News — almost impossible to believe — broke yesterday that the Crown Prince of Saudi Arabia, Mohammed bin Salman, was somehow involved in the hacking of Amazon CEO Jeff Bezos.
According to reports from the Guardian and the Financial Times, the Saudi royal family member, commonly referred to as MbS, allegedly sent a booby-trapped video to Jeff Bezos via a WhatsApp message last year, on May 1, 2018.
According to a report into the hack put together by FTI Consulting, the video supposedly exploited a WhatsApp bug to download and install malware on Bezos’ phone, which then proceeded to exfiltrate data from the Amazon CEO’s personal iPhone.
A day later, the entire affair still seems like a bad Hollywood movie script. However, the reality is that there’s a lot of context and background to these accusations, along with a long history of enmity and antipathy from the side of Saudi prince.
The Bezos hack is linked to the Amazon CEO being the owner of the Washington Post, the newspaper that employed Jamal Khashoggi, an ardent critic of Saudi Arabia’s government, and the Crown Prince, in particular.
Below is a timeline of all the events that tie in with the Khashoggi murder and the Bezos iPhone hack. We took this timeline from a report published today by two human rights experts at the United Nations, and we updated it with today’s most recent revelations.
All the events that predate and then follow the actual Bezos hack make the entire hacking accusations plausible, when factoring Saudi Arabia’s long history of targeting perceived critics of the Saudi regime with malware, which culminated with Saudi agents murdering Khashoggi in 2018.
December 2016 – At a Washington-based think-tank, Jamal Khashoggi makes critical remarks about Donald Trump’s ascent to the US presidency. Soon after, the Saudi regime cancelled Mr. Khashoggi’s column in the al-Hayat newspaper, and ultimately banned him from writing, appearing on television, and attending conferences. Khashoggi eventually left Saudi Arabia.
October 2013 – Jeff Bezos buys the Washington Post.
September 2017 – The Washington Post publishes Mr. Khashoggi’s first column: “Saudi Arabia wasn’t always this repressive. Now it’s unbearable,” a piece highly critical of Crown Prince Mohammed bin Salman.
November 2017 – The Saudi Royal Guard acquires the Pegasus-3 spyware from NSO Group, an Israeli company that sells surveillance tools to governments across the world.
February 7, 2018 – The Washington Post publishes a column by Mr. Khashoggi entitled: “Saudi Arabia’s crown prince already controlled the nation’s media. Now he’s squeezing it even further,” another piece critical of the Saudi Crown Prince.
February 28, 2018 – Mr. Khashoggi publishes another piece in the Washington Post entitled “What Saudi Arabia’s crown prince can learn from Queen Elizabeth II,” again, criticizing MbS.
March 21, 2018 – Washington Post owner, Mr. Bezos, is invited to attend a small dinner with the Crown Prince in Los Angeles.
April 3, 2018 – Washington Post publishes another column by Mr. Khashoggi while the Crown Prince is in the US in which Mr. Khashoggi writes: “…replacing old tactics of intolerance with new ways of repression is not the answer.”
April 4, 2018 – Mr. Bezos attends dinner with the Crown Prince, in the course of which they exchange phone numbers that correspond to their WhatsApp accounts.4
May 1, 2018 – A message from the Crown Prince account is sent to Mr. Bezos through WhatsApp. The message is an encrypted video file. It is later established, with reasonable certainty, that the video’s downloader infects Mr. Bezos’ phone with malicious code. The video message is believed to be the same as the video in this tweet. Following execution of the malicious video file, investigators saw a spike of data being sent from the device, a 29,000% jump in traffic, consisting of more than 6GB of egress data. Prior to the infection, the Amazon’s CEO had an average of 430KB/day egress data. Following the hack, Bezos’ iPhone maintained a daily average of 101MB/day in egress data for the following months, suggesting a constant state of surveillance.
May, 2018 – The phone of Saudi human rights activist Yahya Assiri is infected with malicious code. Yahya Assiri was in frequent communication with Mr. Khashoggi.
June, 2018 – The phone of Saudi political activist Omar Abdulaziz is infected with malicious code, via a texted link on Whats App. Omar Abdulaziz was in frequent communication with Mr. Khashoggi.
June, 2018 – The phone of an Amnesty International official working in Saudi Arabia was targeted for infection via a WhatsApp link that was determined to lead to an NSO Group-controlled website.
