Iraq, hacks and the Kingfish: The scandal that could bring down Prime Minister Sudani
Suadad al-Salhy
In late July, just after Iraq’s parliament went into recess and as MPs were beginning their summer holidays, dozens of them received a WhatsApp message from an unknown number.
At first glance, it appeared to be a screenshot of news breaking on an Iraqi satellite channel, suggesting that four members of the parliamentary finance committee had tampered with the budget they had voted on days earlier.
Most of the MPs didn’t dwell on the message. It’s not uncommon for them to receive such things.
But three weeks later another message was sent from the same number, this time to even more MPs. Its contents were shocking.
The message appeared to reveal details of a secret meeting between three influential political figures to agree on a candidate for the position of parliamentary speaker, which had been vacant since Mohammed al-Halbousi was removed by Iraq’s top court in November 2023 over forgery allegations.
Although the men were not named, they were referred to by titles which would have left no one in informed political circles with any doubt as to their identities.
Ahmed Abdullah al-Jubouri, the governor of Saladin province and leader of the Jamahir party, was referred to as “the leader”. Halbousi was “the forger”. (Halbousi has condemned his removal from parliament as “unconstitutional”. His Taqadum Party says he is a victim of “political targeting”).
The third man, called “the trustee”, was Qais Khazali, the commander of Asaib Ahl al-Haq, one of Iraq’s most powerful armed factions and a key leader of the ruling Coordination Framework alliance of Shia parties.
The trustee, the leader and the forger
“Both the trustee, the leader and the forger are preparing to nominate an MP known for his forged certificate as a candidate for the presidency of the parliament,” the message read. “The problem is that the judge is satisfied.”
The MP referred to was Ziad al-Janabi, the leader of the Initiative parliamentary bloc. Janabi had been accused by rivals of forging his academic certificate, but a judicial inquiry had dismissed this allegation. The judge appeared to be Faeq Zidane, head of the Supreme Judicial Council.
The sensitivity of the message’s content and the claim that Khazali would be involved in choosing the speaker contributed to its increased circulation among MPs, politicians and journalists.
Under Iraq’s power-sharing system, the position of speaker is customarily held by a Sunni politician and the suggested involvement of a controversial Iran-backed Shia leader in the process was incendiary.
Janabi himself filed a complaint with the Iraqi National Intelligence Service (INIS) to find out who was behind it, MPs and officials familiar with the case told Middle East Eye.
A few days later someone suspected of sending the message was arrested: Ali Mutair, an officer and IT specialist in the National Security Service (INSS) – a separate security agency to INIS – who had been seconded to the office of Prime Minister Mohammed Shia al-Sudani.
Not long afterwards, on 19 August, staff in Sudani’s office were implicated in another scandal.
A court specialising in terror cases arrested a network of people employed in the prime minister’s office. An MP who gave evidence to the court, Mustafa Sanad, accused those arrested of "dirty work", including wiretapping the phones of politicians and MPs.
Sanad accused Mohammed Juhi, an influential figure in Sudani’s office, of running the operation.
Since then, the scandal has grown exponentially as the scale of the alleged wiretapping operation has become clear.
Senior political figures and officials were among those allegedly bugged in an extraordinary security breach that has cast suspicion on Sudani’s close circle of allies and advisors, including his own brothers, Haider and Abbas, and a number of tribal cousins appointed to senior positions in his office.
"Have you ever heard of the night visitor? Mohammed (Juhi) was the night visitor. The case is huge," Halbousi said in a television interview in September.
A night visitor is a colloquial term in Iraq for someone who intrudes uninvited into the personal lives of others.
'Usurping of the state'
Following Mutair’s arrest, the first thing that caught the attention of investigators, led by a senior judge, Ali Jafat, was the presence of a number of pictures of politicians on his laptop.
Most of them were designed to look like screenshots taken from a breaking news broadcast.
At first, they seemed the kind of images often circulated to smear political figures. However, investigators would soon come to a different conclusion.
Under interrogation, Mutair said he had been working under Juhi’s supervision. That evening, on Jafat’s orders, security forces raided Juhi’s residence in Baghdad’s Green Zone, arresting him and seizing phones, laptops and other digital equipment.
"Juhi and his bosses did not expect that Jafat would dare to arrest him inside the Green Zone, nor did they expect it to happen so quickly," a senior official familiar with the raid told MEE.
Juhi, Mutair and five others - including security and intelligence officers working in Sudani’s office - were arrested then subjected to intense interrogation. By the end of August, investigators had uncovered the contours of what they assessed to be a far-reaching plot.
Zidane, the head of the judiciary, shared the initial findings of the investigation with the leaders of the Coordination Framework.
