For years, the U.S. Justice Department has worked to unravel a global hacking campaign that targeted prominent American climate activists. Now, public tax filings reviewed by NPR reveal an unexpected link between the company that allegedly commissioned the attacks and some of the victims.
The connection emerges as another element in the complex story of how hackers were allegedly hired to attack parts of American civil society. The Justice Department investigation has focused recently on an Israeli private investigator named Amit Forlit whom federal prosecutors are trying to extradite from the United Kingdom for allegedly orchestrating the hacking. Prosecutors say the operation was aimed at gathering information to foil lawsuits against the fossil fuel industry over damage communities have faced from climate change.
Buried in the investigation's court filings are the names of one of the world's biggest publicly-traded oil companies and one of its longtime lobbyists: ExxonMobil and DCI Group. In an affidavit filed in the UK, a federal prosecutor identifies DCI as the firm that allegedly commissioned the hacking.
DCI was working for ExxonMobil when the attacks allegedly started around early 2016, according to federal lobbying records and Justice Department legal filings. At the same time, DCI was also consulting for New Venture Fund, a nonprofit known for working on progressive causes, including reducing the use of fossil fuels, according to tax filings NPR reviewed. During that period when DCI worked for both ExxonMobil and New Venture Fund, a senior advisor at the nonprofit was working with climate activists targeted by the alleged hacking operation.
Legal experts and researchers who track Washington's influence industry told NPR the relationship between DCI and New Venture Fund raises questions about what role that connection might have played in the alleged targeting of climate activists. Analysts at The Citizen Lab, a cyber watchdog at the University of Toronto, said in a report about the attacks that they were carefully tailored, suggesting hackers had a "highly detailed and accurate understanding" of the climate activists and their relationships.
"What you have unearthed is certainly a step investigators would want to look at," Barbara McQuade, a law professor at the University of Michigan and a former federal prosecutor, told NPR about the link between DCI and New Venture Fund.
In criminal cases, investigators map out relationships between individuals and organizations using things like financial transactions, phone records and tax filings, McQuade says. "When you layer them along with dates, sometimes you can find interesting patterns," she says.
The Justice Department didn't respond to a message seeking comment.
A DCI executive, Craig Stevens, declined to comment. Stevens previously told NPR that no one at the firm has been questioned by the U.S. government as part of the hacking investigation. "Allegations of DCI's involvement with hacking supposedly occurring nearly a decade ago are false and unsubstantiated. We direct all our employees and consultants to comply with the law," Stevens said. "Meanwhile, radical anti-oil activists and their donors are peddling conspiracy theories to distract from their own anti-U.S. energy activities."
ExxonMobil referred to a previous statement in which the company told NPR it has not been "involved in, nor are we aware of, any hacking activities. If there was any hacking involved, we condemn it in the strongest possible terms." The company has said it has repeatedly acknowledged "climate change is real, and we have an entire business dedicated to reducing emissions."
New Venture Fund President Lee Bodner told NPR that DCI worked on a project housed at the nonprofit that promoted education reform and Common Core state education standards with Republicans. Bodner says DCI wouldn't have had access to New Venture Fund's internal computer systems.
Hacking victim says the attacks felt like 'Big Brother had arrived'
The hacking operation against climate activists fits a widespread pattern in which companies and wealthy individuals use private investigators to conduct cyberespionage against opponents, often to discredit them in legal disputes.
As part of the Justice Department's long-running investigation into the hacking, an Israeli private investigator named Aviram Azari was sentenced to prison in the U.S. in late 2023 after pleading guilty to conspiracy to commit computer hacking, wire fraud and aggravated identity theft. Azari hired hackers who targeted American climate activists, as well as government officials in Africa, members of a Mexican political party and critics of a German company called Wirecard, according to federal prosecutors.
In a sentencing memo for Azari, prosecutors singled out ExxonMobil, saying the company used news stories based on information stolen from activists as part of its defense against state climate investigations. Prosecutors didn't accuse ExxonMobil or DCI of wrongdoing in that case.
"It felt like Big Brother had arrived," and "citizens opposing powerful interests have their communications surveilled," Lee Wasserman, director of the Rockefeller Family Fund, said at Azari's 2023 sentencing hearing in Manhattan. Wasserman was among those targeted by the hacking.
