How the makers of Predator spyware hid behind a Czech granny
Konrad Szczygieł (Frontstory.pl)
Illustration: Aleksandra Ołdak 2024-02-16
Konrad Szczygieł (Frontstory.pl)
Illustration: Aleksandra Ołdak 2024-02-16
Spyware is a weapon. It is sold to governments and law enforcement, and used in cases of national security to surveil terrorists and organized crime. Yet it is also frequently used in violation of human rights—against journalists, opposition figures, and politicians all over the world.
Cytrox, a company registered in North Macedonia, makes millions exporting a spyware called Predator. Until last summer, its director, who was legally responsible for this company, was a pensioner in the Czech Republic—unbeknownst to her. Reporters from Investigace.cz paid her a visit.
In the Zlin region of the Czech Republic, near the Polish border, lies a peaceful, mountainous village of 387 inhabitants. A bus stop seems to mark the center of the village. A small, newly built house with a beige façade and a black roof sits nearby. In front of the house is a small, well-kept garden. A man repairing some pipes in front of this house tells the investigace.cz reporter she is in the right place – yes, Mrs. Jeonovefa M. lives here. Before long, she’s there, opening the door, smiling and inviting a stranger inside her cozy living room.
It’s the end of May 2023 and Mrs. M., age 70, is, according to the North Macedonian company register, the director of Cytrox, a powerful tech company. Legally, she became the director in 2022. The company register has her name, address, and even a copy of her passport. But when asked if she ever heard of a company called Cytrox, she replied “no, never,” and asked how to spell its name.
Cytrox is the developer of a type of spyware called Predator. Unlike the better-known spyware Pegasus, created by Israeli company NSO Group, Predator is not deployed using so-called zero-click exploits. With Predator, the target has to somehow interact with the malicious software. This means that Predator is cheaper, according to publicly available information.
Cytrox uses creative ways to either get around this requirement or to manipulate the target into interacting with one of its infected links. One method involves cooperating directly with internet or mobile network providers in the specific country; another, deploying the spyware by being in close proximity to the targeted device. A more simple way is just to send it via email.
Spyware has been used by governmental actors against journalists, activists, and opposition figures all over the world. Use of this software gives the one who purchased services of a company like Cytrox unlimited access to the target’s private and professional life. Spyware can scan and send out everything inside the device it attacks, but it can also, for example, do things like turn on a target’s camera and microphone, thus providing live coverage to whomever purchased the service. This can offer material for possible blackmail or even prosecution, but it can also endanger the people with whom the target meets—for example, journalists’ sources.
Amnesty International states that the use of spyware is a violation of basic human rights. “The Intellexa alliance, European-based developers of Predator and other surveillance products have done nothing to limit who is able to use this spyware and for what purpose. Instead, they are lining their pockets and ignoring the serious human rights implications at stake… The only effective response is for states to impose an immediate worldwide ban on highly invasive spyware,” Amnesty International wrote in October 2023.
***
“Yes, that’s my passport. I don’t understand,” Mrs. Jeonovefa M. said to the investigace.cz reporter who showed her Cytrox’s company documents with her name, former address, and a copy of her passport.
Cytrox was set up as a joint stock company in March 2017 by five Israeli nationals and one Hungarian, according to information obtained by the Balkan Investigative Reporting Network (BIRN). In 2018, Ctyrox was acquired by WiSpear. In 2020, Cytrox ownership passed to a Hungarian company, Cytrox Holding.
According to The Predator Files, a report by Amnesty International published last year, Cytrox is a part of a constellation of companies known as Intellexa. Intellexa alliance was born in 2019 when various companies were linked together—a press release sent out in June 2019 lists its members: Nexa Technologies, Advanced Systems, WiSpear Systems, and Senpai Technologies.
Intellexa Co-CEO Tal Dilian in Limassol, Cyprus, April 22, 2020. Photo: Yiannis Kourtoglou / Reuters / Forum
The Intellexa group was founded in 2018 by former Israeli Defense Forces commander Tal Dilian. Dilian is also closely associated with another controversial spyware company: NSO Group, maker of Pegasus spyware. His first surveillance software company merged with NSO in 2014, per a Forbes report.
One part of the Nexa group is a Czech company based in Brno. Prior to early 2022, that company was called Nexa Technologies CZ s.r.o. The company’s current name is Setco Technology Solutions s.r.o., and its sole shareholder is French company FLANDRIN TECHNOLOGIES S.A.S.
Companies all over the world use what is called a nominee director. This person is appointed to formally represent the company: their role is only on paper, and they have no real power to influence the company or profit from it. In the case of offshore and shell companies, the nominee directors are typically professionals who may get paid to formally hold a secretarial position or directorship, sometimes in hundreds of companies. The nominee director may also be a tool used to formally meet the obligations set out by laws on company ownership transparency without revealing the real ownership or leadership structures.
