Illustration: Lenka Matoušková (Investigace.cz) 2024-10-03
Illustration: Lenka Matoušková (Investigace.cz) 2024-10-03
Our search for the service providers of Cytrox, part of the Intellexa spyware company group, leads us to a small town in the east of the Czech Republic. There, a cheerful bistro owner, programmer, marketer and entrepreneur is alleged to have been working for Intellexa, the developer of the Predator spyware, an invasive technology used to monitor journalists, opposition politicians and activists. A Greek police report describes financial transactions from Intellexa to the bistro owner and his companies totalling almost three million euros – for services that remain shrouded in mystery.
In 2020, Greek financial journalist Thanasis Koukakis suspected that his phone was bugged. But until he received the results of analysis by Citizen Lab, nonprofit research organization that investigates digital surveillance and censorship, in March 2022, he had no idea how extensively he was being surveilled.
For at least ten weeks, the operators of the spyware could track every aspect of his professional and personal life.
In the summer of 2021, the journalist received a text message reading, “Thanasis, you know this?” It contained a link to a website that, at first glance, looked exactly like a news blog. It wasn’t. Clicking the link gave the perpetrators direct access to Koukakis’ phone.
The manufacturer of Predator spyware is Cytrox, a company based in Hungary that is part of the Intellexa consortium. One of the Intellexa companies, which were placed on the US sanctions list earlier this year, Intellexa SA, is based in Greece. Intellexa’s owners have also been sanctioned for developing, operating and distributing commercial spyware “used to attack US citizens, government officials and journalists.”
“We are still trying to come to terms with how this has affected us as journalists, but also our sources,” Koukakis explained to Investigace.cz. Rather than eliciting sympathy between journalists and sources, the incident has caused problems: “Sources are now afraid to talk to us and don’t trust us. But what’s worse is the fact that Intellexa was operating in Greece in a completely unscrupulous way and selling its products from there to the whole world.”
The Greek National Intelligence Service (EYP) was suspected of having been responsible for spying on Koukakis, because they have admitted having done so before. But in July of this year, Greek prosecutors shelved the case, which they had begun investigating in 2022, ostensibly due to a lack of evidence. The prosecution acknowledged that Koukakis was tracked by Predator spyware, but denied that any Greek state institution used Predator. Following the investigation, the Greek prosecutor’s office decided to instead prosecute Intellexa’s employees and owners for the crime of violation of the confidentiality of communications. The trial is due to begin next year.
As part of the investigation into the use of spyware against Koukakis and others, the local prosecutor’s office ordered the financial police to produce a report on companies linked to Intellexa. Investigace.cz gained access to the report.
The report also includes a table of Intellexa suppliers. One of them is a man named Dvir Horef Hazan.
“Magic Maker”
Dvir Horef Hazan is a cheerful expatriate from Israel who lives in the town of Krnov, in the Moravian-Silesian region of the Czech Republic. He enjoys whisky and food, and owns a bistro, cafe and hotel. He also offers his services as a photographer. On his professional Instagram, he presents photos: nature shots, portraits or female nudes.
“I’ve been contacted about this before, but I don’t know what the f*ck Intellexa is,” Dvir Horef Hazan explains over the phone. He does, however, follow Intellexa on LinkedIn.
According to his LinkedIn profile, he left the world of programming and marketing early last year to invest more time in his bistro, cafe and bakery. But one of his companies received the latest in a series of generous payments from Intellexa and its affiliated firms, according to a report by the Greek financial police.
Hazan, who describes himself as the “Magic Maker” on his website, owns eight companies in the Czech Republic. Four of them provide marketing, consulting and IT advisory services. His websites all look like placeholders: all consist of just a single page with incorrect contact information and no real description of the company services. Two of the companies are for his hospitality business; one company advertises selling cannabis oil; and one is for his real estate investments.
Importgenius database shows that, between 2020 and 2021, Hadastech, a company of which Hazan is the sole director, ordered 40 shipments from an unknown Ukrainian company. The product description indicates that the order was for mobile phones and “other networking apparatus.”
According to the Greek police report, three of Hazan’s companies – Zambrano Trade s.r.o., Hadastech s.r.o. a Shilo s.r.o. – and Hazan himself received a total of €2.9 million from Intellexa and its companies from 2020 to early 2023. The report doesn’t describe the services the payments were for.
“Hazan was one of Intellexa’s most important and best-paid suppliers,” explained Thanasis Koukakis.
Hazan’s companies are alleged to have received large sums of money from Intellexa-linked firms over the course of three years, according to the Greek police report. In several cases, the companies’ financial reports did not reflect these payments as revenue in their financial statements in Czechia, which is to say that their reported revenue was lower than the amounts they allegedly received from Intellexa’s network.
Hadastech allegedly received over 450 thousand euros in total for 2020 and 2021, but its financial statements show revenues of CZK 9.6 million (over 381 thousand euros) for that period. According to tax law specialist Nelly Vostrá, this is still ambiguous. “Just because we know that the payments in question were made does not mean that they were income or expenses,” the lawyer explained. “For example, they could have been advances for future services.”
Hazan’s companies’ accounts show operating costs that are almost as much as the total revenue of the company: these companies may bring in lots of income, but they also have very high expenses, so little profit is retained. The companies may be acting as intermediaries for a service — in the case of one of the companies, Zambrano Trade, for services worth over four million euros in 2023.
Hazan’s email – horef@shilo[.]eu – is present on the registration information for the IP address [173.236.173[.] This IP address hosts a small number of websites, including shilo[.]eu. It also hosted the Greek version of Intellexa’s website, intellexa[.]gr.
