Saudi Arabia Pays Twitter Insiders $300K for Account Info

In the world of espionage, the nation-state is always looking for insiders with access to desired information, and the Kingdom of Saudi Arabia is no different than any other country. The difference between Saudi Arabia and many other countries is how it uses inside information to monitor their citizenry. Free speech as defined in the U.S. First Amendment doesn’t exist in Saudi Arabia; thus, dissidents and critics of the country or royal family oftentimes find themselves on the receiving end of the Saudi government’s internal security efforts.

It’s against this backdrop we witness individuals representing the Kingdom focused on spotting, accessing and ultimately recruiting individuals with access to information of interest to Saudi Arabia in its efforts to monitor dissent among its citizens and critics—this time at Twitter.

AppSec/API Security 2022

The Twitter Insiders

According to the criminal complaint released Nov. 6 by the U.S. Department of Justice (DoJ), two Twitter employees, Ahmad Abouammao (41, of Seattle), a “Media Partnerships Manager” at Twitter, and Ali Alzabarah (35, of Saudi Arabia), a site reliability engineer at Twitter, were successfully recruited to provide account information—including content, contacts and  email addresses, phone numbers, IP addresses and dates of births—to representatives of the Saudi government. The recruitment of the two Twitter employees was facilitated by Ahmed Almutairi, aka Ahmed Aljbreen, (30, of Saudi Arabia) who also was named in the criminal complaint.

The Saudi representatives are not named but are described as “representatives of the Kingdom of Saudi Arabia and the Saudi Royal Family.” That may infer the unidentified Saudi individuals were representing the office of Mohammad bin Salman bin Abdulaziz Al Saud (MBS), whose office’s track record of pursuing and persecuting Saudi dissidents is well-documented (think: Khashoggi).

Abouammao was arrested in Seattle Nov. 5. Both Alzabarah and Almutairi absconded and are presumed to be in Saudi Arabia. Arrest warrants have been issued for both individuals.

An FBI special agent in charge (SAC) for the San Francisco Division of the FBI commented, “The FBI will not stand by and allow foreign governments to illegally exploit private user information from U.S. companies. These individuals are charged with targeting and obtaining private data from dissidents and known critics, under the direction and control of the government of Saudi Arabia. Insider threats pose a critical threat to American businesses and our national security.”

How Saudi Arabia Recruited the Twitter Insiders

The criminal complaint tells us how the two Twitter employees were spotted.

Abouammo’s role brought him in contact with individuals within the Middle East and North Africa region on behalf of Twitter. He aided high-profile users on how to use the platform effectively. Almutairi worked for a social media firm that had the Saudi Royal Family office as a client. The initial contact was innocuous—a query to be answered by Twitter. Abouammo happened to be the one to which the task of responding was assigned.

Through the course of six months, Abouammo was contacted by individuals representing the Saudi royal court, either directly or via professional engagement (Almutairi), and a face-to-face meeting was arranged as Abouammo attended a Twitter global summit in London in December 2014. At meeting, he was gifted a Hublot watch valued at $25,000 to $30,000.

Within a week of the meeting, Abouammo began accessing Twitter users’ accounts and emails, including that of a prominent critic of the Kingdom who had more than 1 million followers. He continued to access the information and provide reports to the Saudi government representative via email. Abouammo also had a relative open a bank account in Beirut, where he received payments from Saudi Arabia and then disbursed funds to his U.S. account at his own cadence.

The first payment for $100,000 landed in the Beirut bank account in February 2019, two months after the initial face-to-face and many email exchanges (which included information which Abouammo was tasked to provide and actions the Kingdom requested be taken, including suspending user accounts). A few months later, Abouammo quit Twitter, but maintained the operational contact with the Kingdom’s representative. He would over time receive an additional $200,000 from the Saudi representative for his collaboration.

Separately, just before Abouammo departed Twitter, Almutairi made contact with Alzabarah, schmoozing him and puffing up his ego by telling him how special he was to the Kingdom. Indeed, he was invited to Washington, D.C., to meet with the same representative of the Kingdom who had recruited and handled Abouammo. Within a week of Alzabarah returning to San Francisco, he, too, began harvesting Twitter user data.

Over the course of the next six months, Alzabarah’s insider access allowed him to capture the data on 6,000 Twitter users on behalf of the Kingdom, including 33 who were on Saudi watchlists and for whom the Kingdom had formally requested information. Alzabarah would continue to access thousands of Twitter user accounts on behalf of Saudi Arabia from his office in San Francisco, as well as while on vacation to Saudi Arabia.

On or about Dec. 2, 2015, Alzabarah was confronted by Twitter as to why he, an engineer, was accessing account data, specifically account data associated with Saudi Arabia. During the interview, he admitted he had accessed the accounts and attributed his access to curiosity. Twitter seized his laptop, placed him on admin leave and escorted him out of the building.

That very evening Alzabarah lit up the phones of his Saudi contacts (Almutairi, his royal family contact, the consulate in Los Angeles, the embassy in Washington D.C. and others). The next morning, at 7 a.m., Alzabarah and family boarded a flight in San Francisco, connected in Los Angeles and flew to Saudi Arabia. Within one week of his return to Saudi Arabia, Alzabarah became an employee of the representative of the Royal Family. We don’t know the size of his signing bonus, but given that Abouammo received $300,000 plus gifts, one can speculate that Alzabarah received a hefty reward for his inside Twitter assistance in squelching the voice of dissent in Saudi Arabia.

What Happens Next?

If convicted, Abouammo faces 20 years in prison and a 250,000 fine, while Alzabarah and Almutairi face 10 years in prison and a $250,000 fine. Extradition of Alzabarah and Almutairi from Saudi Arabi is highly unlikely.

Twitter adjusted its internal controls in December 2015 to preclude a recurrence of this type of exploitation of its application by an insider in the future.

Christopher Burgess

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

burgesschristopher has 170 posts and counting.See all posts by burgesschristopher