Transcription performed by LeahTranscribes[START OF RECORDING]
JACK: You ever think about the proliferation of weapons? Well, shoot, let’s get into it. I want you to think about this guy, Sam Cummings. Here; I found an old vintage documentary made by CNN.
HOST: This is Sam Cummings, and this fifty-seven-year-old is the biggest private military weapons dealer in the world. SAM: The business as a business is fascinating.
HOST: Cummings has sold tens of millions of guns to armies and sportsmen.
JACK: Okay, so how did he become the biggest private military weapons dealer in the world? [MUSIC] Well, the US Department of Defense taught him; that’s how. When he was eighteen, in 1945, he was recruited into the US Army, which at the time, they were just wrapping up WWII. There was a big ramp-up to provide all these weapons for armies around the world to use in wars, and then suddenly the war was over. So, where’s all the weapons gonna go?
HOST: As a young arms buff, Cummings got his start at the CIA. His assignment was to buy surplus weapons in Europe. At the age of twenty-three, he left the spy agency and started his own business.
JACK: Buying surplus weapons in the CIA gave him a crazy idea; how about buy a whole bunch of cheap weapons now that the war is over and then slowly sell them over time? He had all the contacts he needed to go buy them, and so, he did. He was selling them to the public, like to hunters or sportsmen, and was becoming known for having a big supply of weapons. But he wanted bigger deals, and so he started talking to governments around the world. He brought a bunch of AR-10 rifles down to Nicaragua and demonstrated that to them there. Well, the Nicaraguan military was like, ah, that’s cool; send us some of those. Then the Dominican Republic wanted some, and then Cuba wanted some. Yeah, he sold battle rifles to all these places including Fidel Castro, which I think was illegal because it was an embargo not to sell any weapons to Castro, yet it still happened. Fidel Castro bought rifles from him, and he did not seem to get into any trouble for that. I don’t think he cared who he sold to. If you had money, he’d sell you weapons.
HOST: Every morning, Cummings uses a telex to keep in touch with his military customers and branch offices. A telex comes in from Sudan offering surplus military equipment.
SAM: I would go about 25% more than that in dollars if my list is the same as your list.
HOST: Cummings’ military weapons are shipped and stored at Interarms House in Manchester, England. At any given moment there are a quarter of a million guns here, and on little notice, Cummings says he would have no trouble equipping a fair-sized army.
SAM: Depends how large the army would be, but let’s say an army of an average smaller African or Latin-American state is 25,000 to 50,000 men. No problem.
JACK: Can you believe this kind of thing was going on in the fifties and sixties?
HOST: Sam Cummings has sold or bought arms from almost every country in the world. Interarms has supplied Africa, and his company’s weapons have shown up in Egypt. His guns were used at the Bay of Pigs by Fidel Castro and in Nicaragua under Somoza. But Cummings’ best customers are countries in Asia.
JACK: This guy became a billionaire selling hundreds of thousands of weapons to anyone who would pay, and a lot of time he would buy these weapons from Russia, which was in the middle of a cold war with the US.
SAM: I would say the Russians build the best military weapons across the board and they also build them in tremendous quantity, which is the key factor in modern war.
JACK: I don’t know, I feel like this guy’s only ally in life is money. He doesn’t mind selling weapons to places that are actively at war with his home country, you know? So, clearly he doesn’t have an allegiance to the US, and from watching this documentary, he seems to believe that all sides are evil and there’s just no way to take the moral high ground on any of these trade deals. He does seem to have some kind of allegiance to his family, though. He invited this CNN reporter on an eight-hour car ride where they were going on a family trip somewhere, and I think it’s pretty weird to have a reporter in the car with the whole family for eight hours. But, okay.
HOST: He asked us not to take pictures of his wife or his college-age daughters for security reasons.
JACK: Well, strangely enough, years later one of those daughters, Susan, killed her boyfriend by shooting him four times, and was convicted and had to serve prison time.
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: Alright, so, let’s start out with what’s your name and what do you do.
CROFTON: I’m Crofton Black. I’m a reporter at Lighthouse Reports.
JACK: Lighthouse Reports is an investigative non-profit working with some of the world’s leading media companies on topics like migration and surveillance. A lot of episodes you hear on my show are sometimes slapped together in a matter of weeks and it’s only me doing the research, but not this episode. Here we have the luxury of talking with a real reporter who spent lots of time on this story.
CROFTON: Well, this article was a big team effort, right, because — I mean, first of all, we at Lighthouse, we wouldn’t have got involved in it without the work that Inside Story in Greece did, and for me personally, working with those guys was just a huge privilege because they’re so knowledgeable and so capable, and the material they were able to dig up was truly astounding in some cases. I guess for me it was cool ‘cause I’m a plane-tracking guy for a long time and I got into this business as a — doing plane-tracking stuff when I was tracking CIA rendition flights. So, for me it was kind of funny to do a story that combined those two things. That’s never happened before and I wonder if it’ll ever happen again. So, yeah, I’ve got a personal space in my heart for this story for that reason, really.
JACK: The team at Lighthouse Reports spent over six months researching this story, and they worked together with other reporters and journalists and researchers, places like Inside Story in Greece and Haaretz in Israel. They published similar stories, too, and when I first read this story, I was like, whoa, what? So, buckle up and let’s go for a ride. [MOTORCYCLE REVVING] The person at the center of this story is a guy named Tal Dilion.
CROFTON: Tal’s an Israeli entrepreneur, a long-time guy in the cyber business, formally in the military like a lot of those guys are, came out, and he was involved in a very famous phone geolocation outfit called Circles back in the day.
JACK: [MUSIC] So, I want to jump in here and underline this for a second. Tal went through the Israeli military. Specifically he was in Unit 81, which designs new tools for the Israeli military to use. I’ve heard that Unit 81 once designed a little microphone that was supposed to look like a rock so you could just set it down in an area you want to record audio in, and it’s hidden so nobody knows they’re being recorded. I imagine they make a lot of spy gear for the Israeli military. Yeah, so, Tal came out of that division, and when he left the military he created a company called Circles, which I believe was a surveillance company that used SS7 attacks to spy on mobile users. SS7 attacks are really fascinating. I’m not gonna get bogged down into the details of how they work, but real quick; SS7 is a way to exploit mobile carriers into getting info on the users or even taking over their phone number. I believe this company that Tal started, Circles, was using SS7 attacks to collect data from targets and intercept messages and phone calls.
