The people who kill the truth
From a small office building, a group of Israelis is spreading global disruption
No morals, no qualms, no borders: Tal Hanan and Team Jorge have turned chaos into business
One evening last July, Mashy Meidan, 63 – a well-known figure in the corporate intelligence sphere – was contacted via an intermediary by an unknown foreign business adviser.
In a Zoom conversation a few days later, the adviser – who had a French accent and wore granny glasses – said he represented a businessman who was close to the ruling family in a French-speaking African country that he did not name. Without fanfare, the adviser explained to his interlocutor the reason for the call. “There will be an election at the end of September. And according to my client, that election cannot happen.”
Meidan inferred immediately that the country was Chad – a conflict-ridden, desert land of meager resources in the heart of Africa. The scale of the mission did not faze him and his questions were mainly of a technical nature: Did the adviser have a list of phone numbers of the commanders in the Chad army, or of those who were against the move?
The adviser promised to look into the matter and get back to Meidan with an answer.
Meidan used a pseudonym in the conversation, calling himself Max. He continued to use that name in the next Zoom conversation, which took place a few days later. This was when the adviser first met Jorge – an exuberant man who now took the lead in relations with the client.
Jorge’s identity remained a secret during subsequent Zoom meetings, which were conducted in English. His voice was clear, but his webcam transmitted only a blurred image. The same pattern was repeated when two ostensible advisers of the mystery client joined the conversations – one an American, the other a former Israeli.
The pixelated Jorge turned out to be a first-rate salesman. In a jaw-dropping presentation to the clients, he revealed the array of tools at his disposal to achieve the ends for which the clients had approached him: cyberattacks; transnational disinformation campaigns; forged documents; incrimination of political adversaries; dissemination of fake reports; theft of bank documents.
Influence ops
A campaign that uses old and new media to manipulate public discourse. A military term originally, this psychological warfare service is now offered privately
Each of the tools was an instrument that could be used to break down resistance to political moves, or just to liquidate (in every nonphysical sense) the client’s political, personal or business rivals.
Without restraints, without morality and without discrimination, Jorge’s toolbox could be placed at the disposal of anyone ready to pay for it – even if its use resulted in an immediate danger to life.
In one of the meetings, Meidan suggested destabilizing Chad as a means to delay the elections. In another meeting, the advisers explained that there may be an explosion in a market in the capital, N’Djamena, to justify the postponement. That did not deter Jorge, who asked for 6 million euros ($6.4 million) to see the campaign through.
Jorge claimed that he and his staff had meddled in “33 presidential-level election campaigns” around the world, “in 27 of them successfully.” Even if he was exaggerating, this investigation shows that he tried to intervene in a number of elections in various countries over the past decade (a separate article, which is also being published today, is devoted to the tools he used to achieve his goals).
To impress his clients, he took them on a “tour” of private conversations being conducted by cabinet ministers in Kenya and Mozambique in Gmail accounts and Telegram (the instant messaging application). It was explained to the clients that Jorge had hacked the correspondence of prominent African personalities while providing service to other clients.
He also claimed responsibility for an infamous cyberattack that was intended to sabotage a referendum on Catalan independence in 2014. He also relayed how a client paid him to help in the arrest of Canadian fashion tycoon Peter Nygård for alleged sex crimes. And he boasted of a 2015 attack on the phones of the opposition party in Nigeria, within the framework of an election campaign in which – as the investigation subsequently discovered – he worked together with the notorious U.K. consulting firm Cambridge Analytica.
On top of all this came a presentation of a software, the likes of which had never been seen before. This system ran an army of avatars (fake identities) on social media sites, disseminating rumors, harassment, defamation or praise – whatever the client asked for.
Avatar
A fictitious persona that unlike a bot - an automated account active on one network – has a complex digital identity. It is operated in a 'cyborg' manner on a number of platforms without detection.
Some of the activity, Jorge casually admitted, is used to inflate the value of cryptocurrency.
All of this can be revealed because Jorge’s interlocutors also used pseudonyms. The French adviser is actually Frédéric Métézeau, the Radio France correspondent in Israel. The American and Israeli advisers are the writers of this article.
The investigative report being published here is the fruit of nine months of international cooperation, with dozens of journalists toiling to verify as much as possible the details that Jorge revealed in the series of recorded meetings.
Journalists from The Guardian, Der Spiegel, Die Zeit, Le Monde, the international organization of investigative journalists OCCRP, Radio France, Haaretz, TheMarker and other media outlets worked in France, Kenya, Israel, the United States, Indonesia, Germany, Tanzania and Spain to examine the veracity of Jorge’s claims about his worldwide deeds. Shockingly, many of the allegations were corroborated.
The proprietors of this toxic international chaos machine, as uncovered in the course of the investigation, are two Israeli brothers, Tal and Zohar Hanan, who live and work in the Israeli commuter city of Modi’in.
