On an August evening in 2020, around 9 pm, Kimberly Thompson and Brian James arrived at a driveway in Akron, Ohio, only to find themselves under gunfire. They sustained leg injuries and were immediately rushed to a hospital, but thankfully survived. Tragically, Thompson’s 20-month-old grandson, Tyree Halsell, who remained in the vehicle, was struck in the head and fatally wounded.
In the wake of the incident, the Akron police began gathering video evidence from nearby areas and called on the community to help identify two men who had been seen approaching the victims, firing shots, and then escaping in a truck. Within a few months, detectives focused on a suspect, Phillip Mendoza, and secured a search warrant for his cell phone location records from Sprint, as per court documents. Additionally, they executed a geofence warrant with Google, requesting information on devices that might have been in the vicinity of the shooting, utilizing GPS, Wi-Fi, or Bluetooth data. However, neither of these warrants resulted in any evidence linking Mendoza or his devices to the 1200 block of Fifth Avenue, where the shooting took place.
The investigation reached a standstill until August 2022, when Akron police received a three-page report containing previously sought-after information. This report came from a relatively obscure Canadian firm named Global Intelligence, which has been providing a remarkable service to law enforcement agencies across the United States for several years.
Global Intelligence asserts that, relying purely on publicly available data that does not necessitate a warrant, their Cybercheck system employs over 700 algorithms to geolocate individuals either in real-time or at specific past moments by analyzing the wireless networks and access points with which a person’s “cyber profile” has engaged. The company’s founder, Adam Mosher, has sworn in testimony that the entire process is automated, requiring no human input from the moment an investigator enters the fundamental particulars of a case into the Cybercheck portal to the generation of a report that identifies a suspect and their location.
If the technology functions as claimed, Global Intelligence is offering police departments surveillance capabilities previously unknown, available for as little as $309 per case, which rival the tools utilized by national spy agencies. However, a WIRED investigation reviewing the use of Cybercheck from California to New York, drawing on numerous court documents, testimonies, interviews, and police records, indicates that Cybercheck may be a significantly less effective resource. There have been instances in high-profile trials where the evidence provided was either blatantly incorrect or could not be corroborated through other means.
Experts in open-source intelligence have told WIRED that a substantial amount of the data presented by Cybercheck in its reports to law enforcement would be unattainable through open-source channels alone. In fact, Global Intelligence’s involvement in Ohio seems to have diminished over the last few months, with prosecutors ultimately opting not to rely on Cybercheck reports as evidence in multiple murder cases, including that of Mendoza.
“Either they’re somehow conducting the Minority Report now, or it’s just nonsense,” remarks Stephen Coulthart, director of the Open Source Intelligence Laboratory at the State University of New York at Albany, who assessed Cybercheck reports and the transcripts of Mosher’s testimony at WIRED’s request.
During a trial in November 2022, Mosher testified that 345 different law enforcement agencies had utilized Cybercheck to perform approximately 24,000 searches since 2017. WIRED has identified over a dozen cases involving Cybercheck, including thirteen cases where prosecutors aimed to present Cybercheck reports as evidence during the trial. In two instances, courts accepted Cybercheck reports as valid trial evidence, leading to murder convictions.
The agencies utilizing Cybercheck spanned from minor suburban police forces to county sheriffs and state law enforcement. The crimes in question ranged from offenses associated with child sexual abuse material to drive-by shootings, including longstanding cold cases that had troubled communities for years. For instance, last year, the New York State Police arrested an individual for murder after receiving evidence from Cybercheck that purportedly indicated his cell phone was present at critical locations on the night of the murder, nearly 20 years prior, as stated in the indictment. This case is set to go to trial in 2025.
Although Mosher has provided testimony about Cybercheck many times, his descriptions of the data sources that the algorithms utilize and the methodology behind their outcomes do not completely clarify how Cybercheck generates its reports. Global Intelligence has not responded to inquiries from WIRED regarding the developers of Cybercheck’s algorithms or the data used to train them. When questioned about the tool’s capability to establish that a person’s cyber profile had interacted with a specific wireless network—often long after the events had taken place—an unnamed employee from Global Intelligence replied via email: “There is no specific single source of information with regard to wireless network interactions.”