Well, this became quite the service, so much so that NSO Group was like, hey, that’s cool. Can we buy it? Now, NSO Group is someone I’ve covered in detail before. That’s Episode 100, and it’s actually the most-listened to episode of this show. But to quickly recap who they are, NSO Group makes spyware called Pegasus and then sells it to governments around the world who then, well, spy on people. It infects the phone and then gives the government full visibility into it. So, when NSO saw how nifty this Circles company was, they purchased the company from Tal for $140 million. What would you do if you just sold your company for $140 million? Well, I’d move to a nice, warm island somewhere, and that’s just what Tal did, too. He moved to Cyprus, which is an island nation just off the coast of Israel in the Mediterranean Sea. But while there, he started talking with another Israeli named Abraham Avni. Abraham was a businessman and started a company called Pegasus Flight Center in Cyprus. I think they did charter planes. Together, Tal and Abraham started a new project; a surveillance tool.
CROFTON: He had an outfit there called, I think, Wispear. We Spear, Why Spear, something like that.
JACK: It might also be a weird spelling for ‘whisper’. Anyway, Tal started advertising this mobile surveillance technology, and that’s when Forbes is like, hey, that looks interesting. Do you mind showing us on camera what you’re working on? He’s like, sure; come on out. So, Forbes goes to Cyprus and interviews him.
TAL: [MUSIC] Actually, maybe you don’t like to know it, but somebody knows exactly where you are all the time because each of our devices just says, hey, I’m here every, I think, fifteen minutes. Maybe I don’t keep it and maybe I don’t share it with others, but the knowledge is there.
JACK: This video is wild. It’s one of those that when you watch it, your jaw just drops and you’re like, what the hell is this? Tal takes them to his van and then opens the back doors up, and there’s like, two racks of computers, routers, switches, servers. Inside it looks like your classic FBI spy van. There’s a desk and monitors and chairs and electronics panels, antennas. It’s nuts, and Tal is saying, yeah, so this is a $9 million spy van, and here, let me demonstrate.
TAL: We send out two people out of the van. We will trace them. We will intercept them. We will infect them.
JACK: He proceeds to use Wispear to lock on to these two people walking by, and somehow it grabs their data and he’s now in their phones spying on them. It’s a crazy piece of technology, but it’s even crazier that he was willing to show all this off on camera, to be published in Forbes.
CROFTON: I think that’s his rep, you know. He’s known as a guy who — people call him a maverick. They say that he doesn’t play by the rules, that he does unexpected things, and I think that — I think you could class that video in the category of unexpected things, sure. I think it caused quite a stir when it came out the first — in the first place amongst people who follow this kind of stuff. It was kind of, oh, wow, this crazy video has appeared of — we never normally see this stuff. It obviously had a lot of ramifications for his business, which perhaps was unintended. I imagine it was unintended.
JACK: Okay, so, Forbes publishes this video in September 2019. It rippled through the world, of course, but it also landed on the screens of the people within the Cyprus government, and they watched it in disbelief. A combination of both the police and the intelligence agency of Cyprus was shocked by this. They were like, you’re advertising more sophisticated spy tech than we have in our own government. But I think the main thing that Cyprus government got mad about was the fact that he was advertising this business that was being conducted out of Cyprus. This whole business is questionable. Espionage is illegal, you know, and here he’s selling tools to do it to who knows who. There are a lot of ethics at play here. So, a few months after this video aired, the Cyprus police decided to just take it down, take it all down.
CROFTON: [MUSIC] They move in; they search his premises, they make — they arrest some employees, they go through his stuff, they impound the van, computer hardware, whatever. He’s out of the country at the time. They put out an arrest warrant for him, an arrest warrant for his business partner, Avni. Tal Dilion, who was absent at the time, he returned voluntarily to Cyprus from wherever he’d been. That was March 2020. He got arrested. He was questioned. He was released.
JACK: It’s not clear what crimes Tal Dilion committed, but the Cyprus government made it clear that they just don’t want him running this business in their country. Tal got the message and agreed to pack it up. He had to move this whole operation somewhere new, and looked across the Mediterranean Sea and saw Greece.
CROFTON: Dilion’s partner or wife, I believe, is a specialist in creating complex corporate structures. That’s a thing that she does.
JACK: Tal began working on the paperwork to reestablish his company in Greece, and the whole time, he seemed to be a bit sore at the Cyprus government for ruining his plans.
CROFTON: Well, he wrote an angry op-ed which was published in a newspaper where he basically said that the government was creating an unfriendly climate for business and that he was gonna take his business elsewhere. At least in terms of premises, that is, well, he did do that. He did take his office elsewhere; he took it to Athens.
JACK: This, I think, put pressure on the Cyprus government to change their position.
CROFTON: Ultimately, of course, the whole thing was maybe a bit of a storm in a teacup. After a year he was pretty much exonerated. The police who had carried out the raids were, I think — I mean, it was decided that basically they’d exceeded their powers in such and such a way or whatever. The whole thing was kind of smoothed over and I think eventually could have gone back to business as normal except by that time, he’d already decided that he wanted to set up a new office in Greece.
JACK: You might be wondering, is this spyware, malware, virus thing legal? It’s just code. It’s just an app. To answer that, let’s go to Sudan. [MUSIC] In 2003, the Sudanese government had an armed militia called the Janjaweed, and they started conducting genocide on the people of Sudan. It’s believed that over a million children have been killed or tortured or raped or injured or just lost a parent in the last twenty years from this group. They’ve been accused of committing crimes against humanity so many times. The killings settled down for a while, but recently there’s been another flare up. Civil war has broke out in Sudan. The Janjaweed are back, but they changed their name now, and now they’re called the Rapid Support Forces, and the boss of them is Hemedti, and Hemedti is one of the richest people in Sudan and seems to be funding the war against the people of Sudan. Now, Crofton, the reporter we’ve been talking to in this episode, his specialty is tracking airplanes, and he was particularly zoomed in on the planes that Tal was getting on, and was trying to figure out if his flights had some connections with the business and his customers.