The investigative report on “Team Jorge,” as the group called themselves in all presentations, is part of an even more extensive journalistic project, Story Killers, which deals with the disinformation-for-hire industry.
The project was initiated and coordinated by the Paris-based organization Forbidden Stories, which pursues the work of assassinated or threatened journalists, and also took part in the investigation itself.
The entire Story Killers project is dedicated to the memory of Gauri Lankesh – the Indian journalist murdered in Bangalore in 2017, following incitement and the dissemination of disinformation against her on social media.
The announcement of the election results in August 2022 led to violence and a legal battle contesting the outcome. In its wake, a delegitimization campaign was launched that is still ongoing
Team Jorge’s role: Hanan showcased the hacked Telegram accounts of five senior members of William Ruto’s campaign to undercover reporters. Ruto went on to win the election and is now president. Two of the campaign staffers whose accounts were compromised are now being accused of hacking the election committee in order to “steal” the vote
Skirmishes after the announcement of Kenya's election results in 2022 (Credit: Reuters)
Kenyan President William Ruto (left) and senior military officials, December 2022
Children’s game
Intelligence is a “puzzle,” Jorge said, resorting to a timeworn cliché just 15 minutes into his first presentation, which quickly took a dark turn.
Showing us a Gmail account that wasn’t his, he asked: “Can you see now? This is one target named Farouk. He's an assistant for a very important guy and we are inside,” he said, browsing the hacked account.
Farouk, the investigation revealed, was Farouk Kibet – the right-hand man of Kenyan President William Ruto. The hack was part of the service Jorge was providing to a client in the 2022 Kenyan presidential election campaign in which Ruto defeated his rival, Raila Odinga.
Jorge rummaged around in the account a bit more, highlighted some internal surveys and an internal group for election campaign HQ staffers, before moving on to the next target.
The hacking of the Gmail account, Jorge explained, was possible thanks to the cooperation of a local cellular provider, and the installation of a small device that makes it possible to reroute messages sent to the phone of the target so that they reach the hackers.
Residential proxy
The 'oil' of the inline disinformation industry. It is a system of remote connections providing real, regional IP addresses. Thus a buffer is created between the operators, the clients, the fake accounts and the smear campaign
The mechanism of replacing the password of many online servers, including Google, is based on identity verification via a text message. “Hijacking” the messages enables those who do not own the account to infiltrate it.
Next came the Telegram accounts. “I know in some countries they believe Telegram is very safe,” Jorge said a few minutes later. “So here I'll show you how safe it is … this is some minister of, uh, some country.”
A name appeared in the upper left of the screen: Davis Chirchir – at the time the head of Ruto’s election campaign and now Kenya’s energy minister. Before our eyes, the minister’s private account emerged – not a screenshot from the distant past, but his actual real-time correspondence.
The consortium of journalists was later able to confirm that the number appearing on the screen did indeed belong to Chirchir.
“I can check all his calls,” Jorge bragged, “and I can go to any chat and see what they're saying,” he added, heading to a random chat. “B. is telling him this and that,” he said, naming the minister’s interlocutor, a woman, and clicking on her profile image. “What it means is active intelligence,” Jorge said. “[It] means I can write you.”
Active intelligence
Engaging with targets not solely for passive intel collection, but also creating actionable intel. For example, a target can not only be hacked – but messages can be sent on his or her behalf, thus extracting more information
He then typed in the words “Hello, how are you dear,” in the chat of the Kenyan minister’s account. “Now when I hit ‘enter,’ the message will transmit. You see?” he asked, hitting “Send.” “Usually, I will wait for them to see [it] and then I will delete [it],” he explained, immediately deleting the sent message.
Jorge would show us that trick – sending messages from hacked accounts – several more times in the presentations that followed. This provided the consortium of journalists with an opportunity to verify that what was being presented as the hacking of an account was genuinely that.
Last December, a reporter involved with the investigation succeeded in reaching one of the recipients of the messages from the hacked accounts. They asked the person to open his phone, found the message that Jorge had sent from the hacked account and asked him to document it. This was proof that Jorge was not only demonstrating hacking; he really was hacking.
Throughout the series of presentations, Jorge and his staff showed us hacked email and Telegram accounts of five victims in Kenya: presidential aide Kibet; Minister Chirchir; former National Assembly member James Omingo Magara; election campaign adviser Dennis Itumbi; and a political functionary named Simon Mbugua.
After Ruto won the election in August 2022, the losing side launched a campaign to delegitimize the results. Their campaign was based in part on allegations that named two of the individuals whose accounts Jorge hacked before our eyes: Itumbi and Chirchir.
