Hacking Team Customer in Turkey Was Arrested for Spying on Police Colleagues [or: The Spy Story That Spun a Tangled Web]

An investigation that weaves a winding tale between police in Ankara who were charged with spying on their own colleagues... and the purchase of Hacking Team's surveillance software.

When I Tweeted recently that a story I’d been working on for months fell apart — or at least hit walls that prevented me from advancing it — I was referring to this piece. Readers urged me to write a behind-the-scenes tale about what occurred.
When I began work on it, the story presented itself as a tantalizing tale with political intrigue, cops-spying-on-cops, and questionable practices around the purchase and use of surveillance software made by the Italian firm Hacking Team. Months later, it still has many unanswered questions and a convoluted trail of dots that may or may not connect.
Here's my attempt to connect those dots. Perhaps in telling the tale, more information will shake loose to complete the story.

*******

It all began last March when Juan Andrés Guerrero-Saade, principal threat researcher at SentinelOne, contacted me about a story I wrote back in 2013 about a woman in the U.S. who was targeted in an attempted hacking campaign.

She was a vocal critic of charter schools operated by the Gülen Movement, a religious-political organization led by the U.S.-based Turkish imam and scholar Fethullah Gülen. The movement’s followers long held influential positions in Turkey’s military, police, judicial system and intelligence services but have been accused of plotting coups and framing critics and opponents.

In January 2013, the woman received an email that appeared to come from a trusted Harvard colleague with a link to a website in Turkey. Had she visited the site — she was suspicious and didn’t — it would have infected her computer with a spy tool called Remote Control System (RCS) made by the Italian company Hacking Team. She believed, though she had no proof, that Gülenists in the Turkish police were behind it, since Hacking Team’s surveillance software was only supposed to be sold to law enforcement, intelligence agencies and other government entities.

Guerrero-Saade contacted me because he had evidence of similar attacks against Turkish victims using a different spy tool he found, which he called “Rad.” It appeared to have been developed by a Turkish speaker. Rad had some basic capabilities that RCS had, but it didn’t use RCS code and was much less sophisticated. Guerrero-Saade called it the “mundane” creation of inexperienced developers who weren’t “stealthy or careful.”

What made it interesting was that it was apparently used by rogue police in Turkey to spy on their colleagues — in an operation that had a surprising link to Hacking Team.

Guerrero-Saade found Rad in a roundabout way after reading a 2016 article about Turkish journalists who were arrested for being connected to a terrorist organization. They were framed with documents planted on one of the journalist’s computers.

Investigative journalist Bariş Pehlivan has received numerous death threats and been imprisoned twice. (Courtesy of Pehlivan)

Ahtapot, and the Case of the Framed Journalists

The journalists worked for OdaTV, a top media outlet critical of both President Recep Tayyip Erdoğan’s party and Gülenists. One Monday morning in February 2011, the Turkish National Police (TNP) raided OdaTV’s Istanbul office and the homes of investigative journalist Bariş Pehlivan and colleagues and arrested him and six others, based on incriminating documents found on Pehlivan’s work and personal computers. The documents tied him and colleagues to Ergenekon, an opposition group accused of being a terrorist organization and plotting to overthrow the government.

Pehlivan’s attorney engaged Arsenal Consulting, a US digital investigations firm. They found evidence that on Friday evening before the raid, someone with physical access to Pehlivan's computers planted the incriminating documents — altering date and timestamps to make it look like they had been on his computers for a while — and also planted spyware. Researchers dubbed the spyware Ahtapot because of the Turkish word for “octopus” in the code. Arsenal's findings proved that Pehlivan and his colleagues were framed; they were acquitted in 2017. [Arsenal recently helped solve another case in India, known as the Bhima Koregaon case, that involved planting documents to frame two activists there.]

Guerrero-Saade went hunting for copies of Ahtapot in the wild to see if the actors who framed Pehlivan targeted additional victims. He wrote a script to search for Ahtapot code or files that were created with similar tools and techniques as Ahtapot. This led him to Rad. The tool shared only small bits of code with Ahtapot, but appeared to come from the same developers — SentinelOne has dubbed them “EGoManiac.” It was riddled with Turkish language and used Turkish phishing emails to lure victims into loading it onto their computers; it also targeted people in Turkey or who had a nexus with Turkish politics or issues. It was developed in 2010 and 2011 and infected victims between 2010 and 2015. [Paid subscribers can access an extensive timeline of events discussed in this story to see patterns and overlaps.]

