Dahua Partner Arrested For Alleged $15 Million NDAA Fraud Relabelling Dahua

Published Jan 08, 2024 15:36 PM
The US Department of Justice has filed criminal fraud charges against a video surveillance seller over allegedly misrepresenting millions in relabeled Dahua video surveillance as NDAA compliant. A potentially landmark case, this is the first time that alleged violations of the NDAA ban have resulted in criminal charges.

The sales totaled over $35 million, of which $15 million, the FBI alleges, were federal funds and grants that may not be used for NDAA-banned products.

In this report, we examine the allegations, the FBI's evidence, Dahua's involvement, the defendant's response to IPVM, and the implications for video surveillance relabelers.

Executive Summary

The case against Tamer Zakhary puts video surveillance sellers on notice that obscuring and allegedly misrepresenting product provenance risks severe legal consequences. It also emphasizes truthful disclosure of NDAA compliance to state and local end users, not just federal ones, as the case revolves around sales to New Jersey state/local agencies.

Zakhary faces three fraud counts over allegedly selling a range of video surveillance products to these agencies, who used federal funds, while lying about their NDAA compliance. The government says they were actually produced by "Prohibited Company-1," identified by 404 Media/Court Watch as Dahua.

The complaint is an engrossing story of alleged deceit at an enormous scale; one agency became suspicious after discovering Dahua OUIs in the cameras' MAC addresses and contacted the FBI, who recorded calls with Zakhary. Zakhary told another agency MAC addresses are "like VIN numbers" that cannot be changed and are just an artifact of components, which is contrary to our experiences testing video surveillance products, including with Dahua OEMs.

Zakhary has not yet filed a response, but his defense in an FBI interview was that the devices were compliant because they did not use Dahua firmware/software, chipsets were "bleach[ed]," and Dahua only assembled components specified by his company Packetalk. IPVM's experience is that sellers cannot practically remove this software or "bleach" devices, even for mega-companies such as Honeywell, casting doubt on these claims.

Statement from Zakhary

IPVM contacted Tamer Zakhary and received a statement from his attorneys. Zakhary argues that the "charges do nothing to strengthen national security" and asserts "the prosecution will not be successful when tested in a court of law."

We are surprised and disappointed that the US Attorney's Office has decided to file charges against Tamer Zakhary in relation to Section 889 of the McCain Act. Today’s charges do nothing to strengthen national security, and do not accomplish the McCain Act’s intended goal of protecting U.S. infrastructure. Moreover, this prosecution will not be successful when tested in a court of law.

Mr. Zakhary and his company have a 20 year record of supporting law enforcement in curtailing violent street crime and being a partner in improving the safety and security of our communities. Their industry-leading systems deliver the only fully integrated platform solution for complete situational awareness, and third party audits of its equipment have confirmed the security of their software and hardware systems. The company’s cutting edge technology is providing dozens of county and local law enforcement agencies throughout New Jersey the solutions they need to better serve their communities. They will continue to be law enforcement’s partner every step of the way, and provide the best systems to keep communities safe.

Since first being informed of this inquiry, Mr. Zakhary has cooperated fully, providing any and all records necessary to address any concerns as quickly as possible. He remains committed to continuing to engage with the US Attorney’s office and federal investigators in good faith.

While this statement emphasizes the benefits of their offering in NJ, we would expect they would have to refute the government's allegation that these products are not NDAA compliant more directly since that is the gravamen of the government's case.

Dahua No Response

Dahua did not respond to a request for comment on this case or its dealings with Tamer Zakhary and Packetalk.

Last week, Dahua informed partners that it is selling off its US-branded business, which is at least indirectly related to a case such as this, as Dahua product sales are continuously caught at risk of violating US laws.

Overview: Four Criminal Counts Alleged

On December 28, 2023, the FBI filed criminal charges against Tamer Zakhary, alleging he "fraudulently misrepresented" the manufacturer and NDAA compliance of $35+ million of "surveillance cameras and equipment" sold to New Jersey "prosecutors' offices, sheriffs' offices, police departments and townships" between August 2019 and December 2022. Of this, $15+ million was purchased using federal funds, making NDAA compliance necessary.

The charges, which were first reported jointly by 404 Media and Court Watch, include three counts of wire fraud and one count of making false statements during an FBI interview.

Zakhary is the owner and CEO of Packetalk, a company based in Lyndhurst, NJ, with ~10 employees, according to LinkedIn. The 18-page complaint refers to the NDAA-banned manufacturer only as "Prohibited Company-1"; however, 404 Media/Court Watch confirmed it is Dahua.

The FBI provides evidence that Zakhary was not only aware of the use of federal funds, he encouraged it while knowing of Dahua's banned status, discussing these issues directly with Dahua in emails obtained by the government. However, Zakhary repeatedly assured agencies that Packetalk products were compliant, even claiming use by federal agencies, which he later admitted was false.

When questioned by the FBI, Zakhary asserted that while Packetalk uses "their assembly line," the components are not Dahua's, and Packetalk replaces the software and firmware and "bleaches" the chipset. Further, the devices "were compliant with section 889 because 'this is not [Dahua's] software.'" They had Dahua MAC addresses, but Zakhary claimed this represents only the "shell" of the camera, not "the guts of the camera."

However, Dahua MAC addresses would represent that the "guts" of the camera are produced by Dahua. Further, IPVM believes that Zakhary's claims of replacing software/firmware or "bleach[ing]" chipsets are implausible, given the enormous technical requirements and cost of doing so (though we certainly look forward to reviewing them in more detail if/when they are made available), as we discuss later.

NDAA State/Local Funding Clause Explained

The NDAA ban applies to anything "produced" by Dahua, including hardware or software. While the NDAA ban is best known for prohibiting federal purchases of these goods, it also prohibits purchases made with federal funds, including by state and local agencies.

Video surveillance and telecommunications equipment produced by Dahua Technology Company, to the extent it is used for the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes, including telecommunications or video surveillance services provided by such entity or using such equipment. [underline added]

(See: NDAA Video Surveillance Ban / Blacklists Guide)

This prohibition applies to the purchasing agency rather than the seller. As such, Zakhary is not accused of violating the NDAA ban per se but of fraud in allegedly representing his products as compliant.

NJ Sheriff "Became Concerned" After $3+ Million of Purchases

The FBI describes how an unnamed New Jersey sheriff's office, called "Victim Agency-1," that purchased $3,271,151 from Packetalk grew suspicious of its products despite Zakhary's assurances of NDAA compliance and contacted the FBI.

Zakhary allegedly told the sheriff's office that his cameras "had been 'authorized' for purchase by federal agencies" and were used by the Bureau of Alcohol, Tobacco, and Firearms (ATF) and Immigration and Customs Enforcement Homeland Security Investigations (HSI).

When asked for proof, he provided a screenshot of an email purportedly from an HSI special agent:

While initially reassured, the Sheriff's office later checked the MAC addresses for several Packetalk cameras, "and all of the MAC addresses contained the organizationally unique identifier ("OUI") for Prohibited Company-1." They also "saw Chinese writing embedded in the software provided by [Packetalk]."

IPVM found an example of "Chinese writing" in a screenshot on the page for Packetalk's iPad app.

Checking MAC addresses is one method of detecting Dahua or Hikvision devices inside networks, as they contain unique identifiers (OUIs) from manufacturers. However, relabellers can and often do change OUIs.
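The OUI check described above can be run across a device inventory. The following is an added example, not code from IPVM or the complaint: the registry rows (in the column layout of the IEEE MA-L export), vendor names, hostnames, MAC addresses and watch terms are all constructed placeholders. It also separates out locally administered and unregistered prefixes, because a changed OUI will not match any vendor name.

```python
import csv
import io
import re

# Constructed sample in the column layout of the IEEE MA-L registry export.
# Assignments are arbitrary placeholders and the vendor names are fictitious.
SAMPLE_REGISTRY = """Registry,Assignment,Organization Name,Organization Address
MA-L,F0F0F0,Example Restricted Camera Co.,Placeholder address
MA-L,C4C4C4,Example Network Vendor Inc.,Placeholder address
"""

# Constructed inventory, as might be exported from switch tables or DHCP leases.
SAMPLE_INVENTORY = [
    ("lobby-cam-01", "f0:f0:f0:10:20:30"),
    ("garage-cam-02", "F0-F0-F0-0F-0E-0D"),
    ("core-switch", "c4c4.c412.3456"),
    ("lpr-cam-03", "06:11:22:33:44:55"),
    ("yard-cam-04", "d8:d8:d8:00:00:01"),
    ("bad-entry", "12-34"),
]

WATCH_TERMS = ["Restricted Camera"]  # hypothetical vendor-name substrings


def normalize_mac(raw):
    """Accept colon, hyphen or dotted notation; return 12 hex digits or None."""
    digits = re.sub(r"[:.\-\s]", "", raw).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None


def load_registry(csv_text):
    """Map each 24-bit assignment (six hex digits) to its organization name."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["Assignment"].strip().upper(): r["Organization Name"].strip() for r in rows}


def classify(mac, registry, watch_terms):
    """Return (status, vendor) for one MAC address."""
    digits = normalize_mac(mac)
    if digits is None:
        return ("invalid", None)
    # Bit 0x02 of the first octet marks a locally administered address,
    # which carries no registered OUI and so says nothing about the maker.
    if int(digits[:2], 16) & 0x02:
        return ("locally-administered", None)
    vendor = registry.get(digits[:6])
    if vendor is None:
        return ("unregistered", None)
    if any(t.lower() in vendor.lower() for t in watch_terms):
        return ("flagged", vendor)
    return ("registered", vendor)


def audit(inventory, registry, watch_terms):
    """Classify every (hostname, mac) pair in the inventory."""
    return [(host, mac) + classify(mac, registry, watch_terms) for host, mac in inventory]


if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY, load_registry(SAMPLE_REGISTRY), WATCH_TERMS):
        print(*row, sep="\t")
```

Only a "flagged" result identifies a manufacturer; "registered", "unregistered" and "locally-administered" results do not establish who produced a device and call for other checks.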

After this discovery, the Sheriff's office arranged a call with Zakhary to discuss the provenance of Packetalk's products further, with the FBI listening in. When questioned as to whether any of his cameras are made in China, Zakhary said "No," but the software was designed to "integrate" with other China cameras.

He reiterated that even federal agencies use his products, saying, "TSA [referring to the Transportation Security Administration] just approved us, deploying our cameras and s**t in Mercer County Airport...HSI uses our s**t. ATF uses our s**t."

In fact, the FBI says, "no federal agencies purchased any cameras or equipment from" Packetalk. In an interview with the FBI months later, Zakhary admitted that he had no federal customers.

Device Components are "Wiped Clean" for "Complete" Security

Another NJ agency, "Victim Agency-2," described as a "county prosecutor's office," sought to ensure that Packetalk's products were compliant after the NDAA ban came into effect in August 2019.

On November 25, 2019, Zakhary provided the agency with an explanation of the "camera/backend build" process to "ensure complete system and device security," shown below:

He claimed, "we never buy off the shelf cameras," and "before any component is installed," it is "completely wiped clean." As discussed further on, IPVM is highly skeptical of "bleaching" or completely wiping "clean" cameras.

Zakhary said "all that remains" are MAC addresses because they are "like VIN numbers on cars, they could never be" changed. This is false; relabelers regularly use their own unique identifiers in MAC addresses.

The FBI says that based on these communications, as well as emails from Zakhary advocating the use of federal funds on Packetalk products, "employees from Victim Agency-2 believed that the cameras and equipment sold by Subject Company-1 were compliant with Section 889."

Zakhary sent both Victim Agency-1 and Victim Agency-2 several proposals explaining how COVID-related federal funds under the CARES Act and American Rescue Act could be used to buy Packetalk's products.

Between May 2019 and June 2022, the prosecutor's office purchased $5.5+ million worth of products from Packetalk, and "$2.5 million spent were federal funds."

Zakhary and Dahua Discussed Ban Risks, Federal Funding

In the complaint, the FBI details how Zakhary was in direct communication with Dahua about relabeling its products for projects involving the use of federal funds.

In April 2020, he emailed a Dahua employee asking, "What is the best you can do on the pricing?" noting that "something competition has over your company, is they are not blacklisted by US government," confirming he was aware of the NDAA ban.

Zakhary later added, "It's a big financial and business risking [sic]" working with Dahua.

Dahua themselves wondered how Zakhary would justify using its products for projects funded by the federal government. The month prior, Dahua said, "the project with Federal funds has quite limitation...how will you use [Prohibited Company-1] Products and against the limitation?"

Zakhary responded that there are "proprietary components" that make cameras "a very limited piece of our deployment."

In their communications, Zakhary and Dahua arranged to "customize the logo on the firmware" and "customize the logo on the cover," settling on the below design:

Zakhary Defended NDAA Compliance in FBI Interview

In December 2022, Zakhary agreed to a "voluntary interview" with FBI and HSI agents regarding his sales in New Jersey, a conversation which went on to precipitate the charge of making false statements.

Zakhary defended his products' NDAA compliance by asserting that Packetalk sources its own components, not Dahua, and wipes Dahua software/firmware from the devices.

Packetalk did "manufacture [products] through their assembly line" but provided Dahua with "the specifications of the type of components to use," he claimed.

He said, "Chipset installation was completed at" Packetalk's warehouse, and Packetalk "sources all of the different internal components."

The FBI alleges that eight days later, Zakhary contacted Dahua asking "someone to absolutely confirm all components inside both ALPR cameras we build," specifying he wanted "Manufacturer of individual pieces within each camera. Chipset. Sensor. Etc."

As the FBI concludes, this indicates that he did not, in fact, source and provide Dahua with components for assembly, as he did not know what the components were:

The messages described above in paragraph 54 show that ZAKHARY knew that he and Subject Company-1 did not manufacture the components inside of the ALPR cameras, and that Prohibited Company-1 was responsible for installing all the components. Thus, ZAKHARY's prior statements that Subject Company-1 did not buy "any off the shelf components" and that Subject Company-1 sourced all of the different internal components of the cameras "from everyone" were false. [emphasis added]

When asked about camera MAC addresses, he said it "does not represent the guts of the camera" but just the "shell" of the camera. Zakhary added that when Packetalk installed chipsets at their warehouse, they were "bleached" and the devices "loaded with [Packetalk's] firmware."

Zakhary stated that the MAC address that appeared on the outside of the camera 'does not represent the guts of the camera,' but rather represented the 'shell' of the camera. He again reiterated that the chipsets were manufactured elsewhere and 'bleached' at [Packetalk]'s warehouse, and "loaded with [Subject Company-1] firmware."

He acknowledged that Dahua is banned under Section 889, saying that he "definitely looked at [Section 889] because it's our core business" but asserted Packetalk's products are not banned because "this is not [Prohibited Company-1's] software." The NDAA ban, he said, applied only to "specific companies as a whole, off the shelf, as is...but not specific components."

That is incorrect. The NDAA ban expressly states that it applies to anything produced by Dahua, including any "essential component of any system."

During the interview, Zakhary did acknowledge "that no federal agencies purchased cameras and equipment from [Packetalk]."

Zakhary NDAA Compliance Claims Analysed

Zakhary's claims to the FBI and government agencies that his products were compliant are undermined by evidence in the complaint and aspects of his statements that are highly questionable.

First, Zakhary claimed that Packetalk sources its own components, which Dahua only assembles, and installs its own chipsets. But Zakhary had to ask Dahua where the chipsets and other components were from, indicating this was not true. (Even if true, it would still be debatable that something only assembled by Dahua is "produced" by Dahua.)

Second, Zakhary claimed, "We completely wipe away any and all previous programming/code or firmware's [sic]" and "bleach" the chipset. But in emails with Dahua, he discusses replacing the logo on Dahua's firmware, indicating it is being used. This is a common practice we have found with OEMs/relabellers. In any case, we do not believe it is technically and practically possible to remove and replace Dahua (or other) firmware on these cameras. This would require replacing hundreds of controls built into the cameras' operating systems, costing many millions of dollars, and employing a sizeable development team, at which point it makes more sense to just source from another manufacturer.

Third, Zakhary makes several dubious claims regarding MAC addresses and OUIs, which are among the first things one would change if the devices are, in fact, "bleach[ed]." Zakhary justifies the Dahua OUIs saying MAC addresses are "like VIN numbers on cars" and cannot be changed. This is plainly not true. He further states that the MAC address represents the "shell" of the camera not the "guts," but MAC addresses are tied to the device's networking interface, not its "shell."

Court Could Examine What Constitutes Dahua + Size of Fraud

While Zakhary's claims are doubtful, it is possible that Packetalk does conduct some degree of transformation of its products. His attorneys may try to prove that these changes are significant enough that the products are not "produced" by Dahua. This is the first case that may litigate this aspect of the NDAA ban's language, raising the possibility that a judge may establish judicial precedent on the definition and scope of this or other aspects of the NDAA ban.

Separately, Zakhary's attorneys may dispute the actual size of the alleged fraud. The Department of Justice's claim that this is a "$35 million" fraud may not subtract costs for installation, maintenance, or parts/products other than cameras included in Packetalk's contracts, such as networking cables.

Impact on OEM Sales

This is an important case for the video surveillance industry as the first set of criminal charges related to false NDAA claims. It shows, for the first time, that enabling NDAA-violating sales can have severe consequences.

(Previously, Aventura's CEO was indicted for selling relabeled Hikvision cameras to the US government. However, the charges pertained to false "Made-in-the-USA" claims and all illegal conduct occurred prior to the NDAA ban taking effect.)

While Zakhary's alleged deception goes beyond typical seller misrepresentations, false claims of NDAA compliance are a common problem in the industry. IPVM has reported on numerous false claims of NDAA compliance or violating sales to federal agencies, as well as state/local agencies using federal funds:

Recently, a letter from Congress to ADI identified numerous Dahua and Hikvision products listed as "NDAA Compliant" on ADI's website.

These past examples raise the question of why Zakhary's activity, in particular, caught law enforcement's attention. Several factors may explain this. First, Victim Agency-1 was abnormally prudent with NDAA compliance; typically, agencies are not aware of relabeling practices, do not think to check MAC addresses, or, sometimes, are not even aware of the NDAA ban. Second, Zakhary's numerous alleged false statements exacerbate the element of fraud, whereas in other cases, sellers were ignorant or feigned ignorance. Third, the purported multi-million dollar size of the alleged fraud vastly exceeds other known examples of false NDAA compliance claims.

Sales of relabeled cameras are fundamentally designed around deception, but with these new charges, practices may change. In the past, sellers have had little incentive to inform end users if their products are made by Dahua and Hikvision; the NDAA ban does not specify consequences for sellers when violations occur. Now, sellers may be more cautious in how they market their products. Already, Lorex has opted to include a label disclosing that those covered by the NDAA should not use their devices.

Contracts and "Victim" Agencies Undisclosed

The complaint does not specify which agencies Zakhary allegedly misled. However, a publicly available document from the city of West Orange, NJ, details a project with Packetalk.

It notes, ironically, that the project "will help to...Make West Orange an unfriendly place for criminals."

The specific details of Packetalk's sales with NJ agencies also remain unknown, and IPVM was unable to source the contracts via NJ procurement data. These details may become available if the case proceeds to trial.

While Zakhary told Dahua cameras are "a very limited piece of our deployment," the complaint only mentions sales of cameras and other video surveillance products covered by the NDAA ban.

Zakhary Out on Bail, Possible Plea Negotiations

According to a January 4, 2024 court filing, Zakhary was granted bail set at $100,000.

Ordinarily, a grand jury would be convened to issue or deny an indictment within 30 days. However, a continuance order was also filed on January 4, postponing proceedings in the case for 60 days until March 4, 2024.

The continuance order states that "Plea negotiations are currently in progress...which would render grand jury proceedings and a trial in this matter unnecessary."

IPVM will continue to report on this case as it moves through the legal system.

Update (02/09/24)

One of the alleged victims is the Passaic County Sheriff's office, according to new information on the case reported by the Paterson Press. They reported that Zakhary's company Packetalk sold $10 million of equipment to the Sheriff's office, an amount that does not match any of the unnamed victims described in the FBI's complaint. This indicates that additional victims may exist beyond those named in the complaints.

The Paterson Press also spoke to Tamer Zakhary, who said he had "a close personal relationship" with the Sheriff of Passaic County, who died on January 23, 2024, from an apparent self-inflicted gunshot wound.

The Passaic County Sheriff's office said, “It’s important to note that the county is considered the victim of this fraud.”