In 2022, more than two years after Halsell was fatally shot in Akron, Cybercheck issued a report to the police indicating that Mendoza’s cyber profile had connected with two wireless internet devices located near 1228 Fifth Avenue after 9 pm. According to Mosher’s testimony, a cyber profile comprises a collection of names, aliases, emails, phone numbers, IP addresses, Google IDs, and various online identifiers that collectively create a person’s unique digital identity.
Summit County prosecutors filed murder charges against Mendoza. However, when Mendoza’s defense lawyer, Donald Malarcik, examined the Cybercheck report, he uncovered an error. The police department staff member who input the data into Cybercheck’s system had reportedly made a mistake by asking the system to locate Mendoza at the scene on August 20, 2020, when the shooting had in fact occurred on August 2. Despite this, Cybercheck asserted it had pinpointed Mendoza at 1228 Fifth Avenue with 93.13 percent accuracy, despite the incorrect date. Even more puzzling for Malarcik was that after submitting the initial report, Cybercheck generated a second report. This report mirrored the first in every detail—from the MAC addresses, which are unique identifiers connected to network devices, to the time when Mendoza’s cyber profile supposedly interacted with them, and the accuracy rating—except it included the correct date of the shooting.
The warrants issued to Sprint and Google did not yield any evidence linking Mendoza’s devices or accounts to the scene of the incident. However, the automated algorithms employed by Cybercheck indicated that Mendoza’s cyber profile was not only present at 1228 Fifth Avenue during the shooting, but also at that same location, on the same day, for the same duration, connecting to the same wireless networks 18 days later.
An unnamed Cybercheck employee, responding to inquiries from WIRED, stated that the company maintains the validity of both reports concerning Mendoza. “It is not unusual to find the same cyber profile associated with the same device at a location on a different date,” they mentioned.
Malarcik submitted a motion requesting the prosecutor to provide Cybercheck’s software for another case that had generated a report. He also issued a subpoena to Mosher and retained a digital forensics expert to review the code along with the two Cybercheck reports regarding Mendoza. Malarcik shared with WIRED that the expert in a different case allegedly encountered merely a few hundred lines of code designed to scrape public websites for information about individuals—not the 1 million lines of code and over 700 algorithms that Mosher had described in pre-trial hearings.
“It was akin to conducting a Google search,” Malarcik claims. “What we failed to uncover was the secret sauce, which [Mosher] asserts is the machine learning that synthesizes these data points and infers that a cyber profile was present at a certain location. That is what he has yet to reveal to us.”
Mosher and Global Intelligence did not reply to WIRED regarding Malarcik’s allegations.
Malarcik asked the court to conduct a Daubert hearing to evaluate the credibility of Mosher’s testimony concerning Cybercheck’s findings for inclusion as evidence in Mendoza’s trial. Just two days prior to the scheduled hearing, prosecutors in Summit County chose not to introduce Cybercheck as evidence. Since that time, the prosecutor’s office has retracted Cybercheck reports in three additional cases involving four men accused of murder, where these reports might have been introduced as evidence, according to Malarcik and court documents. In early August, Mendoza entered a plea of guilty and was sentenced to serve a minimum of 15 years of a 15-to-20.5-year sentence.
“In the cases involving Cybercheck that proceeded to trial, there were certain elements identified by Cybercheck that also aligned with findings from the detectives on the ground,” stated Brad Gessner, chief counsel for the Summit County prosecutor’s office, in an interview with WIRED. “Those elements corresponded.”
Gessner noted that the prosecutor’s office has utilized or planned to utilize Cybercheck reports in 10 cases referred to them by the Akron Police Department. The Akron Beacon Journal and NBC News were the first to cover the county’s use of this tool.
The Summit County Sheriff’s Office has confirmed to the Akron Beacon Journal this month that it is examining allegations regarding Mosher’s potential perjury, but has not disclosed additional information.
In previous cases, specifically the murder trials of Salah Mahdi and Adarus Black, the defense attorneys chose not to contest the use of Cybercheck, which ultimately led to convictions upheld by an appeals court.
Subsequently, judges presiding over the murder trials of Javion Rankin, Deair Wray, Demonte Carr, and Demetrius Carr have determined that Cybercheck cannot be presented as evidence unless the defendants are granted access to its source code by Global Intelligence. However, the Summit County Prosecutor’s Office has appealed several of these decisions. In September, an Ohio appeals court found that the trial court mistakenly excluded Cybercheck reports for reasons not related to the effectiveness of the technology.