But a nominee director does not necessarily know that they’ve been named nominee director. There have been cases where the directors of companies had no idea they held this position—they may have signed papers they didn’t understand, or even had their identities stolen and used fraudulently.
“I haven’t traveled anywhere for the last three years, you know, because of Covid,” continues Mrs. Jeonovefa M. “I have traveled to Israel a couple of times, when I was helping my daughter set up her business. See, her husband is originally from Israel, let me call them,” she says, getting up and walking outside through a glass door leading to a terrace.
Mrs. Jeonovefa M.’s daughter and her business partner own a beauty brand, which imports its products—ranging from mud from the Dead Sea to various lotions and shampoos—from Israel. The daughter also teaches Hebrew. The daughter’s husband owns a company that does “business consulting and real estate investment in the Israeli and Czech Republic markets.“ But neither Mrs. Jeonovefa M.’s son-in-law nor her daughter know anything about the company, she says, after she returns from the terrace.
“Will you be staying longer?” Mrs. Jeonovefa M. asks the investigace.cz reporter before saying good-bye. “These mountains are beautiful, we even have a cable car right there,” she offers, pointing. The reporter leaves her contact information and asks Mrs. Jeonovefa M. to write or call if she gets more information from her family
She never heard from her. And when investigace.cz tried to contact her daughter through her cosmetics business, no one replied.
In August 2022, it came to light that Predator was being used in Greece, against politicians, businessmen and media figures. A scandal ensued. Greece’s Data Protection conducted an investigation, which in turn revealed that 92 smartphones belonging to businessmen, journalists, prosecutors, state officers, politicians, and government ministers and their associates were targeted with Predator via 350 SMS messages, sent through online messaging services.
Greece’s Prime Minister Kyriakos Mitsotakis in Granada, Spain, October 5, 2023. Photo: Alexandros Michailidis / Shutterstock
The nephew of Greece’s prime minister, who served as his Secretary General and was responsible for Greek National Intelligence Services (EYP) from 2019 to 2022, filed a defamation lawsuit. A trial is ongoing. The case has been called an insult to freedom of speech and an attempt to silence independent journalism in the country.
A few days after the investigace.cz reporter visited Mrs. Jeonovefa M., Cytrox’s legal director changed. Based on a copy of the company’s records, it is now Sylwia J., a 25-year-old from Poland. A reporter from Frontstory.pl went to her Warsaw address, listed in the company documents. The apartment is located in a post-Soviet apartment building in the city center, surrounded by hotels and skyscrapers. No one in the residential building had ever heard of Sylwia J. When our reporter knocked on the door of the apartment listed in the company documents, they were greeted by a man. He explained that he lived there with his partner. He had never heard of Miss J.. Neither had the building’s security guard. Nor had the owner of the apartment (that is, the person who rents it out to the tenant with whom our reporter spoke).
We managed to find Miss J. on social media and confirmed it was indeed her by comparing her passport photo—a copy of which is in the Cytrox company documents—with her pictures online. The reporter from Fronstory.pl contacted Miss J. through her Instagram account. He explained that she is listed as the director of a North Macedonian company called Cytrox and asked her for an interview. “Hmm, I think it’s a mistake or a name coincidence,” she replied. When the reporter explained that her Warsaw address is listed as well, she asked what it was that he wanted to know. He requested that she call him, but she preferred for him to send over written questions. He asked how she got involved with Cytrox; if she knew what the company does; and if she had ever heard of Predator. She read the messages but didn’t reply. Shortly after this exchange, she disabled her Instagram account. It is now back online but with a different username.
Based on her Instagram account, it is unclear what Miss J. does for a living or where she really lives. Most of the content on her profile depicts her traveling all around the world. It is unclear whether she knew about her job as director of a spyware company.
Cytrox never replied to investigace.cz’s questions.
In response to the use of spyware against journalists, the European Commission has proposed a complete ban on this practice. Several countries, including the Czech Republic, have opposed this ban. EU commissioner Věra Jourová explained to investigace.cz that a journalist may also be involved in some activities that justify the use of spyware. “We can never rule out the possibility that one day a spy or a criminal may decide to obtain a press pass and abuse it.”
Subscribe to Goulash, our original VSquare newsletter that delivers the best investigative journalism from Central Europe straight to your inbox!
A Czech journalist, Zuzana Šotová has worked for the Czech Center for Investigative Journalism since 2020.
Konrad Szczygieł is an investigative journalist at FRONTSTORY.PL. Previously, he was a reporter at Superwizjer TVN and OKO.Press. Since 2016, he has worked with Fundacja Reporterów (Reporters Foundation). He was shortlisted for a Grand Press award (2016, 2021) and an Andrzej Woyciechowski award (2021). He is based in Warsaw.