The FBI is one of the clients who bought hacking software from the private Italian spying agency Hacking Team, which was itself the victim of a recent hack. It’s long been suspected that the FBI used Hacking Team’s tools, but with the publication yesterday of internal documents, invoices, emails and even product source code from the company, we now have the first concrete evidence that this is true.

The FBI is not in good company here. According to several spreadsheets within the hacked archive, which contain a list of Hacking Team's customers, many of the other governments who bought the same software are repressive regimes, such as Sudan and Bahrain. The documents show that the FBI first purchased the company's “RCS” in 2011. RCS stands for “Remote Control Service,” otherwise known as “Galileo,” Hacking Team's premiere spy product.

RCS is a simple piece of hacking software that has been used by the Ethiopian regime to target journalists based in Washington DC. It has also been detected in an attack on a Moroccan media outlet, and a human rights activist from the United Arab Emirates.

Once a target's computer has been infected, RCS is able to siphon off data, and listen in on communications before they have been encrypted. According to researchers based at the University of Toronto's Citizen Lab, who have monitored the use of RCS throughout the world, the tool can also “record Skype calls, e-mails, instant messages, and passwords typed into a Web browser.” To top that off, RCS is also capable of switching on a target's web camera and microphone.

Hacking Team has generated a total of 697,710 Euros ($773,226.64) from the FBI since 2011, according to the hacked spreadsheets. In 2015, the FBI spent 59,855 Euros on “maintenance,” and in 2014 the agency spent the same amount on “license/upgrades.” No expenditure was recorded for the whole of 2013.

In 2012, however, the FBI allegedly spent 310,000 Euros for Hacking Team's services, all on licenses or upgrades, and the year before it spent 268,000 Euros.

Despite this expenditure on controversial surveillance technology, it appears that the FBI is only using Hacking Team's software as a "back up" to other tools, according to internal emails.

As highlighted by Forbes, Eric Rabe, Hacking Team's communications chief, wrote in a leaked email that "The FBI unit that is using our system seems like a pretty small operation and they have purchased RCS as a sort of back up to some other system they user."

A final column on one of the hacked spreadsheets is entitled “Exploit”. For the FBI, the entry is written as “Yes.” Though it’s unclear exactly what this means, we can infer that the FBI's version of RCS came with an exploit of some kind that could gain access to user's computers, rather than being deployed through social-engineering means.

Regardless, the FBI has been known to hack the computers of criminals in the past. In fact, the agency has been using malware since at least 2002 for all sorts of criminal cases, and the FBI develops some of its own tools. In 2012, “Operation Torpedo” was launched, which involved loading malware onto a number of child pornography sites, and identifying the IP addresses of anyone who visited. A similar operation was launched shortly after, in order to catch users of Freedom Hosting, a dark web hosting company.

Those were both broad attacks, designed to sweep up as many offenders as possible. Hacking Team's tools, on the other hand, are used for more targeted surveillance of specific individuals or groups. According to the hacked spreadsheets, the FBI has used RCS against 35 targets, although it is unclear who these targets are.

The FBI did not immediately respond to multiple requests for comment.

One interesting tidbit from the spreadsheet is that it appears that Hacking Team has not been selling these products directly to the FBI. Though the FBI is listed as the client, its “Partner/Fulfillment Vehicle” is listed as “CICOM USA.”

That name is familiar. Earlier this year, an investigation from Motherboard revealed that the Drug Enforcement Administration had been secretly purchasing surveillance technology from Hacking Team. Within that contract, $2.4 million was sent “between the DEA's Office of Investigative Technology and a government contractor named Cicom USA,” according to Motherboard.

An invoice with the file name “Commessa019.2014. CICOM USA x FBI.xls,” also included in the Hacking Team archive, lists a “One year renewal for Remote Control System,” charged to Cicom USA. The invoice says that the product lasts from July 1, 2014 to the June 30, 2015. The file name for the invoice explicitly includes the FBI, and not the DEA. However, the spreadsheet with the client list shows that the FBI is, in fact, joined by the DEA and the DOD in buying products from Hacking Team, which both also use Cicom USA as their “fulfillment vehicles.”

Cicom USA is little more than a shell company for Hacking Team. “They have the same address, they have the same telephone number,” as Hacking Team's US office, Edin Omanovic, a technologist at Privacy International, told WIRED in a phone interview.

As for what protections might be in place to make sure that the FBI (or any US government agency) is using this technology responsibly, it's all a bit hazy.

“We think they get court orders, and we have even seen a few, but the applications don't really describe how the software works, or how they will get it onto the target's device,” Christopher Soghoian, Principal Technologist at the American Civil Liberties Union, told WIRED in an encrypted chat.

The problem is that the discussion around law enforcement using hacking as a means of information gathering has never been carried out in public.

“Congress has never explicitly granted law enforcement agencies the power to hack. And there have never been any congressional hearings on the topic,” Soghoian continued.

“We need to have a national debate about whether we want law enforcement agencies to be able to hack into the computers of targets. This is too dangerous a tool for them to start using by themselves.”

Updated at 5:40 pm 7/06/15 with a quote from an additional leaked email.