Furthermore, WIRED discovered that in other jurisdictions, prosecutors have opted not to utilize Cybercheck reports or have rescinded charges against defendants after defense attorneys closely examined the results and Mosher’s statements.
In 2021, sheriff’s deputies in Midland County, Texas, were probing the murder of a woman whose charred remains had been discovered in a roadside field. They had apprehended the victim’s ex-boyfriend, Sergio Cerna, on charges that were unrelated. Upon examining his phone, an affidavit revealed that deputies uncovered text messages where Cerna made threats against the victim, including messages stating, “Your car is going to be burned down then you will be next.” However, they could not find any evidence placing Cerna at the crime scene.
The sheriff’s office sought assistance from Cybercheck, which provided a report indicating that the algorithms concluded, with 97.25 percent accuracy, that Cerna’s cyber profile had connected to a wireless LaserJet printer located near the crime scene on the day the victim’s body was discovered. Prosecutors intended to present this report as evidence at Cerna’s trial, but his defense team requested a Daubert hearing. During the hearing, prior to the defense having the chance to cross-examine Mosher, assistant district attorney Lisa Borden opted not to utilize Mosher’s testimony or the Cybercheck report in the trial.
“We would have needed to be able to authenticate that data,” she explained to WIRED, noting that by the time of the Daubert hearing, the printer pinpointed by Cybercheck in its report had gone missing. According to court records and Global Intelligence, this marked the only instance of a Daubert hearing involving Cybercheck throughout the nation.
In March, a jury in Midland County found Cerna guilty and sentenced him to life imprisonment. His attorney expressed intentions to appeal the conviction.
In Colorado, inquiries regarding Mosher and Cybercheck arose before prosecutors decided to dismiss charges and seal the case files against a defendant involved in what authorities described as a child sexual abuse material (CSAM) incident. Upon discovering that the district attorney’s office intended to present Cybercheck evidence during the trial and call Mosher as an expert witness, defense attorney Eric Zale engaged private investigators to delve into Mosher’s credentials.
According to Zale and an appeal brief submitted by Malarcik for a different client where a Cybercheck report was included in the discovery, Mosher informed the Boulder County court that he had previously served as an expert witness in two CSAM cases in Canada. However, after Zale’s investigator reached out, the Canadian prosecutors associated with one of those cases contacted their Boulder County counterparts to clarify that Mosher had never been called to testify in any capacity. It was noted that the defendant, who had familial ties to Mosher, entered a guilty plea on the trial’s first day. Additionally, a prosecutor acquainted with the other Canadian case wrote to the court, stating that no charges were ever filed against the individual whose trial Mosher claimed to have testified in.
Zale claims that Mosher is “exploiting this sort of holy grail of technology to mislead local law enforcement, judges, prosecutors, and even some defense attorneys” into trusting Cybercheck’s technology.
WIRED reached out to Mosher for his comments regarding Zale’s assertions, but he did not respond. Global Intelligence did not contest Mosher’s assertion of having testified as an expert in the two Canadian cases.
“Mr. Mosher felt at the time that he needed to relay all court participation activities including provision of statements regarding an investigation,” the unnamed Global Intelligence employee wrote. “Other prosecutors have reviewed this matter during other trial proceedings, finding this incident was more of a lost-in-translation issue as opposed to some sort of impropriety.”
WIRED requested the names of those prosecutors but did not receive a response.
The challenges in Ohio and Texas have hinged on an unusual aspect of Cybercheck that differentiates it from other digital forensics tools: The automated system doesn’t retain supporting evidence for its findings. As Mosher has testified under oath in multiple jurisdictions, Cybercheck doesn’t record where it sources its data, how it draws connections between various data points, or how it specifically calculates its accuracy rates.
In Mendoza’s case, for example, no one knows exactly how Cybercheck determined that the email address “ladypimpjuice625@aol.com” belonged to Mendoza. Nor did Global Intelligence explain exactly how the system determined that Mendoza’s cyber profile had pinged the wireless devices near 1228 Fifth Avenue.
Mosher has stated that Cybercheck retains only the information it considers pertinent to the investigation during its search process. All of this data is included in the reports that are automatically generated for investigators. Any other information, including details that might contradict who owns a specific email address or online alias, is supposedly processed by algorithms to compute accuracy scores featured in Cybercheck’s reports but is not archived.
