A controversial company that sells weaponized spyware has been penetrated by hackers who claim to have plundered more than 400GB worth of e-mails, source code, and other sensitive data—including invoices showing that the firm has done business in countries ruled by highly repressive governments.

Italy-based Hacking Team has long denied selling to nations with poor human rights records. It instead markets itself as a supplier of customized software for law enforcement departments and government agencies in countries with good human rights records. Its spyware, company officials have said, helps crack down on criminals and terrorists. Over the weekend, unidentified people claimed to hack Hacking Group computers and social media accounts and to make off with documents contradicting that narrative. As proof, the hacktivists posted invoices purporting to show malware sales to groups in Egypt, Russia, Saudi Arabia, Bahrain, the United Arab Emirates, Azerbaijan, Kazakhstan, and Uzbekistan.

"Since we have nothing to hide, we're publishing all our e-mails, files, and source code," the hackers wrote in a tweet that included a BitTorrent link to the alleged trove of documents. The statement was posted to the official Hacking Team Twitter account, which the hackers said had also been compromised (the account handle was changed to "Hacked Team").

Other tweets posted to the same compromised Twitter account and elsewhere purported to show passwords for Hacking Team support websites, e-mails sent by Hacking Team executives, and invoices. According to The Guardian, one June 2012 bill showed Hacking Team charging €480,000 for goods and services provided to the Sudanese national intelligence service. The British news organization reported a separate document showing Hacking Team negotiating with a third-party reseller to export malware to Nigeria. Other material reportedly showed Hacking Team executives discussing what to do should an independent report from the University of Toronto criticize the sale of hacking tools to Ethiopia for use in monitoring journalists.

Hacking Team engineer Christian Pozzi may have acknowledged the security breach. In a tweet, he wrote, "We are awake. The people responsible for this will be arrested. We are working with the police at the moment." The tweet and Pozzi's entire Twitter account were soon deleted. The official Hacking Team Twitter account was active as of press time, but Pozzi's account remained unavailable.

Long criticized by human rights groups

Hacking Team is known to sell a malware surveillance software known as Da Vinci. Its remote access tools also make it possible to compromise a wide variety of hardware, including Android and Blackberry phones and Windows devices. More recently, the US Drug Enforcement Administration and the US Army were identified as Hacking Team customers. (Kaspersky Lab has deep dives on Hacking Team technologies here and here.)

Hacking Team has long been criticized by human rights organizations. Reporters Without Borders, for instance, named Hacking Team as one of the "enemies of the Internet" because its software was used in countries known to be openly hostile to the press. Given the strong dislike of Hacking Team, it wouldn't be surprising if less law-abiding groups targeted the Italian firm and deliberately orchestrated a massive data breach.

It's not possible to immediately confirm the authenticity of the documents or the claim that more than 400GB of data was seized. Still, it's a safe bet that Hacking Team has suffered some sort of breach involving its corporate network. Assuming the hack is legitimate—and there are no indications so far it's not—it wouldn't be the first time a controversial surveillance firm has been penetrated. In 2014, documents leaked online showed that software created by the controversial UK-based Gamma Group International was used to spy on computers that appeared to be located in the US, the UK, Germany, Russia, Iran, and Bahrain.