“Welcome to Security Analyst Summit 2018,” the woman says, referring to what’s known as SAS, the annual conference thrown by Russian antivirus company Kaspersky Lab. This year, the conference drew 320 people, 231 of whom were non-Kaspersky Lab employees, according to the company. There were Israelis, Europeans, Americans, Russians, and others. Among the attendees were industry experts, law enforcement agents, and hackers who used to work for British and American spy agencies.

In early March, at a five-star hotel in Cancun, Mexico, the lights go off, the room turns dark, and a woman wearing a shiny white dress appears on a screen that’s as wide as the stage.

“Welcome to SAS X World, a place where the only limit is your imagination,” she says, in another nod to the show. “Answer the main question, who are you really?”

“For the 10th anniversary of SAS, we’ve created something special. It’s a new story, with new rules and new roles,” the woman in the video said. Lights flash around the room, music blasts, and eight actors wearing Old West costumes, in a nod to the TV show Westworld, appear on stage.

Meanwhile, several news stories alleged that the company’s software helped Russian intelligence services steal highly classified documents from a US National Security Agency contractor. The company’s most recent move to show it’s independent from the Russian government has been to announce a new data center in Switzerland that will store information from customers in the US, Europe, Japan, Korea, Singapore and Australia.

The government bans have also spilled over to the private sector. Best Buy stopped sales of the software, some of Kaspersky Lab’s financial customers dropped it, and more recently, Twitter banned the company from advertising on its platform.

Kaspersky Lab has been mired in an ongoing crisis. First, on the heels of the congressional inquiry into Russian meddling in the 2016 American presidential elections, the US government proposed and eventually passed a federal ban and purge on the use of Kaspersky Lab software across all government agencies. The British and Dutch governments have since followed suit.

It’s an unintentionally appropriate way for Kaspersky Lab to open its biggest event, since many attendees and the cyber security world at large have the same question for the company.

Eugene Kaspersky declined to talk to me during SAS, but agreed to answer follow-up questions via email afterward. In our written correspondence, he dismissed concerns over the company’s future, saying the company’s financial results in 2017 were “positive,” and that it remains operating in the US and the West. (Late last year, the company closed down one of its offices in the US.)

Kaspersky, whose full name is Yevgeny Valentinovich Kaspersky, graduated from a KGB school before becoming a cybersecurity entrepreneur. He seemed reticent to address the controversy between his company and the US government. It was perhaps a strategic move intended to send the message that, despite all the fuss in the news, Kaspersky Lab is trucking along.

“I'm not a speaker for this conference,” Eugene Kaspersky said. “Actually there are very, very few conferences I'm not a speaker [for], and SAS is one of these events. So I'm not going to waste your time. I want to enjoy this event together with you. Thank you, morning, and back to work.”

Shortly after the promo reel with the woman dressed in white ended, Eugene Kaspersky, the 52-year-old Russian founder of the company, took the stage. His five o’clock shadow and ice cold blue eyes reflected the lights in an otherwise dark room.

So what is Kaspersky Lab, really? Is the 20-year-old company behind one of the most popular antivirus programs in the world an arm of Vladimir Putin’s Kremlin? Or is the self-proclaimed “company to save the world” a victim of US government protectionist propaganda? Is SAS simply a networking event with an open bar where the company shows off the latest work from its researchers, who are some of the most well-respected malware hunters in the world? Or is it a chance for the company to expose highly sensitive, ongoing American intelligence operations, and—as some in the cybersecurity world told me—perhaps a chance for spies to keep tabs on attendees?

At the same time, Kaspersky Lab continues to have a good reputation in the industry. Its team of researchers is widely respected by its peers for its ability to find sophisticated government malware—regardless of where it’s from—and its software is considered one of the best to catch malware on your computer.

“Someone was complaining—or you could say whining—that we’re very aggressive when it comes to chasing malware or catching threat actors,” Raiu told me. “I'd like to say, ‘hell yeah!’ There’s no such thing as being too aggressive when it comes to chasing the bad guys in malware.”

