Intellexa (AKA Intellexa Anonymi Etaireia), an alliance of digital intelligence firms in Greece run by an ex-Israeli intel officer, and Cytrox AD (AKA Sytrox), which produces their Predator spyware, added to U.S. ‘entity list’ which already includes Israel’s NSO and Candiru.
Late last year, Citizen Lab uncovered the hacking of an Egyptian dissident’s phone. The affected device was host to two forms of malware, one created by NSO Group and the other by Cytrox. According to the Citizen Lab investigation, these infections were traced back to two different government clients.
Cytrox and its clients’ targets included politicians and journalists around the world.
The spyware, named Predator, was developed by Cytrox, a then-small and virtually unknown North Macedonian start-up founded in 2017, which was acquired by Cyprus-based Wispear (renamed Passitora Ltd), owned by Tal Dilian, former CEO of Unit 81, an elite technology unit under the Israeli military’s intelligence services.
Intellexa and Cytrox are reportedly owned by a group of Israeli-owned digital surveillance firms operating from Europe. Both have been added to a U.S. blacklist of companies acting against American interests, in the latest attempt by the White House to curb the international proliferation of military-grade spyware.
The U.S. Commerce Department added Intellexa and Cytrox, both owned by different Israeli nationals, among them the former military intelligence officer Tal Dilian, to its economic trade “entity list.”
Cytrox, a Hungary-based surveillance company with a presence in North Macedonia, produces a spyware called Predator. The firm also enjoyed early investments from state-owned Israel Aerospace Industries.
The Commerce Department said the companies were being added “for trafficking in cyber exploits used to gain access to information systems, thereby threatening the privacy and security of individuals and organizations worldwide.”
Intellexa, which is registered in Greece and has related entities in Ireland and North Macedonia, serves as a one-stop-shop for state surveillance needs. Both firms were at the center of a massive political storm in Greece.
A Greek prosecutor opened an investigation last year into an allegation by a journalist that his smartphone had been infected by surveillance software in an operation by the country’s intelligence service. The journalist said his phone had been infected by Predator spyware developed by Cytrox and sold in Greece to the government by Intellexa.
The journalist’s allegation came as the European Union (EU) was beginning to follow the United States in taking a harder look at spyware merchants and the use of powerful surveillance software.
Attempts by Haaretz to reach representatives from Cytrox and Intellexa were not successful.
Last year, as part of the Biden administration’s efforts to counter the misuse of commercial spyware, two firms operating out of Israel – NSO Group and Candiru – were also added to the list in 2021, which prevents them from doing business with U.S. bodies.
In a statement, U.S. Secretary of State Antony Blinken said the blacklisting was part of a broad U.S. government initiative “to counter the risks posed by commercial spyware [that] poses distinct and growing counterintelligence and security risks to the United States, including to the safety and security of U.S. government personnel.”
The decision to place NSO and Candiru on the blacklist was a watershed moment for Israeli cyber firms. After years in which Israel pushed the firms as part of Prime Minister Benjamin Netanyahu’s “cyber diplomacy,” the U.S. started pushing back after misuse of spyware like NSO’s Pegasus by client states – including against American diplomats in Africa.
Israel understood the message and decided to drastically curb its cyber exports, dropping the list of countries to which such technologies can be exported from over 130 to barely over 30, almost all of which are Western democracies.
Since then, the Israeli offensive cyber market has faced a massive squeeze, with a list of firms shutting down, among them Nemsis, Kela, Magen and QuaDream, which closed shop after Israel refused to let it sell its spyware to Morocco, which was a previous client of NSO but was cut off after misusing Pegasus.
Ironically, sources say this helped those Israelis operating outside of Israeli regulations – first and foremost Intellexa, which headhunted teams let go from Israeli firms buckling from a lack of new sales.
A senior Israeli source who is part of a prominent Israeli offensive spyware firm told Haaretz that the decision to add the EU-based firms to the U.S. blacklist is different from the decision to sanction NSO and Candiru. “These two firms operated under strict Israeli oversight and regulation by the Defense Ministry. The decision to blacklist them backfired and actually led Israel to crack down on firms they were already regulating and thus actually sparked a brain drain.
“By adding NSO and Candiru to the blacklist, the Americans pushed people to think creatively and move their operations outside of Israel. This also pushed people to Intellexa, which is not regulated. The decision to sanction them now makes sense – it shows that even if you try to operate abroad, it doesn’t matter if it’s from a tax haven or a spyware regulation haven – the U.S. will find you and stop you.”
A Haaretz investigation published last summer revealed Intellexa was picking up all the deals Israel had refused to authorize – selling their digital surveillance wares to countries like Ukraine. Simultaneously, sources suggested that alongside countries in which Israeli firms were once allowed to work – such as Mexico, Ghana, Colombia and Greece – Dilian-linked firms have also inked deals with clients in Saudi Arabia, Oman, Malaysia, Indonesia and Sri Lanka.
According to Citizen Lab, a digital rights watchdog based in Toronto that studies spyware, Predator was used to hack exiled Egyptian politician Ayman Nour as well as an Egyptian television journalist whose identity was kept anonymous. What this spyware can do can be answered in one word: everything, since it turns the mobile phone into a sophisticated surveillance device.
“Predator is a surveillance tool that offers its operator full and continuous access to the target’s mobile [phone] device. Predator allows the operator to extract secret passwords, files, photos, web browsing history, contacts as well as data such as mobile device information,” according to the Citizen Lab investigation.
A Haaretz investigation also revealed the sale of digital tools to a militia in Sudan. In 2017, in Skopje, North Macedonia, Rotem Farkash founded Cytrox, the company that developed the infamous Predator spyware, with millions of dollars in initial funding from the state-owned Israel Aerospace Industries (IAI). Cytrox was later acquired by Intellexa and merged into the alliance of digital surveillance firms founded in Cyprus and Greece by Tal Dilian, a former commander of an Israeli army intelligence select technology unit.
As early as 2019, the Greek government began testing the Predator spyware technology, though they had not formulated a legal framework for using it. Thanasis Koukakis, an investigative journalist, was one of the first victims of its use. According to the investigation, a preliminary agreement was drafted in March 2022. But one month later the “Greek Watergate” scandal would erupt, revealing widespread use of Predator against Greek politicians and business executives, and the agreement with North Macedonia was never signed.