How Saudi Arabia Infiltrated Twitter
“Proactive and reactively we will delete evil my brother.”
Ali Alzabarah was panicked. His heart raced as he drove home from Twitter’s San Francisco headquarters in the early evening on Dec. 2, 2015. He needed to leave the country — quickly.
Earlier that day, Twitter’s management accused the unassuming 32-year-old of accessing thousands of user profiles without authorization to pass their identifying information — including phone numbers and IP addresses — reportedly to Bader al-Asaker, the head of Saudi Crown Prince Mohammed bin Salman’s charity and private office. When the conversation concluded, management seized Alzabarah’s laptop, put him on administrative leave, and escorted him out of the building.
Arriving home at San Bruno’s Acappella Apartments — a complex so close to San Francisco International Airport he could hear planes fly overhead — Alzabarah planned his escape. At 5:17 p.m. he called a handler, identified as Associate-1 in the FBI complaint, who arrived in a white SUV two hours later. Driving around Alzabarah’s neighborhood, the two men called “Foreign Official-l” — al-Asaker, according to the Washington Post — at 7:20 p.m., and again at 7:22 p.m. and 7:31 p.m. They then called Dr. Faisal Al Sudairi, the Saudi consul general in Los Angeles, at 8:30 p.m., 8:38 p.m., and 9:26 p.m. Shortly after midnight, the consul general called Alzabarah back and spoke with him for three minutes.
Early the next morning, Alzabarah, his wife, and daughter boarded a plane for Saudi Arabia.
From May 2015 until he was exposed that December, Alzabarah spied for the Saudi Arabian government inside Twitter, a criminal complaint from the FBI alleges. (Unless explicitly attributed to other sources, the details and allegations that follow are taken from the FBI’s criminal complaint.)
"They’re out of the company. You can never talk about it."
Alzabarah and Ahmad Abouammo, a colleague on Twitter’s global media team, regularly accessed and delivered information that could’ve led Saudi intelligence to identify anonymous dissidents. While news of the allegations against them has been public since November 2019, the extent of their roles and abilities inside the company have never previously been reported. Alzabarah, Abouammo, and al-Asaker did not respond to requests for comment.
Though Azabarah fled, he and Abouammo, who remained in the US, are currently indicted in United States federal court on charges of acting as undeclared agents of the Saudi government. No matter the verdict, the case has exposed tech companies’ vulnerability to attempted foreign infiltration. One well-placed employee can potentially do extensive damage.
“The message MBS gets from the world, from powerful countries, from the international community, is that he will get away with whatever he did or will do,” Abdullah Alaoudh, a legal scholar at Georgetown University whose father is imprisoned in Saudi Arabia, told BuzzFeed News. “Because he has money, he can control the process of oil. Therefore, everybody will go back to business as usual.”
Ali Alzabarah’s disappearance didn’t cause a stir inside Twitter. “One day the general counsel came to me and said there was this crazy thing that happened. They’re out of the company. You can never talk about it,” a former Twitter executive told BuzzFeed News. “Inside, it was a total nonthing. No one in the rank and file who had ever heard of it. It was a nonissue.”
Had Twitter’s employees been looking, they would’ve seen little turbulence on the surface.
Alzabarah, a good-natured, diligent employee, joined Twitter in August 2013. He initially came to the US in 2005, on a scholarship from Saudia Arabia, where he is a citizen, and earned degrees in computer science at various US universities, according to the FBI complaint. At Twitter, Alzabarah was a site reliability engineer — or SRE — tasked with keeping the site up and given extensive access to do so. He joined the company at a momentous time, right as the service was growing rapidly outside the United States and emerging as a political force worldwide.
“I worked with him quite a bit,” one former Twitter SRE said. “He was a nice guy. I got along with him. He was helpful. He helped solve problems like everybody else.”
While there, Alzabarah met Abouammo, who joined the company in November 2013.
Abouammo, a gregarious and charismatic operator, joined Twitter just days before the platform’s initial public offering. He landed on its global media team and was responsible for growing usage in the Middle East. Abouammo spent his days speaking and socializing with prominent figures in the Middle East — in news, government, sports, TV, and music — enticing them to post on the site more often, sources on the media team told BuzzFeed News. He was their Twitter concierge.
But in addition to his regular job, Abouammo allegedly had a second task — being a mole for the Kingdom of Saudi Arabia.
Abouammo’s seduction by the Saudi government began innocuously: with a verification request. In April 2014, according to the FBI complaint, a public relations firm representing the Saudi Embassy asked Abouammo to verify an account belonging to a Saudi news personality, whom the FBI complaint did not name. This request for a blue checkmark opened the door to a working relationship with the country’s government.