Months later, in early 2024, Amit Forlit, a business associate of Azari's, was arrested under an Interpol Red Notice at London's Heathrow airport on his way to Tel Aviv. The Justice Department has charged Forlit with conspiracy to commit computer hacking, conspiracy to commit wire fraud and wire fraud. Forlit has previously denied ordering or paying for hacking.
A former officer in Israel's internal security service, Shin Bet, Forlit said in a sworn statement after his arrest that he owns a security and intelligence-gathering firm whose clients include law firms, lobbyists and hedge funds. Another hearing in Forlit's extradition case is scheduled for April 17 in London.
A lawyer for Forlit said in a recent court filing that the hacking operation her client is accused of leading "is alleged to have been commissioned by DCI Group, a lobbying firm representing ExxonMobil, one of the world's largest fossil fuel companies."
Private eye's lawyer says U.S. hacking charges are part of an attack on ExxonMobil
The British judge overseeing Forlit's extradition case recently unsealed the U.S. indictment against him. In it, the names of the oil and gas company and the lobbying firm Forlit allegedly worked for are anonymized. Instead, the indictment refers to a "public affairs, lobbying, and business consulting company, headquartered in Washington, D.C.," that allegedly hired Forlit to target environmental activists as part of its work for "one of the world's largest oil and gas corporations, with headquarters in Irving, Texas."
However, an affidavit that a Justice Department prosecutor filed in support of the U.S. extradition request fails to anonymize the "D.C. lobbying firm" in one part of the document. About halfway through the 30-page affidavit, the prosecutor cites emails in which "DCI Group" employees allegedly shared versions of a stolen memo belonging to an environmental lawyer, as well as information about people who received the memo.
NPR couldn't confirm that the Justice Department is referring to DCI every time the affidavit mentions the "D.C. lobbying firm." However, the Justice Department only cites one lobbying firm in the affidavit.
According to the affidavit, the "D.C. lobbying firm" started working with Forlit at least as far back as 2013.
In 2015, an executive at the D.C. lobbying firm allegedly approached Forlit about targeting environmental and climate advocates, according to the affidavit. The affidavit details how the Justice Department alleges the hacking operation worked:
- The D.C. lobbying firm allegedly identified people and organizations it wanted to discredit as part of its work for the Texas oil company;
- Forlit or a co-conspirator allegedly gave Azari lists of people or accounts that were of interest to the D.C. lobbying firm;
- Azari then allegedly hired hackers to target the climate activists;
- Later, the lobbying firm allegedly shared with the oil company private documents — or versions of documents — that were "likely obtained through the successful hacking," according to the prosecutor's affidavit.
Soon after, the private documents appeared in media reports that were "designed to undermine the integrity of the civil investigations" into the oil company, the Justice Department alleges. The affidavit claims the oil company then "relied on the published articles about the stolen and leaked documents" in court filings to fight litigation.
DCI lobbied for ExxonMobil for about a decade, according to federal lobbying records. ExxonMobil was based in Irving, Texas, until mid-2023. Forlit's lawyer, Rachel Scott, said in a January court filing in London that the U.S. is trying to prosecute Forlit in part "to advance the politically-motivated cause of pursuing ExxonMobil."
ExxonMobil and other fossil-fuel companies face dozens of climate lawsuits filed by states and localities for allegedly misleading the public for decades about the dangers of burning fossil fuels, the primary cause of climate change. The lawsuits seek money to help communities cope with the risks and damages from global warming, including more extreme storms, floods and heat waves. The U.S. government is not part of the litigation. The fossil fuel industry says the lawsuits are meritless and politicized, and that climate change is an issue that should be dealt with by Congress, not the courts.
A private meeting among climate activists gets exposed in the press
In the affidavit, the Justice Department said the first example of alleged hacking of documents and leaking to the media came in 2016.
Early that year, Kenny Bruno, an environmental advocate, emailed an agenda for a closed-door strategy meeting to a group of climate activists. They planned to gather at the Manhattan office of the Rockefeller Family Fund, a philanthropy that supports initiatives to address climate change, inequality and threats to democracy. At the time, the fossil-fuel industry was under growing pressure as Democratic politicians urged the Justice Department to investigate whether ExxonMobil had misled the public about climate change. Climate activists were to meet at the Rockefeller office to hone their attacks on the company, according to the meeting agenda.
