A new type of mercenary spyware came on the radar called Predator. It’ll infect a mobile phone, and then suck up all the data from it. Contacts, text messages, location, and more. This malware is being sold to intelligence agencies around the world.In this episode we hear from Crofton Black at Lighthouse Reports who spent 6 months with a team of journalists researching this story which was published here: https://www.lighthousereports.com/investigation/flight-of-the-predator/.We also hear from Bill Marczak and John Scott-Railton from Citizen Lab.If you want to hear about other mercenary spyware, check out episodes 99 and 100, about NSO group and Pegasus. To hear another episode about Greece check out episode 64 called Athens Shadow Games.SponsorsSupport for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.Support for this show comes from Akamai Connected Cloud (formerly Linode). Akamai Connected Cloud supplies you with virtual servers. Visit linode.com/darknet and get a special offer.
You ever think about the proliferation of weapons? Well, shoot, let's get into it. I want you to think about this guy, Sam Cummings. Here, I found an old vintage documentary made by CNN.
This is Sam Cummings, and this 57-year-old is the biggest private military weapons dealer in the world.
The business as a business is fascinating.
Cummings has sold tens of millions of guns to armies and sportsmen.
Okay, so how did he become the biggest private military weapons dealer in the world? Well, the U.S. Department of Defense taught him. That's how. When he was 18, in 1945, he was recruited into the U.S. Army, which, at the time, they were just wrapping up World War II. There was a big ramp-up to provide all these weapons for armies around the world to use in wars.
And then suddenly the war was over. So where's all the weapons going to go?
As a young arms buff, Cummings got his start at the CIA. His assignment was to buy surplus weapons in Europe. At the age of 23, he left the spy agency and started his own business.
Buying surplus weapons in the CIA gave him a crazy idea. How about buy a whole bunch of cheap weapons now that the war is over, and then slowly sell them over time? He had all the contacts. He needed to go buy them, and so he did. And he was selling them to the public, like to hunters or sportsmen, and was becoming known for having a big supply of weapons.
But he wanted bigger deals, and so he started talking to governments around the world. He brought a bunch of AR-10 rifles down to Nicaragua and demonstrated that to them there. Well, the Nicaraguan military was like, ah, that's cool, send us some of those. and then the Dominican Republic wanted some, and then Cuba wanted some.
And yet, he sold battle rifles to all these places, including Fidel Castro, which I think was illegal because it was an embargo not to sell any weapons to Castro, yet it still happened. Fidel Castro bought rifles from him, and he did not seem to get in any trouble for that. I don't think he cared who he sold to. If you had money, he'd sell you weapons.
Every morning, Cummings uses a telex to keep in touch with his military customers and branch offices. A telex comes in from Sudan, offering surplus military equipment.
I would go about 25% more than that in dollars if my list is the same as your list.
Cummings' military weapons are shipped and stored at Inner Arms House in Manchester, England. At any given moment, there are a quarter of a million guns here. And on little notice, Cummings says he would have no trouble equipping a fair-sized army.
Depends how large the army would be, but let's say an army of an average smaller African or Latin American state is 25,000 to 50,000 men. No problem.
Can you believe this kind of thing was going on in the 50s and 60s? Sam Cummings has sold or bought arms from almost every country in the world. Interarms has supplied Africa, and his company's weapons have shown up in Egypt. His guns were used at the Bay of Pigs by Fidel Castro and in Nicaragua under Somoza. But Cummings' best customers are countries in Asia.
This guy became a billionaire, selling hundreds of thousands of weapons to anyone who would pay. And a lot of time, he would buy these weapons from Russia, which was in the middle of a cold war with the U.S.
I would say the Russians build the best military weapons across the board, and they also build them in tremendous quantity, which is the key factor in modern war.
I don't know. I feel like this guy's only ally in life is money. He doesn't mind selling weapons to places that are actively at war with his home country, you know? So clearly he doesn't have an allegiance to the U.S. And from watching this documentary, he seems to believe that all sides are evil and there's just no way to take the moral high ground on any of these trade deals.
He does seem to have some kind of allegiance to his family, though. He invited this CNN reporter on an eight-hour car ride where they were going on a family trip somewhere. And I think it's pretty weird to have a reporter in the car with the whole family for eight hours.
But, okay. He asked us not to take pictures of his wife or his college-age daughters for security reasons.
Well, strangely enough, years later, one of those daughters, Susan, killed her boyfriend by shooting him four times and was convicted and had to serve prison time. These are true stories from the dark side of the internet. I'm Jack Recider. This is Darknet Diaries. This episode is brought to you by SpyCloud. For some people, ignorance is bliss.
But for you, as a security practitioner, that's not the case. I went to spycloud.com to check into my darknet exposure, and I won't tell you what it is, but spoiler alert, I found some things that are pretty eye-opening. From breach exposures to info stealing malware infections, knowing what criminals know about you and your business is the first step to setting things right.
Resetting stolen passwords and addressing the enterprise access points that have been stolen by malware helps you protect your business from ransomware, account takeovers, and online fraud. With SpyCloud, you have a trusted partner to fight the good fight with.
Their automated solutions, which is built on over 350 billion recaptured assets from the criminal underground, ensure you're not in the dark when it comes to your company's exposure to cybercrime. To get your full Darknet exposure report, visit spycloud.com slash darknetdiaries. That's spycloud.com slash darknetdiaries. This episode is sponsored by Delete Me.
In episode 133, I spoke to Connor Tumbleson about some people from who knows where who were stealing his identity. Luckily, they weren't out to destroy his reputation or extort him, but think of the damage that could be done. We all have data out there, which data brokers use to make profit. Anyone on the web can buy your private details to do anything they want.
This can lead to identity theft, phishing attempts, harassment, and unwanted spam calls. But there's a solution called Delete Me. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And they got busy deleting these things. It was great to have someone on my team when it comes to privacy.
Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount for my listeners, you can get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code DD20 at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code DD20 at checkout.
That's joindeleteme.com slash darknetdiaries code DD20. All right, so let's start out with what's your name and what do you do?
I'm Crofton Black. I'm a reporter at Lighthouse Reports.
