A BREEJ TOO FAR: How Abu Dhabi’s Spy Sheikh hid his Chat App in Plain Sight
This report examines the corporate structure of ToTok, a Voice over IP (VoIP) app associated with an Abu Dhabi-based company, Breej Holding Ltd. In December 2019, the New York Times reported that American officials said that the UAE Government spies on ToTok’s users, and that Breej was connected to UAE companies involved in earlier spying attempts. Google and Apple removed the app from their app stores, and ToTok has begun to aggressively fight the charges, calling them “defamat[ory],” a “shameless fabrication,” “vicious rumours,” “deranged,” and “absurd.”
- Three companies connected to the ToTok app are linked to Sheikh Tahnoon bin Zayed al-Nahyan, a “senior UAE intelligence official.” Tahnoon’s adopted son is the sole director of “Breej Holding Ltd,” listed in the Apple App Store as ToTok’s developer. An executive at Tahnoon’s Royal Group is the sole director of “ToTok Technology Ltd,” and Tahnoon’s PR Manager is the sole director of “Group 42 Holding Ltd,” the company that appears to have created the ToTok app. (Section 2: Who’s Behind ToTok?)
- Group 42 is a UAE-based artificial intelligence company, whose CEO is the former CEO of Pegasus LLC,¹ a one-time division of DarkMatter Group. Pegasus LLC appears to have been renamed “PAX AI,” and now seems to be a division of Group 42. Group 42 appears to have created ToTok as an app called “G42 IM,” based on YeeCall, a VoIP app written by a Chinese company. Interestingly, YeeCall’s COO, Senior Developer, and Design Director all appear to be connected to ongoing development or promotion of ToTok. (Section 4: Who Developed ToTok?)
- After the December 2019 New York Times report on ToTok, the app’s purported co-founders, Giacomo Ziani (“Giac”) and Long Ruan, emerged for the first time. Before December 2019, Giac’s LinkedIn profile listed him as “Marketing and Communications Manager” at Group 42, and Long’s listed him as the COO of YeeCall. After a December 2019 update to their LinkedIn profiles, these positions were truncated to end in July 2019, and ToTok co-founder positions were added, backdated to August 2019. (Section 5: ToTok’s Backdated Founders)
1. ToTok: The Story so Far
ToTok is a popular VoIP and chat app that was formerly offered for free on the iOS App Store and the Google Play store, until Apple and Google removed it on or around 20 December 2019. Before it was removed, the Google Play store recorded that ToTok had more than 5 million installs, and the iOS App Store ranked ToTok as the #4 app in the “Social Networking” category, just behind WhatsApp at #3.
The iOS version of the app was listed as developed by a UAE-based company, “Breej Holding Ltd,” (Figure 1) whereas the the Android version was listed as developed by “ToTok.”
ToTok appears to have been first promoted in a series of two articles on 28 August and 29 August in Al-Ittihad, an Arabic language government-owned newspaper in the UAE. The articles emphasize how the app is available for free, has no advertisements, uses “artificial intelligence” to improve call quality, and is not blocked in the UAE. Indeed, ToTok does not appear to have ever been blocked in the UAE, which is interesting given its popularity, and because the UAE blocks VoIP features of many popular apps, including WhatsApp, Viber, Skype, and FaceTime. We are also not aware of any report that ToTok was ever licensed by the UAE’s Telecommunications Regulatory Authority (TRA). A TRA regulation allows any VoIP licensee to “block” any unlicensed VoIP service, “unless instructed by the TRA to do otherwise.” The UAE’s telecom duopoly, Etisalat and Du, are VoIP licensees.
On 22 December, the New York Times reported that ToTok was developed as a spy tool “used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.” The report was based on “American officials familiar with a classified intelligence assessment.” As part of their reporting, the New York Times contacted Google and Apple, who removed the app from their stores.
Following the New York Times report, ToTok began an aggressive campaign to convince Google and Apple to reinstate their app. On 24 December, ToTok published a statement from “Giac and Long,” ToTok’s purported co-founders, in which they called reports that ToTok was a spy tool “defamat[ory],” a “shameless fabrication,” “vicious rumours,” “deranged,” and “absurd.” On 27 December, ToTok published an on-camera appeal to Google and Apple recorded by Giac. The two co-founders then gave an exclusive interview about ToTok’s origins to Dubai-based English language newspaper Khaleej Times on 28 December, in which they appeared with ToTok T-shirts and mugs.