Kamluk’s boss, Costin Raiu, the head of GReAT, Kaspersky Lab’s Global Research and Analysis Team, likewise defended the company’s history of going after all hackers, including nation-state hackers, be they American, Russian, or from another country. Earlier this month, GReAT discovered a cyber espionage campaign from a team Kaspersky Lab called ZooPark, which others in the industry believe is connected to the Iranian government, which is a Russian ally.

“We don’t have any problems with the US government, they have some issues with us,” fellow Kaspersky Lab researcher Vitaly Kamluk said during a press conference on the morning of SAS’s first day. “We just do our job and we do it good.”

The format of Bartholomew’s debate assigned speakers a position they had to defend, regardless of their true beliefs. Speakers were encouraged to be outspoken, almost to the point of satire. Bartholomew was clearly being facetious, though he and his colleagues insist the company is innocent and has been unfairly treated by the media and American authorities.

“You guys have all heard the fake news propaganda about Kaspersky stealing classified documents,” Brian Bartholomew, an American security researcher at Kaspersky Lab, joked during a live debate on disinformation and fake news on the first day of SAS. “You guys are smart enough to understand that that shit’s not real.”

Over the course of the two-day conference, some of the company’s researchers were happy to talk about the cloud hanging over the company.

“We only have one rule when it comes to our research—we detect and report on all malware; it does not matter what language it speaks, its origin or purpose,” Eugene Kaspersky told Motherboard. “There is no such thing as good malware. Ever.”

The company initially denied the accusation, but in an October blog post, Kaspersky Lab said that in 2014 its software automatically detected malware from a sophisticated espionage group on a user’s computer. According to Kaspersky Lab, the user’s computer was infected with malware, and his anti-virus detected the run-of-the-mill malware as well as a suspicious .zip file. That .zip file turned out to contain source code and classified documents belonging to Equation Group, Kaspersky Lab’s codename for a cyberespionage unit widely believed to be the NSA. When researchers alerted Eugene Kaspersky to the discovery, he ordered them to delete the source code and documents, according to the company.

Tensions between the US government and Kaspersky Lab were first reported in mid-2017, but they ratcheted up in October, when The New York Times and The Wall Street Journal dropped a bombshell. In 2015, Israeli government hackers broke into Kaspersky Lab servers, an incident the company acknowledged but downplayed by saying no sensitive data was stolen. But according to the new reports, the hackers watched in real-time as Russian spies used Kaspersky Lab’s antivirus to scan for classified and sensitive US government documents, and then stole some.

The NSA and its military counterpart, the US Cyber Command, had known that Kaspersky Lab had discovered and detected its malware used in intelligence operations a year before the Russian company went public with the Equation Group research, according to two sources who worked in the US intelligence community at the time. The sources asked to remain anonymous to discuss sensitive intelligence issues.

At SAS 2015, Kaspersky Lab published an in-depth report detailing the activities of Equation Group, which the company described as the “gods of cyberespionage.” The company, as usual, didn’t publicly identify who was behind the group’s moniker. The company wrote that it was “either the same [group] or working closely together” with the developers of the sophisticated and stealthy Stuxnet, malware created to sabotage Iranian nuclear centrifuges. Last year, data released by a mysterious group who call themselves The Shadow Brokers linked the NSA to Stuxnet.

It’s not just alleged spying, though. Those who believe the company is a front for the Kremlin point to some of the company's most high-profile research.

Eugene Kaspersky told Motherboard that these challenges are based “on nothing but rumors and unverified allegations,” and “zero evidence of any wrongdoing.”

The US intelligence community, for now, hasn’t provided any evidence—at least to the public—that this incident proves what’s been rumored for years: that Kaspersky Lab has deep, dangerous, ties with the Russian government.

The hackers behind the operation, the researchers explained, were going after routers, specifically at internet cafes in the Middle East. The day before, at a press briefing, Raiu, the head of GReAT, said that while the company didn’t know who was behind Slingshot, it did know the hackers’ skills matched those of Equation Group and Regin—a cyberespionage group widely believed to be the UK’s spy agency GCHQ.

On the second day of the conference, two Russian Kaspersky Lab malware researchers got on stage and talked about newly discovered malware they dubbed “Slingshot.” It would become a textbook example of how Kaspersky Lab can be seen as either a good cyber security outfit or an antagonistic player out to sabotage American operations around the world, depending on who you ask.