Lighthouse Reports is an investigative nonprofit working with some of the world's leading media companies on topics like migration and surveillance. And a lot of episodes you hear on my show are sometimes slapped together in a matter of weeks, and it's just me doing the research. But not this episode. Here, we have the luxury of talking with a real reporter who spent lots of time on this story.
Well, this article was like a big team effort, right? Because, I mean, first of all, we at Lighthouse, we wouldn't have got involved in it without the work that Inside Story and Grease did.
And, you know, for me personally, like working with those guys was just a huge privilege because, you know, they're so knowledgeable and so capable and the material they were able to dig up was like truly astounding in some cases.
And, you know, I guess for me it was cool because, you know, I'm a plane tracking guy for a long time and, you know, I got into this business as a, you know, doing plane tracking stuff when I was tracking CIA rendition flights. So, you know, for me, it was kind of funny to do a story that combined those two things. That's never happened before, and I wonder if it'll ever happen again.
So, yeah, I've got a personal space in my heart for this story for that reason, really.
The team at Lighthouse Reports spent over six months researching this story, and they worked together with other reporters and journalists and researchers, places like Inside Story in Greece and Haaretz in Israel. They published similar stories, too. And when I first read the story, I was like, whoa, what? So buckle up and let's go for a ride.
The person at the center of this story is a guy named Tal Dillion.
Tal's an Israeli entrepreneur, a longtime guy in the cyber business, formerly in the military, like a lot of those guys are, came out. And he was involved in in a very famous phone geolocation outfit called Circles back in the day.
So I want to jump in here and underline this for a second. Tal went through the Israeli military. Specifically, he was in Unit 81, which designs new tools for the Israeli military to use. I've heard that Unit 81 once designed a little microphone that is supposed to look like a rock.
So you could just set it down in an area you want to record audio in, and it's hidden, so nobody knows they're being recorded. I imagine they make a lot of spy gear for the Israeli military. Yeah, so Tal came out of that division, and when he left the military, he created a company called Circles, which I believe was a surveillance company that used SS7 attacks to spy on mobile users.
SS7 attacks are really fascinating. I'm not going to get bogged down into the details of how they work, but real quick, SS7 is a way to exploit mobile carriers into getting info on the users or even taking over their phone number. And I believe this company that Tal started, Circles, was using SS7 attacks to collect data from targets and intercept messages and phone calls.
Well, this became quite the service. So much so that NSO Group was like, hey, that's cool. Can we buy it? Now, NSO Group is someone I've covered in detail before. That's episode 100. And it's actually the most listened to episode of this show. But to quickly recap who they are, NSO Group makes spyware called Pegasus and then sells it to governments around the world. who then, well, spy on people.
It infects the phone and then gives the government full visibility into it. So when NSO saw how nifty this Circles company was, they purchased the company from Tal for $140 million. Now, what would you do if you just sold your company for $140 million? Well, I'd move to a nice warm island somewhere. And that's just what Tal did, too.
He moved to Cyprus, which is an island nation just off the coast of Israel in the Mediterranean Sea. But while there, he started talking with another Israeli named Abraham Avni. Abraham was a businessman and started a company called Pegasus Flight Center in Cyprus. I think they did charter planes. And together, Tal and Abraham started a new project, a surveillance tool.
He had an outfit there called, I think, We Spear, We Spear, Why Spear, something like that.
It might also be a weird spelling for whisper. Anyway, Tal started advertising this mobile surveillance technology. And that's when Forbes is like, hey, that looks interesting. Do you mind showing us on camera what you're working on? And he's like, sure, come on out. So Forbes goes to Cyprus and interviews him.
Actually, maybe you don't like to know it, but somebody knows exactly where you are all the time. Because each of our devices just says, hey, I'm here every, I think, 15 minutes. Maybe I don't keep it, maybe I don't share it with others, but the knowledge is there.
This video is wild. It's one of those that when you watch it, your jaw just drops and you're like, what the hell is this? Tal takes them to his van and then opens the back doors up and there's like two racks of computers, routers, switches, servers. Inside it looks like your classic FBI spy van. There's like a desk and monitors and chairs and electronics panels, antennas. It's nuts.
And Tal is saying, yeah, so this is a $9 million spy van. And here, let me demonstrate.
We send two people out of the van. We will trace them. We will intercept them. We will infect them.
He proceeds to use WeSpear to lock on to these two people walking by, and somehow it grabs their data, and he's now in their phones spying on them. It's a crazy piece of technology. But it's even crazier that he was willing to show all this off on camera to be published in Forbes.
I think that's his rep. He's known as a guy who people call him a maverick. They say that he doesn't play by the rules, that he does unexpected things. And I think you could class that video in the category of unexpected things. Sure. I mean, I think it caused quite a stir when it came out in the first place amongst people who follow this kind of stuff. It was a
You know, it was like kind of, oh, wow, you know, this crazy video has appeared of, you know, we never normally see this stuff. And it obviously had a lot of ramifications for his business, which perhaps was unintended. I imagine it was unintended.
Okay, so Forbes publishes this video in September 2019. It rippled through the world, of course, but it also landed on the screens of the people within the Cyprus government. And they watched it in disbelief. A combination of both the police and the intelligence agency of Cyprus was shocked by this. They were like, you're advertising more sophisticated spy tech than we have in our own government.
But I think the main thing that the Cyprus government got mad about is the fact that he was advertising this business that was being conducted out of Cyprus. I mean, this whole business is questionable. Espionage is illegal, you know? And here he's selling tools to do it to who knows who. There are a lot of ethics at play here.
So a few months after this video aired, the Cyprus police decided to just take it down, take it all down.
They move in, they search his premises, they arrest some employees, they go through his stuff, they impound the van, computer hardware, whatever. He's out of the country at the time. They put out an arrest warrant for him, an arrest warrant for his business partner, Avni. Tal Dillion, who was absent at the time, he returned voluntarily to Cyprus from wherever he'd been. That was March 2020.
He got arrested. He was questioned. He was released.
It's not clear what crimes Tal Dillion committed, but the Cyprus government made it clear that they just don't want him running this business in their country. Tal got the message and agreed to pack it up. He had to move this whole operation somewhere new. and looked across the Mediterranean Sea and saw Greece.
Dillion's partner or wife, I believe, is a specialist in creating complex corporate structures. That's the thing that she does.
