The CIA secretly built an arsenal of hacking tools to turn phones, smart TVs, and cars into covert surveillance devices
Where the evidence lands: SupportedThat the Central Intelligence Agency secretly developed a large arsenal of cyber weapons, malware, viruses, and zero-day exploits, capable of breaking into smartphones, computers, routers, cars, and smart televisions, and using them as covert listening and tracking devices, and that these capabilities were built and used outside meaningful public oversight until the Vault 7 leak exposed them.
Believed by: A broad audience of privacy advocates, security researchers, journalists, and the general public, with a maximal 'they watch everyone through your devices' version circulating widely on social media
The full story
The leak that put the toolkit on the record
On 7 March 2017, WikiLeaks began publishing a cache it called Vault 7: roughly 7,800 web pages and more than 900 attachments in the first batch alone, drawn, it said, from an isolated, high-security network inside the CIA's Center for Cyber Intelligenceat Langley. WikiLeaks described it as the largest leak of intelligence documents in history, and by volume it exceeded even Edward Snowden's 2013 disclosures about the NSA.
The material was not a manifesto or a rumor. It was an engineering archive: user guides, tool catalogs, and technique write-ups describing how the agency's hackers compromised everyday devices. The files, dating from 2013 to 2016, covered exploits for Apple's iOS and Google's Android phones, Microsoft Windows, Linux, routers, and major web browsers, along with a now-notorious implant for internet-connected televisions.
The claim at the heart of this case file, that the CIA secretly built an arsenal of hacking tools to turn ordinary devices into covert surveillance instruments, is therefore unusual in this archive: it is largely true, and documented by the government's own subsequent actions. The discipline here is not to prove that the arsenal existed. It is to keep the real, documented capabilities apart from the much larger fear they inspired.
What Vault 7 actually documented
Take the documented capabilities seriously, because they are substantial and they are real. The files describe a working program to find and weaponize software flaws, including zero-day exploits, vulnerabilities unknown to the device makers and therefore unpatched, and to build malware that could sit on a target's phone or computer and quietly collect from it.
The single most cited example is Weeping Angel, an implant developed jointly with Britain's MI5that targeted certain Samsung smart TVs. Its trick was a “Fake Off” mode: to the person in the room the television looked switched off, while its built-in microphone kept recording and the captured audio could be retrieved later. A living-room appliance repurposed into a bug is exactly the kind of detail that makes the story stick, and it is not invented. It is in the leaked user guide.
A television that looks switched off while its microphone keeps recording is not a metaphor for surveillance. It is a documented CIA implant with a name.
The scale was real too. A CIA internal audit reportedly found that 91 of more than 500of the agency's malware tools had been compromised by the breach, a figure that only makes sense if there were hundreds of such tools to begin with. And the ultimate confirmation came not from WikiLeaks but from a federal courtroom: the United States prosecuted a former CIA software engineer for stealing and leaking this material and won a conviction. An agency does not spend years prosecuting the disclosure of documents it considers fake. The arsenal, in other words, is about as well established as a secret program can be.
Where the maximal reading overreaches
The gap opens between what the tools could do and the popular sense that Vault 7 proved the government watches everyone, always, through every screen in the house. The documents do not show that, and the difference is not a technicality.
Start with Weeping Angel. As documented, installing it required an operative to get physical access to the specific television and load the implant, in the leaked guide, from a USB stick, and a later firmware update reportedly closed even that route. That is a targeted operation against a chosen target, not a remote switch flipped on every Samsung set in the country. The same pattern runs through the catalog: many tools need particular device models, particular software versions, or particular access to work at all. Capabilities that must be aimed are a real menace to whoever they are aimed at, and a very different thing from blanket, passive surveillance of the public.