Essentially, they were told, the resources of Iraq’s intelligence agencies, the prime minister’s office and the offices of the heads of the military “were all at the service of Juhi and his network”, a prominent Coordination Framework leader told MEE.
Most top political leaders, ministers, MPs and senior officials had been hacked, and their conversations recorded. The heads of major public bodies, judges, prominent businessmen and clerics were also targeted.
“It is a usurping of the state and its institutions,” the Coordination Framework leader said.
Investigators also discovered dozens of voice messages and hundreds of text messages sent by the prime minister himself to Juhi.
According to the Coordination Framework leader, the messages “included explicit instructions to target some political leaders”.
Middle East Eye contacted three of Sudani's advisers, all intelligence officials familiar with the investigations. They confirmed the existence of these messages and their contents.
"The situation is tragic and we do not know how it will end,” one of the advisers said.
“If he [Sudani] says that Juhi and his group were working with his knowledge and approval, then this is a sin. If he says that they were working without his knowledge, then this is a disaster and a security breach beyond measure."
When contacted by MEE, Sudani's office declined to offer any comment.
The prime minister has yet to make any public comment on the allegations. In the weeks after the scandal broke his office denied Iraqi media reports about the alleged existence of a spying network within his office.
In an interview in early September, Subhan al-Mulla Jiyad, Sudani’s political adviser, denied that the case was linked to espionage and said it had been “exaggerated by some people”.
He blamed it on a “mistake” made by people in Sudani’s office.
“It could be blackmail, recording calls... it could be voice messages that included blackmailing some people, but it cannot rise to the level of espionage,” said Jiyad.
“This mistake was exploited and exaggerated for certain purposes. It could be for personal reasons or for other interests.”
A who's who of Iraqi political society
The judicial investigation into the so-called “Juhi network” is ongoing and strictly under the control of Jafat, who reports directly to Zidane to protect against any political interference.
And while neither has talked publicly, sources familiar with the case say the scope and scale of the scandal is becoming clearer.
The list of those targeted reads like a who’s who of Iraqi political society.
They include key Coordination Framework leaders and their families, including Nouri al-Maliki, the former prime minister; Khazali, the architect of Sudani’s government; and Mohsen al-Mandalawi, the deputy parliamentary speaker.
Halbousi, the former speaker, and Mohammad Ridha Sistani, the eldest son of Grand Ayatollah Ali Sistani who runs his father’s office, were also targeted.
The network also penetrated senior intelligence and security circles, according to a damage assessment report prepared by security officials and seen by MEE.
It indicates that Lieutenant General Abdul Amir al-Shammari, the interior minister, and Qasim al-Araji, the national security advisor, were both targeted.
And rather than Juhi, it identified Sudani’s military office director Lieutenant General Abdul Karim al-Sudani, who is a tribal cousin of the prime minister, as the head of the network. According to the assessment, “periodic reports” were also submitted to the prime minister himself.
“So far, all signs indicate that the network was formed for internal, not external, purposes,” a senior security official told MEE.
"The network aimed to tighten Sudani's grip on the political and security scenes to ensure that he would obtain more terms as prime minister."
Investigators have so far not publicly disclosed any information about their findings. But arrest and summons warrants issued in the course of their work have made it possible to piece together the broad outline of the plot.
The network appears to have used telecommunication companies to access its targets' call logs, two senior officials at the Iraq Communications and Media Commission (CMC) told MEE.
Call logs are records that contain metadata about phone calls and messages. They typically show caller and recipient phone numbers, times, dates and durations of calls, and location data.
“They took advantage of the facilities these companies provide to the prime minister’s office and requested them,” said one CMC official.
“Unfortunately, the companies cooperated with them and provided these records without court permissions.”
On 21 October, Jafat issued summonses to Ali al-Moayyad, chair of the CMC, and another CMC official.
“When the representatives of the mobile phone companies were questioned, they claimed they had received clear instructions from the CMC to fully cooperate with the prime minister’s office,” a member of the CMC’s board of trustees told MEE.
“Therefore, they did not hesitate to comply with the requests of Juhi and his group.”
Moayyad and the other official were questioned and released on bail, the board member said.
Moayyad did not respond to MEE’s requests for comment. However, a senior CMC official close to Moayyad told MEE that they usually ask telecom companies to cooperate with requests from the prime minister’s office.
“But they have never asked them to break the law or give private information about their clients,” he said.
The Kingfish
While call logs typically provide valuable data on a surveillance target’s contacts and movements, they do not allow for listening to calls or access to messages themselves.
Seeking a solution, Juhi and his fellow plotters acquired surveillance equipment used by INIS’s Eavesdropping and Targeting Unit, according to officials familiar with the investigation.
