Predator scandal: the European surveillance market is a black hole
They call it the Greek Watergate, but the case of illegal wiretapping concerns all of Europe. And Italy is the leading exporter of surveillance systems in the EU

March 21, 2023

Lorenzo Bagnoli
Riccardo Coluccini

Journalists, ministers, publishers, entrepreneurs, all caught up in the Watergate of Athens. That’s what the Greek media are calling the scandal over illegal wiretapping directly involving the government of Nea Dimokratia, the centre-right party of Prime Minister Kyriakos Mitsotakis. The kind of wiretapping that Greek law forbids

The latest blow to the government was dealt on November 6th, when the newspaper Document, close to the opposition Syriza party, published a list of 33 names of those who were targeted by Predator, a spyware similar to the better-known, Israeli-made Pegasus, which IrpiMedia has already written about. The prime minister of Nea Demokratia, the ruling liberal-conservative party, is said to have authorised the operation conducted by the Greek secret service (EYP) with the aim of gathering information to compile dossiers on opponents, powerful figures and even members of his own government. The official position is that the executive had nothing to do with the operation, but the connections between the entrepreneurs involved in the Predator affair and the government are increasingly detailed.

The scandal broke last January in Greece, when some local journalists – including colleagues from the Reporters United news consortium – began publishing information about the victims of spying and the network of entrepreneurs who brought this technology to Athens. In particular, one article reported on the links between politics and one of the owners of the companies involved in the scandal. In response, the authors were subjected to lawsuits «the sole aim of which is to intimidate journalists», Reporters Without Borders wrote.

The shadow of Greek Watergate looms over Europe

The spyware in question, Predator, is developed by the company Cytrox, originally based in North Macedonia, and now part of the Intellexa Alliance group: a conglomerate based in Greece and led by Tal Dilian, a former member of the Israeli intelligence community who also boasts Maltese citizenship, acquired through a passport sales scheme. The joint venture has a presence in Greece, Cyprus, Ireland, France and Hungary. While Cytrox produces Predator, the company that supplied the software to the state is called Krikel. According to the Greek newspaper Inside Story, although on paper they are different entities, Krikel and Intellexa can be traced back to the same Greek businessmen with close ties to the government. 

The Greek scandal was the subject of an investigation by the European Parliament PEGA Committee of Inquiry. The committee was set up in 2022, with the aim of gathering information on surveillance systems that violate the Charter of Fundamental Rights of the European Union. It was prompted by the revelations of the Pegasus Project, a journalistic investigation led by Forbidden Stories that uncovered instances of abuse of the Pegasus spyware in Poland, Hungary and other European countries. Those instances have led to the realisation that the problem is much broader than the individual spyware. 

Just recently, members of the Committee were in Greece to investigate the effects of the spying campaign. According to the PEGA investigation, however, it is not possible to establish even in official documents who is the real owner of the company, confirming the opacity of the whole operation. Krikel obtained six contracts with the Ministry of Citizen Protection (which is responsible for crime fighting, public security and emergency management) for the technical maintenance of a Greek police radio communication system, counter-surveillance technology and two other hand-portable radio systems. Thanks to these contracts, Krikel grew from zero turnover in 2017 to a €7.4 million project in 2021. That same year, the National Intelligence Service purchased a wiretapping system from the Italian company RCS Lab through Krikel, an authorised reseller in Greece. RCS had recently been acquired by Italy’s Cy4gate group, a direct competitor of the Israeli company NSO, the developer of Pegasus.

«Greece is a country where in 2021, a single prosecutor that is in charge of the national intelligence service, signed within one year 15,975 decisions to wiretap people for reasons of national security», Thanasis Koukakis, one of the first journalists caught in Predator’s crosshairs, said during his PEGA Committee hearing.

Koukakis is an investigative journalist specialising in the financial sector. In April 2022, he found out that he had been infected with spyware from 12 July to 24 September 2021, but his mobile phone had already been bugged for several months in 2020. In the following months, according to the PEGA Committee report, at least 33 high-profile targets were discovered. «Critical journalists or officials fighting corruption and fraud face intimidation and obstruction and there is no whistleblower protection», reads the draft report that was presented in a press conference by the rapporteur, Dutch MEP Sophie in ‘t Veld. «The trade in spyware benefits from the EU internal market and free movement», the text continues. «Certain EU countries are attractive as an export hub, as – despite the EU’s reputation of being a tough regulator – enforcement of export regulations is weak.»

Until then, criticism of surveillance system exports focused on the fact that the purchasing countries were totalitarian or repressive regimes. But the Predator case in Greece exposed all the flaws within the European Union. Compounding these weaknesses, which have existed for some time, is the fact that the new regulation on the control of dual-use items (i.e. goods that can be used for both civil and military purposes) does not monitor the intra-European market. Increased transparency is still only a promise, and in fact, Member States retain wide discretion over the information they release regarding the countries where surveillance items are exported.