Then there was the encryption confusion. Early headlines suggested the CIA had “cracked” Signal and WhatsApp. Security researchers corrected this quickly: the files show the agency compromising the phone, so that once a device is fully owned, its messages can be read before they are encrypted or after they are decrypted, along with everything else on it. The cryptography behind the apps was not broken. As one researcher put it, that no more defeats Signal than reading a text over your shoulder does. Owning a specific target's handset is a serious capability; it is not a skeleton key to everyone's private chats.
The CIA itself, for its part, declined to confirm the authenticity of individual documents while making clear it regarded the breach as real and damaging, warning that such leaks endanger personnel and operations. That posture, treating the loss as genuine without endorsing every published claim, is worth mirroring: the toolkit was real, and the alarmed maximal interpretation of it ran ahead of the evidence.
Why the maximal version stuck
It is easy to see why the sweeping reading spread faster than the careful one, and it does not require assuming anyone was gullible. The maximal version was built on a foundation of documented truth, which is exactly what makes it durable.
Vault 7 also arrived on prepared ground. Snowden had already shown, four years earlier, that a U.S. intelligence agency would build vast electronic surveillance capabilities and keep them secret. Against that backdrop, a CIA hacking arsenal did not read as a surprise to be weighed carefully; it read as the next confirmation of something already believed, and confirmation invites the boldest interpretation.
The modern home did the rest of the work. Living rooms now contain a growing crowd of internet-connected microphones and cameras: phones, televisions, speakers, doorbells, even cars. Once you know that an agency has, in fact, hacked some of these devices, the inference that it can reach all of them, all the time, feels less like paranoia than prudence. The Weeping Angel image, a TV listening while it looks off, crystallizes that fear into a single unforgettable picture.
And some of the overreach was handed to the public by the coverage itself. When major outlets initially implied the CIA had beaten encrypted messengers, the exaggeration carried the authority of mainstream headlines before the corrections arrived. A story that starts partly wrong in respectable places is hard to fully walk back.
Where the evidence lands
On the core claim, that the CIA secretly built an arsenal of hacking tools capable of turning phones, computers, routers, and smart TVs into covert surveillance devices, the verdict is substantiated. The Vault 7 files document it, the CIA treated the breach as real, and a federal jury convicted the engineer who leaked it, with a 40-year sentence handed down in 2024. There is very little room left to doubt that the toolkit existed and did roughly what the documents say.
What remains important is the boundary. The evidence supports a program of targeted cyber-espionage tools, several requiring specific access or specific hardware, wielded by an intelligence agency against chosen targets. It does not support the fear that most people took away, that Vault 7 proved continuous, passive surveillance of the entire public through their devices, or that encrypted messaging had been broken. Both of those readings reach past what the files show.
The honest position holds both at once. A real, formidable, largely hidden hacking arsenal was exposed, and that exposure was serious enough that the government spent years and a landmark prosecution responding to it. And the tools were instruments of aimed intelligence work, not a machine for watching everyone. The substantiated story needs no inflation; the inflation is where an accurate account of a genuine secret program tips over into something the record cannot carry.
What's still unexplained
- How widely and against whom the Vault 7 tools were actually deployed is not public. The leak documents capabilities in detail, but the operational record of their use, targets, authorizations, and oversight, remains classified, so the line between what the CIA could do and what it did do is not fully drawn.
- How the archive was exfiltrated from a high-security CCI network, and what that says about the agency's own internal security, was aired in court but never fully resolved in public. The CIA's WikiLeaks Task Force reportedly found lax security, and the broader lesson about safeguarding cyber weapons is still being argued.
- What happened to the exploits after publication is a live security concern in its own right. Once zero-day vulnerabilities and techniques are exposed, they can in principle be studied or repurposed by others, and the full downstream effect of releasing an intelligence agency's toolkit is hard to measure.
- Whether intelligence agencies should stockpile undisclosed zero-day vulnerabilities at all, rather than reporting them so manufacturers can patch, is a genuine unresolved policy debate that Vault 7 sharpened but did not settle.
