The spy was minutes from leaving Iran when he was nabbed.
Gholamreza Hosseini was at Imam Khomeini Airport in Tehran in late 2010, preparing for a flight to Bangkok. There, the Iranian industrial engineer would meet his Central Intelligence Agency handlers. But before he could pay his exit tax to leave the country, the airport ATM machine rejected his card as invalid. Moments later, a security officer asked to see Hosseini’s passport before escorting him away.
Hosseini said he was brought to an empty VIP lounge and told to sit on a couch that had been turned to face a wall. Left alone for a dizzying few moments and not seeing any security cameras, Hosseini thrust his hand into his trouser pocket, fishing out a memory card full of state secrets that could now get him hanged. He shoved the card into his mouth, chewed it to pieces and swallowed.
Not long after, Ministry of Intelligence agents entered the room and the interrogation began, punctuated by beatings, Hosseini recounted. His denials and the destruction of the data were worthless; they seemed to know everything already. But how?
“These are things I never told anyone in the world,” Hosseini told Reuters. As his mind raced, Hosseini even wondered whether the CIA itself had sold him out.
Rather than betrayal, Hosseini was the victim of CIA negligence, a year-long Reuters investigation into the agency’s handling of its informants found. A faulty CIA covert communications system made it easy for Iranian intelligence to identify and capture him. Jailed for nearly a decade and speaking out for the first time, Hosseini said he never heard from the agency again, even after he was released in 2019.
The CIA declined to comment on Hosseini’s account.
Hosseini’s experience of sloppy handling and abandonment was not unique. In interviews with six Iranian former CIA informants, Reuters found that the agency was careless in other ways amid its intense drive to gather intelligence in Iran, putting in peril those risking their lives to help the United States.
Such aggressive steps by the CIA sometimes put average Iranians in danger with little prospect of gaining critical intelligence. When these men were caught, the agency provided no assistance to the informants or their families, even years later, the six Iranians said.
James Olson, former chief of CIA counterintelligence, said he was unaware of these specific cases. But he said any unnecessary compromise of sources by the agency would represent both a professional and ethical failure.
“If we’re careless, if we’re reckless and we’ve been penetrated, then shame on us,” Olson said. “If people paid the price of trusting us enough to share information and they paid a penalty, then we have failed morally.”
The men were jailed as part of an aggressive counterintelligence purge by Iran that began in 2009, a campaign partly enabled by a series of CIA blunders, according to news reports and three former US national security officials. Tehran has claimed in state media reports that its mole hunt ultimately netted dozens of CIA informants.
To tell this story, Reuters conducted dozens of hours of interviews with the six Iranians who were convicted of espionage by their government between 2009 and 2015.
To vet their accounts, Reuters interviewed 10 former US intelligence officials with knowledge of Iran operations; reviewed Iranian government records and news reports; and interviewed people who knew the spies.
None of the former or current US officials who spoke with Reuters confirmed or disclosed the identities of any CIA sources.
The CIA declined to comment specifically on Reuters’ findings or on the intelligence agency’s operations in Iran. A spokeswoman said the CIA does its utmost to safeguard people who work with the agency.
Iran's Ministry of Foreign Affairs and its Mission to the United Nations in New York did not respond to requests for comment.
Hosseini was the only one of the six men Reuters interviewed who said he was assigned the vulnerable messaging tool. But an analysis by two independent cybersecurity specialists found that the now-defunct covert online communication system that Hosseini used – located by Reuters in an internet archive – may have exposed at least 20 other Iranian spies and potentially hundreds of other informants operating in other countries around the world.
This messaging platform, which operated until 2013, was hidden within rudimentary news and hobby websites where spies could go to connect with the CIA. Reuters confirmed its existence with four former US officials.
The CIA considers Iran one of its most difficult targets. Ever since Iranian students seized the American embassy in Tehran in 1979, the United States has had no diplomatic presence in the country. CIA officers are instead forced to recruit potential agents outside Iran or through online connections. The thin local presence leaves US intelligence at a disadvantage amid events such as the protests now sweeping Iran over the death of a woman arrested for violating the country’s religious dress code.
The six Iranians served prison terms ranging from five to 10 years. Four of them, including Hosseini, stayed in Iran after their release and remain vulnerable to rearrest. Two fled the country and have become stateless refugees.
Hosseini’s leap to espionage came after he had climbed a steep path to a lucrative career. The son of a tailor, he grew up in Tehran and learned lathing and auto mechanics, he said, showing Reuters his trade-school diploma.
Along the way, teachers spotted Hosseini’s intelligence and pushed him to study industrial engineering at the prestigious Amirkabir University of Technology, he said. Hosseini said a professor there put him in touch with a former student with ties to the Iranian government who eventually became his business partner.
Founded in 2001, their engineering company provided services to help businesses optimize energy consumption. The firm at first worked mainly with food and steel factories, Hosseini said, over time scoring contracts with Iran’s energy and defense industries. Hosseini’s account of his professional background is confirmed in corporate records, Iranian media accounts and interviews with six associates.
Hosseini said the company’s success made his family affluent, allowing him to buy a large house, drive imported cars and go on foreign vacations. But in the years after the election of President Mahmoud Ahmadinejad, who served from 2005 to 2013, his business teetered.
Under Ahmadinejad, a hardliner aligned with the country’s theocratic ruler, Iran’s security forces were encouraged to enter the industrial sector, increasing the military’s control over lucrative commercial projects. Established companies often found themselves relegated to the role of subcontractors for these newcomers, Iranian democracy activists said, shrinking their slice of the pie.
