The Biden administration took a public stand last year against the abuse of spyware to target human rights activists, dissidents and journalists: It blacklisted the most notorious maker of the hacking tools, the Israeli firm NSO Group.
But the global industry for commercial spyware — which allows governments to invade mobile phones and vacuum up data — continues to boom. Even the U.S. government is using it.
The Drug Enforcement Administration is secretly deploying spyware from a different Israeli firm, according to five people familiar with the agency’s operations, in the first confirmed use of commercial spyware by the federal government.
At the same time, the use of spyware continues to proliferate around the world, with new firms — which employ former Israeli cyberintelligence veterans, some of whom worked for NSO — stepping in to fill the void left by the blacklisting. With this next generation of firms, technology that once was in the hands of a small number of nations is now ubiquitous — transforming the landscape of government spying.
One firm, selling a hacking tool called Predator and run by a former Israeli general from offices in Greece, is at the center of a political scandal in Athens over the spyware’s use against politicians and journalists.
After questions from The New York Times, the Greek government admitted that it gave the company, Intellexa, licenses to sell Predator to at least one country with a history of repression, Madagascar. The Times has also obtained a business proposal that Intellexa made to sell its products to Ukraine, which turned down the sales pitch.
Predator was found to have been used in another dozen countries since 2021, illustrating the continued demand among governments and the lack of robust international efforts to limit the use of such tools.
The Times investigation is based on an examination of thousands of pages of documents — including sealed court documents in Cyprus, classified parliamentary testimonies in Greece and a secret Israeli military police investigation — as well as interviews with more than two dozen government and judicial officials, law enforcement agents, business executives and hacking victims in five countries.
The most sophisticated spyware tools — like NSO’s Pegasus — have “zero-click” technology, meaning they can stealthily and remotely extract everything from a target’s mobile phone, without the user having to click on a malicious link to give Pegasus remote access. They can also turn the mobile phone into a tracking and secret recording device, allowing the phone to spy on its owner. But hacking tools without zero-click capability, which are considerably cheaper, also have a significant market.
Commercial spyware has been used by intelligence services and police forces to hack phones used by drug networks and terrorist groups. But it has also been abused by numerous authoritarian regimes and democracies to spy on political opponents and journalists. This has led governments to a sometimes tortured rationale for their use — including an emerging White House position that the justification for using these powerful weapons depends in part on who is using them and against whom.
The Biden administration is trying to impose some degree of order to the global chaos, but in this environment, the United States has played both arsonist and firefighter. Besides the D.E.A.’s use of spyware — in this case, a tool called Graphite, made by the Israeli firm Paragon — the C.I.A. during the Trump administration purchased Pegasus for the government of Djibouti, which used the hacking tool for at least a year. And F.B.I. officials made a push in late 2020 and the first half of 2021 to deploy Pegasus in their own criminal investigations before the bureau ultimately abandoned the idea.
In a statement to The Times, the Drug Enforcement Administration said that “the men and women of the D.E.A. are using every lawful investigative tool available to pursue the foreign-based cartels and individuals operating around the world responsible for the drug-poisoning deaths of 107,622 Americans last year.”
Steven Feldstein, an expert at the Carnegie Endowment for International Peace in Washington, has documented the use of spyware by at least 73 countries.
“The penalties against NSO and its ilk are important,” he said. “But in reality, other vendors are stepping in. And there’s no sign it’s going away.”
The Biden Presidency
Here’s where the president stands after the midterm elections.
- A New Primary Calendar: President Biden’s push to reorder the early presidential nominating states is likely to reward candidates who connect with the party’s most loyal voters.
- A Defining Issue: The shape of Russia’s war in Ukraine, and its effects on global markets, in the months and years to come could determine Mr. Biden’s political fate.
- Beating the Odds: Mr. Biden had the best midterms of any president in 20 years, but he still faces the sobering reality of a Republican-controlled House for the next two years.
- 2024 Questions: Mr. Biden feels buoyant after the better-than-expected midterms, but as he turns 80, he confronts a decision on whether to run again that has some Democrats uncomfortable.
Arsonist and Firefighter
For more than a decade, NSO sold Pegasus to spy services and law enforcement agencies around the world. The Israeli government required the company to secure licenses before exporting its spyware to a particular law enforcement or intelligence agency.
This allowed the Israeli government to gain diplomatic leverage over countries eager to purchase Pegasus, such as Mexico, India and Saudi Arabia. But a mountain of evidence about the abuse of Pegasus piled up.
The Biden administration took action: A year ago, it placed NSO and another Israeli firm, Candiru, on a Commerce Department blacklist — banning American companies from doing business with the hacking firms. In October, the White House warned of the dangers of spyware in its national security strategy outline, which said the administration would fight the “illegitimate use of technology, including commercial spyware and surveillance technology, and we will stand against digital authoritarianism.”
The administration is coordinating an investigation into what countries have used Pegasus or any other spyware tools against American officials overseas.
