A computer scientist has complained that he was propositioned by the Dutch secret service to lead a new team of nation-state hackers and spy on Dutch citizens and other hackers abroad.
Buro Jansen & Janssen, a journalism non-profit that has been investigating political corruption, police corruption and government surveillance in the Netherlands since 1984, has interviewed an independent Dutch security researcher under condition of anonymity who claims that he was tracked down and offered a job by the Dutch General Intelligence and Security Service, which is also known as AIVD (Algemene Inlichtingen- en Veiligheidsdienst).
The man says that he runs several Tor exit nodes for research purposes and is a Delft University of Technology alumnus. He claims that he was at a gym having a drink in early January when he was approached by a man and a woman, who told him that they worked for AIVD and produced badges representing the Ministry of Internal Affairs.
How about spying on Chaos Computer Club?
The AIVD agents told the man that they had read his university thesis on computer security and were impressed by his research. They then offered him several job opportunities, such as asking if he would like to help run a new unit in the Dutch secret service called "Joint Sight Cyber Unit" and help to lead young IT university students in hacking work for the government, which would include carrying out Distributed Denial of Service (DDoS) attacks on websites.
"They [also] asked me if I was interested in travelling for a couple of years and for example work in Germany at a technology company while visiting the Chaos Computer Club's hackerspaces to see what's going on and report back to them. All my expenditures would be covered," the researcher said.
"Here I should have realised they were trying to recruit me to spy in Germany but I was still in shock because I never thought secret agents would have an interest in me."
The researcher says that the agents also suggested that he could take "paid holidays" to hacker parties in Italy, Austria, Spain and other countries to learn about hacking methods and report back to AIVD: "They were very honest about the fact that they were looking for foreign talent but mostly interested in keeping tabs on Dutch IT professionals and hackers abroad. They emphasised monitoring Dutch people abroad at least three times."
Maybe you'd like to run state-sponsored Tor exit nodes?
The AIVD agents mentioned that they knew he was running Tor exit nodes and asked him how he paid for them. When he replied that he ran them from the cloud, they then asked him if he would like to expand and run a whole network of Tor exit nodes in the Netherlands for the government, with all costs paid for by the Dutch secret service.
Since the Tor anonymity network exists to anonymise and redirect internet traffic through a worldwide network of relays run by volunteers, so that it is impossible to figure out where the user is located, running government-sponsored Tor exit nodes would be a gross invasion of privacy, if not illegal, so the man said no.
"This is where I should have left my drink and walked away but they were clinging on to me and kept talking fast as if they knew I was about leave. The man told me: 'You are not obliged to do anything, just to hear us out. If you work with us there are benefits, for example if we ask you to crash a system in a public place and you would be arrested for that, we make sure you don't get arrested and nobody will know about it, not even the police," said the researcher.
When the researcher again indicated that he was not interested and that he wanted to leave, the agents turned threatening.
If you don't work for us, the police will come seize your stuff
"The old man who showered me with compliments suddenly said: 'Look, we know about your Tor exit nodes, if you run them with us you will be able to make a living out of it, but if you don't and something illegal happens, we can't help you if the police visits your home and seizes your equipment,'" said the researcher.
"I replied, 'I'm not doing anything illegal,' but he didn't care about what I said. He continued: 'We recommend that you not speak to anybody about this because it's punishable by Article 60 of the law and it's too bad you've chosen this route.'"
The researcher told Buro Jansen & Janssen that he wanted his account to be published to warn the Dutch ethical hacking community. The non-profit says they verified that the source is genuine and that they have seen in the past that the Dutch secret service targets people to work for them who they think can easily be influenced, are vulnerable or unstable, or if they think there is anything the person has done that can be used to threaten them with.
"The agents [names redacted] threatened the person who wrote this account not to make it public. This threat has no moral or legal basis. If the secret service tries to recruit you, talk to your friends about it, to fellow hackspace users, community members, acquaintances, family and other people or even better, publish your story," said the agency.