We began investigating ToTok using open source intelligence (OSINT) techniques in early December, and are able to substantiate that the app is linked to UAE intelligence. We provided a copy of our findings to the Associated Press prior to publication.
In the remainder of our report, we explore who is behind ToTok in Section 2: Who’s Behind ToTok, introduce Sheikh Tahnoon in Section 3: Abu Dhabi’s Spy Sheikh, examine how Group 42 apparently created ToTok in Section 4: Who Developed ToTok, investigate Giac and Long in Section 5: ToTok’s Backdated Founders, and conclude in Secion 6: ToTok: Not Spyware, but Not Safe to Use.
2. Who’s Behind ToTok?
We identified three companies registered in the United Arab Emirates that appear to be behind ToTok: “Breej Holding Ltd,” listed in the Apple App Store as ToTok’s developer, “ToTok Technology Ltd,” whose name appeared in TLS certificates connected to ToTok, and “Group 42 Holding Ltd,” the company that appears to have created the ToTok app (Section 3). All three companies have links to Sheikh Tahnoon bin Zayed Al-Nahyan, the UAE’s National Security Advisor, the son of the UAE’s late founder Sheikh Zayed, and also a full brother of Mohammed bin Zayed, the powerful Crown Prince of Abu Dhabi. We summarize the corporate structure behind ToTok in Figure 2, and explain it in the remainder of this section.
ToTok’s iOS app developer, “Breej Holding Ltd,” is registered in the Abu Dhabi Global Market (ADGM), a Financial Free Zone in the UAE similar to the Dubai International Financial Centre (DIFC). According to ADGM’s Public Register, the company has a single director, a “Hasan Mohamed Saif Hasan Alremeithi” (Figure 3), and a single investor “HMR Investment SPV RSC Ltd.” Another company linked to the ToTok app, “ToTok Technology Ltd,” is also registered in the ADGM. The “ToTok Technology” company name appears in TLS certificates used by ToTok. That company has a single director, a “Osama Hussein Saleh Hussein Alahdaly,” and a single investor “G42 Enterprises Holding RSC Ltd.” All records of ToTok Technology and Breej Holding disappeared from ADGM’s Public Register on or around 25 December 2019, several days after the New York Times report on ToTok. The records were reinstated around 1 January 2020.
Someone with the exact same name as ToTok Technology’s sole director, “Osama Hussein Saleh Hussein Alahdaly,” is listed as a Person with Significant Control of a UK-based spring water company. His address is listed as the address for Royal Group UAE, Sheikh Tahnoon’s holding company.
According to a list of registered voters in Abu Dhabi published by UAE newspaper Emarat Al Youm in 2011, there is an individual with the exact same name as the sole director of Breej Holding, “Hasan Mohamed Saif Hasan Alremeithi” (“حسن محمد سيف حسن الرميثى”)² whose date of birth is listed as 27 February 1984. There is a Hassan Al-Rumaithi³ with the same birthdate who is a professional MMA and Jiu-Jitsu fighter. A profile of this Hassan Al-Rumaithi states that he is Sheikh Tahnoon’s adopted son. Al-Rumaithi maintains a Facebook page for Sheikh Tahnoon, where he regularly posts pictures of Sheikh Tahnoon meeting foreign heads of state and dignitaries, including Jim Mattis (then US Secretary of Defense), and Vladimir Putin, President of Russia.
Al-Rumaithi appears to be linked to Tahnoon’s company Mauqah Technology,⁴ placing first overall in the “Mauqah Technologies Corporate Cycle Race” in October 2014. Interestingly, Al-Rumaithi also appears to have placed 16th in the Al Wathba Cycle Challenge in August 2014, in which his age was incorrectly reported as 24 (he would have been 30 based on his birthdate).
Breej shares an address (2458 Al Sila Tower) with “ALPHA MANAGEMENT LIMITED.” Alpha bill themselves as “Business Set-Up Consultants,” (Figure 5) offering a registered address for companies along with other corporate services.
The ADGM Public Register records 101 companies set up with Alpha’s address, including and after the founding of Alpha, so we assume these companies are serviced through Alpha. Two Alpha-serviced companies, “AQMARTECH HOLDING LTD” and “MARSTECH HOLDING LTD,” were registered by Tahnoon’s deputy Akhtar Saeed Hashmi, one of the operators of a spyware system sold to the UAE by Italian vendor Hacking Team. Both AqmarTech and MarsTech have websites that purport to be mobile app development companies, with business descriptions apparently copied from other websites.