“When you’re asking, do we keep all the artifacts and all the data that we crawl—we couldn’t realistically do that because it’s zettabytes of data,” Mosher explained during the Texas Daubert hearing on January 19, 2024. A zettabyte equals more than 1 trillion gigabytes.
Mosher has claimed that there is no need for Cybercheck to present its methodology, as its conclusions stem from open-source data that anyone equipped with the right open-source intelligence (OSINT) training can locate online.
“If you provide that [Cybercheck] report to a skilled investigator familiar with cyberspace and machine learning, they will arrive at the exact same conclusions,” Mosher testified during the murder trial of Adarus Black, in Summit County.
Rob Lee is an expert in open-source intelligence (OSINT) and serves as the chief of research and faculty lead at the SANS Institute, a prominent provider of cybersecurity and information security training. As detailed in Mosher’s résumé and court testimony, he completed over a dozen training courses at the SANS Institute before establishing Global Intelligence.
In response to a request from WIRED, Lee and a team of researchers at the SANS Institute conducted an analysis of Cybercheck reports and examined the descriptions provided by Mosher under oath. They concluded that it is improbable that some of the details in the reports could be obtained from publicly available sources.
Lee explains that to track when a specific device has connected to a wireless network, an analyst would need to intercept the signal or have access to the device or the network’s logs, which are not available through open sources. Such access necessitates obtaining a search warrant.
“The lack of peer review and transparency in [Cybercheck’s] algorithmic processes raises questions regarding the legitimacy, sufficiency, and legality of the datasets utilized for precise profiling and geolocation,” Lee stated to WIRED. “The assertion of reaching this degree of accuracy using solely open-source data without additional validation and transparency in the tool’s methods and data sources is highly questionable.”
A source from Global Intelligence informed WIRED that law enforcement collaborates with “industry analysts and experts in the open source intelligence space who are manually replicating and backstopping intelligence data from our reports.” They stated that “investigations and prosecutions only proceed based on the evidence collected by agencies and corroborated after backstopping Cybercheck intelligence.” The company’s statement did not address concerns that certain information, such as whether a device connected to a specific Wi-Fi network, is generally not obtainable through open source methods.
During the Black murder trial in November 2022, Mosher revealed that since January 2021, Cybercheck had conducted approximately 1,900 searches for the historical locations of suspects and an additional 1,000 searches for their real-time locations. From those 2,900 searches, Mosher mentioned that there was only one instance where the individual did not match the location indicated in Cybercheck’s cyber profile.
However, in interviews and emails reviewed by WIRED through public records requests, multiple law enforcement representatives using Cybercheck’s services claimed that the technology provided information that could not be verified or that contradicted credible sources.
In January, Mark Kollar, an assistant superintendent with the Ohio Bureau of Criminal Investigation (BCI), sent an email to Cybercheck concerning a search warrant his agency had executed to obtain information from an email provider about an account linked to a suspect. Kollar noted, “The email provider is saying that the email listed in the Cybercheck report doesn’t exist and has never existed.”
The Ohio BCI, a part of the state attorney general’s office, formed a $30,000 trial agreement with Cybercheck in August 2023 and forwarded over a dozen cases to the firm, according to Steve Irwin, a spokesperson for the attorney general’s office, who shared insights with WIRED. “BCI has not obtained results on many of the cases, and some of the leads that were produced have not been fruitful,” he stated. “Because of the absence of useful investigative leads, BCI has no plans to pursue another contract with the company.”
The Yakima County Sheriff’s Office in Washington signed an $11,000 contract in 2022 that allowed them to submit 20 cases to Cybercheck. “I believe we still have access to Cybercheck, but we don’t utilize it,” shared Casey Schilperoort, the sheriff’s public information officer, in an email. “I have heard that the information we receive is often not much or precise.”
In an unofficial email chain obtained by WIRED through a public record request, investigators from various agencies discussed their experiences with the technology. Aurora, Colorado detective Nicholas Lesnansky noted that Cybercheck named a suspect in one of his department’s homicide investigations based on the individual’s cyber profile triggering a router at a relevant location. “Detectives spoke with the resident of that home, who has lived there for over 20 years and has never owned a router by that name, thus we cannot support their information,” Lesnansky explained. Neither Mosher nor Global Intelligence responded to WIRED regarding Lesnansky’s assertions.