Point by point
The claim: The CIA built a large secret arsenal of hacking tools, malware, and zero-day exploits to break into everyday devices.
What the record shows: Substantiated, and confirmed twice over. The Vault 7 files themselves describe the tools in operational detail, and the government's own criminal case treated the archive as authentic classified material, securing a conviction and a 40-year sentence for the engineer who leaked it. The documents cover exploits for Apple's iOS, Google's Android, Microsoft Windows, Linux, routers, and major web browsers. A CIA internal audit reportedly found that 91 of more than 500 of its malware tools had been exposed. This is not a rumor about capabilities; it is the government prosecuting someone for revealing them.
The claim: One of the tools could turn a smart TV into a hidden microphone that keeps listening after you switch it off.
What the record shows: True in the specific, and worth stating precisely. Weeping Angel, developed with Britain's MI5, targeted certain Samsung smart TVs and used a 'Fake Off' mode so the set appeared powered down while its microphone recorded. But the documented method required an operative to install the implant, in the leaked guide, via physical access and a USB stick, and a later firmware update reportedly closed that USB route. It was a targeted espionage implant for a specific model under specific conditions, not a switch flipped remotely on every television at once.
The claim: The CIA had cracked encrypted messengers like Signal and WhatsApp and could read anyone's private chats.
What the record shows: This is where early coverage overreached and security experts pushed back. The Vault 7 files do not show the CIA breaking the cryptography behind Signal or WhatsApp. They show the agency compromising the phone itself, so that once a device is fully hacked, its owner's messages can be read before they are encrypted or after they are decrypted, along with everything else on the handset. As one researcher put it, that no more breaks Signal than reading a message over someone's shoulder does. The encryption held; the endpoint was the target.
The claim: Vault 7 proves the government is passively watching everyone, all the time, through their phones and TVs.
What the record shows: This is the overreach the documents do not support. The tools cataloged in Vault 7 are instruments of targeted intelligence operations: many require specific access, specific device models, or specific conditions, and several (like the TV implant) needed hands-on installation. There is no document showing a program that mass-compromised consumer devices across the public, or that quietly turned every phone and television into an always-on feed. A capability that can be aimed at a chosen target is a serious thing; it is not the same as continuous surveillance of everyone, and conflating the two is where the accurate story tips into the false one.
The claim: The whole thing could be a fabrication or a foreign forgery, so none of it can be trusted.
What the record shows: The authenticity question is effectively closed. The CIA never denied the archive's provenance and treated the breach as a genuine, damaging loss from the moment it broke. More decisively, the United States tried a former CIA engineer for stealing and disclosing the material, and a jury convicted him; you cannot convict someone of leaking documents that do not exist. The dispute was never whether the files were real. It was how far their significance should be stretched.
Timeline
- 2013–2016The internal documents later published as Vault 7 are created and circulated inside the CIA's Center for Cyber Intelligence (CCI) in Langley, Virginia. They catalog the agency's cyber tools: malware, exploits, and technique write-ups for compromising a wide range of consumer and commercial devices.
- 2016The Weeping Angel implant, a joint CIA and British Security Service (MI5) project targeting certain Samsung smart TVs, is documented in a user guide. It uses a 'Fake Off' mode so a set appears powered down while its built-in microphone keeps recording.
- 2016 (approx.)According to a later internal CIA assessment, the material that would become Vault 7 is copied from a high-security CCI network. A subsequent audit found that 91 of more than 500 of the agency's malware tools had been compromised by the breach.
- 2017-03-07WikiLeaks publishes the first Vault 7 batch, 'Year Zero': roughly 7,800 web pages and more than 900 attachments. WikiLeaks says the archive came from an isolated, high-security network inside the CCI, and calls it the largest leak of intelligence documents in history.
- 2017-03 to 2017-11WikiLeaks releases a run of further installments (Dark Matter, Marble, Grasshopper, Weeping Angel, and others), 26 disclosures in total that it labels Vault 7 and Vault 8, each documenting specific tools, frameworks, or techniques.