CROFTON: This plane that we linked Tal Dilion flying into Khartoum and delivering some surveillance tech, that wasn’t for the regular army; it was for Hemedti. There was a bus stop; there was a flare-up between the two sides, and the Rapid Support Forces guys spirited this stuff away, took it out of Khartoum, took it off to Darfur. This was in May last year. So, when we wrote the piece, there were analysts who we spoke to — spoke about the potentially lethal implications of someone like Hemedti having access to top-of-the-range phone-hacking technology. So, yeah, to circle back to your question, Sudan’s Rapid Support Forces is extremely high on the list of people who it’s hard to find a legitimate reason for selling phone-hacking equipment to, I believe.
JACK: So, if Tal is selling his spyware to people in Sudan who are using it to kill innocent civilians, then how much of that responsibility should fall back onto Tal? The kit he has for sale can be weaponized against innocent people. Militia groups who are actively killing their citizens, attempting genocide, and are accused of crimes against humanity now have this spyware in their hands and can use it? I think conducting weapons deals with Sudan’s militia groups should be illegal. [PLANE ENGINE] But is this spyware a weapon? So, anyway, that was one of the trade deals that Crofton was tracking by watching Tal’s flights in and out of Sudan.
CROFTON: So, he heads to Greece, and Greece has a new government at this point. The new government comes in in 2019.
JACK: Now, I wracked my brain trying to understand; why Greece? Why not just establish a base in Israeli, his home country where he’s a military veteran there? He knows people there. He could just operate out of there. But I have a theory. I believe Tal really likes what the NSO Group is doing, which is creating mobile spyware and selling it to governments around the world. But he also saw all the heat and scrutiny that NSO Group was under. They have to work closely with the Israeli government to share with them who they’re doing business with, and there may be some restrictions that have been put on the NSO Group, like who they can and can’t do business with.
If there weren’t restrictions, there is a lot of public outcry and scrutiny of the NSO Group of what they should be doing and not doing, which can spoil deals. I believe Tal saw this huge fire that the NSO Group had started and decided to take the wheel and drive right into it, but he would sort of sidestep all the bureaucracy that NSO was tied up in. If the Israeli government required some kind of oversight into the affairs of NSO Group, then forget that. Let’s set up shop in a different country. If NSO couldn’t sell to certain regimes, Tal might have saw that as an opportunity to do business with forbidden customers. Tal knows that some people he sells his spyware to misuse it, but his response to this? Well, he told Forbes.
TAL: We are not the policemen of the world and we are not the judges of the world.
JACK: Which makes me think he may be interested in doing business with anyone. If that’s the case, I’m not sure he only does business with governments. He might be selling his spyware to anyone who can afford it. In 2019, Tal started thinking bigger. That van kitted out with that WiSpear technology, well, he wanted to crank that thing up even higher. Now, he’s not the kind of guy that’s tapping away on the keyboard writing malware. No; what he’s looking for are other companies that are already doing that, because he’d want to purchase those companies. Two companies caught his eye; Cytrox and Nexa. Cytrox made this phone-hacking software called Predator, and I believe it was Citizen Lab that first showed us a glimpse into what Predator is.
BILL: So, I’m Bill Marczak. I am a senior researcher at the Citizen Lab at the University of Toronto, and I do a lot of the technical work at Citizen Lab in tracking what we call the mercenary spyware industry. So, companies like NSO or Cytrox, which makes Predator.
JACK: A couple of people in Egypt felt like something weird was going on on their phone. One was a journalist; one was a politician. They heard about Citizen Lab and they reached out, asking them to examine their phones.
BILL: That’s right, yeah. We first discovered samples of Predator back in November, December 2021. It’s funny; we were actually checking people’s phones for Pegasus, but we found one phone and something else caught our eye, which was there was a suspicious process running on the phone right when the forensic data was gathered called Payload 2, [MUSIC] which struck us as quite suspicious.
JACK: Payload 2 didn’t match any previously-known malware that they had been tracking on phones. So, of course, it was time to crack this open and look closer.
BILL: Right. We could see precisely what input or arguments were passed into this process when it was started up, and those arguments included a URL, which was very long, looked quite dodgy. When we went out and fetched this URL, we were actually able to obtain a binary file for an iPhone. In other words, an application. Analysis of this application quite clearly established that it was spyware. It had the capability to, for instance, exfiltrate files from the phone, take passwords, turn on the microphone and listen in to what was going on. So, we were actually able to analyze the final payload of the spyware and understand what it was doing, and through analysis of the payload as well as analysis of that URL and the website in the URL, we were able to make an attribution back to Predator.
JACK: This was a big finding, and they published this for everyone to see. The report was loaded with tons of information, too. I mean, not only was it like, here’s the malware we found, but it’s like, here’s what I does, here’s how you can detect if it’s on your phone, but it also showed the links to how they know that this is the Predator spyware made by Cytrox. But it doesn’t stop there. It goes on to say who Cytrox was, who Tal Dilion was, and all these other companies that may also be involved with this. Then it goes on to say who those companies may be selling this to, actually listing some of the governments that may have bought this.
BILL: Yeah. One of the interesting things that struck us about this company, or this sort of cluster of companies like Intellexa and Cytrox that are behind Predator, is there was this very tangled corporate web spanning multiple different countries and it was tough to figure out exactly what was going on. Where were the people actually writing the spyware code physically located? We did see some references in the spyware’s code; like, they were trying to avoid targeting phone numbers in Israel even though the company is ostensibly or was ostensibly Cytrox-based in Northern Macedonia. So, there’s all these weird links which are hard — a little bit hard to make sense of.