In particular, they used a US-made portable device called a Kingfish, two INIS officers and three of Sudani’s advisers told MEE. The Kingfish is used by law enforcement and intelligence agencies to track and intercept phone signals by mimicking a mobile phone tower.
The US supplied a number of Kingfish devices to Iraqi security agencies as part of military gear provided since 2015 to support the fight against Islamic State (IS) group militants.
A former INIS official told MEE that the US withdrew all of these devices in 2018 and 2019 “after it was proven that they were being used for personal purposes” - with the exception of the device designated to INIS.
“They transferred the device and the officers working on it from INIS to the prime minister's office," one of INIS’s officers told MEE.
Intelligence cousins
Sudani, who became prime minister in October 2022, has never appointed anyone to head INIS and instead holds that position himself.
He did, however, appoint Lieutenant General Abdul Karim al-Sudani, the director of his military office, as general supervisor of the agency, and Ahmed Ibrahim al-Sudani, another tribal cousin, as director of the office of the head of the agency.
In late August, arrest warrants were issued for both men. Both were questioned and released on bail, sources said.
Ahmed Ibrahim al-Sudani submitted his resignation to the prime minister immediately after his release. His resignation has not been officially accepted, but sources told MEE he has not resumed official duties.
MEE contacted both Lieutenant General Abdul Karim al-Sudani and Ahmed Ibrahim al-Sudani for comment.
Ahmed Ibrahim al-Sudani said: "By virtue of my responsibilities and job duties, I have no relation to the matter, neither directly nor indirectly.
"The matter is before the Iraqi judiciary, which is concerned with deciding on it."
Lieutenant General Abdul Karim al-Sudani had not responded to MEE at the time of publication.
In October, Haider Laith al-Sudani, the director of INIS’s Eavesdropping and Targeting Unit, who is also a tribal cousin of the prime minister, and six officers were arrested and remain under investigation.
Dozens of the spy agency’s officers, especially among those working in the Eavesdropping and Targeting Unit, have since been dismissed, suspended or transferred into different roles.
"It is as if an earthquake has struck the intelligence service," a senior officer told MEE.
“The breach is very large and there are suspicions and concerns that some information may be shared with an outside party.”
While the Juhi network is understood to have had access to call logs, and the Kingfish enabled them to listen to conversations and read messages exchanged over cellular networks, one final obstacle remained.
Most of those whose phones the network was trying to hack were routinely using encrypted apps such as WhatsApp, Signal and Telegram, whose contents they were still unable to access.
This is where the screenshots and provocative messages found by investigators on Mutair's laptop become relevant.
One senior intelligence official familiar with the investigation told MEE it is believed they were used to install “Trojan Horse” spyware viruses on targets’ phones.
“They sent messages loaded with a malicious virus. The sender needed only one click from the target, and the phone was in the hands of the hacker and the encryption was over,” he said.
A number of MPs who say they were targeted confirmed to MEE they had received such messages.
“As MPs, we receive dozens of images and written appeals via WhatsApp every day. As long as there are no suspicious links attached, we usually open these messages,” said one of them, Mohamed Nouri.
“All of us opened the messages we received without hesitation.”
'Major betrayal'
It is not clear when Jafat will conclude his investigation. But the judge has begun summoning the network’s victims to record their statements and ask them if they wish to sue the accused, suggesting that his work is almost complete.
Dozens of lawsuits have already been filed against those accused of involvement on charges including wiretapping, blackmail and threats.
A large number of these lawsuits are against the prime minister himself, several MPs told MEE.
Juhi, Mutair, Haider Laith al-Sudani and six intelligence officers remain detained, while others questioned as part of the probe have been released on bail.
None of those detained can be reached for comment and their court-appointed lawyers are not permitted to speak about the case.
For now, the wider turmoil that has engulfed the region prompted by Israel’s wars in Gaza and Lebanon, with Iraq facing the threat of Israeli attacks and Iraqi leaders under pressure from both the US and Iran, has distracted attention from Iraq’s own political crisis and bought Sudani and his government some time.
But a new scandal in recent weeks over leaked audio recordings in which a number of senior officials aligned directly with Sudani appeared to be asking for bribes suggests that the truce between the prime minister and his rivals has ended.
With elections expected by October 2025, some believe Sudani’s political fate has already been sealed.
Yasser al-Husseini, an independent MP, told MEE that the scandal amounted to a “coup de grace” for Sudani’s chances of continuing as prime minister.
Husseini said: "This is a major betrayal. A betrayal of the friends who brought [Sudani] to power. The lack of trust that this case has generated threatens the entire political process.
"The judiciary is the one that will determine the fate of Sudani's government. But I am absolutely certain that Sudani will not return to the position of prime minister again."