
On a frigid morning in January 2016, a small group of climate advocates and legal strategists gathered in the Upper Manhattan offices of the Rockefeller Family Fund. Their objective was as specific as it was ambitious: to devise a legal and public relations framework to hold Exxon Mobil accountable for decades of climate change denial. This meeting followed explosive investigative reports by Inside Climate News and the Los Angeles Times, which revealed that Exxon’s own scientists had warned the company about the catastrophic potential of fossil fuel combustion as early as 1982. Despite this internal knowledge, the corporation had spent millions funding campaigns to sow doubt about climate science.

The meeting was intended to be a private strategy session, but the consequences of that gathering would ripple through the legal and digital worlds for the next decade. Within weeks of the session, attendees began receiving a barrage of suspicious emails. Kert Davies, founder of the Climate Investigations Center, was among the first to notice the anomalies. One email, disguised as a notification from Facebook, informed him he had "5 pokes." Others appeared to be standard alerts from LinkedIn or Twitter. These were the opening salvos of a sophisticated, multi-year phishing campaign designed to infiltrate the communications of the #ExxonKnew movement.
The Anatomy of a Mercenary Cyberattack
The digital assault on climate activists was not a random act of cybercrime but a targeted "hack-for-hire" operation. As the phishing emails intensified, the psychological toll on the activist community grew. Communication channels that were once open became fraught with suspicion. The dread was validated in April 2016, when the Wall Street Journal and the Washington Free Beacon published articles detailing the private agenda from the Rockefeller Family Fund meeting. The publications alleged "secret coordination" between activists and state attorneys general, a narrative that Exxon Mobil immediately adopted to fight off a growing wave of subpoenas and lawsuits.

For years, the origin of the hack remained a mystery. However, recent court filings and criminal indictments have begun to peel back the layers of a global conspiracy involving private investigators in Israel, tech workers in India, and powerful interests in the United States. At the center of this web are two Israeli private investigators, Aviram Azari and Amit Forlit, and an Indian hacking group known as "Dark Basin."
Chronology of the Hacking Campaign and Investigation
The timeline of the operation reveals a calculated effort to align digital espionage with legal and political maneuvers:

- October 2015: Investigative reports reveal Exxon’s early knowledge of climate change. A major U.S. lobbying firm is allegedly hired by an "oil giant" to go "on offense" against climate activists.
- January 2016: Climate advocates meet in Manhattan to strategize.
- February–March 2016: Phishing attacks begin targeting meeting attendees. The accounts of at least two climate nonprofit employees are successfully breached.
- April 2016: Leaked documents from the hack appear in national media outlets. Exxon Mobil cites these reports in court to argue that investigations by state attorneys general are politically motivated.
- 2017: The University of Toronto’s Citizen Lab begins investigating the phishing links, discovering a massive global operation they name "Dark Basin."
- September 2019: Aviram Azari is arrested at JFK International Airport.
- June 2020: Citizen Lab publishes its "Dark Basin" report, linking thousands of hacks across six continents to the Indian firm BellTroX InfoTech Services.
- 2022: Azari pleads guilty to wire fraud and conspiracy to commit hacking.
- April 2024: Amit Forlit is extradited from the United Kingdom to the United States to face charges related to the same conspiracy.
The Digital Paper Trail and Financial Data
Supporting data uncovered during the Department of Justice (DOJ) investigation paints a picture of a lucrative industry built on corporate espionage. Sentencing documents for Aviram Azari revealed that he received more than $4.8 million over five years to manage various intelligence-gathering and phishing campaigns. The broader scheme, involving Amit Forlit’s firms, allegedly generated $7 million between 2014 and 2017.
The connection to the fossil fuel industry is detailed in the indictment against Forlit. Prosecutors describe a client matching Exxon Mobil’s description—a massive oil and gas corporation then headquartered in Irving, Texas. The indictment alleges that a "lobbying firm," identified in UK court filings as DCI Group, acted as the intermediary. Public records show that Exxon Mobil has a long-standing relationship with DCI Group, spending more than $3 million on the firm’s services for lobbying, including $320,000 in 2015 alone, the year the hacking project was allegedly commissioned.

The technical precision of the attacks was notable. The hackers utilized custom URL shorteners to track which targets clicked on links, allowing them to refine their phishing lures. When activists became wary of social media notifications, the hackers pivoted to more sophisticated lures, such as sharing fraudulent Dropbox links titled "ExxonMobil (confidential).docx" to entice those monitoring the company.
Official Responses and Denials
As the legal net closes around the operatives, the corporate entities involved have maintained a stance of total denial. Exxon Mobil has consistently stated that it was not involved in, nor aware of, any hacking activities. In a previous statement, the company asserted, "If there was any hacking involved, we condemn it in the strongest possible terms." The company has shifted its public messaging in recent years to acknowledge that climate change is real while simultaneously fighting nearly 40 ongoing lawsuits brought by states and cities seeking damages for climate-related disasters.

DCI Group has been equally firm in its denials. Craig Stevens, a partner at the firm, stated that DCI directs all employees and consultants to comply with the law. He noted that the firm had been informed by the government that neither DCI nor its personnel were under investigation, dismissing any insinuations of involvement as "false and unsubstantiated."
For his part, Amit Forlit has pleaded not guilty to charges of hacking and wire fraud. His defense team in the UK argued that the U.S. prosecution was "politically motivated," suggesting Forlit was "collateral damage" in an attempt by the U.S. government to build a case against Exxon Mobil.

Broader Impact and Implications for Civil Society
The #ExxonKnew hacking scandal is not an isolated incident but part of a growing trend of corporate surveillance directed at civil society. The implications for democratic discourse and environmental advocacy are profound.
- Chilling Effect on Advocacy: The use of stolen materials in court filings and media "hit pieces" creates a high-pressure environment for activists. Lee Wasserman of the Rockefeller Family Fund noted that the breach forced advocates to change their behavior, switching to burner phones and whispering in offices for fear of bugs.
- The Rise of Hack-for-Hire: The "Dark Basin" revelations show that mercenary hacking is a global commodity. Organizations no longer need internal "black ops" teams; they can outsource deniable espionage to firms in jurisdictions where legal oversight is lax.
- Legal Precedent: The extradition of Amit Forlit and the conviction of Aviram Azari signal that the U.S. Department of Justice is willing to pursue international "mercenary" hackers who target U.S. citizens. However, the question remains whether the "clients" who fund these operations will ever face similar accountability.
- Security Evolution: The tactics used against Davies and his colleagues—phishing and credential harvesting—have evolved. Today’s activists face "zero-click" exploits and sophisticated spyware like Pegasus, which can infect a phone without any action from the user.
As Kert Davies continues his work monitoring the fossil fuel industry, the shadow of the 2016 breach remains. For him, the case is about more than digital security; it is about the integrity of the movement to address the climate crisis. The ongoing legal proceedings against Forlit may finally provide the "missing link" between the hackers and the corporate interests that sought to silence the #ExxonKnew campaign. Until then, the case serves as a stark reminder of the lengths to which powerful entities may go to protect their interests in the face of existential environmental challenges.