JACK: I just want to stop and show respect for this skill for a moment. It’s one thing to be able to analyze binary files for an iPhone, but it’s a whole other skill set to try to determine the geopolitical ramifications for such an exploit being sold on the mercenary marketplace, you know? In fact, it wasn’t just Citizen Lab who was investigating this. They shared their findings with the security team at Meta, Facebook, who was also investigating, and the combined forces of Citizen Lab and Meta meant that these reports they published were very impressive. Okay, so let’s try to connect some of the dots ourselves of what happened here. An Egyptian politician who was living in exile and an Egyptian journalist were both found to have Predator on their phones. If two people from Egypt are infected with this, it may mean the Egyptian government is using this technology to spy on their civil society, which is spooky.
You’d think they’d be using this to stop terrorists or catch criminals, but they’re using it to see what stories a journalist is working on next? This is awful. But when we back up a second and say, okay, so, who makes Predator, this company called Cytrox comes up. We see that Cytrox was bought by Tal Dilion, but we also read about this other company called Nexa. Nexa was formally known as Amesys. Amesys was indicted for illegally selling weapons to Libya. In fact, Amesys was charged with crimes against humanity for helping Libya conduct torture. But guess what? While the executives of that company were facing these indictments, Tal started making deals with them. I don’t know exactly what, but at the very least he was using their technology somehow, either through a partnership or a deal he made with them. With that technology, he combined the names together, Cytrox and Nexa, to form a new company called Intellexa, combining this new technology with that spy van WiSpear stuff he already had.
It meant that Intellexa had quite the arsenal of ways to gather data off a phone and track its location. He doesn’t seem to be bothered by making deals with a company that’s been accused of conducting crimes against humanity. The report that Meta came up with showed that Predator may have been sold to the following governments; Egypt, Armenia, Saudi Arabia, Colombia, Vietnam, Philippines, Germany, and Greece. Of course Greece, right? Tal was reestablishing his whole business in Greece at the same time. If he had some kind of partnership with high-ups in the Greek government, then that might be a good reason to move there. If he had some connections, then that might help him be able to conduct business without having that long arm of the law messing things up. Well, some Greek journalists saw this report by Meta and Citizen Lab, and they were like, what, spyware may have been sold to the Greek government? We better write a story on this. A news outlet called Inside Story wrote a piece basically saying, look out; Predator may be in the wild here in Greece. A nice warning, right?
CROFTON: Someone — one person who read that report is a journalist called Thanasis Koukakis. He read the report and it made him a bit suspicious because one of the people who was mentioned in passing was a man called Felix Bitsios, and Felix Bitsios was someone who Koukakis, the journalist, had been investigating a couple of years before. I think seeing the target of his former investigation tied into the corporate structure of a spy company that was operating in Greece kind of set off some red flags for him, and I believe that’s what led him to go to the guys at Citizen Lab and ask him — ask them to check his phone.
BILL: Right. Yeah, we started getting some outreach from Greece, and spoiler alert; we found spyware. So, the first confirmation we were able to produce centered around this financial journalist, Thanasis Koukakis based in Greece, who had contacted us, and he was already a little bit suspicious for a number of reasons about potential surveillance. He noticed his phone acting a little bit weird. He had flagged some text messages that he thought were a little bit odd. So, we instructed him on how to forward some forensic information from his phone. [MUSIC] We reviewed it and lo and behold, we were able to determine that his phone had been hacked successfully with Predator, and I believe it was July 2021.
JACK: The Greek paper Inside Story exposed it, and once news broke out, it erupted in an explosion of articles. Then the Committee to Protect Journalists chimed in, Amnesty International echoed the story, the Council of Europe spoke up; it was news that could not be silenced.
CROFTON: Okay, it was kind of a rolling thing that just got bigger and bigger. There was all kinds of questions and rumors about who was behind the use of the Predator software in Greece and how it connected to the, if you like, quote, unquote, “official” phone-tapping software. This was puzzling. Why? Is it two different entities doing it? Is it one entity doing it but just doing it two different ways? What’s going on there? That was definitely a question that was — in the Greek context that was troubling a lot of people.
BILL: Yeah, one of the really nice things to see in Greece was that there was this — such tenacity on behalf of the investigative journalist community there. They were so invested, so interested in this story, and we don’t really see that in a lot of other countries that — where we uncover spyware abuses, perhaps because they’re more repressive or there’s not as much of a tradition or it’s not really — in Greece you have this — oh, the birthplace of democracy ingrained in the public consciousness. So, there’s a lot of people, I think, who feel some responsibility to take action, to live up to that legacy. So, just incredible, incredible work by the investigative journalists in Greece taking this story forward, constantly pushing the government and ministers for information, and driving this case forward.
JACK: The Greek government spoke up.
SPEAKER: [SPEAKING GREEK]
JACK: …and said, well, we’ve never heard of this Predatory spyware, so clearly it’s not us, okay? But now that this story made such a stink, other people started wondering if their phones were being targeted, too. So, some more Greek people who thought something weird was going on on their phone sent the data to Citizen Lab for analysis, and yeah, more instances of Predator were found. At this point, three people from Greece’s civil society were confirmed to have Predator on their phone. One of these people was a journalist and the other was the opposition leader, Nikos Angelakis, a politician. Now, by this time, Citizen Lab was getting pretty good at understanding how all this worked. First, the victim would receive a phishing text message, and these were crafty phishing messages.
BILL: Some of the common themes are really anything that creates or engenders a sense of urgency to interact with the message to ensure that the target clicks on these in a timely fashion. So, for instance, things about a large, unpaid phone bill or something. Like, oh, you owe the phone company $8,000. It’s due in two days. Click here to pay, or something. Or things that are interesting to the target given, upcoming events in the targets life. Like, oh, you have a package delivery, is one we see a lot. Click here to customize the delivery of the package. We couldn’t reach you; click here to reschedule delivery, or things like the upcoming vaccine appointment or upcoming — here’s your boarding pass for your upcoming flight or here’s your registration for this conference. So, they can use queues from the target’s life to make these seem very plausible for the target to click on.
