Three years ago, several environmental groups noticed that they had been receiving suspicious emails with fake Google News articles and other links related to their climate-change campaign against Exxon Mobil. The emails came from accounts that impersonated their own colleagues and lawyers.
Those phishing emails have now led to a federal criminal investigation into a sprawling hacking-for-hire operation that for years has targeted the email accounts of government officials, journalists, banks, environmental activists and other individuals, according to people briefed on the inquiry.
As part of the investigation, federal prosecutors in Manhattan conducted interviews earlier this year with environmental groups that received the emails, including the Rockefeller Family Fund, some of the people familiar with the inquiry said.
Prosecutors are investigating the hackers behind the operation and who hired them, the people said, speaking on the condition of anonymity so they could discuss an ongoing investigation. Exxon Mobil has not been accused of any wrongdoing.
Details of the hacking campaign were made public on Tuesday in a report by Citizen Lab, a cybersecurity watchdog group at the University of Toronto. The report said that thousands of people on six continents had been targeted by phishing emails for at least four years in the same operation.
Citizen Lab has provided its information to federal prosecutors in Manhattan to assist them in their criminal investigation. A spokesman for the United States Attorney’s Office in Manhattan declined to comment.
The investigation, along with Citizen Lab’s findings, pointed to a growing hacker-for-hire industry used by individuals and companies to target the email accounts of their adversaries.
“In our investigation, we determined that hiring hackers may be a relatively common practice for many private investigators,” said John Scott-Railton, the report’s lead author. “The sheer scale of it is remarkable to us.”
The phishing emails were sent to a wide range of targets, including government officials in multiple countries, pharmaceutical companies, law firms, hedge funds, banks, nonprofits and even people involved in divorce proceedings.
Citizen Lab’s report concluded with “high confidence” that the operation was carried out by a company in India, which the report said advertised “ethical hacking” services on its website and in social media.
Hacking companies based overseas are often hired through a series of intermediaries, such as law firms and private investigators, to mask the ultimate clients and give them plausible deniability, the Citizen Lab report said.
In this operation, the targets of the hacking were often “on one side of a contested legal proceeding, advocacy issue or business deal,” suggesting the hackers had been hired by customers seeking to collect information and private emails from their adversaries in criminal cases, financial transactions and other high-profile events, the report said.
Although thousands were targeted, Citizen Lab has not determined how many people clicked on the emails and exposed their accounts to hackers. The operation is believed to still be active, Mr. Scott-Railton said.
One of the most troubling findings, he said, was that phishing emails had been sent to dozens of journalists in the United States and around the world in an apparent attempt to figure out their sources.
Citizen Lab, which has helped victims of digital surveillance, began its investigation in 2017 after a journalist received a suspicious email and brought it to the group’s attention.
The group then uncovered thousands of other targeted individuals bearing the same digital fingerprints and provided the information to the federal prosecutors.
Citizen Lab’s report said a large group of targets in the hacking campaign were American nonprofit groups that had been battling publicly with Exxon Mobil for years over whether the oil company engaged in an effort to mislead the public about climate science, which the company has denied.
The targeted organizations included the Rockefeller Family Fund, the Climate Investigations Center and Greenpeace. The report could not say with certainty whether the hackers had successfully broken into their networks.
Some of the phishing emails were tailored to the organizations’ work on Exxon and climate change, the report said. For instance, multiple emails invited recipients to click on links to fake Google News articles about Exxon, and many of the messages were sent from email accounts impersonating people involved in the advocacy campaign against Exxon, including lawyers.
The report did not accuse Exxon Mobil of wrongdoing and said Citizen Lab had no strong evidence linking the hacking to a corporate sponsor. A spokesman for Exxon Mobil said the company had no immediate comment because it had not seen the report.
One person has already been arrested as part of the federal criminal investigation: a man who ran a private investigations company in Israel. He was taken into custody last year after he traveled to Florida for a family vacation.
The defendant, Aviram Azari, was indicted in Manhattan and charged with four criminal counts, including wire fraud, identity theft and conspiracy to commit computer hacking.
The indictment alleged that he worked with unnamed co-conspirators who sent phishing emails that allowed them to successfully penetrate certain electronic accounts in 2017 and 2018, including ones that belonged to an unnamed victim in New York.
One of the co-conspirators invited Mr. Azari to India to “conduct business meetings with our senior management,” the indictment said.
Mr. Azari, who served in the 1990s in an Israeli police unit that focused on covert surveillance, was one of the most sought-after private investigators in Israel, according to two clients who said they had used his services several times. He was often hired by customers to gather intelligence about their business competitors, according to a friend of Mr. Azari.
The charging documents against Mr. Azari did not identify his clients. He has pleaded not guilty.
His lawyer, Barry S. Zone, said Mr. Azari maintains his innocence.
“We look forward to addressing the charges in due course,” Mr. Zone said, adding that his client has not entered into any cooperation agreement with the government.