Tal began working on the paperwork to reestablish his company in Greece. And the whole time he seemed to be a bit sore at the Cyprus government for ruining his plans.
Well, he wrote like an angry op-ed, which was published in a newspaper where he basically said that the government was, you know, creating an unfriendly climate for business and that he was going to take his business elsewhere. And, you know, at least in terms of... premises, he did do that. He did take his office elsewhere. He took it to Athens.
And this, I think, put pressure on the Cyprus government to change their position.
Ultimately, of course, the whole thing was maybe a bit of a storm in a teacup. After a year, he was pretty much exonerated. The police who had carried out the raids were, I think... I mean, it was decided that basically they'd exceeded their powers in such and such a way or whatever.
The whole thing was kind of smoothed over and I think eventually could have gone back to business as normal, except by that time he'd already decided that he wanted to set up a new office in Greece.
Now, you might be wondering, is this spyware, malware, virus thing legal? It's just code. It's just an app. To answer that, let's go to Sudan. In 2003, the Sudanese government had an armed militia called the Janjaweed, and they started conducting genocide on the people of Sudan.
It's believed that over a million children have been killed or tortured or raped or injured or just lost a parent in the last 20 years from this group. And they've been accused of committing crimes against humanity so many times. The killings settled down for a while. But recently there's been another flare-up. Civil war has broke out in Sudan. The Janjaweed are back.
But they changed their name now. And now they're called the Rapid Support Forces. And the boss of them is Hermedi. And Hermedi is one of the richest people in Sudan. And seems to be funding the war against the people of Sudan. Now, Crofton, the reporter we've been talking to in this episode, his specialty is tracking airplanes.
And he was particularly zoomed in on the planes that Tal was getting on and was trying to figure out if his flights had some connections with the business and his customers.
You know, this plane that we linked to Tal Dillion flying into Khartoum and delivering some surveillance tech that wasn't for the regular army, it was for Hometi. And there was a bust up, there was like a flare up between the two sides. And the rapid support forces guys spirited this stuff away, took it out of Khartoum, took it off to Darfur. This was in like May last year.
So when we wrote the piece, There were analysts who we spoke to, you know, spoke about the kind of potentially lethal implications of someone like Hameti having access to, you know, top of the range phone hacking technology.
So, I mean, yeah, to circle back to your question, Sudan's rapid support forces is extremely high on the list of people who it's hard to find a legitimate reason for selling phone hacking equipment to, I believe.
So if Tal is selling his spyware to people in Sudan who are using it to kill innocent civilians, then how much of that responsibility should fall back onto Tal? The kit he has for sale can be weaponized against innocent people. Militia groups who are actively killing their citizens, attempting genocide, and are accused of crimes against humanity now have this spyware in their hands and can use it?
I think conducting weapons deals with Sudan's militia groups should be illegal. But is this spyware a weapon? So anyway, that was one of the trade deals that Crofton was tracking by watching Tal's flights in and out of Sudan.
So he heads to Greece, and Greece has a new government at this point. And the new government comes in in 2019. Now, I racked my brain trying to understand, why Greece?
Why not just establish a base in Israel, his home country, where he's a military veteran there? He knows people there. He can just operate out of there. But I have a theory. I believe Tal really likes what the NSO group is doing, which is creating mobile spyware and selling it to governments around the world. But he also saw all the heat and scrutiny that NSO group was under.
They have to work closely with the Israeli government to share with them who they're doing business with. And there may be some restrictions that have been put on the NSO group, like who they can and can't do business with. And if there weren't restrictions, there is a lot of public outcry and scrutiny of the NSO group of what they should be doing and not doing, which can spoil deals.
I believe Tal saw this huge fire that the NSO group had started and decided to take the wheel and drive right into it. But he would sort of sidestep all the bureaucracy that NSO was tied up in. If the Israeli government required some kind of oversight into the affairs of NSO group, then forget that. Let's set up shop in a different country.
And if NSO couldn't sell to certain regimes, Tal might have saw that as an opportunity to do business with forbidden customers. Cal knows that some people he sells his spyware to misuse it. But his response to this? Well, he told Forbes.
We are not the policemen of the world and we are not the judges of the world.
Which makes me think he may be interested in doing business with anyone. And if that's the case, I'm not sure he only does business with governments. He might be selling his spyware to anyone who can afford it. In 2019, Tal started thinking bigger. That van kitted out with that wispier technology, he wanted to crank that thing up even higher.
Now, he's not the kind of guy that's tapping away on the keyboard writing malware. No, what he's looking for are other companies that are already doing that because he'd want to purchase those companies. Two companies caught his eye, Citrox and Nexa. Citrox made this phone hacking software called Predator. And I believe it was Citizen Lab that first showed us a glimpse into what Predator is.
So I'm Bill Marzak. I am a senior researcher at the Citizen Lab at the University of Toronto. And I do a lot of the technical work at Citizen Lab in tracking what we call the mercenary spyware industry. So companies like NSO or Citrux, which makes Predator.
A couple of people in Egypt felt like something weird was going on on their phone. One was a journalist, one was a politician, and they heard about Citizen Lab and they reached out asking them to examine their phones.
That's right, yeah. We first discovered samples of Predator back in November, December 2021. It's funny, we were actually checking people's phones for Pegasus, but we found one phone and something else caught our eye, which was there was a suspicious process running on the phone right when the forensic data was gathered called Payload 2, which struck us as quite suspicious.
Payload 2 didn't match any previously known malware that they had been tracking on phones. So of course, it was time to crack this open and look closer.
Right. We could see precisely what input or arguments were passed into this process when it was started up. And those arguments included a URL, which was very long, looked quite dodgy. And when we went out and fetched this URL, we were actually able to obtain a binary file for an iPhone. In other words, an application file.
And analysis of this application quite clearly established that it was spyware. It had the capability to, for instance, exfiltrate files from the phone, take passwords, turn on the microphone and listen in to what was going on. So we were actually able to analyze the final payload of the spyware and understand what it was doing.
And through analysis of the payload, as well as analysis of that URL and the website and the URL, we were able to make an attribution back to Predator.