JACK: [MUSIC] Once the user clicks the link, it triggers a series of exploits on the phone. It may seem like it’s just one click, but there’s a whole bunch of steps that have to happen for the phone to get infected. The website exploits something within the Safari browser which then gets a foothold on the phone, and from there it downloads additional malware to infect the phone, and after a few steps, it then has the spyware binary file on the phone which is able to watch what’s going on with the camera, listen on the microphone, scrape passwords, read texts, and of course, report where the person is. Now, the tricky thing about this malware was as soon as it would infect the phone, it would erase the tracks of the whole infection process. So, while it may have taken a few exploits to get it to work, those exploits were not visible to Citizen Lab since traces of how it got in were wiped. This stinks because it means they can’t go to Apple and show them this vulnerability that needs to be patched. It’s like they caught the spy in the building but have no idea how he got in, so you don’t know which door or window to go check on. You have to think, hold on, if the Greek government paid all this money for this software, surely they didn’t get it just to infect these three people. So, who else is being targeted with this?
People demanded that the Greek government say something now that three people had their phones infected. They said, oh, okay, yeah, well, we’ve heard of this Predator spyware, but that’s not something we have, flat-out denying it for a second time. But people didn’t accept that as a good answer. In fact, they sort of narrowed down who would do such a thing, and they landed on this must be the work of EYP, which is Greek’s intelligence agency, pronounced ‘eep’. Because here’s the thing; this technology is supposedly only sold to intelligence agencies. So, either they did it or they know who did it or should be investigating to find out who did it. If they don’t know who did it, then they’re bad at their jobs, you know? So, EYP has to know something about this. This circles back to the Greek prime minister, too, because as soon as he took office in 2019, he moved the Greek intelligence agency to be under the direct control of the prime minister’s office. But not all news outlets were angry about this in Greece. In fact, a lot of mainstream media in Greece was on the government’s side, trying to slander the journalists for bringing up these stories, even slandering the people who were infected by the spyware since they were critical of the government. It was a mess. Now, while all this was going on in Greece, a big conference was kicking off in Prague called ISS World.
CROFTON: [MUSIC] ISS World is — it’s one of the kind of premiere — maybe the premiere surveillance technology conference. It happens a few times a year in different locations. There’s one in Prague. It’s showcasing everything from a large booth featuring — hidden away in a kind of inner sanctum — presentations of NSO Group’s, Pegasus’ phone-hacking tech, all the way down to open-source analytic suites. I guess hidden — there’s hidden camera stuff there, audio-gathering stuff, but it’s the mecca of the highest-end surveillance technology sales. You’ll find exhibiting there the world’s most famous spyware companies like Intellexa, like Candiru, like NSO Group.
JACK: Rayzone, Septier…
CROFTON: Rayzone, Septier, yep. They’re not quite as famous as the others, but they’re…
JACK: So, when you list a bunch of companies like that, I just feel like, oh my gosh, there’s gotta be a huge story for every one of those companies. Who have they done business with? Who have they spied on? What shady deals are they dealing with? We keep picking on NSO, but I really feel like — just walk into the ISS World Conference, and every one of the companies are — are any of them above-board? Are any of them like, oh no, we’re very clean? Or are they all — oh yeah, this is a cyber weapon that you can use to spy on your citizens with if you want. We don’t care; we’ll look the other way.
CROFTON: Well, they’ll all tell you that they’re above-board and very clean. That’s a constant refrain of the industry and it goes back to what we said earlier about who’d you sell to and what are they using it for. Indeed, to the question of like, do these guys even know, do these companies even know, can they know; a lot of them will say that they are very careful about who they sell to, but oh well, we can’t actually monitor what they do with it.
JACK: Yeah, that’s a whole other degree of responsibility, right? Because how exactly do these targeting systems work? We have this Predator and Intellexa thing, right? Does this whole kit and infrastructure and everything get sold to the customer, and then once it’s delivered, Intellexa just kinda steps back and wipes their hands clean of the whole thing? Or is it some kind of hacking-as-a-service type of thing where the customer tells Intellexa, here’s what we want you to target, and then Intellexa does all the infections and delivers the data that they got off the phone? Or maybe it’s a mix of Intellexa doing the infection and once the spyware is on the phone, then the customer can access that data whenever they want, like listen to the phone calls or see where the person is. We don’t know exactly how involved anyone is in all this.
You see how this changes where the responsibility lands, right? Isn’t this an important thing to know? Is the government doing the hacking themselves or is this company doing it with authorization from a government? Think about it like this; the phishing message that that journalist got, it looked like a normal article from a financial news website, but the domain was changed from .gr to .online, and that is what hosted the malware. So, someone had to register this domain, get it hosted somewhere, stage the malware on it, and then integrate it into the Predator package, not to mention craft a message that the target is likely to click on. These domains get burned fairly often, so you need to create new ones all the time and integrate that into the package. Is the customer doing all that work or was Intellexa setting all this stuff up to make it easier for the customer to simply point and shoot? So, at the conference, do we get any information about Predator, how much it costs or anything?
CROFTON: There was a document that leaked online right after that conference. Let’s see what it was. This was a Predator package for ten targets at once. A hundred successful infections, but ten running at the same time. One-click infection. $8 million. That was the price tag.
JACK: [MUSIC] One-click infection. I imagine this means that someone has to click once for their phone to be infected, which is pretty sophisticated, I’ll say. But the brass ring for spyware is zero-click, where maybe you could do something like send a message to someone while they’re sleeping and when the phone tries to process it, like display the preview for what the website’s gonna look like, then that preview somehow contains the malware that can infect the phone. Then when the phone gets infected, the text message can be deleted and you have no idea that anything happened to your phone. NSO has this capability, and it sounds like Intellexa wishes they did, too. We’re gonna do a quick commercial break here but come back, because things are really heating up in Greece and you’re not gonna want to miss this. [PLANE ENGINE] While all this is going on, Crofton Black, the journalist with Lighthouse Reports, was following where Tal’s little Cessna airplane was flying off to, trying to make sense of why Tal would be visiting some of these locations.