Congress is working on a bipartisan bill requiring the director of national intelligence to produce an assessment of the counterintelligence risks to the United States posed by foreign commercial spyware. The bill would also give the director of national intelligence the authority to ban the use of spyware by any intelligence agency. The White House is working on an executive order with other restrictions on the use of spyware.
But there are exceptions. The White House is allowing the D.E.A. to continue its use of Graphite, the hacking tool made by Israel-based Paragon, for its operations against drug cartels.
A senior White House official, who spoke on condition of anonymity, said the White House executive order being prepared would target spyware that posed “counterintelligence and security risks” or had been used improperly by foreign governments. If any such evidence emerged against Paragon, the official said, the White House expects that the government would terminate its contract with the company.
“The administration has been clear that it will not use investigative tools that have been used by foreign governments or persons to target the U.S. government and our personnel, or to target civil society, suppress dissent or enable human rights abuses,” the official said. “We expect all departments and agencies to act consistent with this policy.”
Similar to Pegasus, the NSO tool, Graphite spyware can invade the mobile phone of its target and extract its contents. But unlike Pegasus, which collects data stored inside the phone itself, Graphite primarily collects data from the cloud, after data is backed up from the phone. This can make it more difficult to discover the hack and theft of information, according to cybersecurity experts.
An official with the Drug Enforcement Administration said Graphite had been used only outside the United States, for the agency’s operations against drug traffickers. The agency did not respond to questions about whether Graphite had been used against any Americans living abroad or to questions about how the agency handled information about American citizens — messages, phone contacts or other information — that the agency obtained when using Graphite against its targets.
D.E.A. officials met in 2014 with NSO about purchasing Pegasus for its operations, a meeting reported earlier by Vice News, but the agency decided against purchasing the spyware.
Paragon’s sales are regulated by the Israeli government, which approved the sale of Graphite to the United States, according to an official aware of Israel’s defense export licensing agreements.
The company was founded just three years ago by Ehud Schneorson, a former commander of Unit 8200, Israel’s equivalent of the National Security Agency. Little public information is available about the company; it has no website. Most of the company’s executives are Israeli intelligence veterans, some of whom worked for NSO, according to two former Unit 8200 officers and a senior Israeli official.
Ehud Barak, the former Israeli prime minister, sits on the company’s board, and American money helps finance its operations. Battery Ventures, a Boston-based fund, lists Paragon as one of the companies in which it invests. A representative for Paragon declined to comment.
Even as the U.S. government purchases and deploys Israeli-made spyware with one hand, the Biden administration’s move to rein in the commercial spyware industry with the other has frayed relations with Israel.
Israeli officials have pushed to get NSO and Candiru removed from the Commerce Department blacklist to no avail.
Amir Eshel, the director general of the Israeli Defense Ministry, said Israeli officials had been trying to find out the U.S. government’s redlines on commercial spyware.
Despite these efforts, Mr. Eshel said, “senior government officials are not ready to answer us, address the issue or explain their point of view.”
The Biden administration’s move to blacklist NSO and Candiru has had a financial impact. To prevent the blacklisting of other companies, Israel’s Defense Ministry has imposed tougher restrictions on the local cybersecurity industry, including by reducing the number of countries to which those companies can potentially sell their products to 37 from 110, according to two senior Israeli officials and an Israeli tech company executive. With fewer countries available as potential buyers, many Israeli spyware companies, most famously NSO, have taken a severe financial hit. Three others have gone bankrupt.
This new landscape, however, provided new opportunities for others to seize.
Tal Dilian did just that.
A former general in Israeli military intelligence, Mr. Dilian was forced to retire from the Israeli Defense Forces in 2003 after an internal investigation raised suspicions that he had been involved in funds mismanagement, according to three people who were senior officers in military intelligence. He eventually moved to Cyprus, a European Union island nation that has become a favored destination in recent years for surveillance firms and cyberintelligence experts.
In 2008 in Cyprus, Mr. Dilian co-founded Circles, a company that used an Israeli-perfected snooping technology known as Signaling System 7. He sold it off and went on to set up other companies selling surveillance products. He prided himself on recruiting the best hackers, including former spyware experts from the Israeli military’s most elite cyberintelligence unit.
Mr. Dilian did not respond to requests for an interview or to written questions submitted to him directly and through his lawyers in Cyprus and Israel.
For several years after the sale of Circles, Cyprus was good to Mr. Dilian. Then, in 2019, he gave an interview to Forbes from a surveillance van driving through the Cypriot city of Larnaca. He gave a mock demonstration of the van’s ability to hack any nearby phone and steal WhatsApp and text messages from unsuspecting targets.
Asked about human rights abuses committed when using his products, Mr. Dilian told Forbes that “we work with the good guys.” He added, “And sometimes the good guys don’t behave.”
Cypriot authorities soon issued a request for his arrest through Interpol, the global police agency, for illegal surveillance. His lawyer ultimately succeeded in settling the episode with a 1 million euro ($1 million) fine paid through Mr. Dilian’s company, but he was no longer welcome to do business in Cyprus, several Cypriot officials involved in the case said.
