorge” has remained invisible for years, Hanan became of interest to at least one European intelligence service in 2008, according to a police source, for offers of dubious security services following various counter-terrorism, intelligence and counter-espionage conferences. According to the same source, he operates on the “border between private security and mercenaries.” When contacted by the consortium, Tal Hanan simply denied “any wrong doing”.

Hanan has cultivated an impressive international network over his years working in intelligence. According to a Bloomberg investigation, in 2006, while on assignment for a Panamanian bank, Hanan alerted Martin Rodil, then a data analyst with the International Monetary Fund, to money moving from PDVSA, the Venezuelan state oil company, to Iran, in violation of US sanctions. Hanan then allegedly asked Rodil to track down the money for him, according to Bloomberg. A year later, the two decided to share their information with the Israeli government and spent two days answering questions from the secret service. Together, they founded Global Resources Solutions, which offered security and financial intelligence. Rodil is now under investigation in Spain for allegedly extorting former Venezuelan officials. He did not respond to multiple requests for comment.

During a meeting with journalists in August 2022, Hanan named Roger Noriega, the former deputy secretary of state under President George W. Bush, as a former associate. (Noriega also worked with Rodil and publicly defended him in the press.) When contacted by our consortium, Noriega, who also helped establish a hard political stance toward the Chavez regime, admitted to knowing Hanan but said: “Since six or seven years, [I haven’t had] any substantial conversation with him. We had common clients related to Venezuela, [but] I never had any serious business with Tal.”

An interconnected market

Hanan claims to use the most advanced tools on the market for his manipulation services. During his live demonstrations, he presented services from TA9, a subsidiary of the company Rayzone, whose logo he had erased in his presentation. Contacted by Forbidden Stories, TA9 said that it has never had any business dealings with Hanan or his associates and explained that screenshots of its products were readily available on its website or during online presentations.

Rayzone also markets tools that allow for collecting personal data and location via the Internet or telephone networks. It relies on the SS7 network, which is used to direct calls and SMS messages from telephone users to their customers and locate their devices. This system, meant for telephone operators, suffers from vulnerabilities that allow hackers to access the information of cellphone users. Hanan repeatedly raised the potential exploitation of these vulnerabilities during meetings with the journalists.

When asked about its offerings, Rayzone only mentioned one product, which, they said, “[offers] location only without any active interception capabilities” and is regulated by the Israeli defense ministry.

Using additional slides from TA9 brochures, the Rayzone subsidiary, Hanan also cited its “facial recognition” and “interception of GSM satellite” capacities as available tools for the most sophisticated surveillance of potential targets.

A brochure from TA9, a subsidiary of the Rayzone Group, presented by Tal Hanan.

According to the Israeli daily Calcalist, David Avital, a shareholder in one of Rayzone’s subsidiaries, is currently harboring Zerón, the former Mexican official subject to an international arrest warrant and whose innocence the AIMS avatars defended. (“Mr. Zerón is indeed in Israel. However, he never lived in an apartment belonging to David Avital,” Turlevsky, Zerón’s lawyer, said.)

Investigating this network, Forbidden Stories repeatedly confronted the blurred lines between states and private companies, and the interconnected worlds of intelligence, influence and cyber-surveillance. But questions remain as to how Hanan is paid for his services.

Forbidden Stories and its partners gained access to a brochure, sent by Hanan as part of a pitch to Cambridge Analytica in 2015, that provided a picture of how much these services might cost. This rather vague document of just over three pages is entitled “elections, intelligence and special operations,” and suggests that the author had field experience since 1999. This is the same year that Demoman, the company of which Hanan is CEO, was founded. In the brochure, Hanan proposes options that “feed and enhance each other,” combining “strategic intelligence,” “public perception,” “information warfare,” “communication security,” and a “special package” for “D-Day.” The brochure praises his team, composed of former intelligence services and special forces from Israel, the United States, Spain, the United Kingdom and Russia. According to the brochure, the team also includes “experts in media and mass media” who know “the best way to use the information to deliver a story, a message, or a scandal, to create the desired effects.” According to the brochure, Hanan charged $160,000 for an eight-week “initial research and preparation phase,” plus $40,000 for travel expenses. (This rate was much lower than what he had proposed to the consortium’s reporters in 2022: 6 million Euros for one campaign.)

However, it was not through Demoman that Hanan marketed his hacking services. And for good reason: the company is registered with the Israeli Ministry of Defense. According to Israeli law, it is illegal to sell hacking services to private individuals or businesses, or for use in foreign political campaigns.

During various meetings with the undercover journalists, Hanan claimed to have about 100 employees globally. Although this number is impossible to confirm, the Demoman website claims to have offices and representatives in Israel, the United States, Switzerland, Spain, Croatia, the Philippines and Colombia. Mexican and Ukrainian addresses were also mentioned, but, according to Hanan, they were closed due to a business slowdown and war, respectively.

During the same meeting, Hanan’s brother also claimed to be using AIMS bots to bet on the crypto-currency market, and thus reap additional gains. Anything to make a dollar.

À lire aussi