CROFTON: The Cessna was kind of key to our reporting because we found out about the Cessna through researching the company and the people in the company and what they were doing and where they were going, and that led us to the Cessna. The Cessna obviously led us to a bunch of destinations not only going backwards and forwards between Greece and Cyprus, going to Prague for the spyware fair, but it was also in Sudan. It was in Sudan at the time that our sources on the ground said that this transfer of surveillance tech took place. It was also inside Arabia. It was also in the UAE. We were able to follow it. We were able to trace it for a fair few months going around the place. It was in Israel quite a lot, so obviously it raises questions about the extent to which Tal Dilion is or isn’t doing business in Israel, because that plane was for sure there a fair amount.
JACK: Yeah, but you just mentioned Saudi Arabia, and Saudi Arabia and Israel, they’re not the best of friends. We’ll say that, right? They’ve got some disagreements. I just wonder how much Tal had to say. Like, okay, is this million-dollar deal worth more than my allyship to my homeland? If people in my country are getting spied on because of this — or maybe he made a deal of like, you could only spy on your own people, Saudi Arabia. Don’t spy on us. If I hear you spying on Israelis, I’m gonna pull the plug on this software.
CROFTON: Yeah, I mean, I think there’s a lot of back channels between these countries where there’s possibly more intelligence corporation than you might think. I think there’s a long history of the UAE buying Israeli surveillance tech. I don’t think it’s particularly surprising that Saudi Arabia should be a client. I think these guys are — they’re a good market, right?
JACK: Back in Greece with this scandal erupting, a newspaper called Documento was saying that they found thirty-five more people who were infected with this, and started publishing the names of these people. Then every Sunday after that, they kept publishing even more names of people infected with Predator. This list was growing big. There was a media tycoon on there, a cabinet minister, senior military officials, friends of the prime minister’s wife, a respected newspaper editor, and even a popular comedian. Then the Greek government was asked again, and this time they said…
SPEAKER: [SPEAKING GREEK]
JACK: Well, actually, it does sound like what happened was that some people got wire-tapped, and we do wire-tap sometimes, but it’s for national security and we don’t use Predator to do it. But any wire-tapping we do do, that’s legal. Uh-huh. Well, the pressure continued to mount and was focused on EYP, the intelligence department of the Greek government.
CROFTON: We’re back in kind of summer last year where there were actually two resignations from government. One of them was the head of the intelligence agency and the other one was this guy called Dimitriadis, who was the nephew — he’s the nephew of the prime minister and he’s also the kind of head at the time of the — let’s say the prime minister’s kind of in a office, if you like; this guy is at the top of it.
JACK: Now, even though people resigned, the government didn’t admit to doing anything illegal. They said, what happened might have been legal, but it was also wrong.
SPEAKER: [SPEAKING GREEK]
JACK: Now, once these people resigned, journalists and investigators were looking in to who these people were, and it turned out that one of them was the nephew of the prime minister, and he actually had some kind of connection with the NSO Group. I think they were trying to discuss the Pegasus software a while back.
CROFTON: He quit. The intelligence head quit. It’s interesting that on exactly the same day, the plane that we’ve been tracking that’s been carrying out its business based in Greece but going all over the place also quits, and it goes to Israel and once it gets there, it just sits there for months and doesn’t move again.
JACK: Of course, journalists and investigators continued asking the Greek government questions, which led us to learn something new.
CROFTON: The sale of the tech to Sudan was confirmed by the government after the fighting broke out again in Sudan.
JACK: Wait, so the Sudanese government said, yeah, we did buy it?
CROFTON: No, the Greek government confirmed that it had been sold to Sudan.
JACK: Wait; how did they know?
CROFTON: Well, they issued the export license.
JACK: What? What? What is happening here? Someone at Intellexa applied for an export license to sell their spyware to a group in Sudan who is notorious for committing crimes against humanity, and the Greek government is like, yep, approved. Go for it. Doesn’t this put some kind of responsibility now on the Greek government for assisting Sudan in the proliferation of digital weapons? Ugh, I’m just so tired of things being blatantly wrong in the world and nothing being done about it. I need some help here. [RINGING] Hello, hello.
JOHN: Hi, Jack. Let me just turn all the vibrations off.
JACK: Alright.
JOHN: How are you?
JACK: This is John Scott-Railton. He’s been on the show a few times and I just like to call him JSR. He works with Bill at Citizen Lab, and he got his hands on this Predator malware and analyzed it further. I told him how mad and upset and frustrated I was about all this, and JSR, being JSR, tried to help.
JOHN: You know, the thing I did first was neuroscience. That was my old thing.
JACK: No way.
JOHN: Yeah.
JACK: Oh my god.
JOHN: One of the big things — so, I was working on neuroplasticity and one of the big things that is known about the brain is that anxiety suppresses plasticity, and the suppression of plasticity is a good candidate for one of the major causes of depression.
JACK: Whoa, whoa, whoa. I’m not ready to get that deep about my feelings right now. Hold on. Let’s reset. Why I called JSR was because I wanted to talk with him about the ethics of all this, not how I get depressed about it. Okay, so let’s try to understand the implications of all this. So, this world of — I mean, what do you even classify this type of software? Do you call it a cyber weapon?
JOHN: I like to call it mercenary spyware, although I’ve noticed that a lot of other groups call it commercial spyware. But I like the mercenary term in part because it sort of denotes the idea that these people are probably working for a state, whereas commercial, to my ear, could refer to a much broader category of things.
JACK: Yeah, and looking at this, I stumbled upon this thing called the ISS World Conference, which seems to be just a venue of all these mercenary spyware groups.
JOHN: That’s right, and I like to frame it sort of like this; after Snowden, a lot of governments who didn’t really know all the cool toys that the US government had suddenly not only learned but were like, hey, I gotta get some of that. You have this other dynamic which is kind of like the first generations of people working within tier-one government programs developing exploitation tools. I was starting to look for a bigger paycheck and a cushy approach to retirement. Thus begins this massive technology and knowledge transfer from some of the most developed cyber powers in the world towards the rest of the world. That’s the proliferation as people — whether it’s from American or German or Italian or British countries, they’re like, hey, we could really make a business out of this stuff. Then you add to that this dramatic rise in Israel’s high-tech sector combined with a really permissive environment towards export law, and you get yourself a global industry in this technology.