In subsequent presentations, Jorge showed us the hacked accounts of four more targets: Mozambique Agriculture Minister Celso Ismael Correia, who later examined the email address that Jorge showed us and confirmed that it belonged to an old email account of his. Correia later retracted that statement; an Indonesian businessman; a Tanzanian citizen; and Zhaxylyk Zharimbetov, a former senior official at the BTA Bank in Kazakhstan. The accounts in Mozambique, Indonesia and Tanzania were presented within the framework of “active intelligence”; the Kazakh banker’s account was shown as a screenshot in a presentation.
Who killed Emmanuel the Emu?
In the series of presentations, Jorge gave us several guided tours of a user interface that appears to be the most advanced known software to date for perpetrating acts of deception on social media.
The software for the creation and activation of avatars is called AIMS, which stands for Advanced Impact Media Solutions. According to the screen user interface, AIMS controlled over 39,000 avatars as of December 2022, and possessed the ability to produce new ones easily and rapidly.
“We have Arabs, Russians, Asians, everything. Africans, of course,” Jorge said, scrolling through his inventory of fictitious accounts.
Before our eyes, he constructed a new avatar. After choosing the country of residence, gender and age range of the fictitious user, the software proffered sets of images (stolen from a genuine profile) for him to use to complete the profile.
The fictitious identities created by AIMS, Jorge explained, can operate on different platforms. Google, Facebook and Instagram are the easy ones. The system can also open accounts on sites such as Amazon, Airbnb, Reddit, Netflix or even digital wallets.
To bypass the various sites’ processes of identity confirmation, text messages are sent to virtual numbers created for the avatars. Passing these checks makes Jorge’s avatars far more difficult to identify as fakes.
The AIMS avatars, as Jorge demonstrated, are not solo performers; they are able to sing together in a choir. They can be activated in coordination as a campaign to disseminate messages by scattering the tweets or posts across ranges of time that imitate the genuine behavior of web users.
The creation of content is also automatic, driven by AI. You choose a tone (negative, positive or neutral) and the system generates tweets and posts that it is hard, nay impossible, to detect as machine-generated.
Jorge’s presentation looked convincing, but an elegant presentation does not guarantee that the technology works in the real world. So, we asked him to test AIMS on the actual battlefields of Twitter and Facebook. In other words, to conduct a small demo campaign for us.
In the summer of 2022, social media sites were agog about a viral hit that was hard to avoid: Emmanuel the Emu. For those not well versed in zoology, an emu is a large, flightless Australian bird.
Emmanuel the Emu is one of the farm animals of Taylor Blake, a web influencer who rose to fame thanks to her TikTok videos starring Emmanuel and his buddies, including Princess the deer.
To test Jorge’s capability, we gave him a mission: to spread a Twitter rumor announcing Emmanuel’s premature death. The campaign, it was decided, would be labeled #RIP_Emmanuel.
The next day, Jorge’s army started to fill Twitter – and to a lesser degree Facebook – with rumors of the big bird’s demise. The campaign, as we could ascertain for ourselves, included thousands of tweets, shares and likes.
Jorge sent us a screenshot according to which #RIP_Emmanuel was one of the trending items on Twitter in Slovakia, with 1,347 tweets in that country alone. In Africa, Europe and also the United States, the death of “the legend” was lamented and people wrote about how much “Emmanuel will be missed.”
The next morning, Blake awoke in a fright. “Woke up to find out that someone started a rumor that Emmanuel DIED and I literally sprinted out to the barn to see if it was true. He was waiting for me at the gate, very much alive and ready for cuddles. EMMANUEL IS NOT DEAD!!” she tweeted on the morning of July 29, 2022, via her Twitter handle “eco sister.”
Some of her followers reacted furiously. “People just looking for attention,” one of them tweeted about the fake news.
Blake’s response to the rumor, and the 37,200 likes she received, only heightened the campaign’s exposure. According to Jorge, it drew some 7 million views. This is the place to apologize to Emmanuel, Taylor and the rest of her animal farm.
Comment, commend or condemn
The #RIP_Emmanuel campaign demonstrated that AIMS is a genuine machine. But testing its capabilities was only our campaign’s first goal. The fake death of the big bird led Jorge and his staff to inadvertently reveal the identity of some of their network of avatars to us, and carved a path for the continuation of the investigation by other means.
Now it would be possible to track down the profiles that had spread the false rumor and analyze their historic activity.
Journalists of Le Monde, Der Spiegel and the Munich-based investigative newsroom Paper Trail Media led the effort.
First in the spotlight was a campaign against Peter Nygård, the 81-year-old Finnish-Canadian fashion tycoon who founded the Canadian label that bears his name and, according to indictments, is a serial sex offender.
Jorge, it transpired, hounded Nygård for about five years. His aim was to make public the allegations that Nygård was a serial rapist and to push for his indictment, trial and conviction.