We identified an interesting linkage between Al-Rumaithi’s company Breej, and Hashmi’s companies AqmarTech and MarsTech. While the three companies were registered on different dates in 2019 (Breej on 12 February, and AqmarTech and MarsTech on 17 February), the ADGM Public Register records that “Corporate Services” filings were made several minutes apart on 20 February 2019 (16:02:51 for MarsTech, 16:03:15 for AqmarTech, and 16:04:16 for Breej).
3. Abu Dhabi’s Spy Sheikh
Sheikh Tahnoon Bin Zayed Al-Nahyan generally maintains a low profile, but is reported to be a “senior UAE intelligence official.” Sheikh Tahnoon has also been reported to be involved in a number of foreign policy and espionage operations. For example, he was allegedly involved in an operation to buy influence in the Trump White House, a secret trip to Iran to ease tensions, and was recently accused of being involved in a plot to infiltrate an anti-government movement in Iraq.
Sheikh Tahnoon was also linked to a hack of UAE activist Ahmed Mansoor’s computer. In 2012, Mansoor was targeted with Hacking Team’s Remote Control System spyware via a malicious email attachment. He opened the attachment, his computer was infected, and his email account was accessed from several IPs in the United Arab Emirates. Citizen Lab reported that the command and control (C&C) server that the spyware sent his personal information back to was a website called ar-24[.]com, which briefly pointed to the IP address 220.127.116.11, which is registered to Sheikh Tahnoon’s office, according to WHOIS records.
inetnum: 18.104.22.168 – 22.214.171.124
descr: Office Of Sh. Tahnoon Bin Zayed Al Nahyan
descr: P.O. Box 5151 , Abu Dhabi, UAE
According to emails leaked in 2015 from Hacking Team, Sheikh Tahnoon’s company Mauqah Technology was the operator of a Hacking Team spyware deployment in the UAE. Hacking Team sold the system to Mauqah for €1.2 million (Figure 7). Two of Sheikh Tahnoon’s deputies, Syed Basar Shueb⁵ and Akhtar Saeed Hashmi⁶ ran the spyware deployment. Hacking Team’s leaked customer database recorded this customer as “UAEAF” and “UAE Air Force.” At the time, Sheikh Tahnoon was the chairman of the UAE Amiri Flight.
4. Who Developed ToTok?
While examining Breej’s website (breej.vip) using RiskIQ, we found the TLS certificate in Figure 8, which appears to connect three entities: Breej, “Group 42,” described as a ” leading Artificial Intelligence and Cloud Computing company based in Abu Dhabi,” and “YiKuaiHuDong Beijing Technology Co., Ltd,” (“北京一块互动网络技术有限公司,” translated as “Beijing YeeCall Interactive Network Technology Co, Ltd.”) a Beijing-based company that develops a VoIP app named YeeCall (一块), which is available on both the iOS and Android stores, and was updated as recently as October 2019. YeeCall’s description on the Google Play Store mentions that it provides “Free unblocked video and voice calls for users who live in UAE, Saudi Arabia, Oman, Qatar, Egypt, India, Pakistan, Bangladesh, Philippines, US and more.”
We next examined Group 42’s website (g42.ai) using RiskIQ, and found a subdomain (im.g42.ai) that previously hosted the development version of an iPhone and Android app called “G42 IM.” We found a copy of this app on VirusTotal, which VirusTotal records was downloaded from im.g42.ai. The app contains Group 42’s branding (Figure 9), and appears to be a modified version of YeeCall. We found a Chinese-speaking account on GitHub (@risechen), who appeared to be a developer or tester first of G42 IM and later ToTok, based on two GitHub issue reports he filed that contain stack traces from those apps. In late July 2019, im.g42.ai started redirecting to im.totok.ai. The redirect and the shared developer/tester appear to imply that the G42 IM application was rebranded as ToTok in July 2019.
ADGM’s Public Register lists Group 42’s sole director as “Mr. Hamad Khlfan Ali Matar Alshamsi,” who, among his many titles, is “Public Relations Manager at the Office of H.H. Sheikh Tahnoun Bin Zayed Al Nahyan.” The Register lists Group 42’s sole investor as “HKS Investment SPV RSC Ltd,” which as a Restricted Scope Company (RSC) does not need to make public details of its directors or investors. However, it is potentially telling that “HKS” matches the initials of Group 42’s director “Hamad Khlfan Shamsi,” just as Breej’s sole investor “HMR Investment SPV RSC Ltd” (also an RSC) matches the initials of Breej’s director “Hasan Mohamed Remeithi.”