Guerrero-Saade and colleagues found more than 50 samples of Rad, including sub-components that indicated it had modular functionality that could be swapped in and out based on surveillance needs. Among its capabilities: it could siphon documents or turn on an infected computer’s microphone to record conversations in its vicinity. [Read SentinelOne’s full report on Rad and EGoManiac here.]

One feature of Rad stood out: documents the spyware siphoned from machines got sent to one of seven email addresses hard-coded in the malware. Guerrero-Saade did a Google search on the addresses, and one — johndown@woxmail.com — popped up in a Turkish news story.

The Case of the Rogue Police

The story described a police-on-police spy operation conducted by rogue officers in the intelligence division of the Turkish National Police in Ankara. A police chief and superintendent, accused of being Gülenists, were arrested in 2016 for installing spyware called “Hortum” (“hose” in Turkish) on a police computer and siphoning information about police investigations of Gülenists in order to leak it to the targets of those investigations.

The files and documents Hortum siphoned were sent to johndown@woxmail.com, the address Guerrero-Saade found in Rad. The address, the Turkish article noted, belonged to an IT company in Istanbul called Datalink Analiz, which allegedly forwarded the siphoned documents elsewhere. Two of Datalink's executives were arrested along with the police chief and superintendent, the article said.

The detail was significant because the company’s name showed up in emails that a hacker had stolen from Hacking Team in 2015 and leaked to WikiLeaks. The stolen emails identified for the first time the secretive government customers who had purchased Hacking Team’s spyware — they included the Turkish National Police.

Publicity image from Hacking Team promotional material

The Hacking Team Connection

Among the leaked emails was correspondence for the years 2010-2015 between Hacking Team and Ahmet Koçak, a chief inspector in the IT department of the TNP’s Intelligence Division — the same office where the rogue police chief and superintendent were arrested in 2016.

Koçak met Hacking Team in 2010 at the ISS World conference in Prague — a trade fair where purveyors of surveillance tools show them off to government buyers. He sent Hacking Team an email in December that year, and months later he and three colleagues from his Ankara office visited Hacking Team in Milan for a demo of its spy tool. Later, when Koçak purchased the tool, the emails show that payment came from a Datalink bank account, not from a police account.

This raised an interesting question. If Datalink was used by Koçak to purchase Hacking Team’s software and also used by Hortum to siphon documents from police computers, was it possible Koçak was among those arrested for the Hortum spy operation? And if he used Hortum for illegal spying, had he also used Hacking Team's software for illegal purposes? The Turkish article didn’t name the Ankara police chief who was arrested, but did identify his initials — AK.

If Koçak was behind Hortum, what did it say about Hacking Team’s vetting of customers? The company, which was sold in 2019 and rebranded as Memento Labs, long insisted that it sold only to law enforcement and intelligence agencies for lawful tracking of suspected criminals and terrorists. It also insisted it monitored customer usage for abuses. But RCS has been found on the systems of activists and political dissidents in Morocco and the United Arab Emirates. And the case of the woman in the U.S. also suggested that Turkey might have abused the software as well.

There was no evidence Koçak purchased RCS for illegal purposes, but digging through the leaked Hacking Team emails revealed a number of irregularities around the purchase that made it suspicious:

  • He initially contacted Hacking Team in late 2010 from a personal Gmail account akocak005@gmail.com and gave only his name and vague affiliation — he said he worked for a “security department” in Turkey. When Hacking Team asked him to provide a government address, he switched to akocak@egmidb.gov.tr. But then on June 1, 2011 he abruptly switched back to his Gmail account, saying the TNP email server was down. He never went back to his police address, though he continued to communicate with Hacking Team for years.
  • When Koçak and colleagues were planning their visit to Hacking Team’s Milan office in May 2011, he asked the company to leave its name off the invitation letter he would use to apply for Italian visas. “Letter must not be from HackingTeam, Name of the company must be different. If you have another company you can use it,” he wrote. He also said the letter “must be about network packed analyzing” — suggesting he wanted it to look like they were traveling to Milan to see a network defense tool, not a surveillance tool.
  • Koçak asked Hacking Team if he could purchase the product without an invoice. Hacking Team was so surprised by this that an employee conveyed this request to colleagues with an exclamation point. Hacking Team did send an invoice to Koçak at the TNP office. But when Koçak renewed the license in 2012, he asked for the invoice to go to an Istanbul company named BaseTechno Information Technologies. Then he said he’d given the wrong name and asked for it to go to a different company in the United Arab Emirates called Foresys Information Technology-FZE. When payment arrived to Hacking Team, it came from neither of these companies but from Datalink. Datalink was stood up in late May 2011, just as Koçak was planning his Milan visit, according to Turkish Trade Registry records, and shut down in February 2016, three months before Koçak was detained on the spying allegations.
  • In August 2012, Koçak wrote Hacking Team from a third address — tnpnotcenter2@gmail.com, which had previously been used only to submit tickets to Hacking Team’s tech support portal. Submissions to the portal weren’t generally signed, but this one was signed “Ahmet”. He asked Hacking Team for a second license to install the RCS program on another computer. After much back and forth, Hacking Team complied.
  • Five months after Koçak’s request for a second license, the woman in the US was targeted with Hacking Team’s software. After my story about her published in June 2013, Hacking Team confronted the Turks about it, according to a leaked email from Hacking Team CEO David Vincenzetti. “They categorically deny any involvement,” he wrote. “I told our people to insist and to explain [to] them that such media exposures are not beneficial for anybody. Again, total denial. I am sure that we will not get any help from them.” I reached out to Vincenzetti via email but he didn’t respond.