Nygård has been held in custody in Canada since the end of 2020, and is fighting extradition to the United States to face further criminal charges there (once his Canadian trials are completed). The fashion tycoon was called “the Canadian Jeffrey Epstein” by both Jorge and avatars.
The discovery that an AIMS army was mobilized against Nygård was confirmed in a later meeting with Jorge.
Jorge, as he himself would make clear to us, does not take a moral position in his job. He can work against suspects or for them: the only issue is who is paying. Accordingly, the network of avatars that tweeted against Nygård and bemoaned the death of Emmanuel, conducted two campaigns on behalf of individuals wanted for extradition. One of them was a former senior official in Mexico’s Criminal Investigation Agency: Tomás Zerón.
Tomás Zerón, a former senior official in Mexico, fled the country and has been residing in Israel over the last several years. Mexico wants to extradite him on suspicion of torturing people who were interrogated in the case of the 2014 kidnapping and disappearance of 43 students who were on their way to protest against the government
Team Jorge’s role: Their avatar network took part in a positive campaign in favor of Zerón, played up his part in the capture of the drug baron "El Chapo" and claimed suspicions against him were politically motivated
A demonstration in commemoration of the 43 missing students in Mexico (Credit: Reuters)
Tomás Zerón
Zerón has been living in Israel for the past several years. Mexico has tried, without success, to extradite him on suspicion of obstructing an investigation and torturing interrogees in the case of the 2014 kidnapping and disappearance of 43 students who were on their way to a protest against the government in the city of Iguala.
Jorge’s virtual soldiers played up Zerón’s part in the capture of the drug lord Joaquín “El Chapo” Guzmán, and promoted a narrative to the effect that the suspicions against Zerón are politically motivated.
Some of the avatars also insisted on the innocence of brothers William and Roberto Isaias – leading businessmen who were convicted in their native Ecuador in 2012 of embezzling hundreds of millions of dollars from a bank they controlled.
Brothers and businessmen William and Roberto Isaias were convicted of embezzling hundreds of millions of dollars in 2012 in Ecuador. They reside in the U.S., and Ecuador has been requesting their extradition for years.
Team Jorge’s role: Their army of avatars took part in a campaign to support the Isaias brothers, and presented the government's efforts as political persecution
The brothers, who reside in the United States, have for years faced repeated extradition requests from Quito. A “political campaign of persecution,” Jorge’s avatars called it. Others accused Rafael Correa, Ecuador’s president from 2007 until 2017, of hounding them.
In one of our Zoom video presentations, Jorge was asked about ties with individuals who could influence U.S. policy in order to assist the Chad government to handle the administration’s response to the postponement of the country’s general election. Jorge suggested using the services of two people: former Mossad deputy head and national security adviser Ilan Mizrahi; and Roger Noriega, a former U.S. assistant secretary of state for Western Hemisphere Affairs and “my ex-partner,” as Jorge termed him. Noriega apparently also operated in the past on behalf of the exiled Ecuadorian bankers, having published two pro-articles in their favor and condemning then-President Correa on the website of the American Enterprise Institute, a Washington-based think tank.
Gov. Gavin Newsom delayed renewing the operating license of a nuclear plant amid claims of safety issues
Team Jorge’s role: Their army of avatars took part in a campaign against Newsom. The online campaign ended after the license was renewed
Democratic Governor Gavin Newsom (Credit: Reuters)
The California nuclear plant.
In California, it emerged, the army of avatars had attacked Democratic Gov. Gavin Newsom when he considered not renewing the operating license of a nuclear plant amid safety issue concerns. The governor finally gave the go-ahead in September 2022 and Jorge’s avatars backed off.
All told, the consortium of reporters found 19 campaigns in which some 1,800 AIMS-linked suspected avatars took part.
Team Jorge’s horror show
In Jorge’s presentations, there was a noticeable tension between the desire to show past “achievements” and the need to preserve clients’ anonymity and distance Jorge and his staff from responsibility for the operations. That tension peaked in a clip screened in each of his presentations.
The showreel, which is about two minutes long, opens with the caption: “Team Jorge Presents: Intelligence on Demand.” The clip features an array of incidents involving computer hacks, tricking journalists by publishing false information, cyberattacks and other deceptions.
Jorge occasionally froze the frame in order to provide an explanation. Unlike Jorge's claims that were verified, to date it has not been possible either to confirm that he actually carried out the deeds he took responsibility for in the clip, or to refute those claims.
According to the clip, Jorge was behind the 2019 cyberattack against the central elections committee of a country that we identified as Indonesia, about a month before a general election there. A spliced screenshot appeared in which the caption KPU (the name of Indonesia’s elections committee) was visible. Below the image was the caption “During S.E. Asian Election Day.” Jorge accompanied the slide with an explanation that for political reasons his client had requested to be seen as an adversary of China. So they launched an offensive, he said, “and we showed that all the traffic – everything came from China.”