"All evil begins with a verification request."
“All evil begins with a verification request,” one of Abouammo’s former colleagues at Twitter joked. After the initial exchange, a representative from a US Saudi Arabian business council in Virginia asked Abouammo to set up a tour at Twitter headquarters. The tour, supposedly for entrepreneurs, reportedly included Bader al-Asaker, an official working for Crown Prince Mohammed, who was then in the middle of a fast ascent to power.
Abouammo and al-Asaker met in London a few months later, according to the complaint. At the meeting, al-Asaker gave Abouammo a Hublot Unico Big Bang King Gold ceramic watch. The watch was expensive. In January 2015, Abouammo tried to sell it on Craigslist, claiming it was worth $35,000, but that he’d take $20,000.
Abouammo was eager to please and had a taste for money, a counterpart at a rival company who knew him told BuzzFeed News. “I think it was an extremely cash-based relationship,” he said.
A week after returning to Twitter’s San Francisco headquarters, Abouammo logged into the system he used to verify users, according to the complaint. That system, sources who’ve accessed it told BuzzFeed News, stores information including email addresses, telephone numbers, and last log-in time — sufficient personal data to track down a user in real life.
Accessing two Saudi dissidents’ information — one a prominent critic with more than 1 million followers, the other an impersonator of a Saudi Royal family member — Abouammo allegedly passed the information to al-Asaker. Twitter had long been a godsend to dissidents: Unlike Facebook, it had no policy requiring people to use their real names, allowing critics of repressive government to speak more freely. The allegations threw its value as a tool of anonymous dissent into question.
When it built its global media team, Twitter didn’t prepare for possible scenarios in which employees with access to sensitive data and close relationships with foreign governments might use it to spy, according to former employees.
“The people running onboarding didn’t do much training in terms of the specificities of the challenges that we would be facing,” an ex-Twitter employee who worked alongside Abouammo told BuzzFeed News. “Nobody told us that we would be approached, that we would be — I don’t know if ‘seduced’ is the right word — that we would be intimidated into giving any kind of Twitter information.” Twitter has not responded to questions regarding this issue.
State agents pressuring Twitter employees to deliver private information wasn’t uncommon at the company, former employees tell BuzzFeed News.
A former colleague of Abouammo said US, UK, and Israeli security agencies pressed employees of Twitter’s media team for private information, including the Pentagon and CIA. “I can tell you, I’ve said no a lot,” he said. A spokesperson for the Pentagon declined to comment; a CIA spokesperson did the same.
Over the course of two years, al-Asaker paid Abouammo — via wire transfers to various accounts and a close relative — more than $300,000, some of which he used for a down payment on a house in Seattle. To al-Asaker, Abouammo provided private information on at least two dissidents, which the FBI complaint refers to as User-1 and User-2. But he could only take the Saudis so far.
If you want to extract data — lots of it — from a tech company, a site reliability engineer can be quite helpful. SREs keep websites and apps up and running, and by necessity, often have extraordinary access into their companies’ internal systems.
Abouammo could access a user record here and there, but nothing close to what an SRE could get. And so, in February 2015, a few months after accepting the watch, he made an introduction, putting his handlers in contact with Alzabarah, a Saudi citizen living in San Bruno and a Twitter SRE.
Unlike Abouammo, Alzabarah blended into the background at Twitter. He was quiet and pleasant. Good at his job. Inconspicuous.
Alzabarah’s aspirations were simple: In an Apple Note typed on July 18, 2015, and recovered by the FBI in a search of his Apple account, he wrote that he wanted a high-level position in a “charitable organization run by Foreign Official-I,” according to the bureau complaint. He later became CEO of the Misk Initiatives Center, an arm of Mohammed bin Salman’s Misk Foundation, a nonprofit the crown prince founded in 2011, the secretary-general of which is al-Asaker.
“I would like to become a member in it by any means or take training classes in leadership and business administration,” he wrote. “I want a permanent position ... something that secures my future and my family's, strengthens my relationship with them, and [makes me] feel reassured.”
"He goes back and forth between Turkey and Iraq."
In May 2015, Alzabarah “began to access without authorization private data of Twitter users en masse,” according to the FBI complaint. Within six months, Alzabarah had pulled data on more than 6,000 users. This group included 33 users whose private data the Saudis had asked the social media platform to share through emergency disclosure requests. Twitter, the FBI complaint says, did oblige in at least five instances. Not only did Alzabarah hand over IP addresses of an undisclosed number of these users, but he also took detailed notes, tracking the movements of users of interest.