Tal Dilian, the former intelligence officer behind the “Alliance”

Predator’s activities have been known for almost a year. In December 2021, researchers at the Citizen Lab, an interdisciplinary laboratory at the University of Toronto, reported the existence of a spyware that had hitherto gone unnoticed. The researchers discovered through analysis that it is called Predator and is produced by the previously little-known developer Cytrox. The company structure is labyrinthine: Cytrox reportedly began as a start-up in North Macedonia, but its name could not be found in the country’s corporate registry, while it appears to have a corporate presence in Israel and Hungary.

Citizen Lab’s analysis revealed the presence of servers communicating with the spyware in Greece. Confirmation also came from a second December 2021 report, published by the US company Meta (owner of Facebook, Instagram, and WhatsApp), with a list of web domains that were compromised with Cytrox software. This is how malware usually enters a device, when the target is induced to click on a spoofed website. Among those identified by Meta were spoofed versions of Greek newspapers Kathimerini and Inside Story: kathimerini[.]news and insider[.]gr[.]com. Meta removed about 300 Facebook and Instagram accounts linked to Cytrox, and clearly identified customers in Greece, among other countries.

As we mentioned, Cytrox is part of the Intellexa Alliance, along with Nexa Technologies, WiSpear and Senpai Technologies. According to Gizmodo, Intellexa made its first public appearance in 2019, when it was unveiled at Abu Dhabi’s IDEX military industry conference, where companies showcase their products in search of potential new customers. Intellexa is described by founder Tal Dilian as a “one-stop shop” offering a wide range of hacking tools, from exploits for wireless network vulnerabilities to trojans. Dilian would be extremely familiar with such tech, as the former head of the military intelligence department known as Unit 81.

Before Intellexa, Dilian created Circles, a company that came under the NSO umbrella in 2014. Circles offers exploits for vulnerabilities in mobile networks to locate a person anywhere in the world. Even Italy’s Hacking Team came into contact with Circles, as emails published a few years later by WikiLeaks have revealed. Dilian is said to have met with a Hacking Team manager in Munich to discuss business between the two companies in 2013.

Behind Intellexa is a holding company registered in the British Virgin Islands, Aliada Group Inc, 32% of which is controlled by an Israeli investment fund. Aliada is named in a court case in Israel dating back to June 2016, where the company is described as “a group of cyberweapon companies whose products are branded under the name Intellexa». 

Intellexa and its subsidiaries

Intellexa’s capabilities are the result of a partnership between several companies, each one with its specific expertise. Some of them have already been involved in suspicious operations. Nexa Technologies/Amesys is a French-registered company that sold surveillance technology to Libyan dictator Muammar Gaddafi in 2007 and to Egyptian President Abdel Fattah al-Sisi in 2014. On June 16th and 17th 2021, four of its executives were indicted by the Paris Judicial Court for complicity in torture and enforced disappearance in Libya in 2013 and enforced disappearance in Egypt.

Another subsidiary is WiSpear – now Passitora Ltd – which offers data extraction via wireless network, according to a recent investigation by the Israeli newspaper Haaretz in collaboration with the Greek newspaper Inside Story based on a document presenting the group’s products. It was WiSpear that got Dilian himself into trouble: in November 2021, the company was fined more than €900,000 for illegally collecting identification data from computers and smartphones passing through Larnaca airport in Cyprus. To do this, WiSpear allegedly used a van equipped with the company’s products, which was even shown in a rare interview with Forbes. Dilian was initially arrested, but later released after the prosecutor dropped the charges against him and two other people connected to the company. However, the Larnaca criminal court imposed a €76,000 fine on WiSpear.

Finally, there is Cytrox, which extracts data from mobile phones of specific targets with its spyware. Originally, in the Gizmodo interview, Tal Dilian stated that the alliance included five other non-public partners. According to the presentation seen by Haaretz, a fourth Cypriot company is Poltrex. It is not clear what products it offers, but IrpiMedia was able to locate at least one former employee on LinkedIn, who also worked for NSO before moving on to Poltrex.

In 2022, several websites and Twitter accounts shared documents about an agreement between Intellexa and an unspecified government. According to Haaretz , the firm provides a three-part service: the first is the hacking technology, with the ability to spy on 10 live targets at the same time; the second part is a software, called Nova Platform, capable of bringing all the data together; the third part, Haaretz continues, involves the sale of support and project management services (including “technical, operational and methodological support”), something that is not allowed under Israeli law. They can market technologies, in fact, and not services. The complete package is sold at a price of $8 million. 