I was interested in hunting down answers to a number of questions: Was Koçak among the arrested officers? If he was guilty of spying on colleagues, how extensive was the operation? Did he use Hacking Team’s software to spy on behalf of the Gülen Movement? Were Rad and Hortum one and the same?

But just as I was ready to get started, Guerrero-Saade asked me to hold off. He had to finish his technical analysis of Rad and wasn’t ready to hand it off just yet.

I didn’t hear from him for two months. During that time, SentinelOne had decided to take the Rad research to a journalist they thought could get it worldwide publicity. After the journalist turned them down, Guerrero-Saade brought it back to me. But there was a catch: they wanted a story published quickly. This wasn’t the type of piece that could be researched in a day or two, however.

The SentinelOne report on Rad seemed to assume the Turkish police were guilty of spying on colleagues and purchased Hacking Team’s software for illegal purposes. “[D]o we trust lawful intercept vendors to correctly identify legitimate law enforcement entities from pernicious cabals, scam artists, and rogue elements before handing over unsupervised use of powerful surveillance equipment?,” the original report asked.

I couldn’t publish a story without verifying details of the case or speaking with the arrested officers. I needed to confirm that Ahmet Koçak was among them, and that Rad was the Hortum spyware at the center of the Ankara spy case.

Pulling Threads

I first tried to contact the prosecutor, whose name appeared in Turkish news stories. But Turkey was in the midst of COVID lockdowns, and my calls went unanswered or were stymied by language barriers; the office worker who answered the phone hung up twice because I only spoke English. Finding a Turkish translator to broker a call proved to be difficult for a different reason; due to mistrust of Turkey's judicial system, which many believe has been corrupted by both Erdoğan and Gülenists, no one wanted to help me call the prosecutor's office for fear of drawing attention to themselves. I sent the prosecutor a direct message on Twitter, but he didn't respond.

So I focused on trying to obtain court records to identify the defendants and their attorneys. In the U.S., it’s easy to download court documents unless they're sealed. But in Turkey, only parties to a case (defendants, attorneys, prosecutors) can access them. I found someone who thought he might be able to help. It was a long shot, but after a month I got what appeared to be a prosecutor’s investigation report — a 17-page document in Turkish that was dated May 2017, a year after the arrests. The document had no court markings but listed the criminal case number and, most importantly, identified four suspects/defendants. Ahmet Koçak was among them.

He’d been promoted since his correspondence with Hacking Team and was now deputy manager of the Cyber Crimes Unit (aka J Branch) inside the Intelligence Division of the General Directorate of Security (aka Turkish National Police).

The other defendants included two executives and co-owners of Datalink: Murat Keskin and Veli Özdemir. Özdemir had been a police chief, working in the same division with Koçak, until about mid-2012 when notably he resigned to become part owner of Datalink. Shortly thereafter in August 2012, Datalink sent Hacking Team 140,000 Euros to renew the Turkish National Police’s license for its spyware. Özdemir and Keskin were co-partners in Datalink five months later when the Hortum software was allegedly sending stolen documents to the company from a police computer.

