This blog is an excerpt from the UCS Report ‘Decades of Deceit,’ which Kathy Mulvey coauthored with Delta Merner, Laura Peterson, and Seth Shulman. Read the full report here.
Much evidence has surfaced about the tactics to which fossil fuel companies have resorted to distort the facts, intimidate their opponents, and block climate action that might hurt their bottom lines.
One still-developing criminal conspiracy case seems to take such underhanded activities to new heights, however. The alleged scheme involved hacking into the email accounts of staff members at UCS and several other public interest organizations, all of whom were working to hold fossil fuel companies accountable for their role in climate change. Court documents and related reporting suggest that the US government possesses evidence that the criminal scheme was indirectly paid for by ExxonMobil and that one of its lobbying firms, the Washington, DC-based DCI Group, provided a list of “targets” to a middleman linked to the hackers and sent the fruits of the hacking to the oil and gas company. The hacking, occurring between 2015 and 2018, targeted at least 128 individuals.
One of the hackers who carried out this scheme, Aviram Azari, an Israeli private detective, was arrested in 2019 and pleaded guilty in US district court in 2023 to three counts: conspiracy to commit computer hacking, wire fraud, and aggravated identity theft. According to the US government’s sentencing memo, clients of Azari’s firm paid him approximately $4.8 million from November 2014 through his arrest in September 2019 for managing intelligence-gathering and multiple hacking campaigns (including the attack on UCS) (United States District Court, Southern District of New York 2023). Azari was sentenced to over six years in prison for his part in the conspiracy but was released from prison on January 3, 2025, after serving only a portion of his sentence.
More recently, however, a court filing in Britain has revealed critical new allegations about the hacking scheme and who was behind it. A US government filing in Britain’s Westminster Magistrates’ Court requested the extradition from Britain to the United States of another Israeli citizen named Amit Forlit, who is being held in custody in London (United States District Court, Southern District of New York 2025b). Forlit’s hearing in British court began on January 22, 2025, and continued with court dates in early February, early March, and on April 30, 2025, when the extradition was granted (John 2025).
The filing reveals that a multiyear investigation by the US Department of Justice and conducted by the Federal Bureau of Investigation led to a sealed grand jury indictment of Forlit for his alleged involvement in several criminal hacking schemes, as well as a US warrant for his arrest. To support the government’s case that Forlit should be extradited to the United States to face trial, the document publicly reveals many new details about the hacking scheme alleged by the US government. According to court filings and related reporting, the US government’s allegations include:
- Forlit’s clients included a consulting firm in Washington, DC, later identified by Forlit’s attorney in a court filing as the DCI Group, which has a long history of working for ExxonMobil (United States District Court, Southern District of New York 2025b). (ExxonMobil reportedly ended its contract with the DCI Group in 2020. This was after the hacking investigation became public [Matthews, Strasburg, and Hope 2024]).
- The DC-based lobbying group paid Forlit’s multiple firms a total of $16 million between 2013 and 2018 (United States District Court, Southern District of New York 2025b).
- For one of its projects, the DC-based lobbying group “acted on behalf of one of the world’s largest oil and gas corporations, centred in Irving, Texas, in relation to ongoing climate change litigation being brought against it” (United States District Court, Southern District of New York 2025b). Forlit’s attorney stated in a January filing that the corporation in question is ExxonMobil (United States District Court, Southern District of New York 2025a).
Both ExxonMobil and the DCI Group have so far publicly denied involvement in the hacking scheme. At the time of Azari’s sentencing, an ExxonMobil spokesperson said that the company “has no knowledge of Azari, had no involvement in any hacking activities and has not been accused of any wrongdoing” (Matthews 2023). In subsequent media reports, ExxonMobil has said it “has not been involved in or aware of any hacking activities,” while DCI Group has said: “We direct all our employees and consultants to comply with the law” (Satter and Bing 2024).
But the US government’s recent filing suggests it is in possession of evidence to the contrary against DCI Group. According to the extradition filing, the US government’s evidence includes:
“(i) dozens of email accounts, including four used by [Forlit], obtained via judicially authorised search warrants; (ii) financial and business records; (iii) the product of the searches of Azari’s two mobile telephones.” (United States District Court, Southern District of New York 2025b)
The extradition filing claims that the US government possesses evidence that Forlit met in person with the DC-based lobbying group (which, per Forlit’s attorney, is DCI Group), that the perpetrators referred to the hacking scheme as “Operation Fox Hunt,” and that it included at least 128 individual hacking targets (United States District Court, Southern District of New York 2025b).
The extradition filing claims that the US government possesses email evidence of a November 2015 memo between “the D.C. Lobbying Group” (revealed as the DCI Group) and “the oil and gas corporation” (revealed as ExxonMobil), forwarded by the group’s managing partner to Forlit. The memo explicitly refers to “going on the offense” after what it calls “attacks” on the oil and gas corporation “over climate change” (United States District Court, Southern District of New York 2025b). According to the filing, this November 2015 memo specifically references some of the victims of the hacking that would subsequently take place. The filing also alleges the US government has a record of the lobbying firm’s payments Forlit received for the job, which he deposited into US bank accounts controlled by him and his companies.