In another case from Aurora concerning the deadly shooting of a 13-year-old, Global Intelligence personnel were “adamant” that Cybercheck had pinpointed the murderer, yet Lesnansky’s investigation leaned toward a different individual he believed to be a stronger suspect. “They then created a narrative suggesting it was a gang initiation where the person they identified was driving the individual I think is more likely around,” Lesnansky noted. “I doubt the suspect identified by Cybercheck and the other individual I consider more likely would be driving around together since the former has had his home shot up by the latter multiple times.”
In the same email conversation, Heather Collins, an intelligence analyst from the special victims unit at the Mississippi Bureau of Investigation, noted that she utilized Cybercheck in a case involving a missing juvenile. She stated, “They provided us with information on potential ‘suspects’ that turned out to be entirely inaccurate. We ultimately found the missing juvenile through alternative means. It was a waste of our time.”
When approached by WIRED regarding Collins’ claims about the inaccuracies in the information supplied by Global Intelligence, Mosher did not provide a response.
Though there are instances where Cybercheck has seemingly yielded correct information, law enforcement officials have not always been able to act on those findings.
Joe Moylan, the public information officer for the Aurora Police Department, mentioned that his department has sought information from Cybercheck in five different cases. He noted that in two of those instances, the technology was “helpful for the investigations,” despite the fact that no arrests have come as a result.
In 2017, a 9-year-old named Kayla Unbehaun was abducted. The South Elgin, Illinois police department dedicated years to searching for Unbehaun and her mother, Heather Unbehaun, who was suspected of the abduction. Their investigation led them to Georgia, but that trail ended there. During this time, the police department engaged Global Intelligence for assistance. Sergeant Dan Eichholz received a Cybercheck report suggesting that Unbehaun and her mother were in Oregon. However, as Eichholz explains to WIRED, the report lacked supporting evidence, preventing him from utilizing it to secure a search warrant.
In 2023, Unbehaun was finally reunited with her father after an employee at a consignment shop in Asheville, North Carolina, recognized her mother from an image featured on the Netflix series Unsolved Mysteries. Following her discovery, Eichholz learned that, until just a few months prior, the pair had indeed resided in Oregon.
“I don’t want to say it wasn’t actionable, but I couldn’t just take their information and go with it,” Eichholz remarks. “That was always the hang-up for us. ‘OK, you got me this information, but I still have to check and verify and do my thing with search warrants.’” The case of child abduction against Heather Unbehaun remains unresolved.
Cybercheck has gained traction among law enforcement agencies nationwide, fueled by persuasive marketing and recommendations. However, interviews conducted by WIRED and a review of email communications revealed scant evidence that these agencies confirmed or substantiated the claims made by Global Intelligence regarding its technology’s capabilities.
Prosecutors interviewed by WIRED, including Borden from Midland County, mentioned they discovered Cybercheck because law enforcement in their area had been utilizing it. When it arose during legal proceedings, they opted to let the adversarial court system determine its validity.
“It was new technology and I was curious, so I was like, ‘Let’s give it a try and see how far we can get,’” Borden commented. “I’m thankful that it didn’t come into evidence in my case, that I didn’t need it to obtain my conviction.”
Correspondence reveals that sales representatives from Global Intelligence frequently proposed to process police department cases through Cybercheck at no charge to showcase the technology. They also mentioned cases that Global Intelligence described as high profile, claiming that Cybercheck had a role in solving them, but did not provide specifics or evidence that Cybercheck influenced the investigations.
Emails acquired from the Ohio Bureau of Criminal Investigation indicate that investigators were initially eager to uncover what insights Cybercheck could offer regarding their cold cases. They even connected Global Intelligence sales representatives with other law enforcement agencies in Ohio. This excitement seemingly played a significant role in persuading additional agencies to place their trust in the company.
Gessner, representing the Summit County Prosecutor’s office, mentioned that when his team was evaluating the use of Cybercheck evidence, they consulted with the Ohio BCI’s cybercrimes unit for their input. “They indicated that it was a sensible approach … we lack the technology for this, but we would welcome it,” he stated. Additionally, county prosecutors contacted the SANS Institute, only to find out that the institute did not specialize in that area.
Despite retracting the evidence obtained from Cybercheck, Gessner noted that the Summit County Prosecutor’s Office is proactively reaching out to other firms to see if they can perform similar open-source location tracking that was promoted by Global Intelligence.
“Our goal is to keep avenues open that could assist in uncovering the truth in our cases,” he stated.