The fourth defendant in the case was a superintendent in the TNP’s J Branch. He was accused of installing the Hortum spyware on the police computer. Turkish news articles identified him only by his initials, MSK. I've agreed not to name him here because while he was initially convicted in the spy case, a superior court reversed the conviction (though the case is back in a lower court to be retried). MSK left Turkey in 2019 with his wife and three children and currently lives in exile. His new employer doesn’t know about the charges, and he doesn't want his name and the case to appear together in a Google search.

The Charges

The prosecutor's report gives a summary of what occurred as well as statements from the interrogation of witnesses and defendants. It also includes technical details about Hortum that match exactly what Guerrero-Saade found in Rad — supporting his theory that Rad is Hortum. Both Rad and Hortum were built using POCO C++, and in both cases, the same starter component - a file named wsms.exe - and eight files containing functionality got installed on infected machines. The spyware stored itself in the same directory on machines and collected information from computers but could not receive commands.

One of the primary witnesses in the case, a police officer named Tuncay Özyigit, told prosecutors that on January 24, 2014, MSK borrowed a laptop from him under the pretense of examining a project Özyigit was developing called SocialCat — an open-source intelligence project for gathering information from social media platforms.

MSK allegedly took the laptop to examine SocialCat in private. Özyigit told prosecutors he became suspicious when MSK behaved uneasily, though he didn’t elaborate. MSK kept the laptop 90 minutes before returning it. Özyigit didn’t use the computer again until February 5, when he noticed it was operating very slowly. He checked the task manager to see what programs were running in the background and saw an application called searchindexer.exe sending data repeatedly to an email server at mail.woxmail.com. He immediately suspected it was spyware.

He sent the laptop to the department's forensic lab where it sat for a day to be imaged; during this time, he said MSK kept visiting the lab to see what investigators had found. The lab concluded that spyware had been installed with a USB flash drive during the time MSK had the laptop in his possession. An outside security firm evidently confirmed this conclusion. Prosecutors traced the IP address for the mail.woxmail.com mail server to Datalinks Bilişim Anonim — which they concluded was the same company that paid for Hacking Team's software.

While Turkish media reported that the spying lasted for a year before being detected, the charges against the defendants indicate it lasted just two weeks — from January 24 to February 5, when the forensic lab discovered it.

Despite police discovering the spyware in February 2014, Koçak and MSK weren’t arrested until 2016. Koçak's wife, a software developer for the TNP, also lost her job as a result of the charges against her husband. The prosecutor’s document identifies Özdemir and Keskin as suspects but says they left the country during the investigation and could not be questioned. An arrest warrant was issued for them.

The charges against Koçak and MSK were: Procuring confidential documents related to state security, entering the IT system of a public institution illegally, and being a member of an armed terrorist organization. In the case of the latter, witnesses said they had direct knowledge that Koçak, Özdemir and MSK were connected to the Fetullah Terrorist Organization (FETÖ/PDY) which is reportedly tied to the Gülen Movement. Prosecutors concluded that “unknown” members of FETÖ/PDY directed Koçak and MSK to install the Hortum spyware.

Police Response to Charges

Koçak is now 43 and graduated from the Turkish police academy in 2000. He began work in the TNP’s Intelligence Division in 2004, initially for the Information Technologies Branch Directorate. He oversaw the department's network infrastructure; the development of software, databases and security procedures; and managed research of developing technologies and technical solutions. Then in August 2011, just as he was purchasing Hacking Team’s spyware, he became deputy head of the Cyber Crimes Unit.

During the interrogation, prosecutors were suspicious about his purchase of Hacking Team’s software and the Datalink connection between that and Hortum. They asked why he purchased the software, why the payment was funneled through Datalink, and how the software was used. He said one of his duties was to procure software for his department and his superiors asked him to buy it. He denied any connection to FETÖ/PDY. He didn’t know how the software was used after its purchase and payment for it was the responsibility of his manager, not him. He also said he had never heard of Datalink and had no contact with its employees or partners, even though his longtime colleague left his police job in 2012 to become partner in the company, weeks before money was funneled through Datalink to Hacking Team.

Much of what Koçak said could have been easily verified by prosecutors, but I was unable to obtain court records to see if they did this. There was, however, one thing Koçak said that was suspect on its face. He told prosecutors he had nothing to do with the Hacking Team software after its purchase. But the leaked Hacking Team emails show this wasn’t true. In an August 2012 email from the address tnpnotcenter2@gmail.com, Koçak complained that the spyware’s keylogger was glitchy. “I see the target write a sentence, I can see this on screenshoot [sic] but in keylog some letter is missing.” This made it clear he was using the program or providing support to those who were, and therefore knew how it was being employed. He even complained at one point that high-value targets were lost because they only had one computer licensed to use the software.