Furthermore, the filing states that prosecutors possess evidence that hacked materials were subsequently published: “From early 2016, shortly after the hacking, emails show the D.C. Lobbying Group sent the fruits of the hacking to the oil and gas corporation and it was published” (United States District Court, Southern District of New York 2025b). The US government’s sentencing memo for Azari stated that the published articles about the stolen and leaked documents appeared designed to undermine the integrity of investigations by state attorneys general into ExxonMobil or of individual victims of the hacking scheme, and were incorporated into ExxonMobil’s court filings litigating against the state investigations (United States District Court, Southern District of New York 2023). According to reporting by Reuters and NPR, DCI Group allegedly shared some of the stolen material with ExxonMobil before leaking it to the media, and an executive at the DC-based lobbying group is also alleged to have emailed a published article featuring a private memo belonging to an environmental lawyer to colleagues with the subject line “BOOM” (Satter and Bing 2024; Copley 2025).
As the filing concludes, its “summary of the evidence provided by the USA, taken with the financial records, presents a compelling case” for Forlit’s extradition. The evidence was sufficient to have convinced a New York grand jury in 2022 to indict Forlit on three counts, including conspiracy to commit computer hacking, conspiracy to commit wire fraud, and wire fraud. It was also sufficient for the US District Court for the Southern District of New York to find probable cause to issue a warrant for Forlit’s arrest. The maximum sentences Forlit would face if found guilty are 5, 20, and 20 years’ imprisonment, respectively.
Much was previously known about the hacking scheme, thanks in part to the work of the Citizen Lab, a Canadian cybersecurity group based at the Munk School of Global Affairs & Public Policy at the University of Toronto. The group issued a detailed report on the case in 2020, calling it a “massive hack-for-hire operation” (Scott-Railton et al 2020).
By identifying several telltale “cyber fingerprints,” the Citizen Lab determined with high confidence that the hackers had, between 2015 and 2018, attempted to infiltrate the email accounts of key staff members of at least 10 nonprofits, including UCS, 350.org, the Climate Investigations Center, Greenpeace, and the Rockefeller Family Fund. Notably, all of these groups are involved in work aiming to hold ExxonMobil and other major fossil fuel companies accountable for their deception about climate science and their efforts to block climate action.
Between 2015 and 2018, several senior staff members at UCS had their email accounts hacked through a sophisticated phishing campaign that indicated the perpetrator had a good deal of knowledge about these individuals’ interests and contacts. After conducting an internal investigation, UCS found that, while no fundraising files or member or donor accounts had been breached, the perpetrators nevertheless had likely gained access to sensitive UCS emails and strategic planning documents.
It was also previously known, from court testimony and documents in Azari’s case, that he was paid to orchestrate the cyber espionage, that he contracted with a hacking group in India to carry it out, and that the hackers in India emailed him to say they had successfully infiltrated the targets. Azari pled guilty to facts that he undertook espionage campaigns under contract from corporate clients in Europe and the United States (Copley and Brady 2023).
Court documents have revealed previously undisclosed allegations by the US government regarding the genesis of a coordinated scheme to hack into the email accounts of staff members at UCS and other public interest organizations working to hold fossil fuel companies accountable for their role in climate change.
The court filing alleges that the US government possesses evidence that a “D.C. Lobbying Firm” (likely referring to longtime ExxonMobil lobbyist the DCI Group) paid a middleman at least $16 million between 2013 and 2018, that co-conspirators referred to one of multiple hacking schemes as “Operation Fox Hunt,” and that this scheme included at least 128 individual targets. The US government also claims to possess email evidence linking “one of the world’s largest oil and gas corporations, centred in Irving, Texas” (likely referring to ExxonMobil, which was previously headquartered there) to what the government calls “the fruits of the hacking” scheme.
(United States District Court, Southern District of New York 2025b; read the US government filing at https://legacy.www.documentcloud.org/documents/25501845-250113-usa-v-forlit/.)
As previously mentioned, those in the hacking scheme’s list of targets were also involved in work at nonprofit groups to hold ExxonMobil and other fossil fuel companies accountable. The cyberattacks occurred at a key moment, when pressure was building against ExxonMobil in particular. For example, when UCS email accounts were infiltrated in 2017, then-New York Attorney General Eric Schneiderman was preparing to file a lawsuit against ExxonMobil for deceiving its shareholders about the realities of climate change. At the time, other attorneys general across the country were considering lawsuits as well, and UCS was in contact with some of their offices, providing information about specific examples of climate deception.
During the period noted in the legal filing, the previously mentioned fossil fuel industry–backed news site Energy in Depth published disinformation citing former UCS Science and Policy Director Peter Frumhoff by name and spuriously accusing him and the organization of having “conspired” against ExxonMobil. The site even quoted language from Frumhoff’s work-related emails (Energy in Depth 2017).
An excerpt from a private email sent to Lee Wasserman, director of the Rockefeller Family Fund, similarly found its way into an article from The Wall Street Journal. That article subsequently was published by the right-wing Washington Beacon newspaper, Energy in Depth, and later on ExxonMobil’s website, on a dedicated page about the #ExxonKnew allegations that has since been taken down. Wasserman recently told The Wall Street Journal that ExxonMobil used his private emails to try to “develop a convoluted and completely false story” of a conspiracy against the company. He likened ExxonMobil’s effort to “arsonists trying to pin blame on the firefighters” (Matthews 2023). The same stolen document was submitted as evidence of the “conspiracy” against ExxonMobil in court proceedings in New York state, Massachusetts, and other venues (Copley and Brady 2023).
Until now we haven’t seen public court evidence linking ExxonMobil and its then-lobbying firm, the DCI Group, to the hacking conspiracy.
This blog is an excerpt from the UCS Report ‘Decades of Deceit,’ which Kathy Mulvey coauthored with Delta Merner, Laura Peterson, and Seth Shulman. Read the full report here.