ExxonMobil hired a private investigator to hack the email accounts of climate activists who were trying to hold the company accountable for its decades of climate deception.
That is the accusation at the center of a federal criminal case that landed in a New York courtroom this spring, after years of DOJ investigation and a transatlantic extradition fight. The oil giant denies it. The lobbying firm it paid to manage the operation denies it. The accused hacker, Israeli private investigator Amit Forlit, has pleaded not guilty. But the unsealed indictment tells a story the denials cannot touch: a sequenced transaction chain leading from Exxon’s “headquarters in Irving, Texas” through its longtime lobbying firm DCI Group to Forlit, who allegedly paid Aviram Azari, an Israeli hacker who pleaded guilty in 2022 to running a global phishing operation that successfully breached more than 100 victims’ email accounts.
The statute the DOJ is wielding in this case is the Computer Fraud and Abuse Act — 18 U.S.C. § 1030, enacted in 1986 and amended repeatedly since — supplemented by wire-fraud charges under 18 U.S.C. § 1343. The CFAA criminalizes unauthorized access to protected computers. What Azari did and what Forlit allegedly directed — phishing emails disguised as shared Dropbox documents, deploying a hack-for-hire team to breach accounts and exfiltrate communications — falls squarely within the statute’s prohibitions.
The strongest case for what this prosecution protects begins with the victims themselves. Kert Davies received 80 phishing emails including one labeled “ExxonMobil (confidential).docx.” Lee Wasserman of the Rockefeller Family Foundation found himself whispering in his office, wondering if the bugs were there too. Jennifer Cunningham discovered only on reading the indictment this spring that the hackers who targeted her had been successful. These individuals had a reasonable expectation that their private communications, organizing strategies, and investigative files were their own. The CFAA says they were right. Section 1030(a)(2) criminalizes intentional access to a protected computer without authorization to obtain information; § 1030(b) criminalizes conspiracy to commit the same. The statute protects victim privacy as a concrete, enforceable right — not as a policy aspiration but as a federal felony carrying up to five years per count, or ten years when committed for commercial advantage.
Beyond individual privacy, the CFAA serves a market-level deterrent function. Prosecuting hack-for-hire operators like Azari and the intermediaries who direct them like Forlit sends a signal through the transnational surveillance-for-hire industry: the FBI can reach you regardless of where you sit in the chain. The CFAA’s extraterritorial reach — operationalized here through the extradition proceedings from the United Kingdom that brought Forlit to a New York courtroom — extends that deterrent to the global marketplace. And § 1030(g) preserves victims’ civil right of action, allowing Davies, Wasserman, Cunningham, and the others to pursue damages independent of whether the DOJ’s prosecution reaches the parties they most want held accountable.
The prosecution does what the CFAA was built to do: punish the intrusion and the immediate facilitators. Azari pleaded guilty. Forlit stands indicted. The statute reaches the instrument.
But it was never designed to reach the hand that wrote the check.
The indictment charges Azari and Forlit. It does not charge ExxonMobil. It does not charge DCI Group. There is no conspiracy count naming the corporate client. There is no client-liability theory in the charging documents. The CFAA criminalizes unauthorized access — the act of breaking in — not the act of knowing commission, not the act of receiving stolen intelligence, not the act of deploying that intelligence in legal proceedings. A corporate client can commission the breach, receive the stolen product through an intermediary, and incorporate it into its own litigation strategy, and the statute treats that client as functionally outside the scope of criminal liability. The hired instrument faces prosecution. The entity that hired the instrument faces a denial it can maintain as a “legal posture” precisely because the statute’s architecture makes the posture structurally defensible.
The economics make the structure’s practical consequence visible. Forlit’s firms allegedly earned $7 million between 2014 and 2017, including for the climate hack. Azari’s clients paid him more than $4.8 million over five years. The DOJ has confirmed the successful hacking of more than 100 of Azari’s victims worldwide. These numbers sit in a category of criminal referral that the legal system has shown conspicuously limited appetite to pursue beyond the individual hackers at the bottom of the chain and their immediate handlers. The client paid. The information flowed. No corporate representative has been charged. The CFAA’s gap is not incidental to the statute’s operation; it is the architecture’s defining feature. The statute punishes the act of unauthorized access. It does not criminalize knowledge of the access, benefit from the stolen material, or the commissioning of the access through layers of intermediation. Exxon and DCI operate in the space the statute leaves open.
The DOJ’s sentencing memo for Azari, filed after his guilty plea, confirms that hacked documents stolen from climate advocates’ online accounts were leaked to the press and that articles based on those hacked documents were incorporated into Exxon’s own court filings as it battled state attorneys general. Stolen intelligence — exfiltrated through phishing emails targeting people whose crime was assembling evidence of Exxon’s own climate knowledge — was laundered through the legitimating machinery of the courts. When a company knowingly incorporates stolen material into its litigation strategy, the question extends beyond the CFAA’s gap. It reaches the integrity of the litigation the stolen material entered. The fossil fuel industry’s track record of using the judicial system as a weapon against climate accountability is already documented. What the Forlit indictment adds is the revelation that Exxon was willing to operate outside the judicial system entirely — to hire criminals to do the work the legal briefs could not do, and to launder the stolen product back through the same court filings the activists’ own evidence had been building.
The key evidence, laid out in the unsealed indictment and in UK extradition filings, connects the transaction chain in a way that makes the company’s “we had no knowledge” posture untenable. A principal at DCI Group allegedly emailed Forlit in the fall of 2015 — as the New York attorney general’s investigation into Exxon was taking shape — with a memo laying out how they “would operationalize the research on the bad guys.” The cover email said: “This is what I gave the client yesterday.” Forlit allegedly responded with a $125,000 monthly budget proposal. Azari and his Indian hack-for-hire team then began sending phishing emails disguised as shared Dropbox documents to the inboxes of the activists who had spent the preceding year exposing what Exxon’s own scientists knew about climate change by 1982.
The victims have been waiting since 2016. The case is now in motion.
The trial has not yet begun. The statute the DOJ has deployed will do what it was built to do — punish the intrusion and its immediate facilitators. The CFAA protects the privacy of the 100-plus victims whose accounts were breached. It deters the next hack-for-hire operator calculating whether the money is worth the federal sentence. It preserves the victims’ civil right of action for damages. It reaches the instrument with precision.
What the CFAA does not reach — and was never built to reach — is the entity at the end of the payment chain whose stolen intelligence was absorbed into its own litigation strategy. The indictment, the extradition filings, and the sentencing memo all trace the same chain of payments and the same memo about going “on offense” to the same corporate headquarters. The company’s denial is a legal posture, not a factual mystery. The statute’s silence on the buyer is what makes the posture tenable.