Alzabarah’s fellow SRE wasn’t surprised at the level of detail his colleague was allegedly able to access. “If you're a foreign government looking to spy on other people, perhaps your own citizens, having that gives you an unprecedented level of access to the data,” he told BuzzFeed News.
“He goes back and forth between Turkey and Iraq,” Alzabarah wrote in a note to himself in his email account about one user on June 6, 2015, according to the complaint.
“He is in Turkey and has a friend, or something, and they use the same Michigan State University account,” he wrote about another.
“He signed up for the service but he does his own encryption. We tracked him and found that 12 days ago he signed in once without encryption from IP [redacted],” he wrote of a third.
Even outside of Saudi Arabia, the dissidents weren’t necessarily safe. On Oct. 2, 2018, Saudi agents with close ties to the crown prince murdered Washington Post journalist Jamal Khashoggi, a critic of the regime, at the Saudi consulate in Istanbul. The Riyadh government has denied Crown Prince Mohammed knew about the assassination, but United States officials have said it could not have been carried out without his approval.
On Feb.17, 2016, Omar Abdulaziz, a Saudi dissident with a popular YouTube channel and Twitter page who applied for asylum in Canada in 2014 and received it, got an email. The message from Twitter’s security team informed him a “bug” had exposed his and a small number of other accounts’ personal information. “The email address and phone number linked to your account was viewed by another account,” it read. “We wanted to alert you as soon as possible.”
Abdulaziz, a friend of Khashoggi’s, told BuzzFeed News this email was the closest Twitter came to telling him Alzabarah accessed his information. He is now suing the social media platform over what he claims is a lack of disclosure about the incident. Twitter denies the charges. Abdulaziz believes he subsequently identified himself in the FBI complaint. “Twitter User-9 is a well-known and influential critic of the government with asylum in Canada,” the FBI complaint said.
“I’m user number nine,” Abdulaziz told BuzzFeed News. Twitter has not responded to questions regarding this claim.
Although the alleged spying put Abdulaziz at risk, the deeper damage was done to those Twitter users in Saudi Arabia, he said. He believes some were arrested and tortured.
BuzzFeed News could not independently confirm Abdulaziz’s account, as the full list of user profiles that Alzabarah and Abouammo allegedly accessed has still not been made public. But Abdulaziz believes that speaking out against the Saudi Arabian government on the platform is now dangerous. “Ten years ago, we were using Twitter to expose our opinion on what's really going on there, and we felt safe,” he said. “It was a secure platform for us. It's not like that anymore.”
Abouammo left Twitter in 2015 for a job at Amazon in Seattle. It was there that FBI agents visited him on Oct. 20, 2018. An Amazon spokesperson did not immediately respond to a request for comment.
Agent Letitia Wu of the FBI’s Palo Alto office arrived at his house with questions about his alleged actions. Asked about the watch, Abouammo called it "plasticky,” "junky,” and worth only $500. Asked about the Saudi money, he said he only received $100,000, while the FBI says he received much more.
"Twitter was a secure platform for us. It's not like that anymore."
In a bungled attempt to show he was paid for work he did after he left Twitter, Abouammo falsified a document the day the FBI agents visited him, according to the complaint. With agent Wu waiting, he went into his bedroom and returned with an invoice between him and al-Asaker. It said he worked for al-Asaker in 2015 and 2016, but according to the FBI, which reviewed its metadata, the document had been created on Oct. 20, 2018, the day of the visit.
When the FBI arrested Abouammo for failing to register as a foreign agent, it added charges of falsifying an invoice in an attempt to obstruct a federal criminal investigation.
Twitter, after learning of Alzabarah and Abouammo’s actions, installed safeguards to prevent employees from misusing their access.
“We are constantly working to ensure our processes, systems, and checks protect the people that use our services,” a Twitter spokesperson told BuzzFeed News. “This includes learning from incidents like this. For example, we have made changes to our backend systems, our employee training, and our security and infrastructure to guard against this type of situation.”
“Company data access is limited to those with a business justification for access and is constantly reviewed,” the spokesperson continued. “It's clear from incidents such as this that threats will evolve and change, but we will remain vigilant. Our proactive efforts — and the efforts of the entire industry — are never done.”
A federal court in San Francisco has its next hearing scheduled in the case today. When his trial starts, Abouammo’s defense may struggle to explain the fake invoice. And then there’s a Twitter direct message he allegedly sent al-Asaker. “Proactive and reactively,” he said, “we will delete evil my brother.” ●