When Bruno emailed the agenda in January 2016, he and DCI were both working with the non-profit New Venture Fund, NPR has found in tax filings and documents related to the U.S. hacking investigation. The prosecutor's affidavit says that about a month after Bruno sent the email, around February 2016, an executive at the D.C. lobbying firm gave copies of the email to the firm's client, the unnamed Texas oil company.
NPR hasn't been able to find any evidence of how the D.C. lobbying firm allegedly got copies of the email with the agenda. Forlit's team was also asked around that time to dig up information about the activists who received Bruno's email, according to the Justice Department affidavit.
The agenda for the Rockefeller meeting then surfaced in media reports in April 2016. ExxonMobil and Republican lawmakers cited the document as they battled state climate investigations, saying activists and state prosecutors colluded to advance a political agenda.
Bruno says he didn't know DCI was a consultant for New Venture Fund at the same time he was there. He says he was working on a project housed at the nonprofit to limit oil production from Canadian tar sands. "I had no interaction with them," he says.
"If DCI was involved, they wouldn't have [had] access through their work with New Venture Fund," says Bodner, the nonprofit's president. Bodner adds: "Our [computer] systems didn't house that kind of sensitive project communication that would have been of most interest to the hackers."
As a so-called fiscal sponsor, New Venture Fund provides administrative, legal and accounting support for the projects that it hosts. New Venture Fund was the fiscal sponsor for the projects that Bruno and DCI, respectively, were working on when climate activists were targeted by hackers.
The leak of the Rockefeller agenda wasn't the only time private communications between environmental advocates appeared in the media in an apparent effort to shape public opinion.
In another example cited by the Justice Department, the D.C. lobbying firm allegedly obtained a private memo belonging to an environmental lawyer as early as March 2016. Around that time, an executive at the lobbying firm gave a copy of the document to the oil company, according to the prosecutor's affidavit.
It's in this portion of the affidavit where the anonymization of the D.C. lobbying firm lapses. The affidavit states that a version of the private memo was then emailed between "DCI Group" employees shortly before it was published in a news report in 2017. On the day the article was published, an executive at the D.C. lobbying firm emailed it to colleagues, the prosecutor's affidavit against Forlit alleges. The subject line of the email was "BOOM."
When the FBI interviewed Forlit a few years later, in the U.S. Embassy in London in 2021, they discussed his "connections with DCI," Forlit said in a sworn statement that was filed as part of his extradition case.
Kert Davies, director of special investigations at the Center for Climate Integrity and a target of the hacking, says DCI was instrumental in public relations work that helped ExxonMobil and others in the fossil-fuel industry fight efforts to cut heat-trapping emissions while politicizing the issue of climate change among voters.
The industry "sought division and debate to slow the policy wheel from turning," Davies says.
DCI executive said the firm is hired 'when the stakes are the highest'
Analysts at The Citizen Lab, the cyber watchdog group, said in a report several years ago that the attacks on climate activists were "well-informed." Hackers targeted campaigners and their family members with what are known as "phishing emails," which are used to gain access to sensitive information through impersonation or other deceptive means. Some of the messages seemed to refer to confidential documents related to ExxonMobil, The Citizen Lab said, while others impersonated people who were involved in lawsuits against the oil company.
That suggests hackers "had a deep knowledge of informal organizational hierarchies" among the climate activists, The Citizen Lab said. "Some of this knowledge would likely have been hard to obtain from [publicly-available information] alone."
The Citizen Lab report didn't mention Forlit or DCI, and it didn't draw conclusions about who may have commissioned the hacking. NPR hasn't been able to find evidence that DCI obtained any non-public information about climate activists through its work with New Venture Fund.
DCI has longstanding ties to the fossil fuel industry. In the early 2000s, ExxonMobil provided funding for a website DCI published called Tech Central Station, which the Union of Concerned Scientists called a "hybrid of quasi-journalism and lobbying." And from 2005 until early 2016, ExxonMobil paid DCI around $3 million to lobby the federal government, according to lobbying disclosures. DCI has also worked for a nonprofit that supports the U.S. coal industry, and another that launched a campaign in 2017 to push back on climate lawsuits targeting the fossil fuel industry.
In a post on the social media site X in March, a DCI executive, Justin Peterson, denied orchestrating the hacking campaign against climate activists. DCI "is retained by our clients when the stakes are the highest," the post says. "We are aggressive and we play to win. But we follow the law."
Copyright 2025 NPR