We shared our findings with Julian-Ferdinand Vögele, a senior threat researcher with Recorded Future’s Insikt Group. On the significance of the findings, he said, “Technical attribution generally relies on a combination of indicators that, when examined in isolation, may appear coincidental. Yet when these indicators are considered together, the likelihood of them occurring independently diminishes significantly.”
“Knowing that two domains were hosted on the same IP address during the same timeframe is often insufficient to connect them with each other, as it may be unclear whether the infrastructure is fully owned by a single entity, among others. However, when we consider additional factors like the hosting history of these domains, the timing of IP address changes, and the track records of the involved entities, the chances of these occurrences being a coincidence become significantly lower.”
During our first phone call with Hazan, he denied his connection to Intellexa. He also denied ever working with the companies responsible for the payments, which, according to the Greek police file, had been paying his companies for several years. We followed up via email with a detailed list of the payments he had received from Intellexa and related companies. We subsequently spoke to him on two more occasions. He confirmed that he had received the emails. On the final call, he said he would not comment on the allegations. He had not responded to another email with specific questions by the time the article was published.
Hazan owns property in Krnov via the company H.S. Three Holding s.r.o. In addition to Hazan’s seven companies, several other companies are based in a two-story orange building that resembles a school in the center of Krnov. One of them is FoxITech.
FoxITech’s owner, Michal Ikonomidis, has worked with Hazan and, according to a social media picture from September 2019, is a friend. FoxITech was founded in 2022 and represented at the notary’s office by the same proxy who represented Hazan when he founded his first company.
Ikonomidis’s details also appear in the context of Intellexa: FoxITech s.r.o.’s name and address are also listed on the registration information for the IP address hosting intellexa[.]gr in the RIPE registration database, with michali@shilo[.]eu, appearing on the contact information, alongside horef@shilo[.]eu.
We tried to reach out to FoxITech, but the phone number listed on the website turned out to be the phone number for the City Hall of Ostrava. The company’s email address doesn’t work either: the email bounceback response states that the email comes from one of Hazan’s domains, benderonetech[.]com.
Unwitting agents of a spyware empire?
When Investigace.cz last reported on Cytrox, we discovered that the person listed as the director of Cytrox was a pensioner from a village near Ostrava who had no knowledge of Intellexa. We asked whether she knew Hazan. The pensioner confirmed via her daughter that Hazan, who lives only an hour away, was an acquaintance of the family. The husband of the pensioner’s daughter, Amos Uzan, is an Israeli who, according to his LinkedIn profile, worked for the Israeli government between 2003-2009. This included a “security” role for the office of the Prime Minister of Israel between 2003-2006, followed by a role as a “spokesperson” for the Knesset from January 2008 until April 2009.
During this period, Ehud Olmert served in multiple ministerial positions, and served as Israeli Prime Minister (May 4, 2006 until March 31, 2009). Olmert has recently disclosed to reporters from Haaretz that he was, until recently, a paid advisor for Intellexa.
Intellexa
Rotem Farkash and Abraham Rubinstein founded two companies in 2017: Cytrox Holdings in Hungary and a subsidiary, Cytrox Software, based in North Macedonia. Farkash, who started his entrepreneurial career as a hacker, later became one of the most prominent figures in the Intellexa consortium.
Intellexa was formed in 2019 by the merger of Intellexa with the French group Nexa. The press release announcing the birth of this alliance stated that its members are Nexa Technologies, Advanced Middle East Systems, WiSpear and Senpai Technologies. Intellexa also completed the acquisition of Cytrox in 2019.
The Intellexa consortium was founded by former Israel Defense Forces commander Tal Dilian, who is closely associated with another controversial company, NSO Group, and its spy software, Pegasus. The Czech company Setco Technology Solutions, s. r. o. was also part of the French Nexa group. The company was dissolved by its owners in April of this year.
Amnesty International, in its extensive report The Predator Files, states that the use of spyware is a violation of basic human rights. “The Intellexa Alliance, the European developers of Predator and other surveillance products, has done nothing to restrict who can use this spyware and for what purpose. Instead, they are lining their pockets and ignoring the serious human rights implications… The only effective response is for states to impose an immediate global ban on highly invasive spyware.”
Although some countries try to limit the activities of spyware companies in some form – for example, Intellexa and NSO Group are no longer allowed to do business in the US – companies circumvent these obstacles in various ways. Moreover, it is up to the discretion of the individual countries where spyware companies are currently based whether to grant them export licenses. As part of the export licensing process, 25 countries – including, for example, North Macedonia – have committed to considering whether the service they are allowing to be exported potentially violates human rights. However, this is a voluntary code of conduct.
Meanwhile, there are more and more reports of spyware abuses. The Vietnamese government tried to hack into the phones of members of the US Congress; the Indian government spied on a journalist asking the prime minister uncomfortable questions; and techniques “strikingly similar to that developed by Intellexa” were used extensively by Russian intelligence services.
“Following the revelations about Intellexa’s activities and the imposition of sanctions, there has been a decline in the active use of Predator,” the cybersecurity firm Recorded Future said in its latest report. But according to their most recent analysis, this is far from the last we’ve heard of Predator. Predator’s operators, even at a great financial cost to Intellexa and its customers, continue to adapt its infrastructure in response to public reporting, and Predator continues to be deployed for attacks in many countries.
The Czech version of this story was published on investigace.cz.
Subscribe to Goulash, our original VSquare newsletter that delivers the best investigative journalism from Central Europe straight to your inbox!
A Czech journalist, Zuzana Šotová has worked for the Czech Center for Investigative Journalism since 2020.
Paul May is an ICA-trained anti-money laundering expert and a reporter at the Czech Center for Investigative Journalism, investigace.cz.