Koçak denied to prosecutors that he had ever used the tnpnotcenter2@gmail.com address, implying that the correspondence came from someone else. But in the leaked emails Hacking Team employees listed this as one of the addresses they should use to contact him.

There were also questions about the reasons Koçak gave for buying the Hacking Team spyware. He said it was “for R&D purposes,” and that they decided to purchase it after Stuxnet began spreading worldwide. He said IT experts everywhere were concerned they might be infected with Stuxnet, and this was one motivation for buying the Hacking Team software.

This made little sense, however. Stuxnet, which was the subject of my book Countdown to Zero Day, was a digital weapon launched by the US and Israel in a targeted attack against industrial control systems used in Iran. Hacking Team’s surveillance spyware wouldn’t help them protect the TNP’s network from a Stuxnet-like attack. And in any case, his leaked emails with Hacking Team contradicted this argument and made it clear the software was purchased for spying.

Koçak mentioned one other intriguing detail. As an example of the kind of R&D work his team performed, he told prosecutors his department researched the hacking group known as the Syrian Electronic Army. Notably, Guerrero-Saade discovered references to SEA in early samples of the Rad spyware. The words “Syrian Electronic Army,” “sea.sy” and “Codename Assad” all appear in the code. Guerrero-Saade believed it was a clumsy attempt by the Turks to make it appear that their spy tool came from the SEA.

I wasn’t able to locate Koçak to speak with him. The attorney who handled his case said he no longer represents Koçak and believes he left Turkey. He wouldn’t speak about the case without Koçak’s permission, but he didn’t know how to contact him.

MSK told me he didn't know anything about Koçak’s purchase of Hacking Team’s software. He acknowledged, though, that it didn’t make sense for Koçak to spend 140,000 Euros to purchase a powerful surveillance tool just to study it for R&D.

As for the allegations against MSK, he denied all of them.

MSK is now 37 and graduated from the police academy in 2007, after which he was assigned to work in the IT division of the TNP’s Intelligence Division. He worked there until 2012 when the Cyber Crime unit opened and he was assigned to become a forensic investigator for it. He had no experience and took courses on how to use EnCase, Cellebrite and other forensic tools; he also traveled to the US for training, he told me. He eventually became so proficient he got a master’s degree in digital investigations in 2012, and in 2014 did a PhD in computer science. His job was great, he said, until things changed in December 2013 when Erdoğan began cracking down on Gülenists.

Erdoğan Scandal and Crackdown

For years, Erdoğan reportedly partnered with Gülenists to get rid of his opposition. But in 2011 Gülenists sought more power and representation in government, which threatened Erdoğan. By 2013, the relationship had deteriorated so much, Gülenists working in intelligence began to investigate Erdoğan and his allies. In December 2013, the Erdoğan government was racked with a corruption scandal over the involvement of cabinet members and their family in a “gold for gas” scheme to purchase oil and gas from Iran, bypassing sanctions. An investigation conducted by the Financial Crimes Unit of the Istanbul Security Directorate exposed the role that sons of government ministers allegedly played in the money laundering, which led to dozens of arrests on December 17. When news leaked that more arrests were imminent and the money laundering extended to Erdoğan and his son, 350 police officers were pushed out of their positions.

The prosecutor’s document cited this as the motive for MSK to install the Hortum software on the police computer the next month — to track who else might be targeted by Erdoğan’s people. MSK told me he was vocal to colleagues at the time that the investigation into Erdoğan should continue despite the crackdown on police aimed at halting the investigation. This made him an easy target for prosecutors to use the December 2013 crackdown to accuse him of spying. He says the fact that he was only accused of spying in 2016, two years after prosecutors say the spying was discovered, supports his claim that the charges were manufactured.

“I asked the prosecutor in court, it is logical that they suspect me as a spy, as a terrorist, but they didn’t stop me to work in police department [for two years]?” he says. MSK says the prosecutor sidestepped the question.

MSK believes prosecutors brought the charges in 2016 because new managers who were Erdoğan supporters took over the Intelligence Division earlier that year and wanted to install their own people in the jobs held by Koçak and MSK.

“[T]his case and claim is totaly [sic] slander,” he wrote me. “I didnt try to steal any data/files of my staff…. The court and Ankara Police Department accused of me because I am dissident of Erdoğan and i dont agree with his policies in Turkey.”

