The typo could have had serious consequences. As the Financial Times revealed in an article published Monday, July 17, hundreds of thousands of “US military emails were diverted to Mali following a ‘typography leak'”. To err here is human: many Pentagon employees and departments use email addresses ending in “. mil”, this is the suffix, also known as “top level domain”, operated by the US military. Just forget to type an i to inadvertently send an email to “interlocutor@army.ml”.

This is where the problem comes in: the top-level domain “. ml”, which corresponds to the country code of Mali, has been technically managed for ten years by the Dutch private company Mali Dili, which takes care of allocating all addresses in “. ml”. In the columns of the Financial Times, an official from Mali Dili explains that he observed, from 2013, a large number of requests concerning domain names such as army.ml and navy.ml, which did not yet exist. By setting up a mail server associated with these domain names, he discovered nearly 117,000 messages, initially intended for US military personnel, but sent by mistake to a Malian email.

How big is the leak? According to the financial daily, no classified document is concerned, and a large part of the diverted emails actually corresponds to spam. But sensitive information was still inadvertently sent to addresses in “. ml”, such as the upcoming travel of a US general, personnel lists, or medical and financial documents relating to military employees. The newspaper also claims that the US military is not the only ones affected: emails intended for Dutch officials (using the “.nl” top-level domain) have also been inadvertently sent to Malian addresses.

Persons outside the army

These errors can be a source of concern for US authorities. Especially since Mali Dili is no longer, since Monday, the technical manager of domain names in “. ml”. This role has, in fact, been transferred to the Agency for Information and Communication Technologies (Agetic), an organization attached to the Malian government. And this while Russia continues to increase its influence in the country, in particular through the private Russian paramilitary group Wagner present in Mali since December 2021, and poses as the main ally of the military in power since their coup d’état. in August 2020.

Through Agetic, will Malian authorities and their Russian ally now be able to use misdirected emails to harm Washington’s interests? On Monday, July 17, Sabrina Singh, one of the Pentagon spokespersons, assured at a press conference that the ministry’s messaging systems were configured to prevent any sending of emails to an “. ml”, without however specifying since when.

“None of the [leaked] emails that have been mentioned [in the press] are from a Department of Defense email address,” Ms. Singh also promised. The Pentagon assures that the problem comes in particular from the members of the personnel of the army using their personal address (for example a Gmail address) to send professional documents. The Financial Times’ description of the documents also suggests that some emails mistakenly sent to “. ml” also come from people outside the military: employees of other branches of government, or even private companies.

Alerts repeatedly

According to the British daily, “the problem was first identified almost ten years ago by Johannes Zuurbier”. The man, presented as a “Dutch Internet entrepreneur”, reportedly alerted the highest US authorities on several occasions to the risk of such a data leak. Even unclassified, these could be “exploited by adversaries of the United States,” the entrepreneur reportedly wrote in a letter sent to the US administration in early July.

But Johannes Zuurbier, also named Joost Zuurbier, is not just a whistleblower. In March 2022, several companies he ran, including Mali Dili, were the subject of a complaint for “cybersquatting” – that is, for domain name theft, by Instagram , WhatsApp and Meta, the parent company of Facebook. According to the court document consulted by Le Monde, several companies that Mr. Zuurbier led, with a certain Marcel Trik, “formed a complex network of fictitious companies” having “registered, trafficked and used more than 5,000 domain names identical or Similar to Trademarks” by Meta.

In particular, Freenom, a company that oversees several other domain name management companies, is accused of having turned a blind eye to the fraudulent use of many addresses that they managed and marketed, and which were mainly used for operations phishing schemes intended to siphon personal data and hack accounts on social networks.

Counterfeit domain names, such as fb-instagram.cf, chat-whatsaap.gq or faceb00k.ga are cited in the complaint. Registered on behalf of clients by Mr. Zuurbier through his companies based in the Netherlands and the United States, they have thus been used to “redirect their visitors to other commercial, pornographic or sites used for malicious activities such as phishing”.

27,000 phishing operations

Citing a study on abuse of the domain name system conducted by the European Commission, the American justice has indeed pointed out that “five of the ten most abused top-level domains are operated by Freenom”. Another report, published in September 2021 by the Interisle Consulting Group, a group of digital security experts, finds that Mali’s, “. ml”, was the subject of more than 27,000 phishing attacks from May 2020 to April 2021.

Mali is far from being the only country concerned. According to this same report and over the same period, the domain names of the States of Gabon (.ga), the Central African Republic (.cf) and Equatorial Guinea (.gq), also “operated by Freenom”, the company created by Mr. Zuurbier, have also been the subject of more than 57,000 phishing attacks.