In March 2019, several media outlets (including Bloomberg) reported on a “Chinese-Russian” attack against the elections committee’s computer system.
The false flag operation worked in part. The information safety expert the elections committee hired was quoted by The Guardian as saying the traffic indeed appeared to be coming largely from China and Russia. However, he added: “Probably most of them are local hackers. They are just using jump points in those countries to cover their trail.”
Hack-and-leak
A type of influence operation that involves breaking into and leaking a target's personal information, emails and documents. In some cases, the material is tampered with
The next segment in the “Team Jorge Presents” horror show dealt with disruption to a 2014 referendum on the question of Catalan independence from Spain. According to the clip, the disruption was caused by a DDoS attack (standing for distributed denial-of-service – which overwhelms a site with traffic, knocking it offline). According to then-Catalan leader Artur Mas, the cyberattack damaged the Catalonian internet on the morning of the referendum. However, the vote was not canceled and those responsible for the event have not been located.
Jorge also took the credit for reports in the Spanish media during that time about supposed ties between the separatist Catalan party and the Islamic State. How was that manufactured? “They found leaflets connecting the party and the radical [Islamists], and the intelligence [services] start investigating,” Jorge related, adding, “You never know how things happen. Crazy.”
Jorge took pride in his apparent role in another attack, this time in Africa. This was similar in essence to the DDoS event, but was on the cellphones of the leaders of the opposition party in Nigeria, the All Progressives Congress (APC), which ultimately won the March 2015 general election there.
On the morning of the 2015 Nigerian election, the cellphones of the opposition leaders stopped working. During the campaign leading up to the vote, Cambridge Analytica was working with the campaign of then-President Goodluck Jonathan. Former employees at Cambridge Analytica claimed that “Israeli hackers” gave the firm secret medical and financial documents relating to Jonathan’s rival
Team Jorge’s role: Hanan admitted being behind the attack on the opposition leaders’ phones. In-house Cambridge Analytica emails also revealed that Hanan and his team were the “Israeli hackers"
Supporters of Muhammadu Buhari, who won the 2015 election (Credit: Reuters)
Brittany Kaiser, who was whisteblower in the Cambridge Analytica scandal.
The clip showed a headline from the Nigerian news site Vanguard. A few words were redacted – seemingly a sloppy attempt to conceal the identity of the country and attack, which occurred on the morning of Election Day. “This is the biggest country in Africa,” Jorge said, unable to resist the temptation to reveal the identity of the country, “and all the opposition, they come, they show their phones to the media and say 'blockage of all leaders' phones,'” quoting from a Nigerian newspaper headline.
As another chapter of the investigative report will reveal, Team Jorge operated in Nigeria in 2015 in collaboration with now-disgraced British firm Cambridge Analytica. Back in 2018, British weekly The Observer published testimonies about Cambridge Analytica’s use of the services of “Israeli hackers” in Nigeria, and also in the tiny Caribbean country of Saint Kitts and Nevis.
New emails in the hands of the consortium of journalists identify the hackers as Team Jorge and link the team to job offers in other countries – including an offer to take part in Donald Trump’s 2016 presidential campaign.
Jorge also claimed, during the screening of the clip, that he had used access to emails of the chief of staff in the government of Trinidad and Tobago's then-Prime Minister Kamla Persad-Bissessar to foment a political crisis in the Caribbean island state.
The earliest event presented in the clip took place during the 2012 Venezuelan presidential election. Jorge admitted to disseminating false information in order to influence that election, which was won by Hugo Chávez. Jorge and his partners claimed responsibility for circulating internal presentations from Chávez’s camp – which were subsequently published by the ABC News network – after they had made additions of their own to the documents.
“It comes back to the question of fake news,” Jorge said, warming to his theme. “What is fake? I tell my clients: Under 80 percent credibility, it’s fake. But between 80 and 100 percent, there’s … a game we can play.”
This video contains audio. Click the icon to activate the sound
What does a system to disseminate disinformation look like? Meet AIMS (videos based on talks with Jorge)
Tailoring for target country: The system allows a fast creation of fake avatars, generating a name and a language for each one
Identity creation: The system has a database of fake users from different countries who speak different languages. Each avatar has a tailored photo. The investigation found photos of real people were used without their knowledge
Multiple networks: Each avatar receives a unique digital footprint, which included an email and a real phone number. If there is a need for verification using a text message, the system knows how to handle it. These details are used to create matching profiles on various networks and websites
Activity history: The fake users have a rich online 'identity': Thousands of social network members, activity over time and even purchase history – all in order to convey credibility
Timed action: When needed, the operator has an army of avatars which can be configured and timed. Thus a huge group is created, who can echo the negative message on all networks
Tal Hanan, 50, Modi’in
We first heard about “Team Jorge” from a source who had learned about Jorge's exploits. To arrange a meeting with Jorge, a network of mediators was utilized – including some who were tricked into thinking they were introducing a real client to Jorge.