Before long, Hosseini said, all of his new contracts had to be routed through some of these firms, forcing him to lay off workers as earnings tumbled.
“They didn’t know how to do the work, but they took the lion’s share of the profits,” said Hosseini, his voice rising as he recounted the events a decade later. “It was as if you were the head of the company, doing everything from 0 to 100, and seeing your salary being given to the most junior employees. I felt raped.”
At the same time, US rhetoric was ramping up against Ahmadinejad. Washington viewed Iran’s president as a dangerous provocateur set on building nuclear weapons. Hosseini began to feel that his life was being destroyed by a corrupt system, and that the government was too erratic to be allowed to obtain nukes. His anger grew.
One day in 2007, he said he opened the CIA public website and clicked the link to contact the agency: “I’m an engineer who has worked at the nuclear site Natanz and I have information,” he wrote in Persian.
Located 200 miles south of Tehran, Natanz is a major facility for uranium enrichment. Archived web records from Hosseini’s engineering firm from 2007 say the company worked on civilian electrical power projects. Reuters could not independently confirm Hosseini’s work at Natanz.
A month later, to his surprise, Hosseini said he received an email back from the CIA.
Meeting with CIA agents, Hosseini said he explained that his company had several years earlier worked on contracts to optimize the flow of electricity at the Natanz site, a complex balancing act to keep centrifuges spinning at precisely the speed needed to enrich uranium.
Located in central Iran, Natanz was the heart of Tehran’s nuclear program, which the government said was to produce civilian electricity. But Washington saw Natanz as the core of Iran’s push to acquire nuclear weapons.
Hosseini said his firm was a subcontractor of Kalaye Electric, a company sanctioned in 2007 by the US government over its alleged role in Iran’s nuclear development program. He added that he was seeking additional contracts at other sensitive nuclear and military sites.
Hosseini unfurled a maze-like map showing the electricity connected to the Natanz nuclear facility.
While several years old, Hosseini explained, the map’s notations of the amount of power flowing into the facility provided Washington a baseline to estimate the number of centrifuges currently active. That evidence, he believed, could be used to assess progress toward processing the highly enriched uranium needed for a nuclear weapon.
Hosseini said he didn’t know it at the time, but Natanz was already in the crosshairs of US authorities. That same year, Washington and Israel launched a cyberweapon that would sabotage those very centrifuges, infecting them with a virus that would cripple uranium enrichment at Natanz for years to come, security analysts concluded. Reuters could not determine whether the information provided by Hosseini assisted in that cyber sabotage or other operations.
In subsequent meetings, Hosseini said, the CIA asked him to turn his attention to a broader US goal: identifying possible critical points in Iran’s national electric grid that would cause long and paralyzing blackouts if struck by a missile or saboteurs.
Hosseini said he continued to meet with the CIA in Thailand and Malaysia, in a total of seven meetings over three years. To show evidence of his travels, Hosseini provided photographs of entry stamps in his passport for all but his first two trips, for which he said he had used an older, now discarded, passport.
In August 2008, a year after becoming a spy, Hosseini said he met with an older, broad-shouldered CIA officer and others at a hotel in Dubai.
“We need to expand the commitment,” Hosseini recounted the officer saying. The officer handed Hosseini a piece of paper and asked him to write a promise that he would not provide the information he was sharing to another government, a CIA practice intended to deepen a feeling of commitment from an informant, two former CIA officials said.
Another CIA officer in the meeting then showed Hosseini a covert communications system he could use to reach his handlers: a rudimentary Persian-language football news website called Iraniangoals.com. Entering a password into the search bar caused a secret messaging window to pop up, allowing Hosseini to send information and receive instructions from the CIA.
When Hosseini lamented missing his daughter’s third birthday during one of the trips, he said a CIA officer bought him a teddy bear to give to the child. “I felt that I had joined the team,” Hosseini told Reuters.
What Hosseini didn’t know was that the world’s most powerful intelligence agency had given him a tool that likely led to his capture. In 2018, Yahoo News reported that a flawed web-based covert communications system had led to the arrest and execution of dozens of CIA informants in Iran and China.
Reuters located the secret CIA communications site identified by Hosseini, Iraniangoals.com, in an internet archive where it remains publicly available. Reuters then asked two independent cyber analysts – Bill Marczak of University of Toronto’s Citizen Lab, and Zach Edwards of Victory Medium – to probe how Iran may have used weaknesses in the CIA’s own technology to unmask Hosseini and other CIA informants.
The two are experts on privacy and cybersecurity, with experience analyzing electronic intelligence operations. The effort represents the first independent technical analysis of the intelligence failure.
Marczak and Edwards quickly discovered that the secret messaging window hidden inside Iraniangoals.com could be spotted by simply right-clicking on the page to bring up the website’s coding. This code contained descriptions of secret functions, including the words “message” and “compose” – easily found clues that a messaging capability had been built into the site. The coding for the search bar that triggered the secret messaging software was labeled “password.”
Far from being customized, high-end spycraft, Iraniangoals.com was one of hundreds of websites mass-produced by the CIA to give to its sources, the independent analysts concluded. These rudimentary sites were devoted to topics such as beauty, fitness and entertainment, among them a Star Wars fan page and another for the late American talk show host Johnny Carson.
Each fake website was assigned to only one spy in order to limit exposure of the entire network in case any single agent was captured, two former CIA officials told Reuters.
But the CIA made identifying those sites easy, the independent analysts said. Marczak located more than 350 websites containing the same secret messaging system, all of which have been offline for at least nine years and archived.
