Sensitive and confidential information relating to intelligence, defense and law enforcement agencies across the globe, including the FBI and Interpol, leaked from Israeli firm Cellebrite, according to court documents cleared for publication at Haaretz’s request.
The information is from 2015-2017 and includes almost half a million emails belonging to senior officials and directors at Cellebrite, their internal communications and exchanges with clients, invoices and even contracts.
The company is known for its digital intelligence tools and phone-hacking technology.
The information was transferred from Cellebrite to the Japanese Sun Corporation (the main shareholder in Cellebrite) and then handed over to Japanese officials – all without the knowledge or consent of Cellebrite’s Israeli management or its then-clients.
Cellebrite says the documents and this report do not accurately portray the events, which it says had no effect on the company or its operations.
Just the news of the disclosure of Cellebrite’s clients’ information to unauthorized parties in a foreign country could pose a problem for the firm, whose deals with intelligence, defense and law enforcement agencies often come with a secrecy clause that allows clients to renege on agreements if they are breached.
Furthermore, it is illegal in some countries to publish information that could reveal the tactics of intelligence or defense bodies. It is unclear if this is the case, and if this is the type of information that eventually reached Japanese officials (who were investigating alleged financial misconduct by Sun officials in Japan).
Though Sun is the majority stakeholder in Cellebrite and is in theory privy to all its internal data, the information was passed on to Sun without the knowledge of Cellebrite’s secrecy-sensitive management and clients. Some of it was even passed on to workers within Sun, per the documents.
Moreover, upon learning that its own and its clients’ information had reached Sun and was then handed over to Japanese authorities, Cellebrite commissioned law firms to write a legal opinion to try to assess the damage of the leak.
In one of the documents, lawyers hired by Cellebrite wrote: “It is our belief that should the knowledge that such sensitive information was provided to the Japanese authorities be disclosed to Cellebrite customers, it may cause severe reputational damage to Cellebrite (with such clients and others).”
“Cellebrite customers are likely to request to receive from Cellebrite complete disclosure relating to the information disseminated to the foreign authorities, in order to evaluate their exposure,” according to the legal opinion written at Cellebrite’s behest in 2018 and whose publication was cleared by Israeli courts last week.
Some of the data was disclosed to Sun and the Japanese authorities by a Cellebrite official called Eli Yakuel. According to the court documents, he served as the “shadow director” on behalf of the Japanese ownership within the Israeli firm.
Other parts of the data eventually handed over to Japanese authorities were transferred from Cellebrite by senior Sun officials who were privy to the information due to their corporate ownership role. According to the documents, some of the information that reached senior Sun officials was also transferred to employees within the Japanese firm – all without the knowledge of the company’s Israeli management at the time or its clients.
According to the documents, which were appended to a financial dispute lawsuit filed against Cellebrite in Israel last month, Sun “knowingly allowed for the dissemination of confidential information of Cellebrite and, even more importantly, of Cellebrite’s customers, without requesting the regulator for any confidentiality undertaking, and without limiting or mitigating such exposure.”
At the time, Cellebrite was not a publicly traded company; however, Sun was trading on the Tokyo Stock Exchange. The investigation into Sun was conducted by the FSA (the Japanese equivalent of the U.S. Securities and Exchange Commission, charged with investigating possible financial crimes). It was looking into suspicions that officials within Sun had made use of internal Cellebrite information – for instance, financial forecasts or pending contracts – in an insider-trading scheme.
According to the legal documents, at the end of 2017 – when Cellebrite first learned that its information had been handed over to Japanese authorities without its or its clients’ knowledge – the firm scrambled to ascertain precisely what information had reached them.
Cellebrite even commissioned a pair of legal opinions by two leading Israeli law firms to try to gauge the damage the disclosure could pose to the firm and its clients.
Though Sun may have had the legal or corporate right to access all of Cellebrite’s data, upon receiving a copy of the information handed over by Sun to the FSA, Cellebrite’s lawyers noted concerns after identifying “sensitive and confidential information relating to Cellebrite and its clients.”
