Home Environment & Climate A decade after climate activists’ emails were breached, a court case is shedding new light on who allegedly orchestrated the hacking.

A decade after climate activists’ emails were breached, a court case is shedding new light on who allegedly orchestrated the hacking.

by Ali Ikhwan

The genesis of this digital espionage campaign dates back to a cold January morning in 2016, when Kert Davies, founder of the Climate Investigations Center, joined a cadre of environmental lawyers and advocates at the Rockefeller Family Fund’s office in Upper Manhattan. Their objective was as clear as it was ambitious: to devise a strategy for holding Exxon Mobil, a titan of the global fossil fuel industry, legally accountable for its role in the climate crisis. This meeting followed explosive investigative reports by Inside Climate News and the Los Angeles Times, which revealed that Exxon’s own scientists had confirmed as early as 1982 that fossil fuel combustion would lead to catastrophic global warming—yet the company spent the following decades funding sophisticated climate denial campaigns.

For Exxon, the "Exxon Knew" movement represented an existential public relations and legal threat. For the activists, it was a moment of unprecedented momentum. However, just weeks after the Manhattan meeting, the momentum was met with a silent, digital counter-offensive. Davies began receiving a series of unusual emails. One, purportedly from Facebook, notified him that he had "5 pokes." Others mimicked notifications from Twitter and LinkedIn. Unknowingly, Davies had become the target of a sophisticated phishing operation designed to infiltrate the communications of the world’s leading climate advocates.

They wanted to hold Exxon accountable. Then they got hacked.

The Architecture of a Digital Ambush

The phishing campaign was not limited to Davies. Across the climate advocacy landscape, dozens of individuals began reporting "fishy" digital activity. The psychological toll was immediate; a sense of constant surveillance began to stifle the group’s internal communications. The gravity of the breach became undeniable in April 2016, when a reporter from the Wall Street Journal contacted Davies regarding a detailed, internal agenda from the January meeting at the Rockefeller Family Fund. Shortly thereafter, the Wall Street Journal and the Washington Free Beacon published articles alleging "secret coordination" between activists and state attorneys general.

Exxon Mobil quickly weaponized these reports. In court filings, the company cited the leaked meeting agenda to argue that the investigations launched by 17 state attorneys general were not legitimate law enforcement inquiries but were instead the product of a politically motivated conspiracy. This "hack-and-leak" operation effectively turned the activists’ own strategic planning against them, providing Exxon with a potent narrative of victimhood in the face of mounting legal pressure.

For years, the identity of the person or entity that commissioned the hack remained a mystery. However, recent developments in federal court have provided a roadmap leading from the hackers in India to private investigators in Israel, and finally to a prominent lobbying firm in Washington, D.C., that counts Exxon Mobil as a primary client.

They wanted to hold Exxon accountable. Then they got hacked.

Uncovering "Dark Basin" and the Hack-for-Hire Industry

The breakthrough in the case began not with the climate activists, but with an investigative reporter in Germany who was tracking financial fraud. After receiving similar phishing emails, the reporter alerted the University of Toronto’s Citizen Lab, a research group specializing in digital surveillance. John Scott-Railton, a senior researcher at the lab, identified a pattern: the phishing links utilized a custom URL shortener, which allowed researchers to reverse-engineer the list of targets.

The investigation revealed a massive, global "hack-for-hire" operation dubbed "Dark Basin." The group behind it, an Indian firm known as BellTroX InfoTech Services, had targeted thousands of individuals across six continents, including CEOs, journalists, and government officials. However, the #ExxonKnew activists formed a distinct and heavily targeted cluster. Citizen Lab’s 2020 report, The Mercenary Under the Hood, documented over 10,000 targeted accounts, noting that the hackers possessed a "highly detailed understanding" of the relationships between the climate advocates, suggesting they were working from a curated list provided by a client.

The legal dominoes began to fall in September 2019, when federal agents arrested Israeli private investigator Aviram Azari at John F. Kennedy International Airport. Azari was eventually charged with managing the hacking projects and pleaded guilty in 2022. Sentencing documents revealed that Azari had been paid more than $4.8 million over five years to manage intelligence-gathering and phishing campaigns. Crucially, the Department of Justice (DOJ) noted that some of the materials stolen by Azari’s hackers were leaked to the press and subsequently used in Exxon Mobil’s court filings.

They wanted to hold Exxon accountable. Then they got hacked.