This was a big finding, and they published this for everyone to see. The report was loaded with tons of information too. I mean, not only was it like, here's the malware we found, but it's like, here's what it does, here's how you can detect if it's on your phone, but it also showed the links to how they know that this is the predator spyware made by Cytrox. But it doesn't stop there.
It goes on to say who Cytrax was, who Taldillion was, and all these other companies that may also be involved with this. And then it goes on to say who those companies may be selling this to, actually listing some of the governments that may have bought this.
Yeah, I mean, one of the interesting things that struck us about this company, or this sort of cluster of companies like Intellexa and Citrox that are behind Predator, is there was this very tangled corporate web spanning multiple different countries, and it was tough to figure out exactly what was going on. Like, where were the people actually writing the spyware code physically located?
I mean, we did see some references in the spyware's code, like they were trying to avoid targeting phone numbers in Israel, even though the company is ostensibly or was ostensibly Citroën based in northern Macedonia. So there's all these weird links, which are kind of hard, a little bit hard to make sense of.
And I just want to stop and show respect for this skill for a moment. It's one thing to be able to analyze binary files for an iPhone, but it's a whole other skill set to try to determine the geopolitical ramifications for such an exploit being sold on the mercenary marketplace. You know? In fact, it wasn't just Citizen Lab who was investigating this.
They shared their findings with the security team at Meta, Facebook, who was also investigating. And the combined forces of Citizen Lab and Meta meant that these reports they published were very impressive. Okay, so let's try to connect some of the dots ourselves of what happened here.
An Egyptian politician who was living in exile and an Egyptian journalist were both found to have Predator on their phones. If two people from Egypt are infected with this... It may mean the Egyptian government is using this technology to spy on their civil society, which is spooky.
You'd think they'd be using this to stop terrorists or catch criminals, but they're using it to see what stories a journalist is working on next? This is awful. But when we back up a second and say, okay, so who makes Predator? This company called Cytrox shows up. And we see that Cytrox was bought by Tal Dillion. But we also read about this other company called Nexa.
Nexa was formerly known as Amasis. Amasis was indicted for illegally selling weapons to Libya. In fact, Amasis was charged with crimes against humanity for helping Libya conduct torture. But guess what? While the executives of that company were facing these indictments, Tal started making deals with them.
I don't know exactly what, but at the very least, he was using their technology somehow, either through a partnership or a deal he made with them. And with that technology, he combined the names together, Citrox and Nexa, to form a new company called Intellexa. Combining this new technology with that spy van, Wii Spear stuff he already had,
It meant that Intellexa had quite the arsenal of ways to gather data off a phone and track its location. And he doesn't seem to be bothered by making deals with a company that's been accused of conducting crimes against humanity. The report that Meta came up with showed that Predator may have been sold to the following governments.
Egypt, Armenia, Saudi Arabia, Colombia, Vietnam, Philippines, Germany, and Greece. Of course, Greece, right? I mean, Tal was reestablishing his whole business in Greece at the same time. If he had some kind of partnership with high-ups in the Greek government... then that might be a good reason to move there.
I mean, if he had some connections, then that might help him be able to conduct business without having that long arm of the law messing things up. Well, some Greek journalists saw this report by Meta and Citizen Lab, and they're like, what, spyware may have been sold to the Greek government? We better write a story on this.
A news outlet called Inside Story wrote a piece basically saying, look out, Predator may be in the wild here in Greece.
A nice warning, right? And one person who read that report is a journalist called Thanasis Koukakis. And he read the report and it made him a bit suspicious because one of the people who was mentioned in passing was a man called Felix Bitsios. And Felix Bitsios was someone who Koukakis, the journalist, had been investigating a couple of years before.
And I think seeing the target of his former investigation tied into the corporate structure of a spy company that was operating in Greece kind of set off some red flags for him. And I believe that's what led him to go to the guys at Citizen Lab and ask them to check his phone.
Right. Yeah, we started getting some outreach from Greece. And spoiler alert, we found spyware. So the first confirmation we were able to produce centered around this financial journalist, Phanasis Koukakis, based in Greece, who had contacted us. And he was already a little bit suspicious for a number of reasons about potential surveillance. He noticed his phone acting a little bit weird.
He had flagged some text messages that he thought were a little bit odd. So we instructed him on how to forward some forensic information from his phone. We reviewed it, and lo and behold, we were able to determine that his phone had been hacked successfully with Predator in, I believe it was July 2021.
The Greek paper Inside Story exposed it. And once news broke out, it erupted in an explosion of articles. Then the Committee to Protect Journalists chimed in. Amnesty International echoed the story. The Council of Europe spoke up. It was news that could not be silenced.
It was kind of a rolling thing that just got bigger and bigger. There was all kinds of questions and rumors about who was behind the use of the Predator software in Greece and how it connected to the if you like, kind of quote unquote, like official phone tapping software. And this was puzzling, you know, why? You know, is it two different entities doing it?
Is it, you know, one entity doing it, but just doing it two different ways? Like what's going on there? And that was definitely a question that was in the Greek context that was troubling a lot of people.
Yeah, I mean, one of the really nice things to see in Greece was that there was such tenacity on behalf of the investigative journalist community there. They were so invested, so interested in this story. And we don't really see that in a lot of other countries where we uncover spyware abuses, perhaps because they're more repressive or there's not as much of a tradition or...
It's not really ingrained. Like in Greece, you have this, you know, oh, the birthplace of democracy ingrained in the public consciousness. So there's a lot of people, I think, who feel some responsibility to take action to live up to that legacy.
So just incredible, incredible work by the investigative journalists in Greece taking the story forward, constantly pushing the government and ministers for information and driving this case forward.
The Greek government spoke up and said, we've never heard of this predator spyware, so clearly it's not us, okay? But now that this story made such a stink, other people started wondering if their phones were being targeted too. And so some more Greek people who thought something weird was going on on their phone sent the data to Citizen Lab for analysis.
And yeah, more instances of Predator were found. At this point, three people from Greece's civil society were confirmed to have Predator on their phone. One of these people was a journalist, and the other was the opposition leader, Nikos Andrioulakis, a politician. Now, by this time, Citizen Lab was getting pretty good at understanding how all this worked.
First, the victim would receive a phishing text message, and these were crafty phishing messages.