The last of these was the owner of a media consultancy firm in the Israeli city of Hadera, Yaakov Tzedek. Tzedek, who was present at the first Zoom meeting with Meidan, was silent when a campaign was discussed whose aim was to get the Chad elections postponed.
Also present and silent in that meeting was Ishay Shechter, a former executive in the Jewish National Fund, who is described on the site of the lobbying firm Goren Amir Consultants as its “strategy director.”
Attending another Zoom meeting, in which hacking of accounts was presented, was Shuki Friedman, a security service retiree whom Meidan described as “part of our core team.” Friedman is known among former security officials as the recruiter of a very famous asset who cannot be named. But he is no more than a supporting actor in the Team Jorge story.
The common denominator among the people leading the presentation was the use of fictitious names: Max, Jorge and another individual who will enter the picture later, Nick. We discovered Max’s identity (Meidan) quickly. He was careless enough to use his Israeli phone number.
Jorge was more cautious. He spoke to us only from an Indonesian phone number, did not reveal his face, and for the first five months of contacts with him denied that he was operating from Israel.
When we asked him whether he was apprehensive about exporting hacking services without authorization from the Defense Export Controls Agency of Israel’s Defense Ministry, he claimed that the question was not relevant for him. “All this bullshit is for Israeli companies. We’re not Israelis. This technology is from Java Selatan [a district in Indonesia]. … Actually, we do have an office there [in Indonesia] if you’re interested. So let me know when you’re coming.” And he ended by wishing us “Selamat malam” – “Good night” in Indonesian.
After considerable effort, we found reliable information about Jorge’s identity. His real name is Tal Hanan, a 50-year-old Israeli who was born in Upper Nazareth (now Nof Hagalil) and now lives in Modi’in with his family. Shortly after we discovered his identity, an investigative report was published in which his name was casually mentioned. The Hebrew version of this report, by the International Consortium of Investigative Journalists and Uri Blau from Shomrim – the Center for Media and Democracy, was published in TheMarker.
That report noted that Hanan was a friend and business associate of Martin Rodil, a Venezuelan citizen who had previously worked at the International Monetary Fund. Bloomberg News reported that through Hanan’s mediation, he became a Mossad source in the struggle against Hezbollah and Iranian terror funds in Latin America. Rodil is suspected in Spain of trying to shake down leading business figures in Venezuela, about whom he transmitted information to the authorities in Spain.
Hanan was active in security affairs long before social media was born. In 1999, he founded a company called Demoman International, which is registered at his home address in Modi’in and in the past even had an export permit from the Defense Ministry.
The company’s website contains the usual spiel these firms pronounce about the struggle against terrorism and training forces. You will not find a word there, however, about avatars, hacking or cyberattacks.
“I have no idea how Hanan landed in this position. He has no intelligence background, he served in some unknown unit in the air force. But I know he has ties with senior and very serious people among the intelligence agencies in Israel and the U.S.,” said a former ranking individual in Israeli intelligence, who learned of Hanan’s activity.
Team Jorge’s members:
The people we met at the chaos factory
French journalist for sale
While the efforts to trace Hanan’s exploits continued, the date of the planned Chad election passed – and the election was indeed postponed. Neither Hanan nor the undercover journalists had a hand in this. The cover story just turned out to be a lucky guess.
Time did its work and Hanan shed some of his suspicions. When we told him we were coming to Israel in connection with legal proceedings and would be happy to meet with him, he forgot that he had previously denied operating from Israel and invited us to his offices in Modi’in.
The offices are located on the third floor of a nondescript, half-empty office block across from a commercial center in the industrial zone.
There is no name or identifying sign on the front door. The room into which we were ushered – after being asked to leave our phones at the entrance – was a large and not very impressive bomb shelter that no one had bothered to decorate or design. Other, that is, from what looked like souvenirs from trips abroad that were scattered here and there, along with paper cups for hot drinks bearing the inscription “Free Love.”
Hanan was waiting for us, without any attempt to disguise himself: stubble-covered face, charismatic, gleeful as ever, brimming with self-confidence.
At the start of the meeting, he speculated on what is yet to be found on Hunter Biden’s laptop. “[Do you know] the difference between conspiracy and truth?” he asked, and as usual answered his own question: “Eighteen months.”
Sitting next to Hanan was Meidan, and on the other side of the table was Nick. He was introduced to us as “the company’s CEO.” The CEO would later be identified as Zohar, Tal Hanan’s 55-year-old brother. Zohar worked for an Israeli security agency and was an expert in polygraph testing.