In July 2022, Sophie in ‘t Veld sent a letter to the CEO of Intellexa on behalf of the PEGA Committee, seeking clarification about the corporate structure and the legal status of the company. A spokesperson for the MEP confirmed to IrpiMedia that no reply has been received so far. In the meantime, we learned that Europol has asked five European countries whether further investigations have been launched into the Pegasus and Predator software.

Loopholes in the European market

This is not the first time a foreign surveillance company has managed to enter the European market through the front door despite existing regulations. Intellexa is an Israeli alliance, but uses its affiliates in Cyprus and Greece to gain a foothold in Europe. So does the Israeli NSO, which relies on affiliated companies based in EU countries. One of the keys to the European market for NSO was Circles, founded by Dilian.

In the e-mails stolen from Hacking Team and published by WikiLeaks, a small start-up company claims to offer services similar to those of Circles; the start-up, modelled on Dilian’s company, is also considering where to set up its headquarters. The email reads: «Circles and other open theirs in countries like Bulgaria when the founders are of course not from Bulgaria so sales approval to Gov’s are easier from regulations point of view». In other words, they are taking advantage of the fact that Bulgaria is in the European Union: for the export of surveillance technology within EU countries, the regulation only requires approval for specific products, largely unrelated to digital surveillance technology.

In 2019, Bulgarian and Cypriot authorities denied having granted export licenses to NSO, after receiving a request for clarification from the digital rights organisation Access Now. The NSO Group closed the Cyprus offices of Circles in 2020, according to a report by Vice, which spoke with two former employees. 

In a hearing, NSO explained to the PEGA Committee that 12 EU countries use a total of 15 Pegasus systems (the list is still incomplete). Two European countries were previously NSO customers, but their contracts were terminated, allegedly for misuse of spyware. Yet in an interview in July 2021, Shalev Hulio, then CEO of NSO, stated that most of the company’s 45 customers came from Europe.

It is unclear whether the sale of these technologies has been authorised by the Israeli government, which is responsible for monitoring NSO, or whether the sales have come from other European countries. In the latter case, there would be no need to go through governmental approval.

Also benefiting from loopholes within the European system is an Italian company, RCS Lab, historically one of the official suppliers of wiretapping systems, according to a recent investigation by Lighthouse Reports and IrpiMedia. RCS Lab provides remote geolocation tools that exploit vulnerabilities in global phone networks, as well as spyware. 

Greece is one of the markets where RCS Lab has expanded. According to the Greek newspaper Inside Story, the Italian company was awarded a contract worth €6.2 million to provide voice and data traffic monitoring for 1,100 mobile devices and 500 landlines. These specifications appear to be in line with the descriptions of Mito, a monitoring centre capable of collecting and analysing data from different sources, reads the product brochure that Lighthouse Reports shared with IrpiMedia: audio recordings of conversations and phone calls, internet traffic, data from social networks, emails, chats, and data extracted from devices. RCS clarified by email that «the “Predator” system has never been integrated into the Mito platform, nor has RCS Lab ever had direct experience or any knowledge of it».

However, RCS Lab also offers technologies for direct data collection. In another brochure, the company explains that it has telephone and internet traffic interception probes at its disposal that can support the surveillance of «hundreds of remote targets accessible simultaneously». These probes can capture phone traffic in addition to internet traffic. The technology is also capable of massively collecting internet traffic data and extracting metadata to separate and identify traffic generated by applications such as WhatsApp, Messenger, Twitter, Skype, or Telegram. 

RCS did not provide any answers or clarifications regarding possible links with Krikel, and emphasised that exports of its products «can only be made to those countries to which the competent national authorities provide regular export authorisation».

However, Italy’s Foreign Ministry told IrpiMedia that «the export of dual-use items within the EU is free (with the exception of the nuclear sector), and therefore not subject to licensing by UAMA». UAMA is the Armaments Material Licensing Unit responsible for dual-use items. The lack of transparency in sales within the EU is not an isolated case: little is also known about the total number of export authorisations granted and the purchasing countries. A Freedom of Information request sent by IrpiMedia was rejected because an old regulation excludes UAMA activities from access to records. The refusal was also restated in the reply to a request for reconsideration submitted by IrpiMedia: issues of «security, national defence, the exercise of national sovereignty and the continuity and fairness of international relations» prevent the disclosure; in addition, according to the Ministry, the new European regulation approved in September 2021 on the export of dual-use technologies limits the autonomy of Member States favour of the Union: the Ministry sends its statistical data to the European Commission, which then produces an annual report on it.

Further proof, according to the ministry, is the fact that UAMA does not submit a public report to the Italian Parliament, as is the case for conventional armaments. Dual-use items, such as surveillance technology, are considered far more confidential than a military jet. The Ministry concluded its reply by saying that the existence of a report produced by the European Commission should be considered sufficient to prevent any transparency loopholes in this sector.