Some of the common themes are really anything that creates or engenders a sense of urgency to interact with the message to ensure that the target clicks on these in a timely fashion. So, for instance, things about a large unpaid phone bill or something like, oh, you owe the phone company $8,000. It's due in two days. Click here to pay or something.
Or things that are interesting to the target given the upcoming events in the target's life. Like, oh, you have a package delivery is one we see a lot. Click here to customize the delivery of the package. We couldn't reach you.
click here to reschedule delivery, or things like the upcoming vaccine appointment, or here's your boarding pass for your upcoming flight, or here's your registration for this conference. So they can use cues from the target's life to make these seem very plausible for the target to click on.
Once the user clicks the link, it triggers a series of exploits on the phone. It may seem like it's just one click, but there's a whole bunch of steps that have to happen for the phone to get infected. The website exploits something within the Safari browser, which then gets a foothold on the phone. And from there, it downloads additional malware to infect the phone.
And after a few steps, it then has the spyware binary file on the phone, which is able to watch what's going on with the camera, listen on the microphone, scrape passwords, read texts, and of course, report where the person is located. Now, the tricky thing about this malware was as soon as it would infect the phone, it would erase the tracks of the whole infection process.
So while it may have taken a few exploits to get it to work, those exploits were not visible to Citizen Lab since traces of how it got in were wiped. And this stinks because it means they can't go to Apple and show them this vulnerability that needs to be patched. It's like they caught the spy in the building but have no idea how he got in. So you don't know which door or window to go check on.
And you have to think, hold on. If the Greek government paid all this money for this software, surely they didn't get it just to infect these three people. So who else is being targeted with this? People demanded that the Greek government say something now that three people had their phones infected.
And they said, oh, okay, yeah, well, we've heard of this predator spyware, but that's not something we have. Flat out denying it for a second time. But people didn't accept that as a good answer. In fact, they sort of narrowed down who would do such a thing. And they landed on, this must be the work of EYP, which is Greeks Intelligence Agency, pronounced ape. Because here's the thing.
This technology is supposedly only sold to intelligence agencies. So either they did it, or they know who did it, or should be investigating to find out who did it. And if they don't know who did it, then they're bad at their jobs, you know? So Ape has to know something about this.
And this circles back to the Greek prime minister, too, because as soon as he took office in 2019, he moved the Greek intelligence agency to be under the direct control of the prime minister's office. But not all news outlets were angry about this in Greece.
In fact, a lot of mainstream media in Greece was on the government side trying to slander the journalists for bringing up these stories, even slandering the people who were infected by the spyware since they were critical of the government. It was a mess. Now, while all this was going on in Greece, a big conference was kicking off in Prague called ISS World.
ISS World is, you know, it's one of the kind of premier, maybe the premier surveillance technology conference. It happens a few times a year in different locations. There's one in Prague. It's showcasing everything from a large booth featuring hidden away in a kind of inner sanctum presentations of like NSO groups, Pegasus, phone hacking tech, all the way down to open source analytics suites.
I guess there's hidden camera stuff there, audio gathering stuff. But it's like the mecca of the highest end surveillance technology sales. You'll find exhibiting the world's most famous spyware companies like Intellexa, like Kandiru, like NSO Group.
Rayzone, Septier.
Rayzone, Septier, yeah. I mean, they're not quite as famous as the others.
So when you list a bunch of companies like that, I just feel like, oh my gosh, there's got to be a huge story for every one of those companies. Who have they done business with? Who have they spied on? What shady deals are they dealing with? We keep picking on NSO, but I really feel like just walk into the ISS World Conference and every one of these companies are... Are any of them above board?
Are any of them like, oh, no, we're very clean? Or are they all, oh, yeah, this is a cyber weapon that you can use to spy on your citizens with if you want. We don't care. We'll look the other way.
Well, you know, they'll all tell you that they're above board and very clean. You know, that's a constant refrain of the industry. And, you know, it goes back to what we said earlier about like who do you sell to and what are they using it for? And indeed, to the question of like, do these guys even know? Do these companies even know? Can they know?
A lot of them will say that they're very careful about who they sell to, but oh, well, we can't actually monitor what they do with it.
Oh, yeah, that's a whole other degree of responsibility, right? Because how exactly do these targeting systems work? Like, we have this Predator and Intellecta thing, right? Like, does this whole kit and infrastructure and everything get sold to the customer? And then once it's delivered, Intellecta just kind of steps back and wipes their hands clean of the whole thing?
Or is it some kind of hacking as a service type of thing? where the customer tells IntellXa, here's what we want you to target, and then IntellXa does all the infections and delivers the data that they got off the phone.
Or maybe it's a mix of IntellXa doing the infection, and once the spyware is on the phone, then the customer can access that data whenever they want, like listen to the phone calls or see where that person is. We don't know exactly how involved anyone is in all this. You see how this changes where the responsibility lands. Isn't this an important thing to know?
Is the government doing the hacking themselves or is this company doing it with authorization from a government? I mean, think about it like this. The phishing message that journalists got, it looked like a normal article from a financial news website, but the domain was changed from .gr to .online. And that is what hosted the malware.
So someone had to register this domain, get it hosted somewhere, stage the malware on it, and then integrate it into the Predator package. And not to mention, craft a message that the target is likely to click on. And these domains get burned fairly often, so you need to create new ones all the time and integrate that into the package. Is the customer doing all that work?
Or is Intellexa setting all this stuff up to make it easier for the customer to simply point and shoot? So at the conference, do we get kind of any information about Predator, how much it costs or anything?
Um, there was a, there was a document that leaked online right after that conference. Let's see what it was. Um, this was, um, a predator package for, uh, 10, 10 targets at once, a hundred, a hundred successful infections, but 10 running at the same time, one click infection, $8 million. That was the price tag.
One-click infection. I imagine this means that someone has to click once for their phone to be infected, which is pretty sophisticated, I'll say. But the brass ring for spyware is zero-click.
Or maybe you could do something like send a message to someone while they're sleeping, and when the phone tries to process it, like display the preview for what the website's gonna look like, then that preview somehow contains the malware that can infect the phone. Then when the phone gets infected, the text message can be deleted, and you have no idea that anything happened to your phone.
