Crown Prince Mohamed and Jeff Bezos’ Rocky Relationship Leads to Hack, Murder

Against the backdrop of strengthened relations between the United States and Saudi Arabia over the past few years, relations began between Saudi Crown Prince Mohamed bin Salman and Amazon founder and Washington Post owner Jeff Bezos. The two initiated communications through WhatsApp in April 2018, but cybersecurity experts at FTI Consulting believe that on May 1 the prince sent a downloadable video file containing hidden malicious code to Bezos’ iPhone through the popular messaging application. The malware went undetected for months while a proposal totaling $1 billion for Amazon to build multiple datacenters in Saudi Arabia was established. Around this same time, Washington Post columnist Jamal Khashoggi published a series of critical and damning articles about Prince Mohamed and the Saudi government. For reasons still not completely explained, Khashoggi was murdered on October 2 by assailants with ties to Prince Mohamed and the Saudi government, most notably al Qahtani, president and chairman of the Saudi Federation for Cybersecurity.

After the murder of the Washington Post columnist, tensions between the prince and Bezos increased. On January 10, 2019, a series of texts containing details of an affair between Bezos and his mistress surfaced in the National Enquirer. An investigation, sparked by potential information, implicated Prince Mohamed and the Saudi government as the source of the leak and ultimately led to a full cybersecurity investigation of Jeff Bezos’ phone. At its conclusion, FTI Consulting stated with “medium to high confidence that Jeff Bezos’ iPhone X was compromised via malware sent from a WhatsApp account used by Saudi Crown Prince Mohamed bin Salman.” The UN, for its part, demanded a formal probe to begin on January 22, 2020.

An Advanced Persistent Threat in Action

An advanced persistent threat is a detailed attack wherein a bad actor puts long-term malware on a device in an effort to continuously gather data, or uses the malware to gain access to a network. In the case of Jeff Bezos, the attack began from a downloaded video sent from a trusted source, Saudi Crown Prince Mohamed, but there are many other ways advanced persistent threat attacks can be introduced to a device or network. The most common tactics are malicious uploads/downloads or social engineering attacks, which companies face on a day-to-day basis. In the case of Bezos, after the video was downloaded, massive amounts of data were extracted from his iPhone, and the extraction continued undetected for months. According to the UN, “FTI Consulting found that six months before the video download, Mr. Bezos’ phone averaged about 430 kilobytes egress of data per day, a small amount. Within hours of receiving the video, that number rose, and the phone started averaging 101 megabytes for months afterward.”
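The egress figures quoted above suggest a simple detection: compare each day's outbound volume for a device against its own recent baseline and alert only when the jump persists. The following is an added example, not code from the article or from the FTI Consulting report; the function names, the thresholds (`window`, `factor`, `sustain`) and the sample series are assumptions, with only the 430 KB and 101 MB magnitudes taken from the quote.

```python
from statistics import median

KB, MB = 1_000, 1_000_000

def first_sustained_egress_jump(daily_bytes, window=14, factor=20.0, sustain=3):
    """Return the index of the first day of a sustained egress jump, else None.

    A day is anomalous when it exceeds `factor` times the median of the last
    `window` normal days. Anomalous days are kept out of the baseline so that
    ongoing exfiltration cannot become the new "normal".
    """
    normal = []        # trailing history of non-anomalous days
    run_start = None   # index where the current anomalous run began
    run_len = 0        # consecutive anomalous days seen so far
    for day, sent in enumerate(daily_bytes):
        if len(normal) < window:          # still learning the baseline
            normal.append(sent)
            continue
        baseline = median(normal[-window:])
        if sent > factor * baseline:
            if run_len == 0:
                run_start = day
            run_len += 1
            if run_len >= sustain:        # persisted long enough to alert
                return run_start
        else:
            run_len = 0                   # one-off burst: reset, keep learning
            normal.append(sent)
    return None

def build_sample():
    """Constructed per-day egress totals in bytes (not real telemetry)."""
    quiet = [430 * KB + (i % 7 - 3) * 15 * KB for i in range(30)]  # ~430 KB/day
    one_off = [12 * MB]          # single large upload, should not alert alone
    quiet_again = [430 * KB] * 5
    exfil = [101 * MB] * 10      # sustained jump, as in the quoted figures
    return quiet + one_off + quiet_again + exfil

if __name__ == "__main__":
    print("sustained jump starts on day", first_sustained_egress_jump(build_sample()))
```

Requiring several consecutive anomalous days trades a short detection delay for fewer alerts on legitimate one-off transfers such as a large upload.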

Threat actors commonly look for sensitive information, financial information, trade secrets or access to a network in an effort to cause damage to a company’s infrastructure. Actors using advanced persistent threat attacks are usually experienced government-funded cybercriminals who use the extracted data for political, financial or personal gain. The UN report references Saudi Arabia-owned Pegasus malware as a possible threat actor in the attack on Jeff Bezos. According to accounts, it costs a few hundred thousand dollars to create this type of NSO Group tool, then tens of thousands of dollars more to maintain. Saudi Arabia’s clear funding abilities, expertise in cybercrime and the attack on Bezos raise questions with regard to other reported communications between Prince Mohamed and other U.S. individuals.

With this recent high-profile cybercrime incident, companies and individuals are fine-tuning their cybersecurity practices to protect their organizations. When you receive emails, files or other communications from unknown individuals, always be cautious before opening. In the event it’s a known associate, always ask yourself if you were expecting the communication, and follow up over the phone if you aren’t sure.

How Can Schneider Downs Help?

The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. Learn more about our cybersecurity services at or contact the Schneider Downs cybersecurity team at [email protected].

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2021 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
