A timeline of events surrounding the Bezos phone hack
News — almost impossible to believe — broke yesterday that the Crown Prince of Saudi Arabia, Mohammed bin Salman, was somehow involved in the hacking of Amazon CEO Jeff Bezos.
According to reports from the Guardian and the Financial Times, the Saudi royal family member, commonly referred to as MbS, allegedly sent a booby-trapped video to Bezos via a WhatsApp message last year, on May 1, 2018.
According to a report into the hack put together by FTI Consulting, the video supposedly exploited a WhatsApp bug to download and install malware on Bezos’ phone, which then proceeded to exfiltrate data from the Amazon CEO’s personal iPhone.
A day later, the entire affair still seems like a bad Hollywood movie script. However, the reality is that there’s a lot of context and background to these accusations, along with a long history of enmity and antipathy from the side of the Saudi prince.
The Bezos hack is linked to the Amazon CEO, who is the owner of The Washington Post, the newspaper that employed Jamal Khashoggi, an ardent critic of Saudi Arabia’s government, and the Crown Prince, in particular.
Below is a timeline of all the events that tie in with the Khashoggi murder and the Bezos iPhone hack. We took this timeline from a report published today by two human rights experts at the United Nations, and we updated it with today’s most recent revelations.
All the events that predate and then follow the actual Bezos hack make the entire hacking accusations plausible when factoring Saudi Arabia’s long history of targeting perceived critics of the Saudi regime with malware, which culminated with Saudi agents murdering Khashoggi in 2018.
October 2013 – Bezos buys The Washington Post.
December 2016 – At a Washington-based think-tank, Khashoggi makes critical remarks about Donald Trump’s ascent to the US presidency. Soon after, the Saudi regime canceled Khashoggi’s column in the al-Hayat newspaper, and ultimately banned him from writing, appearing on television, and attending conferences. Khashoggi eventually left Saudi Arabia.
September 2017 – The Washington Post publishes Khashoggi’s first column: “Saudi Arabia wasn’t always this repressive. Now it’s unbearable,” a piece highly critical of Crown Prince Mohammed bin Salman.
November 2017 – The Saudi Royal Guard acquires the Pegasus-3 spyware from NSO Group, an Israeli company that sells surveillance tools to governments across the world.
Feb. 7, 2018 – The Washington Post publishes a column by Khashoggi entitled: “Saudi Arabia’s crown prince already controlled the nation’s media. Now he’s squeezing it even further,” another piece critical of the Saudi Crown Prince.
Feb. 28, 2018 – Khashoggi publishes another piece in the Washington Post entitled “What Saudi Arabia’s crown prince can learn from Queen Elizabeth II,” again, criticizing MbS.
March 21, 2018 – Washington Post owner, Jeff Bezos, is invited to attend a small dinner with the Crown Prince in Los Angeles.
April 3, 2018 – Washington Post publishes another column by Khashoggi while the Crown Prince is in the US in which Khashoggi writes: “…replacing old tactics of intolerance with new ways of repression is not the answer.”
April 4, 2018 – Bezos attends dinner with the Crown Prince, in the course of which they exchange phone numbers that correspond to their WhatsApp accounts.
May 1, 2018 – A message from the Crown Prince account is sent to Bezos through WhatsApp. The message is an encrypted video file. It is later established, with reasonable certainty, that the video’s downloader infects Bezos’ phone with malicious code. The video message is believed to be the same as the video in this tweet. Following the execution of the malicious video file, investigators saw a spike of data being sent from the device, a 29,000% jump in traffic, consisting of more than 6GB of egress data. Prior to the infection, Amazon’s CEO had an average of 430KB/day egress data. Following the hack, Bezos’ iPhone maintained a daily average of 101MB/day in egress data for the following months, suggesting a constant state of surveillance.
May 2018 – The phone of Saudi human rights activist Yahya Assiri is infected with malicious code. Assiri was in frequent communication with Khashoggi.
June 2018 – The phone of Saudi political activist Omar Abdulaziz is infected with malicious code, via a texted link on WhatsApp. Omar Abdulaziz was in frequent communication with Khashoggi.
June 2018 – The phone of an Amnesty International official working in Saudi Arabia was targeted for infection via a WhatsApp link that was determined to lead to an NSO Group-controlled website.