NSO has this capability, and it sounds like Intellecta wishes they did too. We're going to do a quick commercial break here, but come back because things are really heating up in Greece, and you're not going to want to miss this. This episode is sponsored by Arctic Wolf.
Arctic Wolf, an industry leader in managed security operations, surveyed a thousand security and IT professionals across the globe to better understand them. What are their top priorities, current challenges, and future concerns? This survey revealed some startling findings, and you can discover them all in the State of Cybersecurity 2024 Trends Report.
Learn why the number of insider threats spikes severely, what lessons can be learned from the year over year change, and how many organizations disclose a breach. and what cyber attacks struck 70% of organizations. Download the State of Cybersecurity 2024 Trends Report today at arcticwolf.com forward slash darknet. That's arcticwolf.com forward slash darknet.
Now, while all this is going on, Crofton Black, the journalist with Lighthouse Reports, was following where Tao's little Cessna airplane was flying off to, trying to make sense of why Tao would be visiting some of these locations.
The Cessna was kind of key to our reporting because, you know, we found out about the Cessna through researching, you know, the company and the people in the company and what they were doing and where they were going. And that led us to the Cessna.
And the Cessna obviously led us to a bunch of destinations, not only going backwards and forwards between Greece and Cyprus, going to Prague for the spy warfare, but it was also in Sudan. It was in Sudan at the time that our sources on the ground said that this transfer of surveillance tech took place. It was also in Saudi Arabia. It was also in UAE. We were able to follow it.
We were able to trace it for a fair few months going around the place. It was in Israel quite a lot. So, you know, obviously it raises questions about the extent to which, you know, Tau Dillion is or isn't doing business in Israel because that plane was for sure there a fair amount.
Yeah, but you just mentioned Saudi Arabia. And Saudi Arabia and Israel, they're not the best of friends. I'll at least say that, right? They've got some disagreements. And I just wonder how much Tal had to say, like, okay, is this million-dollar deal worth more than my... ally ship to my homeland.
Like if people in my country are getting spied on because of this, or maybe he made a deal of like, you can only spy on your own people, Saudi Arabia. Don't spy on us. If I hear you spying on Israelis, I'm going to pull the plug on this software.
Yeah. I mean, I think there's a lot of back channels between these countries where, you know, there's possibly more kind of intelligence cooperation than you might think. I think there's a long history of the UAE buying Israeli surveillance tech. I don't think it's particularly surprising that Saudi Arabia should be a client. I think these guys, they're a good market, right?
Back in Greece, with this scandal erupting, a newspaper called Documento was saying that they found 35 more people who were infected with this and started publishing the names of these people. And then every Sunday after that, they kept publishing even more names of people infected with Predator. This list was growing big.
There was a media tycoon on there, a cabinet minister, senior military officials, friends of the prime minister's wife. our respected newspaper editor, and even a popular comedian.
Then the Greek government was asked again, and this time they said, Well, actually, it does sound like what happened was that some people got wiretapped, and we do wiretap sometimes, but it's for national security, and we don't use Predator to do it. But any wiretapping we do do, that's legal.
Well, the pressure continued to mount, and it was focused on APE, the Intelligence Department of the Greek government.
You know, we're back in kind of summer last year, where there were actually two resignations from government. One of them was the head of the intelligence agency, and the other one was this guy called Dimitriadis, who was the nephew, he's the nephew of the prime minister, And he's also the kind of head at the time of the, let's say, the prime minister's kind of inner office, if you like.
The sky is at the top of it.
Now, even though people resigned, the government didn't admit to doing anything illegal. They said, what happened might have been legal, but it was also wrong.
What happened might have been legal, but it was also wrong.
Now, once these people resigned, journalists and investigators were looking into who these people were. And it turned out that one of them was the nephew of the prime minister. And he actually had some kind of connection with the NSO group. I think they were trying to discuss the Pegasus software a while back.
He quit. The intelligence head quit. And it's interesting that on exactly the same day, The plane that we've been tracking that's been carrying out its business, based in Greece but going all over the place, also quits and it goes to Israel. And once it gets there, it just sits there for months and doesn't move again.
Of course, journalists and investigators continued asking the Greek government questions, which led us to learn something new.
The sale of the tech to Sudan was confirmed by the government after the Fighting broke out again in Sudan.
Wait, so the Sudanese government said, yeah, we did buy it?
No, the Greek government confirmed that it had been sold to Sudan. Wait, how did they know? Well, they issued the export license.
What? What? What is happening here? Someone at Intellexa applied for an export license to sell their spyware to a group in Sudan who is notorious for committing crimes against humanity. And the Greek government is like, yep, approved. Go for it. Doesn't this put some kind of responsibility now on the Greek government for assisting Sudan in the proliferation of digital weapons?
I'm just so tired of things being blatantly wrong in the world and nothing being done about it. I need some help here. Hello, hello. Let me just turn all the vibrations off. All right.
How are you?
This is John Scott Railton. He's been on the show a few times, and I just like to call him JSR. He works with Bill at Citizen Lab, and he got his hands on this predator malware and analyzed it further. I told him how mad and upset and frustrated I was about all this, and JSR being JSR tried to help.
You know, the thing I did first was neuroscience. That was my old thing. No way. Yeah.
Oh my God.
And one of the big things, so I was working on neuroplasticity and one of the big things that is known about the brain is that anxiety suppresses plasticity and the suppression of plasticity is a good candidate for one of the major causes of depression.
Whoa, whoa, whoa. I'm not ready to get that deep about my feelings right now. Hold on. Let's reset. Why I called JSR was because I wanted to talk with him about the ethics of all this, not how I get depressed about it. Okay, so let's try to understand the implications of all this.
So this world of... I mean, what do you even classify this type of software? Do you call it a cyber weapon? Yeah.
I like to call it mercenary spyware, although I've noticed that a lot of other groups call it commercial spyware. But I like the mercenary term in part because it denotes the idea that these people are probably working for states, whereas commercial, to my ear, could refer to a much broader category of things.
Yeah, and looking at this, I stumbled upon this thing called the ISS World Conference, which seems to be just a venue of all these mercenary spyware groups.