Lack of transparency in the new export regulation

In September 2022, the European Commission presented a report to the EU Parliament, summarising its activities regarding the implementation of a Union regime for the control of dual-use items in 2021, and including some aggregate data on licenses granted in 2020.

With the update to the European regulation governing the export of such products, coming into effect in September 2021, the EU has sought to introduce more requirements on the transparency for export licenses granted by individual Member States. In addition, broader categories such as cyber-surveillance technologies and biometric technologies have been included.

The new regulation also introduced a Dual Use Coordination Group (DUCG), chaired by a representative of the Commission and one from each Member State to monitor the application of export rules. The DUCG, reads the September report, collected information from European states on cyber-surveillance technologies exported in 2020. The data shows a sharp decline in licenses: from nearly 200 granted in 2017 to 39 in 2020. In the same period, the report says, 32 denials were issued for cyber-surveillance items. Unfortunately, the data is aggregated and not broken down for each European country, and information on destination countries is also missing.

Granted licenses

Number of cyber surveillance technology licenses granted in Europe from 2014 to 2020

The data is shown for 3 specific categories of technology: telecommunication interception systems, Internet monitoring systems, and tools for intrusion software (spyware). The former are consistently the leading exports and are also the most common: the classic wiretapping systems commonly used by law enforcement agencies in our countries.

This is aggregate data, but an interesting detail emerges from another graph: in terms of sheer export value, technologies falling under the category telecommunications and “information security” (including electronic devices used in warfare as well as device interception systems and monitoring systems) are in first place, followed by nuclear materials and equipment.

Licenses value

Authorised export value by categories of dual-use items in 2020. Cyber surveillance technologies are in first place

Despite the lack of transparency from the Foreign Ministry, the Italian government has offered occasional glimpses into the foreign market for its surveillance companies. Claudio Guarnieri, a cybersecurity expert who at the time was the head of Amnesty International’s Security lab, showed during his hearing before the PEGA Commission the results of a FOIA request sent in 2019. The Ministry of Economic Development, which was in charge of issuing export authorisations at the time, provided statistics for the years 2017 and 2018. In that period, 11 authorisations were granted for systems or software used to facilitate or control intrusion with spyware; 21 authorisations for internet network monitoring; and 3 authorisations for mobile network interception or interference systems.

If one compares these data with those collected in the European Commission’s report, the role played by Italy is immediately evident: about 38% of the authorisations for intrusion software were granted to Italian companies, but the percentage rose to 75% for those related to Internet network monitoring.

No information was provided about the purchasing countries. The new export regulation stipulates that this data must be provided by the Member States and included in the final report, but there is a clause in the European regulation, whereby countries may choose not to provide this information wherever «legal requirements concerning the protection of personal information, commercially sensitive information or protected defence, foreign policy or national security information» apply.

The black hole that should not exist, according to the Italian Ministry of Foreign Affairs, may well be already written into the regulation.

Latest updates (by Riccardo Coluccini)

Over a year ago, Reporters United opened its investigation into the Greek wiretapping scandal with a report that has since put Prime Minister Kyriakos Mitsotakis under scrutiny and revelations haven’t stopped. More victims have also been confirmed, among them Renew Europe MEP Giorgos Kyrtsos and investigative journalist Tasos Teloglou, according to a report by the Hellenic Authority for Communication Security and Privacy (ADAE). ADAE’s investigation also proved the wiretapping of six additional people, including a minister, generals and military personnel.

In December 2022, a new investigation by Reporters United revealed how for almost two years the Minister of Justice, the Minister of State and the EYP have been sabotaging the creation of a digital archive that  ADAE would use to carry out audits. In this way the authority’s mission has been undermined and to carry out an audit ADAE has to go directly to the telecommunication providers. 

In January 2023 the Greek Data Protection Authority issued a 50,000 euro fine to Intellexa for failing to cooperate as part of an ongoing spyware investigation. In the meantime the Hellenic police searched homes of individuals and company facilities allegedly related to the case.

Greece’s parliament passed a bill criminalising the sale or possession of spyware and making the private use of spyware a felony punishable by up to 10 years’ imprisonment. Only EYP and the anti-terrorism unit can request a prosecutor’s approval to monitor people and a second prosecutor must sign the request. However, politicians can still be monitored for national security reasons but the parliament’s speaker must also approve such requests. Those affected can be informed about the surveillance three years later, if prosecutors allow it.



Lorenzo Bagnoli
Riccardo Coluccini


Raffaele Angius

In partnership with

Privacy International

Data visualisation

Lorenzo Bodrero

Cover photo