The Forlit Indictment: Connecting the Final Links

The most recent and significant development occurred in early 2024 with the extradition of another Israeli private investigator, Amit Forlit, to the United States. Forlit faces charges of hacking and wire fraud that carry a potential 45-year prison sentence. The unsealed U.S. indictment alleges that Forlit was a leader of a "sprawling cybercriminal enterprise" and that the operation targeting climate activists was commissioned by a "lobbying firm" on behalf of a "client" matching Exxon Mobil’s description.

In his own defense filings in the United Kingdom, Forlit’s legal team explicitly named the entities involved. The filings allege that the hacking was commissioned by the DCI Group, a powerful Washington-based public affairs and lobbying firm. According to the indictment, a principal at the lobbying firm sent a memo to Forlit in October 2015, outlining a plan to "operationalize the research on the bad guys"—referring to the climate activists—and stating that there was an "opportunity to go ‘on offense’" following the "recent attacks" on the oil company regarding climate change.

Public records show that Exxon Mobil has a long-standing relationship with the DCI Group. In 2015 alone, Exxon spent approximately $320,000 on the firm’s services, part of a broader multi-million dollar lobbying expenditure. The indictment alleges that Forlit proposed a $125,000 monthly budget for the project, which involved gathering intelligence for the client’s use in "lobbying and legal proceedings."

They wanted to hold Exxon accountable. Then they got hacked.

Denials and Official Responses

Both Exxon Mobil and the DCI Group have vehemently denied any involvement in illegal hacking activities. Exxon Mobil, while declining specific requests for comment on the recent court filings, has previously stated that it "has not been involved in, nor are we aware of, any hacking activities." The company has emphasized its commitment to reducing emissions and its acknowledgement that climate change is a real and pressing issue.

Craig Stevens, a partner at the DCI Group, stated in an email that the firm directs all employees and consultants to comply with the law. He noted that the government had informed DCI that neither the firm nor its personnel were under investigation. "Any insinuation otherwise is completely false and unsubstantiated," Stevens wrote. Amit Forlit has pleaded not guilty to the charges against him.

Chronology of Key Events

  • 1982: Exxon scientists conclude that fossil fuel use will cause significant global warming, according to internal documents later revealed by investigators.
  • October 2015: Inside Climate News and the Los Angeles Times publish investigations into Exxon’s early climate research.
  • January 2016: Climate advocates meet at the Rockefeller Family Fund to discuss legal strategies against Exxon.
  • February–March 2016: Phishing attacks target Kert Davies and other activists.
  • April 2016: The Wall Street Journal publishes leaked details of the activists’ strategy meeting.
  • June 2016: Exxon quotes the leaked meeting agenda in court filings to fight subpoenas from state attorneys general.
  • September 2017: Citizen Lab begins investigating the phishing links, identifying "Dark Basin."
  • September 2019: Aviram Azari is arrested at JFK Airport.
  • June 2020: Citizen Lab publishes its comprehensive report on the BellTroX hack-for-hire operation.
  • April 2024: Amit Forlit is extradited to the U.S. and his indictment is unsealed, naming a lobbying firm and an "Irving, Texas-based" oil giant as the ultimate beneficiaries of the hack.

Broader Implications and the Future of Climate Litigation

The revelation that a major corporation may have been the ultimate beneficiary of a global hacking scheme has sent shockwaves through both the legal and environmental communities. The case highlights the growing dangers faced by civil society organizations in an era of "mercenary" cyber-surveillance. As cybercrime becomes more sophisticated, the "hack-for-hire" industry offers powerful actors a layer of plausible deniability while providing them with weaponized information to derail legal and regulatory challenges.

They wanted to hold Exxon accountable. Then they got hacked.

The "chilling effect" described by activists like Lee Wasserman and Jennifer Cunningham is a primary goal of such operations. By forcing advocates to switch to encrypted apps, whisper in their own offices, or doubt the security of their personal lives, the perpetrators can effectively slow the pace of advocacy and litigation.

Despite these obstacles, the legal pressure on the fossil fuel industry continues to mount. Today, dozens of cities and states are pursuing lawsuits against oil majors, seeking hundreds of billions of dollars in damages for climate-related disasters. The outcome of the Amit Forlit case may determine whether corporations can be held vicariously liable for the actions of the private investigators and lobbying firms they employ. For Kert Davies and the other targets of the 2016 breach, the court case is more than a legal proceeding; it is a long-awaited quest for accountability in a decade-long digital war.

You may also like

Leave a Comment