MSK says the allegation that they installed Hortum to siphon information about counter-intelligence investigations of Gülenists also doesn’t make sense because the cyber crime unit had just two communal computers, one for intelligence work on the internal Polnet network and the other for work on the internet. The Polnet system had information about investigations, but this was never connected to the internet or to other computers. Installing spyware on the internet-connected computer, which was the basis of the charges, would not have provided access to police investigations. What’s more, he says prosecutors never cited which documents the Hortum software siphoned.

I, unfortunately, was not able to obtain court records from the trial to confirm these details. MSK told me he didn’t have copies of the records and had lost his password to the court system to download them again. He also told me his attorney couldn’t provide the records because by law attorneys have to destroy records once a case concludes and they’re no longer representing a client. But sources in Turkey scoffed at this and also said that as the defendant, MSK would be able to create a new password to access court records at any time.

In any case, in 2018, the court convicted him of attempted spying (a lesser charge) and membership in a terrorist organization, and sentenced him to 12 years and two months. But MSK says it’s a measure of the judge’s ambivalence about the case that he also released MSK on time served, which was 28 months. MSK says he thinks the judge convicted and sentenced him because he feared losing his job otherwise, but then set MSK free because he also didn't believe the charges. Last December, a superior court ruled that the evidence presented by prosecutors was flimsy and reversed the convictions of both Koçak and MSK. The judge sent the case back to the lower court to be retried, and the case remains open.

MSK says that in January, the lower court judge ordered prosecutors to provide a list of the files allegedly stolen with Hortum, but there has been no response.

Summary

After three months of trying to figure out what was the truth, I had exhausted what I could do with the time and resources I had. In the end, my investigation answered some questions, but left others unanswered and raised new ones. One thing it did do was highlight the difficulty with investigating stories that involve nation-state spyware — especially in a country as politically complicated as Turkey, where authorities charged with investigating a crime might themselves be perpetrators of the crime or simply be making it up. Given the unreliability of a legal system that can bestow favor or punishment based on a defendant’s political leanings, it’s difficult to know what is what.

The investigation also highlighted the constraints that prevent threat-hunters from fully connecting dots to answer underlying questions. The SentinelOne report that I read when I began my research speculated connections between Ahtapot, Rad, Hortum and Hacking Team, but couldn’t move beyond this. It required an ability to gather information through other means to see the larger picture.

“Despite hunting this threat group for years, since the OdaTV case first came on our radar, I couldn’t have guessed that the story would be this convoluted, fascinating, and troubling,” Guerrero-Saade told me. “From a threat-hunting perspective, it’s an enthralling tale, but also one that highlights the limits of the certainty we can derive from technical analysis alone. [T]here’s nothing clear-cut about the motivations behind this nor the specific forces involved.”

I had answered many of the questions I had when I began, but others were still unanswered. Was Rad/Hortum planted on the police computer to frame Koçak and MSK? [Unknown.] Who developed Rad/Hortum? [Unknown.] Did the TNP use Hacking Team’s software to spy illegally on political adversaries? [The software was used to target a woman in the U.S., and the TNP were Hacking Team’s only Turkey customer at the time. But it’s not clear who used the software to target the woman.]

Pehlivan, the investigative journalist who was framed in 2011 with false documents, has no doubts about who was behind the hack of his computer. He’s been an investigative journalist 17 years, most of which he has spent reporting on Erdoğan’s AKP party and the Gülen Movement, including authoring four books. He says he has no doubt that Gülenists were behind the hack that framed him.

“I knew it was a plot orchestrated by members of the Fethullah Gülen Movement within the state,” he says. “The same methods I have reported on so many times were used on me. At the time, although it looked like the AKP was the government, it was actually the Gülenists who ruled the state.”

As for whether he believes Koçak and MSK are guilty of spying, he couldn’t say. But he cautioned against trusting court rulings.

“[T]rials conducted in Turkey are far from just and fair,” he says. “This causes criminals to either appear innocent and get away unpunished, or get away with less punishment than they deserve.”

In the end, Guerrero-Saade says it’s a cautionary tale about law enforcement’s use of spyware.

“We are talking about an actor that has no problem incriminating journalists and throwing them in prison,” he said. “I wish we could view this as an isolated incident, but with the ongoing Bhima Koregaon case [in India], it seems [the actor behind Ahtapot and Rad] was just an early adopter of unscrupulous tactics, and we have to ask ourselves if, half a decade later [after the OdaTV incident], we are any better prepared to handle such an enemy.”