JACK: Yeah, I spoke about this in Episode 98, which is called Zero-Day Brokers. There are people who came through the NSA and were developing exploits while working there, and they realized that they could start their own company developing exploits and then sell that to the NSA and make more money doing that than if they were to work at the NSA. Yeah, some of this tech looks hot, so I can imagine some other companies wanting this capability, too. While their internal forces may not be sophisticated enough to develop it, they may have the cash to buy it. Who knows where they’re buying viruses and malware from, you know? So, I’m trying to find that line in my head of when this goes wrong. Where’s that ethical line? I’ve got spy tools myself, right? I can walk into the store and buy binoculars and a camera and an audio-recording device. I practice hacking things, so sometimes I’ve got little devices that can screw around. Some of that stuff’s available commercially at Defcon and nobody really puts a big stink about that, like, oh, this is awful; you’re giving this to the criminals of the world. It just kinda is out there. But there’s something about this that’s different, and can you — do you have a good sense of when that wind shifts to this is a stinky wind?
BILL: It’s a stinky wind, yeah. I think that in a democracy, the people who elect the government should have some degree of understanding of how much power the government has to completely pry into their personal lives and when the government can exercise that power. What is so scary about mercenary spyware like Predator or Pegasus is that it offers a security service, a total view into a person’s private world in ways that were never designed to respect existing law about search warrants or search and seizures, anything like that, and can just provide that as a turnkey. So, the intent, really, is to provide this total view on an individual. I think it’s also the case that there are a lot of autocrats around the world who want this technology because they really want to hold onto power and they recognize that making their citizens afraid of having their lives basically dumped out on the digital table silently and remotely without any warning is a core part of how they stay in power. That fear or that technology of fear is a big part of it, and the fact that Pegasus doesn’t respect national borders is a great way for autocrats to basically claw back power into states that they would otherwise have no ability to act in, right? It shouldn’t be the case that an autocrat in Togo has dissidents in the UK, afraid. But this can be the case when you acquire this kind of technology, because you can experience completely devastating consequences of speaking up against an autocrat or a dictator from around the world. That kind of stuff is just net dangerous to democracy and to freedom.
JACK: It appears to me that sometimes when governments get this kind of capability, the temptation is just too high to use it on their wives’ friends, their opposition leader. It’s just stuff that shouldn’t be targeted. Do you have any thoughts about, man, this — you’ve gotta really get permission once you — if you buy this tool, you’ve gotta really have a lot of oversight on how it’s used or something. I don’t know, what’s the solution there to keep you from being tempted to use it on your enemies? I mean, use it on civil society, right?
CROFTON: Well, on your perceived enemies, right? So, we know from extradition documents, for example; Panama’s then president Ricardo Martinelli apparently got himself a bunch of Pegasus. Well, who did he put under monitoring? People like his business rivals but also his mistress, and every morning he would, according to these documents, sit and put his headphones on in his office and listen to the conversations and read the messages of people who he didn’t like. That image of a president, angry and jealous, prying into the lives of anybody who he felt like it is a scary image to all of us, and it’s scary because that’s not part of the social contract, right? That’s not a power that government should have.
Any of the existing powers that government has in a society like the United States are circumscribed by law, right? I know my rights, you can say at a traffic stop. But with something like Pegasus, if your local police department has acquired Pegasus and has used it against you, do you know your rights? Do you know whether they were within their rights or authorities to use it? Do you know whether their use of it was properly overseen? What’s happening is that this technology is landing in jurisdictions that don’t yet have any legal protections around how this stuff gets used. Citizens have nothing to protect them, and that’s really, really scary because you want there to be limits on the power of the state. Without those limits, you’re existing in a tyrannical or autocratic regime.
JACK: God, I just realized something, and I don’t have time to really research this further, so I’m just gonna go off the cuff here, but Google and Facebook, they know a ton about us, right? They have access to our e-mails, text messages, friend circles, contacts, even our location. The police have sometimes asked Google or Facebook for the information on one of their users, and if given the right warrant or whatever Google needs, Google will turn over that data to the cops. I don’t know, that concept alone kinda prompts me to pull focus in on these big tech companies and how they can spy on us harder than Predator can, and it’s built into their terms of service. But the thing that I just thought about is what happens when some other country wants data on a Google user, like the Sudanese government? They might be like, hey, this guy here? Yeah, he’s committed some crimes, right? Can you tell us everything you know about him, Google? Does Google have to comply with local law enforcement and be like, well, this request came from your military, so, yeah, okay; approved. Here you go. I guess I want to know, how does Google handle data requests from tyrannical or autocratic regimes?
BILL: I see what you’re saying, and companies should fight as hard as they can to prevent badly-formed or wrong requests for this data. We’d be in a better universe if that stuff was not collected, but it is. That said, I think that something like Pegasus or Predator is actually even more invasive in some ways than what those apps have, in part because your phone really is, for most people at this point, it’s just — nexus of your public and private brain. What’s really scary is the idea that governments could access this secretly without you ever having to know about it and without a warrant, without any kind of oversight, and without any kind of potential consequence or accountability if they abuse that power, if they get in there and they use it to hurt you. We’ve already seen cases where the fruits of hacking are used to hurt and harm people.
So, as I see this, there is a constant battle to try to protect a degree of individual privacy from big, powerful interests, whether it is governments or corporations. We should be fighting this battle on multiple fronts at once, but what we shouldn’t do is say, well, okay, one bad apple is already violating our privacy, so we shouldn’t be angry when another bad apple does it. It’s different, also, if you think about it like this; it’s different when an entity that is seeking to monitor your behavior in order to sell you something learns something about you than an entity that can put you in jail and deny you your freedom based on that information — has access to it, and that’s why, in many cases, I think it’s appropriate for the police to have a harder time getting access to people’s private information than you or I might if we wanted to buy a bunch of user data, because the consequences are so great.
JACK: Good point.
