The EU Commission has announced that it will "immediately" stop funding individuals or organizations involved in "serious professional misconduct." This follows an investigation by Follow the Money (FtM) which revealed that EU funds amounting to millions of euros have been directly channeled to commercial spyware firms in recent years.
In September, the FtM portal, in collaboration with other media partners, uncovered that the spyware industry is receiving substantial subsidies from the EU while simultaneously surveilling its citizens. According to the report, the Intellexa Group, which developed the Predator state trojan, has, through affiliated companies, secured public funding, particularly through innovation programs. Cognyte, CyGate, and Verint are also reported to have received financial support from EU sources for their surveillance technologies, such as spyware, whose solutions are frequently mentioned in the context of human rights violations.
In response, 39 EU parliamentarians from four political groups have jointly requested concrete answers from the Commission in a letter. The representatives lamented that the EU is, apparently unintentionally, funding instruments that have been or are being used for repressive purposes in member states like Poland, Greece, and Hungary, as well as in authoritarian third countries. This, they argue, undermines fundamental rights and democracy.
According to the letter, the Commission has apparently failed to verify the trustworthiness, ownership structure, and human rights compliance of these companies. The requested end-user clauses or dual-use controls, which assess whether a product can be misused for civilian, military, and police purposes, are apparently not being effectively enforced. The revelations indicate that the Brussels-based governing institution is not sufficiently adhering to recommendations from the parliamentary inquiry committee on spyware scandals in this highly sensitive area.
Commission Stands By
In its statement, according to an FtM newsletter, the Commission explains that law enforcement agencies and intelligence services may "lawfully use spyware for legitimate purposes." However, it fails to list all EU programs from which surveillance companies have benefited. Specifically, information regarding grants from the European Social Fund and another financial pot awarded to the Italian surveillance company Area is missing.
The executive body also fails to mention financial flows to the notorious spyware manufacturer Hacking Team, the report continues. Even recent transfers from the European Investment Fund (EIF) to the Israeli spyware company Paragon Solutions, which is currently at the center of a scandal in Italy, remain unmentioned. Instead of proposing new protective measures, the Commission merely refers to the existing legal framework for protection against the illegal use of spyware.
The EU executive is "hiding behind vague references to 'EU values'," criticizes Aljosa Ajanovic Andelic from the initiative European Digital Rights (EDRi) regarding the response to FtM. It openly admits that "European funds have financed companies whose technologies are used for espionage against journalists and human rights defenders." This, he states, demonstrates a complete lack of effective control mechanisms. Green Party MEP Hannah Neumann criticizes that the Commission has taken hardly any action in the past two years following the committee's report.
Following major public exposures by Insikt Group and others throughout the last two years, alongside US government sanctions targeting the Intellexa Consortium — the organizational structure behind the Predator mobile spyware — Insikt Group observed a significant decline in Predator-related activity. This apparent decline raised questions about whether the combination of US sanctions, public exposure, and broader international efforts to curb spyware proliferation, such as the UK and France-led Pall Mall process, had dealt a lasting blow to Intellexa’s operations. Yet, Predator activity has not stopped, and in recent months, Insikt Group has observed a resurgence of activity, reflecting the operators’ continued persistence. While much of the identified infrastructure is tied to known Predator operators in countries previously identified by Insikt Group, a new customer has also been identified in Mozambique — a country not previously publicly linked to the spyware. This aligns with the broader observation that Predator is highly active in Africa, with over half of its identified customers located on the continent. Additionally, Insikt Group has found a connection between high-tier Predator infrastructure and a Czech entity previously associated with the Intellexa Consortium.
Intellexa’s Predator spyware infrastructure re-emerges after sanctions. Learn how this mercenary spyware is evolving, targeting high-profile individuals, and what defensive measures can be taken.
The U.S. government announced Tuesday sanctions against the founder of the notorious spyware company Intellexa and one of his business partners. This is
Discover our TDR team's revelations about Predator spyware: its C2 infrastructure and list of countries still using its cyber espionage tool.
The Intellexa Alliance is the name of the shady group of European companies that supplies dictators and despots with cyberweapons. The mass spyware attacks have also been lucrative for some in Germany.
Between May and September 2023, former Egyptian MP Ahmed Eltantawy was targeted with Cytrox's Predator spyware via links sent on SMS and WhatsApp after Eltantawy publicly stated his plans to run for President in the 2024 Egyptian elections. As Egypt is a known customer of Cytrox's Predator spyware, and the spyware was delivered via network injection from a device located physically inside Egypt, we attribute the attack to the Egyptian government with high confidence.
Last week Google’s Threat Analysis Group (TAG), in partnership with The Citizen Lab, discovered an in-the-wild 0-day exploit chain for iPhones. Developed by the commercial surveillance vendor, Intellexa, this exploit chain is used to install its Predator spyware surreptitiously onto a device.
In response, yesterday, Apple patched the bugs in iOS 16.7 and iOS 17.0.1 as CVE-2023-41991, CVE-2023-41992, CVE-2023-41993. This quick patching from Apple helps to better protect users and we encourage all iOS users to install them as soon as possible.
The three zero-day flaws addressed by Apple on September 21, 2023, were leveraged as part of an iPhone exploit chain in an attempt to deliver a spyware strain called Predator targeting former Egyptian member of parliament Ahmed Eltantawy between May and September 2023.
"The targeting took place after Eltantawy publicly stated his plans to run for President in the 2024 Egyptian elections," the Citizen Lab said, attributing the attack with high confidence to the Egyptian government owing to it being a known customer of the commercial spying tool.
We would like to thank The Citizen Lab for their cooperation, support and inputs into this research.
Spyware is sold to countries including Egypt, Indonesia, Oman, Saudi Arabia, and Serbia.
Smartphone malware sold to governments around the world can surreptitiously record voice calls and nearby audio, collect data from apps such as Signal and WhatsApp, and hide apps or prevent them from running upon device reboots, researchers from Cisco’s Talos security team have found.
A U.S. and Greek national who worked on Meta’s security and trust team while based in Greece was placed under a yearlong wiretap by the Greek national intelligence service and hacked with a powerful cyberespionage tool, according to documents obtained by The New York Times and officials with knowledge of the case.
‘Democracy and rule of law are at stake,’ says MEP Saskia Bricmont.
Two Egyptians—exiled politician Ayman Nour and the host of a popular news program (who wishes to remain anonymous)—were hacked with Predator spyware, built and sold by the previously little-known mercenary spyware developer Cytrox. The phone of Ayman Nour was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different government clients.