After reviewing the full extent of the disclosure to the Japanese authorities, the lawyer said it contained “confidential information relating to Cellebrite itself [and] confidential information relating to Cellebrite’s clients, including but not limited to agreements entered into with the clients as well as the products used by the clients.”
The lawyers also expressed alarm at the “dissemination of internal Cellebrite emails by Sun Corporation executives to Sun Corporation employees,” and that “confidential information relating to Cellebrite,” ranging from “financial documentation” to “product information,” was also handed over.
NASA and a Russian embassy
Cellebrite provides a number of different digital intelligence tools to government and state clients around the world. Its flagship product line is the UFED: a device that can break into cellphones attached to it.
Unlike the remote hacking technologies provided by spyware such as the NSO Group’s Pegasus – which can infect a device through digital means without the target knowing – Cellebrite’s tool is much more physical. An apprehended suspect’s phone is plugged into Cellebrite’s device and the entirety of its contents, including encrypted messages, is scraped from the phone (even if it is locked with a passcode).
The use of such technology is supposed to be conducted only by agents or officers in accordance with local and international law.
The FBI and Interpol were among the organizations revealed in the documents. The FBI, it was noted, signed a $439,000 agreement with Cellebrite for what was called an “unlock deal.” Also revealed were invoices for the Russian Embassy in Japan for a UFED Touch, as well as those belonging to the Tokyo Metropolitan Police Department.
The information is about services provided by 2017 and it is unclear if these organizations are still Cellebrite clients.
Communications between Cellebrite and the National Crime Agency (Britain’s equivalent to the FBI), the British Ministry of Defence and the American military regarding “data extraction as part of classified investigations” were also disclosed to the Japanese authorities.
Also revealed to be among Cellebrite’s clients: the U.S. Department of Homeland Security, the U.S. Marshals Service and U.S. Immigration and Customs Enforcement. These, as well as the Royal Canadian Mounted Police, were specifically noted as clients who would be concerned by the disclosure.
Details of how Cellebrite had also aided NASA and even Russian police forces were also included, the documents noted.
Cellebrite sells its technology through a license model. Requests for license extensions were also among the communications exposed, including those by the Japanese defense ministry, the national Japanese police and the police forces in the prefectures of Hyogo and Aichi, and the customs office at Narita International Airport, per Cellebrite’s legal assessments at the time.
Until now, most of what we knew about Cellebrite’s operations came from human rights reports and the work of Israeli human rights lawyer Eitay Mack, who exposes abuse of Israeli technology. Just this week Haaretz revealed, based on allegations raised by Mack, that Cellebrite had sold phone-hacking tools to the dictatorship in Uganda.
In the past, Cellebrite also sold tech to Russia and China, where the technology was reportedly used against pro-democracy protesters in Hong Kong. However, following reports exposing the misuse, Cellebrite cut ties with these countries and others.
Since going public in 2021, it frequently touts its clients in democratic countries such as Japan, the United States and even Israel. However, much of its activity still remains secret due to the nature of its clientele. Unlike the NSO Group and others in the cyberoffense industry, Cellebrite only fell under the auspices of the Israeli defense establishment in around 2020.
The documents were cleared for publication at the request of Haaretz’s lawyers Paz Moser and Maya Katz from the law firm Lieblich-Moser-Gluck, Advocates. They were attached to a lawsuit filed last month as part of a convoluted financial dispute between Cellebrite and a strategic consultant called David Spector.
Spector was briefly hired by the firm and claims he is still owed funds. Cellebrite claims Spector included the now-revealed documents in his suit to attract media attention to his case and embarrass Cellebrite.
In response to this report, Cellebrite said that “the two legal documents appended to the lawsuit provide an inaccurate and partial portrayal of the events in question and their potential ramifications.”
The documents, Cellebrite said, were added to the lawsuit by Spector “for PR purposes only, and with the clear knowledge that this suit is baseless, does not hold water and does not hold any public interest.”
Cellebrite stressed that “the event described in this report happened five years ago and did not have any effect whatsoever on the company’s activities.”
Yakuel did not respond to a request for comment via LinkedIn.