This year, Kaspersky Lab took another shot at US intelligence operations while I was at SAS. And this time, American spies might not have seen it coming.

They said that the US government even sent people to SAS that year because it knew Kaspersky Lab was going to talk about Equation Group.

“By the time [the Equation Group report] came out, everything had been cleaned up for months,” one source said. “We were able to see them discovering it all in real time via their silent signatures. A significant portion of the organization was reassigned to deal with the remediation effort.”

Kaspersky Lab doesn’t see it that way. Instead, the company claims its researchers didn’t know who was behind the hack or who were the intended targets.

“One can’t possibly help but think this was either a calculated burning of [counterterrorism] operations for PR or retribution for the past year,” Michael Rea, a security researcher at CrowdStrike who used to work in the US intelligence community, wrote on Twitter.

That revelation completely changed the story of Slingshot. This wasn’t just an interesting report presented at a conference anymore. A talk and its accompanying blog post presented at a conference in Cancun, Mexico, reportedly forced US military hackers to burn and abandon the digital infrastructure of an espionage operation aimed at some of the most dangerous terrorists on the other side of the world.

The impact of Kaspersky’s Slingshot report wouldn’t be known until two weeks after the conference, when anonymous intelligence officials told CyberScoop that by revealing Slingshot, Kaspersky Lab had compromised an ongoing operation led by the Department of Defense’s Joint Special Operations Command (JSOC) to hunt down al Qaeda and ISIS terrorists.

Apart from the talk and the press release, the company didn’t really make a big deal out of this research. It pitched it to journalists and got some coverage, but compared to its report on Equation Group three years earlier, Slingshot barely registered.

Eugene Kaspersky did not directly respond when asked whether the company ever gave governments a heads up about upcoming research.

Another former GReAT researcher told me in an online chat that the group generally “attempted to do ‘The Right Thing’ while staying apolitical.” So if Kaspersky Lab was aware of the true nature of Slingshot and went ahead and published the research anyway, “I wouldn't call that responsible disclosure,” the researcher, who asked to remain anonymous because he was not authorized to speak to the press, told me in a chat.

“If you know you're going to release something, you go and you tell the organizations that you think are involved,” said Guerrero-Saade, who left the company last year and said he has no direct knowledge of Slingshot. “You go and you give them a heads up. Nobody here [in the industry] is trying to surprise anybody.”

If the company is telling the truth, then no one warned the US government or JSOC that its operation was about to be burned. An advance warning along those lines would not have been unusual, according to former GReAT researcher Juan Andres Guerrero-Saade. (JSOC did not respond to a request for comment.)

“We do not know the identity of the attackers behind the Slingshot APT or of its victims,” Eugene Kaspersky said. “We also do not discriminate or pick our cases based on nationality or the malware authors’ intent—we report on all threats, period.”

There are very few examples of antivirus companies publishing reports on suspected counterterrorism operations. The tendency for cybersecurity companies to shy away from this type of research is an issue that's rarely discussed in public within the threat intelligence world. But there are a few isolated examples of other companies publishing research that exposes counterterrorism surveillance activities. In 2016, McAfee published research about spyware targeting ISIS sympathizers. In 2014, Symantec, Kaspersky Lab, and The Intercept wrote about a UK intelligence operation nicknamed Regin. At the time, the CEO of a cybersecurity firm that was hired to investigate one of the breaches related to this operation told me that the industry didn’t reveal Regin earlier because "we didn't want to interfere with NSA/GCHQ operations."

There's a difference between malware research and the public discussion thereof. Kaspersky Lab could have done work in the background, detecting Slingshot and stopping it from infecting customers’ computers. That’s what antivirus software is designed to do. Instead, it decided to disclose Slingshot at the company’s annual marquee event, putting a very public spotlight on it.

Though Kaspersky Lab researchers say they didn't know who used Slingshot, several outside observers, such as Vesselin Bontchev, an assistant professor at the National Laboratory of Computer Virology at the Bulgarian Academy of Sciences, and pseudonymous researcher Odisseus, concluded soon after the talk that it looked like Americans were behind Slingshot. And at SAS, Kaspersky Lab researchers gave enough clues that suggested the hackers behind Slingshot could be working for the US government, perhaps the CIA.