That's right, and I like to frame it sort of like this. After Snowden, a lot of governments... who didn't really know all the cool toys that the US government had, suddenly not only learned, but were like, hey, I got to get some of that. And you have this other dynamic, which is kind of like the first generations of people working within tier one government programs, developing exploitation tools.
are starting to look for a bigger paycheck and a cushy approach to retirement. Thus begins this massive technology and knowledge transfer from some of the most developed cyber powers in the world towards the rest of the world. That's the proliferation as people, whether it's from American or German or Italian or British countries are like, hey, we could really make a business out of this stuff.
And then you add to that kind of this dramatic rise in Israel's high-tech sector combined with a really permissive environment towards export law, and you get yourself a global industry in this technology.
Yeah, I spoke about this in episode 98, which is called Zero Day Brokers. There are people who came through the NSA and were developing exploits while working there, and they realized that they could start their own company developing exploits and then sell that to the NSA and make more money doing that than if they were to work at the NSA. And yeah, some of this tech looks hot.
So I can imagine some other countries wanting this capability too. And while their internal forces may not be sophisticated enough to develop it, they may have the cash to buy it. And who knows where they're buying viruses and malware from, you know? So I'm trying to find that line in my head of when this goes wrong, where's that ethical line? And I've got spy tools myself, right?
I can walk into the store and buy binoculars and a camera and an audio recording device. And I practice hacking things. So sometimes I've got little Little devices that can screw around. And some of that stuff's available commercially at DEF CON, and nobody really puts a big stink about that. Like, oh, this is awful. You're giving this to the criminals of the world. It just kind of is out there.
But there's something about this that's different. And do you have a good sense of when that wind shifts to, ah, this is a stinky wind?
It's a stinky wind, yeah. Yeah. I think that in a democracy, the people who elect the government should have some degree of understanding of how much power the government has to completely pry into their personal lives and when the government can exercise that power. And what is so scary about mercenary spyware like Predator or Pegasus is that it offers a security service a total view
into a person's private world in ways that were never designed to respect existing law about search warrants or search seizures or anything like that, and can just provide that as a turnkey. So the intent really is to provide this total view on an individual.
I think it's also the case that there are a lot of autocrats around the world who want this technology because they really want to hold on to power. And they recognize that making their citizens afraid of having their lives basically dumped out on the digital table silently and remotely without any warning is a core part of how they stay in power.
That fear, that technology of fear is a big part of it. And the fact that Pegasus doesn't respect national borders is a great way for autocrats to basically claw back power into states that they would otherwise have no ability to act in, right? It shouldn't be the case that an autocrat in Togo has dissidents in the UK afraid.
But that can be the case when you acquire this kind of technology because you can experience completely devastating consequences of speaking up against an autocrat or a dictator from around the world. That kind of stuff is just net dangerous to democracy and to freedom.
It appears to me that sometimes when governments get this kind of capability, the temptation is just too high to use it on their wives' friends, their opposition leader. It's just stuff that shouldn't be targeted. Do you have any thoughts about, man, you've got to really get permission. If you buy this tool, you've got to really...
have a lot of oversight on how it's used or something. I don't know. What's the solution there to keep you from being tempted to use it on your enemies?
Well, on your perceived enemies, right? So we know from extradition documents, for example, like Panama's then president, Ricardo Martinelli, apparently got himself a bunch of Pegasus. Well, who did he put under monitoring? People like his business rivals, but also his mistress.
And every morning he would, according to these documents, sit and put his headphones on in his office and listen to the conversations and read the messages of people who he didn't like. That image of a president angry and jealous, prying into the lives of anybody who he felt like it, is a scary image to all of us. And it's scary because that's not part of the social contract, right? That's not...
a power that government should have and any of the existing powers that government has in a you know society like the united states are circumscribed by law right i know my rights you can say at a traffic stop but with something like pegasus if you know your local police department has acquired um Pegasus and has used it against you, do you know your rights?
Do you know whether they were within their rights or authorities to use it? Do you know whether their use of it was properly overseen? What's happening is that this technology is landing in jurisdictions that don't yet have any legal protections around how this stuff gets used. Citizens have nothing to protect them.
And that's really, really scary because you want there to be limits on the power of the state. Without those limits, you're existing in a tyrannical or autocratic regime.
I just realized something. And I don't have time to really research this further, so I'm just going to go off the cuff here. But like Google and Facebook, they know a ton about us, right? They have access to our emails, text messages, friend circles, contacts, even our location. And the police have sometimes asked Google or Facebook for the information on one of their users.
And if given the right warrant or whatever Google needs, Google will turn over that data to the cops. And I don't know, that concept alone kind of prompts me to pull focus in on these big tech companies and how they can spy on us harder than Predator can. And it's built into their terms of service.
But the thing that I just thought about is, what happens when some other country wants data on a Google user? Like the Sudanese government. They might be like, hey, this guy here, he's committed some crimes, right? Can you tell us everything you know about him, Google? does Google have to comply with local law enforcement?
And be like, well, this request came from your military, so yeah, okay, approved, here you go. I guess I want to know, how does Google handle data requests from tyrannical or autocratic regimes?
I see what you're saying. And companies should fight as hard as they can to prevent badly formed or wrong requests for this data. We'd be in a better universe if that stuff was not collected, but it is. That said, I think that something like Pegasus or Predator
is actually even more invasive in some ways than what those apps have, in part because your phone really is, for most people at this point, it's just like nexus of your public and private brain.
And what's really scary is the idea that governments could access this secretly without you ever having to know about it and without a warrant, without any kind of oversight, and without any kind of potential consequence or accountability if they abuse that power, if they get in there and they use it to hurt you.
And we've already seen cases where the fruits of hacking are used to hurt and harm people. So as I see this... There is a constant battle to try to protect a degree of individual privacy from big, powerful interests, whether it is governments or corporations. And we should be fighting this battle on multiple fronts at once. But what we shouldn't do is say, well, okay, you know,
One bad apple is already violating our privacy, so we shouldn't be angry when another bad apple does it. It's different also, if you think about it like this, it's different when an entity that is seeking to monitor your behavior in order to sell you something
learn something about you than an entity that can put you in jail and deny you your freedom based on that information has access to it and that's why in many cases i think it's appropriate for the police to have a harder time getting access to people's private information than you or i might if we wanted to buy a bunch of user data because the consequences are so great good point
Jack, as you're talking about these things, here's how I think about this. There are certain questions about citizens that are probably illegitimate for governments to ask. Certain questions like, do they really believe in politics? you know, so-and-so, president so-and-so, right?