- 2017-03The CIA responds without confirming the authenticity of specific documents, warning that such disclosures damage national security and endanger personnel, while defending its mission to collect foreign intelligence. Security researchers stress that the files show the CIA compromising devices, not breaking the encryption of apps like Signal or WhatsApp.
- 2018-06Federal prosecutors charge Joshua Adam Schulte, a former CIA software engineer who had worked in the CCI, with unlawfully transmitting the Vault 7 material to WikiLeaks, among other counts.
- 2022-07-13After an earlier trial ended without a verdict on the central counts, a jury convicts Schulte of espionage and computer-hacking charges tied to the leak. He is separately convicted in 2023 on child sexual abuse material charges.
- 2024-02-01U.S. District Judge Jesse Furman sentences Schulte to 40 years in prison. The Justice Department describes his theft as the largest data breach in CIA history and one of the largest unauthorized disclosures of classified information the United States has ever seen.
From the case file
The actual records: declassified, released, or leaked. We link straight to each document in its official archive, so you never have to take our word for it. Read the originals yourself.
Vault 7: CIA Hacking Tools Revealed (Year Zero release)
The WikiLeaks release page for the first Vault 7 batch, drawn from what WikiLeaks said was a high-security network inside the CIA's Center for Cyber Intelligence. It indexes the leaked tool guides and technique documents covering exploits for iOS, Android, Windows, routers, browsers, and smart TVs, including the Weeping Angel implant.
Read the document: WikiLeaks →Former CIA Officer Joshua Adam Schulte Sentenced to 40 Years in Prison for Espionage and Child Pornography Crimes
The Justice Department's announcement of the 40-year sentence imposed on former CIA software engineer Joshua Schulte for transmitting the Vault 7 material to WikiLeaks and other crimes. It describes the theft as the largest data breach in CIA history, and its existence confirms that the leaked archive was authentic classified material.
Read the document: U.S. Department of Justice (SDNY) →Supported. The core is documented and, unusually, confirmed by the government's own criminal case. Beginning on 7 March 2017, WikiLeaks published Vault 7, thousands of files from the CIA's Center for Cyber Intelligence describing a real toolkit of malware and zero-day exploits for iPhones, Android phones, Windows, routers, and smart TVs, including a Samsung TV implant, Weeping Angel, that could turn a set into a covert microphone. A former CIA software engineer, Joshua Schulte, was later convicted of the leak and sentenced to 40 years, which settles that the material was authentic. What the record does not support is the maximal spin: these were targeted espionage tools, several needing physical access, not a system for passively watching everyone through their living-room television. The arsenal is real; the always-on all-seeing version is not what the documents show.
Sources
- 1.Vault 7: CIA Hacking Tools Revealed (release page), WikiLeaks (2017)
- 2.Former CIA Officer Joshua Adam Schulte Sentenced to 40 Years in Prison for Espionage and Child Pornography Crimes, U.S. Department of Justice, U.S. Attorney's Office, Southern District of New York (2024)
- 3.WikiLeaks Releases What It Calls CIA Trove of Cyber-Espionage Documents, NPR (2017)
- 4.The CIA Didn't Break Signal or WhatsApp, Despite What You've Heard, The Intercept (2017)
- 5.WikiLeaks Says CIA Hacked Samsung Smart TVs, CBS News (2017)
- 6.WikiLeaks and the CIA: What's in Vault 7?, Council on Foreign Relations (2017)
- 7.A Record Sentence in the 'Vault 7' Leak Case, Reporters Committee for Freedom of the Press (2024)
- 8.Former CIA Engineer Gets 40 Years for Giving Agency's Hacking Secrets to WikiLeaks, NPR (2024)
Help us investigate
This is a living case file. If you spot an error or know evidence we missed, tell us, and weigh in on where you land.
Where do you land?
Cast your read on this one.