June 23, 2018 – Two phones belonging to Saudi dissident Ghanem al-Masarir al-Dosari, a Saudi human rights activist and a popular political satirist active on YouTube, is targeted via a text link leading to NSO infrastructure.
October 2, 2018 – Mr. Khashoggi is killed by Saudi government officials. The Washington Post begins reporting on the murder, publishing ever-expanding revelations about the role of the Saudi government and of the Crown Prince personally.
October 15, 2018 – A massive online campaign against Mr. Bezos begins, targeting and identifying him principally as the owner of The Washington Post. In November, the top-trending hashtag in Saudi Twitter is “Boycott Amazon.” The online campaign against Mr. Bezos escalates and continues for months.
November 8, 2018 – A single photograph is texted to Mr. Bezos from the Crown Prince’s WhatsApp account, along with a sardonic caption. It is an image of a woman resembling the woman with whom Bezos is having an affair, months before the Bezos affair was known publicly.
February 9, 2019 – Jeff Bezos publishes a Medium blog post describing an attempt by the National Enquirer to extort and blackmail him with nude photos. Bezos hints at a connection between the National Enquirer and the Saudi government.
February 25, 2019 – The Daily Beast runs an op-ed by Iyad el Baghdadi entitled “How the Saudis Made Jeff Bezos Public Enemy No. 1” detailing “mounting evidence that the de facto ruler of the kingdom has been trying to punish Bezos for the fierce coverage by his newspaper, The Washington Post, of the murder of Saudi journalist Jamal Khashoggi.”
March 31, 2019 – Hundreds of major news outlets around the world report on the allegation that Saudi Arabia had access to Mr. Bezos’ phone and had obtained private data. The allegation was first published in a Daily Beast op-ed by Gavin de Becker, entitled “Bezos Investigation Finds the Saudis Obtained His Private Data”, and subsequently reported by the NY Times, CNN, al Jazeera, BBC, Bloomberg, Reuters, and others.
April 1, 2019 – The entire Saudi online campaign against Mr. Bezos stops abruptly, strongly indicating inauthentic and coordinated hashtags and tweets.
April 25, 2019 – Intelligence officials in Norway advise Iyad el Baghdadi (The Daily Beast reporter, see Feb 25, 2019 entry) of a CIA warning that he is being targeted by the Saudis and move him from his home. Intelligence sources believe the threats are connected to Mr. Baghdadi’s work on Jeff Bezos.
May 1, 2019 – Mr. el Baghdadi is advised by a source in Saudi Arabia that the Saudis have successfully targeted his phone.
September 20, 2019 – Twitter suspends 5,000 Saudi accounts for “inauthentic behavior,” including that of an advisor to the Crown Prince, Saud al Qahtani.
October 1, 2019 – Mr. Bezos attends the one-year anniversary memorial for Mr. Khashoggi held outside the Saudi Consulate in Istanbul where Mr. Khashoggi was murdered.
October 2, 2019 – The Saudi online campaign against Mr. Bezos resumes after being dormant for months, specifically citing Mr. Bezos’ attendance of the memorial event, and again calling for boycott of Amazon.
October 29, 2019 – Facebook sues the NSO Group in US federal court for trying to compromise the devices of up to 1,400 WhatsApp users’ in just two weeks.
November 5, 2019 – The US Department of Justice charges three people with serving as Saudi spies inside Twitter. One of the three had left Twitter and gone to work at Amazon.
November 14, 2019 – Facebook confirms that “sending a specifically crafted MP4 file to a WhatsApp user,” is a method for installing malicious spyware; exactly as was sent to Mr. Bezos. See Facebook security advisory for CVE-2019-11391.
December 20, 2019 – Twitter suspends 88,000 accounts linked to Saudi spying case, saying that the accounts were associated with “a significant state-backed information operation” originating in Saudi Arabia.
January 21, 2020 – The Guardian and the Financial Times publish articles claiming the message that hacked Bezos’ phone came from the Crown Prince’s phone number. The articles are based on a still-private report put together by FTI Consulting, a company Bezos hired to investigate how the National Enquirer got hold of his nude photos.
January 22, 2020 – Saudi Arabian government denies the media reports. The United Nations calls for an investigation into Saudi Arabia hacking a citizen of another country. Vice’s Motherboard leaks the full FTI Consulting private investigative report. The report is available for download from here.