June 23, 2018 – Two phones belonging to Saudi dissident Ghanem al-Masarir al-Dosari, a Saudi human rights activist and a popular political satirist active on YouTube, are targeted via a text link leading to NSO infrastructure.
Oct. 2, 2018 – Khashoggi is killed by Saudi government officials. The Washington Post begins reporting on the murder, publishing ever-expanding revelations about the role of the Saudi government and the Crown Prince personally.
Oct. 15, 2018 – A massive online campaign against Bezos begins, targeting and identifying him principally as the owner of The Washington Post. In November, the top-trending hashtag in Saudi Twitter is “Boycott Amazon.” The online campaign against Bezos escalates and continues for months.
Nov. 8, 2018 – A single photograph is texted to Bezos from the Crown Prince’s WhatsApp account, along with a sardonic caption. It is an image of a woman resembling the woman with whom Bezos is having an affair, months before the Bezos affair was known publicly.
Feb. 9, 2019 – Bezos publishes a Medium blog post describing an attempt by the National Enquirer to extort and blackmail him with nude photos. Bezos hints at a connection between the National Enquirer and the Saudi government.
Feb. 25, 2019 – The Daily Beast runs an op-ed by Iyad el Baghdadi entitled “How the Saudis Made Jeff Bezos Public Enemy No. 1” detailing “mounting evidence that the de facto ruler of the kingdom has been trying to punish Bezos for the fierce coverage by his newspaper, The Washington Post, of the murder of Saudi journalist Jamal Khashoggi.”
March 31, 2019 – Hundreds of major news outlets around the world report on the allegation that Saudi Arabia had access to Bezos’ phone and obtained private data. The allegation was first published in The Daily Beast op-ed by Gavin de Becker, entitled “Bezos Investigation Finds the Saudis Obtained His Private Data“, and is subsequently reported by the NY Times, CNN, al Jazeera, BBC, Bloomberg, Reuters, and others.
April 1, 2019 – The entire Saudi online campaign against Bezos stops abruptly, strongly indicating inauthentic and coordinated hashtags and tweets.
April 25, 2019 – Intelligence officials in Norway advise el Baghdadi (The Daily Beast reporter, see Feb 25, 2019 entry) of a CIA warning that he is being targeted by the Saudis and move him from his home. Intelligence sources believe the threats are connected to el Baghdadi’s work on Bezos.
May 1, 2019 – El Baghdadi is advised by a source in Saudi Arabia that the Saudis have successfully targeted his phone.
Sept. 20, 2019 – Twitter suspends 5,000 Saudi accounts for “inauthentic behavior,” including that of an advisor to the Crown Prince, Saud al Qahtani.
Oct. 1, 2019 – Bezos attends the first anniversary memorial for Khashoggi held outside the Saudi Consulate in Istanbul where he was murdered.
Oct. 2, 2019 – The Saudi online campaign against Bezos resumes after being dormant for months, specifically citing Bezos’ attendance of the memorial event, and again calling for a boycott of Amazon.
Oct. 29, 2019 – Facebook sues the NSO Group in US federal court for trying to compromise the devices of up to 1,400 WhatsApp users’ in just two weeks.
Nov. 5, 2019 – The US Department of Justice charges three people with serving as Saudi spies inside Twitter. One of the three had left Twitter and gone to work at Amazon.
Nov. 14, 2019 – Facebook confirms that “sending a specifically crafted MP4 file to a WhatsApp user,” is a method for installing malicious spyware; exactly as was sent to Bezos. See Facebook security advisory for CVE-2019-11391.
Dec. 20, 2019 – Twitter suspends 88,000 accounts linked to the Saudi spying case, saying that the accounts were associated with “a significant state-backed information operation” originating in Saudi Arabia.
Jan. 21, 2020 – The Guardian and the Financial Times published articles claiming the message that hacked Bezos’ phone came from the Crown Prince’s phone number. The articles are based on a still-private report put together by FTI Consulting, a company Bezos hired to investigate how the National Enquirer got hold of his nude photos.
Jan. 22, 2020 – Saudi Arabian government denies the media reports. The United Nations calls for an investigation into Saudi Arabia hacking a citizen of another country. Vice’s Motherboard leaks the full FTI Consulting private investigative report. The report is available for download from here.