And it’s not necessarily true that Kaspersky Lab publishes everything it finds. Especially in the last few years, Kaspersky Lab has not been publishing everything it finds. As part of its business model, which isn’t unusual in the industry, the company now provides paying subscribers with private reports on malware and hacking groups, some of which never get released to the public.

“Of course they’re trotting out the line ‘a threat is a threat is a threat, and you know we're just going to block threats,’” Patrick Gray, host of the infosec podcast Risky Business, said in a recent episode. “But maybe doing entire presentations on them that make it extremely obvious that this is an American intelligence operation against extremely dangerous people, maybe that's the bit that people have a problem with, not that you just squashed their malware.”

When Raiu and I caught up at SAS, he put it in even simpler terms when talking about his company’s decision to publish research on government spying.

“I believe it would be a problem if companies would restrict the topics researchers can investigate and those they can’t,” Raiu told me over Twitter direct message.

Raiu told me there’s no company policy against researching malware linked to counterterrorism campaigns. Eugene Kaspersky confirmed this in our email interview, which generally puts the company at odds with how much of the rest of the industry operates.

“Sometimes the PR machine runs faster than anybody's good sense,” he said, while adding that he did not think Kaspersky Lab was in the wrong in this case.

According to Guerrero-Saade, occasionally, companies might find it hard to pass up on the public attention that some research gets.

The GReAT researchers also were the first to blow the lid off Russian espionage operations with a report on a group they dubbed Red October. This wasn’t the first and only time they busted Russian government hackers. GReAT has also published reports about other Russian-linked groups they named Sofacy and Cozy Duke, which are different codenames for the infamous Fancy and Cozy Bear, widely believed to be Russian spies.

While it didn’t discover Stuxnet (that was Sergey Ulasen, a security researcher who worked for VirusBlokAda in Belarus), GReAT was one of the most active groups to delve into it, identifying the worm’s first victims. It was also the first to discover new operations from Stuxnet’s creators, including ones that targeted computers in Iran, Syria, Sudan, Lebanon, among others.

Kaspersky Lab probably owes most of the attention it’s gotten in the last decade to GReAT, its 10-year-old, 40-something strong research team scattered across Moscow, Sao Paulo, Miami, and Buenos Aires, among others. These malware hunters are responsible for researching and busting some of the most infamous hacking groups of the last decade.

Their high-profile research has led to some unwanted attention for some of its members.

GReAT’s reports routinely get headlines on tech sites like Motherboard, Wired, and Forbes, but also in more traditional outlets such as The New York Times and The Wall Street Journal.

“The attackers that came to infect us, they came after the researchers, and after the technology that we were developing to save the people of the world,” he said.

GReAT’s own members don’t hide how proud they are, and how ambitious they see their mission. At SAS, during a talk to celebrate the team’s 10 year anniversary, Kamluk, one of the group’s researchers, talked about Israel hacking into Kaspersky Lab, and said the attack was aimed at GReAT.

“The others are inferior. Even Symantec, which is the world’s most popular antivirus can’t keep up,” the source, who requested to speak anonymously as he wasn’t authorized to talk to the press, said. “Costin [Raiu] is from another planet.”

“In my humble opinion, when it comes to APTs, the GReAT remains unrivalled,” said a source who works for a government and is a Kaspersky Lab subscriber, using the abbreviation for Advanced Persistent Threats (APTs), an industry term that refers to government or highly skilled hacking groups.

“GReAT is one of the best teams of its kind. It may also have been one of the first ones,” Martijn Grooten, the editor of Virus Bulletin, told me.

“If we, a small company with 3,000 employees can stop the malware produced by a 30,000-strong intelligence agency with billions of dollars in budget,” Raiu said at that 2015 talk, “it means that we’re probably doing something right.”

Raiu said that he did take a break, but then kept going. He’s proud of his team’s work, which often busts the operations of well-funded and equipped intelligence agencies.

“It’s a pretty scary situation,” Raiu recalled during a talk in 2015. “You go into your home and you find a gift like this on the table.”