Mr. Dilian wasn’t done. He decamped to Athens and set up Intellexa there in 2020, which is when he began to aggressively market his new spyware product, Predator.
Predator requires the targeted user to click on a link to infect the user’s phone, whereas Pegasus infects the phone without any action from the target.
Predator infections come in the form of carefully crafted, personalized instant messages and the bait — infected links mimicking established websites. An investigation into Predator by Meta listed about 300 such sites that experts had found were used for Predator infections.
From spring 2020, Intellexa operated from offices along the Greek capital’s Riviera, its southern coastline favored by surfing digital nomads and international sports stars. According to confidential employment records reviewed by The Times as well as staff LinkedIn profiles, the company hired at least eight Israelis, several of whom had a background in the country’s intelligence services.
Mr. Eshel, whose ministry oversees export licenses for spyware, said he had little power to control what Mr. Dilian or other former Israeli intelligence operatives did once they set up businesses outside Israel.
“It certainly disturbs me that a veteran of our intelligence and cyber units, who employs other former senior officials, operates around the world without any oversight,” he said.
Intellexa also looked out for opportunities that used to be in NSO’s domain. Ukraine had previously tried to acquire Pegasus, but the effort failed after the Israeli government blocked NSO from selling to Ukraine out of concern that doing so would harm Israel’s relationship with Russia.
Intellexa swooped in. The Times obtained a copy of a nine-page Intellexa pitch for Predator to a Ukrainian intelligence agency last year, the first full such commercial spyware proposal to be made public. The document, dated February 2021, brags about the capabilities of Predator and even offers a 24/7 help line.
For 13.6 million euros ($14.3 million) for the first year, Intellexa offered Ukraine a basic package of 20 simultaneous infections with Predator and a “magazine” of 400 hacks of domestic numbers, as well as training and a round-the-clock help center. If Ukraine wanted to use Predator on non-Ukrainian numbers, the price would go by an extra 3.5 million euros.
Read the Intellexa Pitch on Its Spyware Tool
The New York Times obtained a copy of a nine-page Intellexa pitch for Predator to a Ukrainian intelligence agency in 2021, the first full such commercial spyware proposal to be made public.
Ukraine rejected the pitch, a person familiar with the matter said. Ukraine’s reasons for passing on Predator are unclear, but that did not appear to dissuade Intellexa or Mr. Dilian. Freed from the strictures of Israeli government regulation and running with virtually no oversight in Athens, the company expanded its clientele.
Meta, as well as the University of Toronto’s Citizen Lab, a cybersecurity watchdog organization, detected Predator in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, Serbia, Colombia, Ivory Coast, Vietnam, the Philippines and Germany. These locations were determined through internet scans for servers known to be associated with the spyware.
A Greek Drama
Over the past few months, Predator has also roiled public life in Greece, where it was found to have been used against journalists and opposition figures. The Greek government has repeatedly described the spyware as illegal and said it had nothing to do with it.
Despite the denunciations, Greece admitted to backing Intellexa and its spyware in a vital way: by licensing the company to export Predator to Madagascar, whose government has a history of cracking down on dissent.
Alexandros Papaioannou, the spokesman for the Greek Foreign Ministry, confirmed that a division of the ministry issued two export licenses to Intellexa on Nov. 15, 2021. In a hint of the pressure the country is under, Mr. Papaioannou said the ministry’s inspector general had begun an internal investigation after reports in the local press about the company. European Union legislation treats spyware as a potential weapon and calls for authorities to grant export licenses after due diligence to prevent its abuse.
Just off the coast of East Africa, Madagascar is the world’s fourth-poorest nation. It struggles with corruption, especially in the mining and oil industries that bring in billions a year for corporations. Malagasy officials did not comment.
In Greece, Predator is also at the center of a domestic political maelstrom.
The saga began in April, when the Greek outlet Inside Story reported that Predator had been used to infect the phone of a local investigative reporter. The University of Toronto’s Citizen Lab forensically found the infection. Two opposition politicians soon confirmed that they, too, had been targeted, each with forensic evidence to back the claims.
All three suspect that the Greek state ordered their surveillance and have filed lawsuits. Thanasis Koukakis, an investigative reporter, has sued Mr. Dilian and his Intellexa associates.
The conservative prime minister, Kyriakos Mitsotakis, has denied ordering surveillance using Predator and maintains that the Greek government does not own the spyware.
Even so, Mr. Mitsotakis’s nephew, who had political oversight of the national intelligence service, resigned over the spyware scandal in August, although he denies any role in it. Around the same time, the prime minister fired the national intelligence chief.
The same month, Intellexa dismissed most of its Athens-based staff.
In November, Mr. Mitsotakis admitted that somebody is running covert operations using Predator inside Greece — he just does not know whom.
“To be clear, I never claimed — and the government has never claimed — that there were no hacks and no forces using the Predator software,” he said, adding: “There’s illegal spyware all over Europe.”