Group 42’s CEO is Peng Xiao, former CEO of DarkMatter Groups’s Pegasus LLC division. DarkMatter is noteworthy because a hacking unit (“Project Raven”) that targeted UAE activists around the world reportedly operated under its auspices. The hacking unit was exposed by Reuters in a January 2019 report. IntelligenceOnline reported that following the Reuters report, DarkMatter was “abruptly taken in hand by the authorities” and various units were transferred to other companies.
Pegasus LLC appears to have been renamed “PAX AI,” as an online job posting apparently written for Pegasus is now listed under PAX AI. PAX also appears to be a division of Group 42; Group 42’s “News” page lists “PAX” (Figure 10), and we found an individual on LinkedIn whose job description is listed as “HR Business Partner at Group 42, Heading HR for PAX-AI.”
According to historical WHOIS data on RiskIQ, PAX’s website was registered by a “Martin Pegman,” the same registrant name as Group 42’s website (g42.ai). We found a “Martin Pegman” on LinkedIn who is listed as “Director of Technical Operations — Group 42.” His LinkedIn page reports he has been working for Group 42 in Abu Dhabi since March 2016, but we could not identify any UAE corporate entity with the name “Group 42” registered prior to June 2018. A previous version of Pegman’s LinkedIn page apparently listed his position as “Infrastructure Operations at DarkMatter LLC” (per a Google crawl), a position missing on his current LinkedIn page. This appears to indicate that Pegman’s DarkMatter position was transferred to Group 42.
5. ToTok’s Ex Post Facto Founders
On 24 December, after the New York Times report, ToTok’s website issued a statement, signed by “Giac and Long, ToTok Cofounders.” This appears to be the first time that the names “Giac” and “Long” were associated with ToTok. “Giac” appears to be Giacomo Ziani, and “Long” appears to be Long Ruan, and both are apparently associated with Group 42. Twitter and LinkedIn profiles for Giac and Long appear to have been recently updated to include positions at ToTok backdated to August 2019.
On 27 December, ToTok published a video on their newly created official Twitter account, @ToTokMessenger, in which Giac appealed to Apple and Google to restore ToTok to their app stores.
When Google indexed Giacomo Ziani’s LinkedIn page in December 2019, he was listed as “Marketing and Communications Manager” at Group 42 from “June 2019 — Present (7 months).” As of 27 December, the position name had been changed to “Marketing and Comms Manager,” and had been truncated to end in July 2019, and a new position “ToTok: Co-Founder — Head of Business” backdated to August 2019 had been added.
Giac’s Twitter account was also renamed from @GiacomoCurly to @Giacomo_Ziani some time after 21 December (as per Google’s cache), and the account description was changed to add a reference to ToTok.
When Google indexed Long Ruan’s LinkedIn page in October 2019, Long was listed as the “Chief Coin Officer” of the “Yee Blockchain Project,” and Chief Operating Officer of YeeCall from “September 2017 — Present (2 years 1 month).” As of 27 December, the “Chief Coin Officer” position had been removed, his COO position had been truncated to end in July 2019, and a new position “ToTok: Co-Founder, Head of Technology” backdated to August 2019 had been added.
Interestingly, the only “Activity” on Long Ruan’s LinkedIn page shows him liking a post about Group 42’s Artemis supercomputer (Figure 13), suggesting that Long may have some connection to Group 42.
Based on the backdated LinkedIn updates, the apparent lack of any public mention of Giac or Long’s association with ToTok before December 2019, and the deletion of data about Breej Holding from the ADGM Public Register on or around December 25, we believe that the “Giac and Long” personas are an attempt to establish an ex post facto cover story for ToTok’s genesis.
Long Ruan does not appear to be the only individual connected to YeeCall also involved with ToTok. Sam Huang, whose LinkedIn page lists his current position as “Senior Developer (老码农) at YeeCall.com 一块互动,” appears to maintain the Twitter account @sam721213 (“sam huang”), as the account retweeted a video of Sam posted by a YeeCall account. We believe Sam is linked to ToTok, because his Twitter account was apparently the first follower of @ToTokMessenger, he retweeted Giac’s video statement, and he posted an article from Gulf News entitled “UAE law strictly prohibits espionage, TRA responds to ToTok allegations.”
