The DEA originally placed an order for the software in August of 2012, according to both public records and sources with knowledge of the deal.

The software, known as Remote Control System or "RCS," is capable of intercepting phone calls, texts, and social media messages, and can surreptitiously turn on a user's webcam and microphone as well as collect passwords.

The Drug Enforcement Administration has been buying spyware produced by the controversial Italian surveillance tech company Hacking Team since 2012, Motherboard has learned.

The contract, according to public records, was signed on August 20, 2012 for a total value of $2.4 million between the DEA's Office of Investigative Technology and a government contractor named Cicom USA.

And given the how powerful this spyware can be, Soghoian added, "we need a public debate over this invasive surveillance technology."

"Hacking software is yet another example of a technology created for the intelligence community that has secretly trickled down to law enforcement," Christopher Soghoian, the principal technologist at the American Civil Liberties Union and an expert of surveillance technology, told Motherboard.

"Hacking software is yet another example of a technology created for the intelligence community that has secretly trickled down to law enforcement."

Surveillance tech experts say the DEA's relation with Hacking Team is further proof that methods and tools once only reserved for the military, intelligence agencies and even cybercriminals—such as drones and StingRays—are becoming commonplace in law enforcement as well.

This revelation comes just a week after USA Today uncovered a secret program with which the DEA collected the phone records of millions of Americans for more than 20 years, a program that pre-dated and inspired the NSA's own bulk telephone collection program, suggesting that the drug agency is sort of a pioneer in the use of surveillance .

The contract, which has not been previously revealed, shows that the FBI is not the only US government agency engaged in hacking tactics, but that the DEA has also been purchasing off-the-shelf malware that could be used to spy on suspected criminals.

Despite speculation based on the fact that Hacking Team has an office in the US, there's never been any evidence that the company had sold its products on American soil, even though CEO David Vincenzetti boasted of having clients in more than 40 countries, including the US, in a 2011 interview with Italian newsmagazine L'Espresso .

In light of those incidents, which were uncovered by researchers at the Citizen Lab at the University of Toronto's Munk School of Global Affairs, the company was included in a blacklist of corporate "Enemies of the Internet" by Reporters Without Borders.

Cicom USA, Motherboard has learned, was simply a reseller for Hacking Team, a spyware-maker that's been accused of selling its products to some governments with questionable human rights records. Some of those governments, such as Ethiopia , the United Arab Emirates , or Morocco , used Hacking Team's software to target dissidents and journalists.

"You cannot stop your targets from moving. How can you keep chasing them? What you need is a way to bypass encryption, collect relevant data out of any device, and keep monitoring your targets wherever they are, even outside your monitoring domain. Remote Control System does exactly that," a company brochure boasts.

That system, according to sources, is none other than Hacking Team's Remote Control System, also known as Galileo, which the company markets as "the hacking suite for governmental interception."

The contract, which records show is slated to be completed in August of 2015, is identified only as "Remote Controlled Host Based Interception System."

It's unclear what the DEA has been doing with Hacking Team's malware. But the relationship between the agency and Cicom USA—and thus, Hacking Team—appears to be ongoing. The most recent public record shows a payment from the DEA to Cicom USA made in September of 2014.

"I don't know about why that would be a coincidence," he said, but declined to elaborate.

But the connection between the two companies is clear. Cicom USA is based in Annapolis, MD, at the same exact address where Hacking Team's US office is located, according to the company's website . The phone number for Cicom USA listed in the contract with the DEA, moreover, is exactly the same one that was displayed on Hacking Team's website until February of this year.

"We don't identify our clients. I'm certainly not going to comment whether the DEA or anyone else has purchased Hacking Team software," he told Motherboard in a phone interview. And for the same reason, he added, he declined to clarify what was the relationship between Hacking Team and Cicom USA.

"We don't identify our clients. I'm certainly not going to comment whether the DEA or anyone else has purchased Hacking Team software."

Eric Rabe, a spokesperson for Hacking Team, did not confirm nor deny the existence of the contract with the DEA.

The connection between Cicom USA and Hacking Team was confirmed to Motherboard by multiple sources with knowledge of the deal, who spoke on condition of anonymity because they were not authorized to discuss the content of the contract.

Roughly a month later, on May 4, 2012. The DEA had what it was looking for. In another document, the agency announced that it was going to "solicit and negotiate" a contract with Cicom USA for the duration of at least four years.

"The DEA is seeking information from potential sources with a fully functional and operational product proven to be capable of providing a Remote Control Host Based Interception System for device or target specific collection pursuant to authorized law enforcement use," the document reads .

This is exactly the kind of software that the DEA was looking for, according to an official call for tender or "request for Information" published by the agency in March, 2012.

Software like this isn't sold only by Hacking Team. The Italian company is just one of an ever-growing group of surveillance tech companies that market their products exclusively to governments, police departments, and spy agencies, such as the French VUPEN , or the German FinFisher and its parent company Gamma International.

Hacking Team's RCS software can be surreptitiously installed on a target's computer or cellphone and monitor all activity, allowing police officers to spy on data that might otherwise be encrypted and out of their reach.

A spokesperson for the DEA did not respond to a series of specific questions on the contract and how the DEA is using this technology. Thomas L. Walden, the section chief of the DEA Office of Investigative Technology, also did not respond to a message requesting comment.

Cicom USA, according to the DEA, emerged as the only company capable of providing the service required, based on market research conducted internally by the agency. The DEA did not respond to questions regarding this research.

It's possible the DEA picked Cicom USA because the US Army had done the same a year prior. According to public records, the Army made a purchase order for a Remote Control System on March 2011. The order shows that the Army was supposed to pay $350,000 for the software, and further confirms Cicom USA's connection with Hacking Team, given that Italy is listed as the country of origin of the product. (The Army did not respond to Motherboard's questions regarding the contract.)

IS IT LEGAL FOR LAW ENFORCEMENT TO HACK TARGETS?

For surveillance experts, the big question is whether the DEA actually has legal authority to use spyware such as Hacking Team's—and how, exactly, it is used. A DEA spokesperson said that the agency "always abides by the laws of the jurisdictions within which it operates."

And added that "however, in this case, this is off-the-shelf technology, legally available for purchase by all and used throughout the world by many organizations."

But experts are not convinced.

"The legal framework governing the use of such tools in the US is extremely unclear, meaning that the use of Hacking Team's spyware is potentially unlawful," Edin Omanovic, a researcher at Privacy International, told Motherboard.

"The use of Hacking Team's spyware is potentially unlawful."

The FBI is the only other US law enforcement agency that has been reported to use malware. The bureau has been using it since at least 2001 when FBI's spyware Magic Lantern was revealed. But the precise legal authority, as well as the process that FBI agents use to get authorization, is still unclear, and very few cases where the bureau used malware have actually come to light.