Because once governments start having the ability to get those questions asked and to do so in secret, there may be a temptation to use that information to retaliate and to harm people. And part of why it's critically important to stem the proliferation of spyware like Pegasus and Predator
is not just because it's bad when dictators are able to hack dissidents and chill dissidents, but because in democracies, we really also do not want this kind of capability lurking around out there, tempting governments, local, state, and national to abuse it in ways that will ultimately erode the freedoms that we cherish. Think about it this way. When you make a choice to speak out publicly,
against a government policy that you disagree with. In a democracy, you should have some perception, not just that you are free to speak your mind, you can't be jailed for saying, I disagree with this, but also that it would be inappropriate for the government to retaliate against you for doing this, right?
And what form of retaliation is scarier than the idea that the government could suddenly choose to basically penetrate as deep as it can into your private world and look at all your stuff? What a terrifying thought. That is the thought that people in East Germany live with every day. That is the thought that people living in dictatorships live with every day.
The potential that an angry official could just be like, well, let's see what Jack's worried about at 2 a.m., right? Let's see what health concerns bother him. Let's see what things he's like talking about in the evening with his partner.
But I think it comes down to why. Because if you're trying to say, like, we think he's a terrorist and we want to know what he's doing at 2 a.m., that's almost legitimate to open up my phone and see what I'm up to.
But if it's like, no, we just want to see if he's going to talk about us on his next podcast, then that's – wait, hold on. You can't be doing that.
Yeah. And this is the question. And there are two parts to it. The first is, would they be doing it with proper authority under law? Or are they just doing it like in a 24 episode because there's a ticking time bomb, right?
And spyware merchants love the idea that there are just like all these terror plots and bad actors and the only thing you can do is Kiefer Sutherland it and just like hack them immediately, right? Forget the law, we need to get the bad guys. But the thing is, we know from recent and older history that if governments start being enabled to do that, Bad things inevitably follow.
Temptation to abuse it always follows. Some of the biggest problems that we have today in the United States around privacy come from the post-September 11th period, things like the Patriot Act, right? Hugely invasive stuff. But then the other question, and this is just like equally important, is does the society, does the governmental office that's receiving this data,
have the mechanisms in place to prevent abuse if the people who happen to be holding this stuff in their hands are not good people. or it could be giving into the wrong temptations.
Part of why it's important that we have laws and rule of law is that you want a person who's got some of the power of the state in their hands, whether it's a cop or an investigator or a prosecutor or a politician or whatever, they have to feel that there will be consequences if they misuse that power, and they have to know what the guardrails are around how they can use that power.
One of the big problems with mercenary spyware is that it's arriving in jurisdictions that don't yet have any laws that say how police should or shouldn't or prosecutors should or shouldn't
use this technology in a situation like that the potential for abuse is huge in part because like what's going to be the consequence right people in authority might not even believe there would be any consequence if they abuse the technology that's part of why people like me feel that it's so important to slow the proliferation down because the faster this stuff arrives at jurisdictions that don't have any laws around this the more likely you are to see abuse
I think, unfortunately, we're stuck with the existence of this technology. But slowing down the rate of proliferation is, I think, the best approach we have to limiting the global harm that it's going to cause.
And it is my firm belief that as more and more governments pay attention, they will recognize that a totally uncontrolled, a digital Mogadishu of spyware, where everybody is using this stuff all the time, is a really bad outcome for most governments. And that you will need a degree of protection.
The problem is that willingness to act is, I think, unfortunately contingent on a lot of governments feeling the sting first. I don't think it's an accident that a large number of U.S. government personnel had to get hacked with Pegasus spyware before the U.S. took really decisive action.
Well, the U.S. is taking decisive action against Intelexa now. Reuters published a story a few weeks ago saying the U.S. Commerce Department has blacklisted both Intelexa and Citrax. They've been sanctioned. I think this essentially means it's prohibited in the U.S. to do business with these companies, and I don't really know how this impacts them. Perhaps U.S.
banks can't do business with them now, or maybe it's harder for them to fly on U.S. airlines? I'm not exactly sure. But also if they have investors, this doesn't look good for business. You know, it could shake investors who want to expand to the U.S. someday. But yeah, that's not happening now. Intellectual is part of a dizzying web of companies that are operating in different countries.
The parent company is called Thelestris, which is in Ireland for some reason, and their holding company has declared that they've made $35 million in sales from just doing business in the Middle East. But other sources have said that they've made close to $200 million in sales in the last three years. So it seems like life and business is great for Taldillion and Indalexa.
This will definitely be a company that I'll be keeping an eye on in the future. But with the noise that they seem to be making, sounds like everyone is going to be watching them too. A big thank you to Croft and Black from Lighthouse Reports for coming on the show and sharing the story with us. Also, thanks to Bill Marzak and John Scott Railton from Citizen Lab for telling us what they know.
If you liked this episode, you'll probably also like the episodes about NSO Group, which are episodes 99 and 100. But also, this isn't Greek's first big hacking scandal. If you want to hear another crazy story about Greece, check out episode 64 called Athens Shadow Games. If you like this show, if it brings value to you, consider donating to it through Patreon.
By directly supporting the show, it helps keep ads at a minimum and it tells me you want more of it. So please visit patreon.com slash darknetdiaries and consider supporting the show. You'll also get 10 bonus episodes there as well as an ad-free version of the show. So thank you. The show is made by me, the hesitant skeleton, Jack Recider. Our editor is the bear slayer, Tristan Ledger.
Mixing done by Proximity Sound, who just released a book on how to use Pro Tools. It's called Pro Tools Post Audio Cookbook 2023, and he's done audio production on films, music, and spoken word, and jam packs the book with tons of great tips on how you can be a better audio producer. I'll have a link in the show notes on where to get the book.
Our theme music is by the mysterious Breakmaster Cylinder. I don't like ultra wide screen monitors because the loading bar on them is just like so long. This is Dark Knight Diaries.