We also found a video on YouTube entitled “ToTok Review” posted on 26 July 2019, which showcases some of ToTok’s features. This appears to be the first video that mentions the ToTok app ever uploaded to YouTube. The video was uploaded by an account called “FU PENG.” We found a “Fu PENG” on LinkedIn who lists his current position as “Design Director — YeeCall Network Limited.”
While Long Ruan told Khaleej Times that ToTok “purchased [YeeCall’s] code to speed our development,” it appears that the involvement between YeeCall and ToTok is deeper: YeeCall’s COO, Senior Developer, and Design Director are all apparently connected to ongoing development or promotion of ToTok.
6. ToTok: Not Spyware, but Not Safe to Use
Security researcher Patrick Wardle examined the iOS version of ToTok for malicious behavior, and found none. ToTok subsequently issued a statement citing Wardle’s negative result as proof that the app was safe to use, and mentioning his status as a former NSA employee.
However, our distractors continue to spread misinformation and stir up the “spying” allegations, to vilify our work, to jeopardize our business, even to insult our users by mocking their enthusiastic appreciation of ToTok.
Here is the fact — since day one, we have built ToTok with user security and privacy as our priority.
Don’t just take our word for it. A technical analysis by a former NSA employee has concluded ToTok “simply does what it claims to do, and really nothing more… no exploits, no backdoors, and no malware”.
Many popular communications tools have similar architectures to ToTok, in which administrators could theoretically read a user’s messages or listen in on a user’s VoIP calls. Several popular examples include Gmail, Google Hangouts, Facebook Messenger, Telegram, and Twitter. However, what distinguishes ToTok from these apps is its corporate structure (Figure 2), which shows several significant connections to Abu Dhabi’s sprawling intelligence apparatus, including artificial intelligence companies that explicitly perform big data analytics. Also worrying is ToTok’s apparent use of subterfuge to try to disguise its real owners.
ToTok appears to be the latest case of a digital platform surreptitiously operated by a nation state to obtain a strategic advantage in intelligence gathering. In October 2019, Check Point Research reported on an app called IndexY, which provided a caller ID service for unknown numbers. The app functioned in much the same way as other popular caller ID apps like TrueCaller, by collecting the address books of users who had installed the app. When a user received a call from a number not in their local address book, their phone would contact the IndexY servers, which would report the names that other users had had assigned to that number in their address books. IndexY’s code included reference to an alias called “Shenno,” which appears to be connected to the Egyptian Government’s Technology Research Department.
When examined through the lens of legitimate apps with similar functionality, the subterfuge of apps like ToTok and IndexY appears puzzling. Why not simply have a legitimate UAE technology company develop and release a chat app, which has the ability and obligation to provide unencrypted messages in bulk to UAE intelligence or law enforcement organs upon lawful request? Of course, when it comes to matters of national security, the law in the UAE has flexible interpretation and boundaries, so users would do well to avoid such an app. But could Apple and Google credibly remove a popular app from their stores whose only transgression is responding to UAE Government process?
Ironically, the lack of UAE companies that could plausibly develop and run such a service may be due to the UAE’s VoIP licensing requirements. Unfortunately for the UAE’s surveillance ambitions, the very public ToTok fiasco may have poisoned the well. Future UAE-built apps and digital platforms may well be looked upon with suspicion for some time.
: No relation to NSO Group’s Pegasus spyware.
: Sometimes the two dots from the Arabic letter ي (ya’) are ommited when the letter ends a word.
: Arabic transliterations can result in several different spellings. For example, Al-Rumaithi and Alremeithi are both transliterations of the Arabic الرميثي.
: The mailserver for the company’s domain “mail.mauqah.com” pointed to IP address 126.96.36.199 between October 2011 and November 2015, according to RiskIQ. That IP address is registered to “Office Of Sh. Tahnoon Bin Zayed Al Nahyan.”
: Syed Basar Shueb is “general manager of the Pal Group of Companies, a subsidiary of the Abu Dhabi-based Royal Group chaired by His Highness Sheikh Tahnoon Bin Zayed Al Nahyan.”
: Akhtar Saeed Hashmi is the CEO of Mauqah Technology, as well as the CEO of Royal Technology Solutions (RTS).