In the meeting, Tal Hanan claimed he had more than 100 employees in his business. He may have exaggerated somewhat. In our estimate, the space we were in could accommodate around 20 employees. He said he also had offices in Indonesia, Bosnia and the Israeli tech hub of Herzliya, and additional employees in Ukraine. The Herzliya office, he noted, served a separate company he claimed to own called Deep Impact, which, he said, uses AIMS to inflate the value of cryptocurrency.
The meeting was conducted partly in English and partly in Hebrew. It started with a discussion about a new goal: to stir up trouble between the president of Chad and a businessman. Afterward, Hanan repeated his by-now regular performance of infiltrating email and Telegram accounts – this time of targets in Indonesia and Tanzania.
One service we learned about during this meeting involved planting false reports in the French media.
Television presenter Rachid M'Barki was suspended after an internal investigation by BFMTV after he broadcast a series of odd reports, allegedly on behalf of interested parties, without the knowledge or consent of his editors
Team Jorge’s role: An internal investigation was launched after Hanan claimed during his meeting with undercover reporters that he could get reports published in the French media. He showed the journalists a clip from a broadcast that he claimed to have orchestrated. The report was presented by M’Barki
Hanan screened a clip of a report that had been broadcast on the news channel BFMTV a few days earlier, and claimed he himself had planted it. In the item, French television presenter Rachid M’Barki stated that the U.S. sanctions on Russian oligarchs would lead to the unemployment of tens of thousands due to a slowdown in the activity of the shipyards that handle the oligarchs’ yachts in Monaco – an unlikely development.
Because the item seemed odd, the consortium of journalists contacted the BFMTV management last month. That prompted the channel’s directors to launch an internal investigation, which raised additional concerns about M’Barki’s reporting. The presenter was suspended and articles appeared in the French media on the matter. Few knew, though, that it all began with a casual remark made by Tal Hanan in his Modi’in office.
However, not all of Hanan’s claims turned out to be correct. In the Modi’in meeting, he presented the outcome of another operation he had supposedly conducted, which turned out to be a bluff. He showed us a supposedly internal presentation from the campaign of a rival of his clients in “a Latin American country.” We subsequently learned that the document was a public report, about which there was nothing secret, and could be found on Google.
Afterward, he spent a lot of time showcasing a service that he called “Global Bank Scan,” through which internal bank information is supposedly obtained. In the previous presentations, we had already been shown what looked like information from the bank accounts of Batkhuu Gavaa, a Mongolian politician and media group owner who died in 2019 after falling down the stairs at the State Palace (years after Hanan apparently poked through his accounts).
At the Modi'in meeting, a similar report was presented. According to Hanan, this included stolen banking information of a Turkish businessman whose name was not provided – though for a fraction of a second it was possible to identify him in the documents that were shown: shipping magnate Mehmet Ali Umar. Meidan explained in the meeting that the material had been obtained by a human source with access to the world banking system.
We also learned that in two cases at least, former clients of Hanan’s had complained that the financial reports they had purchased from him turned out to be unreliable and even forged.
One of the reports that was allegedly faked was sold more than 10 years ago to a secret Israeli agency. “It cost the state hundreds of thousands of dollars. The information was checked and most of it turned out to be complete nonsense – apparently a forgery,” said a person familiar with the details. The other report was allegedly sold to a client in Bosnia.
On one of the pieces of furniture in the office was a book about Nygård, which offered a golden opportunity to crossmatch the investigation that had been conducted on the basis of analyzing the army of avatars.
Finnish-Canadian fashion tycoon Peter Nygård is facing trial in Canada, and extradition to the U.S., on human trafficking and rape charges, detailed in several indictments against him
Team Jorge’s role: Their army of avatars took part in a campaign against Nygård. According to Hanan, he obtained the first nondisclosure agreement between Nygård and one of his victims, who was 16 at the time. "He paid her $100,000," according to Hanan
One of Peter Nygård's fashion stores (Credit: Reuters)
Peter Nygård
A question about the book triggered a speech from Hanan about Nygård and the way his sex scandal had developed. He started by recounting how he had dispatched his army of avatars to attack the U.S. talk show host Oprah Winfrey – whose apparent sin was to have once interviewed Nygård during a visit to his Bahamas estate. The attack on Winfrey produced an article in Newsweek, to the satisfaction of Hanan’s client.
Hanan also implied he had actually brought about the uncovering of the scandal by hacking certain accounts. “Six years ago I found the first silencing agreement,” he said, mentioning a detail that identified the person with whom Nygård allegedly made the nondisclosure agreement. “He paid $100,000 to this poor girl. She was 16 when he raped her.”
According to Hanan, his client paid a lot for the work. “It cost millions, many millions. Five years [of work]. Five!”
‘Let’s move ahead’
One of the many items Hanan showed us during the Modi’in meeting was a photocopy of a check that he says was located in a hacked email. He told us what could be done with such a find. “I take the check … fake a donation to a candidate,” he said.
“Are there, like, any elections without this shit anymore?” we asked, trying to draw Hanan into a discussion apropos the talk about the fake donation.