In 2010, Raiu came back home after giving a talk about Stuxnet. According to Raiu, when he stepped into his living room with his wife, he found a white rubber cube with a message written on it: “take a break.”

Over opening cocktails Wednesday night, I found myself cornered by two Kaspersky Lab flacks from the company’s Moscow office whom I had never met before. They complimented me for my stories, and thanked me for coming to SAS. One of the two, Yuliya Shlychkova, who said she’s been at the company for 13 years, was candid when I asked what the last year has been like for the company.

Kaspersky Lab’s PR machine works overtime at SAS. A dozen press representatives for the company roam the conference halls and parties, schmoozing with reporters, while hotel employees pour liters of tequilas at the open bar. (While Kaspersky Lab has paid some reporters in the past to fly to SAS, Motherboard paid for my flight to Cancun and hotel. At a previous job, Kaspersky Lab offered to help pay for my travel and hotel to attend SAS and other events, but I declined.)

“Freebies, good times, and free flowing liquor,” one security researcher, who has never attended SAS but has been invited several times, said of SAS’s reputation. “It’s a very cynical, carefully choreographed attempt to integrate with the security community.” In other words, “it’s a way to wine and dine your way in.”

I asked Tait a few minutes after he left the stage if he had posted the selfie.

Serious research and talks seamlessly blend in with the seemingly limitless streams of tequila. This year’s keynote was given by Matt Tait, a well-known former GCHQ and Google hacker, who’s perhaps best known for his prolific tweets under the moniker @pwnallthethings. Tait, who spoke about the history of (mainly Russian) disinformation, won the conference prize for best speaker. When he went on stage to collect it, he snapped a selfie with Eugene Kaspersky himself, who had already spent most of the evening with a drink in hand.

“Let’s get a shot,” Naraine said. When we ran into another attendee, Naraine whispered to me: “He’s from an intelligence agency.”

Tensions and challenges notwithstanding, the conference is still packed with high profile hackers and researchers. Given the small number of attendees, and the fact that everyone stays at the home hotel and is pretty much at the same events at all times, it’s easy to bump into interesting people. When I arrived at SAS, I ran into Ryan Naraine, a former Kaspersky employee who still helps the company organize the conference.

Her colleague, Sergey Malenkovich, agreed, saying it was hard to put together the conference this year because of “the geopolitical tensions.”

Guido has openly criticized SAS for being a “purposefully engineered opportunity for Russian intelligence to get close to hackers they care about.” Guido admits that every cybersecurity conference is a good opportunity for spies to get close to or hack attendees of interest. But SAS is small, and everyone is pretty much always in the same place, including during field trips or for the evening booze-fueled events (usually away from the conference hotel), so Guido likens targeting people there with “shooting fish in the barrel.”

“I did have a fun time,” Guido told me. “For them it was all about, ‘Dan, this upstanding guy in the community, supports this.’ If you speak at a conference your name gives credence to the conference. But all I really supported was a free trip to Spain.”

“The point is twofold,” said another security researcher who requested anonymity for fear of angering the Russian government. “First, good will. Second is spying: assessing, recruiting, stealing data on the spot.”

“Kaspersky doesn't care; they make the most excluded outsiders (yes, especially the influential ones) feel like part of something,” Blue wrote. “If they were running some kind of influence campaign, it's commendably slick.”

Violet Blue, a reporter who’s covered cybersecurity for years and has previously attended SAS, told me that the conference is a case study in how to influence the infosec world and the journalists who cover it. Kaspersky Lab, Blue wrote in an email, is “generous, warm, kind” to all attendees, including those who come from groups that have been left out of the traditional infosec community.

Motherboard was unable to independently verify the specifics of any of these cases. Eugene Kaspersky said he’s “never heard of such incidents,” and a company spokesperson said there is no validity to them.

“I have no interest in going back,” another attendee said. “I got a weird vibe the whole time I was there. It was super shady. There were a lot of very inquisitive people that came out of nowhere. It felt like it was an information gathering fest for them. They liquor you up, and work their way into all these conversations that you're having with people.”

They told me there have been multiple cases of attendees reporting being slipped drugs in their drinks, or people breaking into other people’s rooms. Another person who attended in the past also described a similar incident, but declined to elaborate. Yet another attendee also said he heard rumors of such incidents.