BILL: You know, Jack, as you’re talking about these things, here’s kind of how I think about this; there’s certain questions about citizens that are probably illegitimate for governments to ask, certain questions like do they really believe in so-and-so — President So-and-so, right? Because once governments start having the ability to get those questions asked and to do so in secret, they may start — there may be a temptation to use that information to retaliate and to harm people. Part of why it’s critically important to stem the proliferation of spyware like Pegasus and Predator is not just because it’s bad when dictators are able to hack dissidents and chill dissidents. But because in democracies, we really also do not want this kind of capability lurking around out there tempting governments, local, state, and national, to abuse it in ways that will ultimately erode the freedoms that we cherish.
Think about it this way; when you make a choice to speak out publicly against a government policy that you disagree with, in a democracy you should have some perception not just that you are free to speak your mind; you can’t be jailed for saying ‘I disagree with this’, but also that it would be inappropriate for the government to retaliate against you for doing this, right? What form of retaliation is scarier than the idea that the government could suddenly choose to basically penetrate as deep as it can into your private world and look at all your stuff? What a terrifying thought. That is the thought that people in East Germany lived with every day. That is the thought that people living in dictatorships live with every day, the potential that an angry official could just be like, well, let’s see what Jack’s worried about at 2:00 AM, right? Let’s see what health concerns bother him. Let’s see what things he’s talking about in the evening with his partner.
JACK: But I think it comes down to why, because if you’re trying to say we think he’s a terrorist and we want to know what he’s doing at 2:00 AM, that’s almost legitimate to open up my phone and see what I’m up to. But if it’s like, no, we just want to see if he’s gonna talk about us on his next podcast, then that’s — wait, hold on, you can’t be doing that.
BILL: Yeah, so the — and this is the question, and there are two parts to it. The first is would they be doing it with proper authority under law or are they just doing it like in a 24 episode because there’s a ticking time bomb, right? Spyware merchants love the idea that they are just like, all these terror plots and bad actors — and the only thing you can do is Kiefer Sutherland it and just hack them immediately, right? Forget the law; we need to get the bad guys. But the thing is we know from recent and older history that if governments start being enabled to do that, bad things inevitably follow. Temptation to abuse it always follows. Some of the biggest problems that we have today in the United States around privacy come from the post-September 11th period, things like the Patriot Act, right? Hugely invasive stuff. But then the other question — and this is equally important — is does the society, does the governmental office that’s receiving this data have the mechanisms in place to prevent abuse if the people who happen to be holding this stuff in their hands are not good people or could be giving in to the wrong temptations?
Part of why it’s important that we have laws and rule of law is that you want a person who’s got some of the power of the state in their hands, whether it’s a cop or an investigator, a prosecutor, politician, or whatever, they have to feel that there will be consequences if they misuse that power and they have to know what the guardrails are around how they can use that power. The problem — one of the big problems with mercenary spyware is that it’s arriving in jurisdictions that don’t yet have any laws, that say how police should or shouldn’t or a prosecutor should or shouldn’t use this technology. In a situation like that, the potential for abuse is huge in part because what’s gonna be the consequence, right? People in authority might not even believe there would be any consequence if they abuse the technology.
That’s part of why people like me feel that it’s so important to slow the proliferation down, because the faster this stuff arrives at jurisdictions that don’t have any laws around this, the more likely you are to see abuse. I think unfortunately we’re stuck with the existence of this technology, but slowing down the rate of proliferation is, I think, the best approach we have to limiting the global harm that it’s gonna cause, and it is my firm belief that as more and more governments pay attention, they will recognize that a totally uncontrolled — a digital Mogadishu of spyware where everybody is using this stuff all the time is a really a bad outcome for most governments and that you will need a degree of protection. The problem is that willingness to act is, I think, unfortunately contingent on a lot of governments feeling the sting first. I don’t think it’s an accident that a large number of US government personnel had to get hacked with Pegasus spyware before the US took really decisive action.
JACK: Well, the US is taking decisive action against Intellexa now. Reuters published a story a few weeks ago saying the US Commerce Department has blacklisted both Intellexa and Cytrox. They’ve been sanctioned. I think this essentially means it’s prohibited in the US to do business with these companies, and I don’t really know how this impacts them. Perhaps US banks can’t do business with them now or maybe it’s harder for them to fly on US airlines. I’m not exactly sure. But also, if they have investors, this doesn’t look good for business, you know? It could shake investors who want to expand to the US someday. But yeah, that’s not happening now. Intellexa is part of a dizzying web of companies that are operating in different countries. The parent company is called Thalestris, which is in Ireland, for some reason, and their holding company has declared that they’ve made $35 million in sales from just doing business in the Middle East. But other sources have said that they made close to $200 million in sales in the last three years. So, it seems like life and business is great for Tal Dilion and Intellexa. This will definitely be a company that I’ll be keeping an eye on in the future. But with the noise that they seem to be making, sounds like everyone is gonna be watching them, too.
(OUTRO): [OUTRO MUSIC] A big thank-you to Crofton Black from Lighthouse Reports for coming on the show and sharing this story with us. Also, thanks to Bill Marczak and John Scott-Railton from Citizen Lab for telling us what they know. If you liked this episode, you’ll probably also like the episodes about NSO Group, which are episodes 99 and 100. But also, this isn’t Greek’s first big hacking scandal. If you want to hear another crazy story about Greece, check out Episode 64, called Athens Shadow Games. If you like this show, if it brings value to you, consider donating to it through Patreon. By directly supporting the show, it helps keep ads at a minimum and it tells me you want more of it. So, please visit patreon.com/darknetdiaries and consider supporting the show.
You’ll also get ten bonus episodes there as well as an ad-free version of the show. So, thank you. This show is made by me, the hesitant skeleton, Jack Rhysider. Our editor is the bear-slayer, Tristan Ledger, mixing done by Proximity Sound who just released a book on how to use pro tools. It’s called Pro Tools Post-Audio Cookbook 2023, and he’s done audio production on films, music, and spoken word, and jam-packs the book with tons of great tips on how you could be a better audio producer. I’ll have a link in the show notes on where to get the book. Our theme music is by the mysterious Breakmaster Cylinder. I don’t like ultra-wide screen monitors because the loading bar on them is just so long. This is Darknet Diaries.
[END OF RECORDING]