“No,” he replied drily.
“Okay. So what’s the point in elections?” he was asked.
Hanan ignored that, but Meidan started to offer a response. “Look,” he said, but before he could continue, we asked him, “Do you vote?”
“Sure,” he replied.
“But you know this is how it works.”
“Look, you’re talking about other places. It’s not that here [in Israel] we don’t have that. Here there are other mechanisms.” He paused for a second. “But listen, someone once told me something: ‘Where there is faith, there is no logic.’ I say that in sorrow,” he said, shooting us a slightly emotional look.
Meidan does not give the impression of being a bad guy. He is a perfectly normal individual. An Israeli man in his 60s with a security background, lives in the heart of the country. In every way, he’s just like those who fill the city squares on Saturday evenings to protest the Netanyahu government's attack on democracy.
Meidan struggled to formulate a meaningful statement. It seemed as though it was difficult for him to find the words.
“You tell me: ‘I’m a man of faith, I wear a kippa,’” he said, pointing to the kippa-wearing “adviser” attending the meeting. “I too am a believer,” he said. “I’m completely secular but I too am a man of faith … and that gives me so much strength.”
The conversation went on for a few more seconds. But just when it looked like we might get Meidan to talk about what a person whose profession is destructing democracies tells himself – just then, Hanan put an end to the conversation.
“Guys, we need to move ahead,” he said, and proceeded to show us another hacked email.
Disruption and disinformation across the world
A number of countries where Team Jorge operated, according to the investigation and them
Israel
Some 15 years ago, an Israeli security agency acquired from Hanan a financial report on Iran and Hezbollah assets. “It cost Israel hundreds of thousands of dollars, and turned out to be bogus, probably fake,” said a person familiar with the matter.
Indonesia
Hanan claims he is behind the cyberattack on the computers of KPU, Indonesia’s elections committee, in 2019. He said the attack was planned to appear as if it came from China in order to paint a political nominee as a rival of the Chinese
Catalonia
Hanan took responsibility for a DDoS attack intended to disrupt the 2014 referendum on Catalan independence. The referendum continued as planned
Trinidad and Tobago
Hanan claimed he hacked emails of the chief of staff of then-Prime Minister Kamla Persad-Bissessar, and leaked a document to create a political crisis
Mozambique
Jorge showed the hacked Gmail account of Agriculture Minister Celso Ismael Correia. The minister confirmed it's an old email account of his, but later retracted
Saint Kitts and Nevis
According to testimonies published in The Observer, 'Israeli hackers' offered Cambridge Analytica documents supposedly obtained by hacking the accounts of former PM Timothy Harris. Emails we have identify the 'Israeli hackers' as Hanan and his team
Venezuela
Hanan claimed he disseminated false info to an ABC journalist against former President Hugo Chavez, in an attempt to influence the 2012 elections
Mongolia
Hanan presented documents that appeared to contain confidential financial information of deceased politician Batkhuu Gavaa
Morocco
Hanan's avatar network conducted a campaign in 2022 with the hashtag #PolisarioCrime, claiming the movement for the liberation of Western Sahara (the Polisario Front) has ties to Hezbollah and Iran
Britain
In 2021, Hanan's avatar network were involved in a positive campaign about a U.K. clinic under investigation for providing false COVID results
Qatar
In 2022, Hanan’s avatar network were involved in a social media campaign claiming Ali Bin Fetais Al-Marri, special UN envoy for combating corruption, was himself corrupt
India and Sri Lanka
In 2021 and 2022, Hanan's avatar network conducted a Twitter and LinkedIn campaign claiming Dinesh Pandey, an owner of the Saamag corporation, is corrupt. The campaign included links to a 'leaks site' that has since been taken offline
Responses
Tal Hanan and Zohar Hanan refused to answer questions. Tal Hanan denied "any wrongdoing." Zohar Hanan said: "I have been working all my life according to the law!”
Demoman International, Shuki Friedman, Yaakov Tzedek and Rachid M’Barki declined to comment for this story.
Mashy Meidan's attorney replied: "Contrary to the allegations raised in your request to respond, Mr. Meidan is not, and has never been, associated with a company or entity named 'Team Jorge,' and is definitely not a 'business partner' in such a venture. In fact, until receiving your emails, Mr. Meidan had never even heard the name 'Team Jorge' before, and therefore could not be 'one of the core team' of this company, as falsely alleged by you."
Ishay Shechter replied: "I never had any business relationship with Jorge or Tal Hanan. I am not familiar or aware of his team's alleged illegal or improper activity. To make things clear – I have never linked or mediated between Mr. Jorge and any client. I do not understand why someone would mix my name in with the case unless that person is attempting to hurt me."
Ilan Mizrahi commented: "I do know Tal Hanan, but I was never part of his business."