“My default is if the Russian government wants my files, (a) they can (b) they don't need a Kaspersky conference to do it and (c) I probably won't notice, even if I'm looking, because FSB don't fuck around,” he told me. “It also seems like the wrong conference to try such things.”

For another attendee, these are overblown concerns, even if the Russians could get to attendees if they wanted.

The vast majority of attendees I spoke to enjoy the conference. Many of them have attended multiple times and have SAS marked in red in their calendar. Several of them, including from companies that compete with Kaspersky Lab, described SAS as one of the best, if not the best, conference they’ve ever attended.

“Providing SAS participants with the best possible conditions, including safety and security, is a top priority for the event organizers,” a company spokesperson said in an email. “SAS attendees can address any issues with the conference organizers, and to date, we have not received any reports of the speculated incidents.”

KASPERSKY LAB, FRIEND OR FOE?

On the closing night of SAS 2018, as former spies, government hackers, and Kaspersky Lab employees danced and drank tequila, I couldn’t help but think back to a moment in early 2013 at a one-day Kaspersky Lab event in New York City. I attended that event along with several other journalists, some of whom the company flew in from Europe in an effort to score points with the press and the security industry.

Everyone was invited for a fancy dinner on a boat that circled Manhattan. Later that night, Eugene Kaspersky stopped by every table to greet attendees. This was a few months after Wired magazine published an in-depth profile of Eugene Kaspersky and his ties with Russian intelligence. (As an intern at Wired at the time, I did some minor research for that piece.)

Eugene and the company were not happy about the story. So much so that Paul Roberts, then an editor of Threatpost, a cybersecurity blog fully funded by Kaspersky Lab, told me he was fired for retweeting the story from the publication’s official Twitter account. The order from Moscow, Roberts told me, was not to acknowledge or respond to the piece. (Eugene Kaspersky said that Threatpost is an “independent team” over which the company has “no editorial authority.”)

“What did you think about the Wired article?” I asked Kaspersky, as he made the rounds by another Italian journalist and myself.

Kaspersky, holding a glass of what looked like vodka, took a step back, paused, and grimaced. “You know,” he said, “I think Symantec paid for that article.” When I asked him again about this encounter for this article, Kaspersky said he did not remember that conversation, “but Symantec paying for an article to hurt us seems quite improbable to me.”

Five years later, looking out over the party in the final hours at this most recent SAS, I remembered that Kaspersky Lab has always faced an uphill battle in western countries because it’s a Russian company. Often critics have unfairly accused the company of only going after Western government hackers, even though it has often documented government hacking operations from around the world.

The same can’t be said for many of Kaspersky Lab’s competitors, including American companies, when it comes to busting their own government’s operations.

“I know from other companies that they avoid writing about campaigns linked to the US government, or that sometimes they get a request from management not to publish something,” said a source who works in the antivirus industry and asked to remain anonymous. “That can be both about ‘not wanting to disrupt ongoing investigations’ but also because they're an important customer.”

Because they research seemingly indiscriminately and because of their technical chops, some industry experts consider GReAT’s researchers to be the best in the business. Which brings us back to the question posed by the actress in the over-the-top SAS promo video: What is Kaspersky Lab, really?

When I prepared to go to SAS, I took more precautions than usual: I locked myself out of my regular email accounts, and only carried a clean iPhone and a clean Chromebook, as some people I trust recommended. The cyber security world is inhabited by hackers, criminals, and spooks. They are extremely vigilant, some would say paranoid, because they see on a daily basis how technology is manipulated and abused to hurt people.

It’s possible that the US government is targeting Kaspersky Lab for its alleged connections to Russian spies, for its penchant to expose American hacking operations during its conferences at exotic locations. Or perhaps Kaspersky Lab is just a victim of a new cold war, as there still isn’t conclusive, public, evidence of the company’s involvement with the Russian government.

The US government, which is reportedly mulling imposing additional penalties on the company, clearly doesn’t want you to trust Kaspersky Lab. While the company points to its resume and track record going after everyone, “for good, and for bad.”

Trust at your own risk.