Three former US intelligence operatives have admitted to breaking US laws by carrying out hacking operations for the United Arab Emirates.
US prosecutors said the men had agreed to pay $1.7m (£1.2m) to resolve charges of computer fraud, access device fraud and violating export controls.
They worked for an unnamed UAE-based firm and allegedly hacked into servers, computers and phones around the world.
There was no immediate comment from the men or Emirati officials.
Earlier this year, the UAE was accused of using malware from the Israeli company NSO Group to spy on journalists, dissidents and rival governments.
Dubai princesses’ phone numbers ‘on Pegasus list’
Are we all becoming unknowing spies?
The US justice department said the former intelligence officers – US citizens Marc Baier and Ryan Adams, and former US citizen Daniel Gericke – initially worked for a US company that provided cyber services to a UAE government agency in compliance with the International Traffic in Arms Regulations (ITAR).
The regulations require companies to obtain pre-approval from the US government prior to releasing information regarding a hacking operation and to agree not to target US citizens and permanent residents or US entities.
In 2016, the three men joined the UAE-based company as senior managers and began carrying out hacking operations for the benefit of the UAE government without obtaining the required licences from the US, according to the justice department.
Over the next three years, it alleged, they supervised the creation of two similar sophisticated “zero-click” computer hacking and intelligence gathering systems – “Karma” and “Karma 2” – that could compromise a device without any action by the target and allowed users to access tens of millions of devices made by a US technology company that was not identified.
The justice department said employees of the company had leveraged the systems to illegally obtain and use credentials for online accounts issued by US companies, and to obtain unauthorised access to computers and mobile phones around the world, including in the US.
“Hackers-for-hire and those who otherwise support such activities in violation of US law should fully expect to be prosecuted for their criminal conduct,” said Acting Assistant Attorney General Mark Lesko of the justice department’s National Security Division.
The justice department said it filed the charges against the three men under a deferred prosecution agreement that requires them to pay financial penalties, sever ties with UAE intelligence or law enforcement agencies, and never again seek a US security clearance.