Flight of the Predator
Private jet reveals business spyware web of Israeli tycoon from EU to Africa
AOJ71H 18 May 2022 10:26 Khartoum DOF/220518 C750 -LCLK -HSSK
On a dusty May morning in Khartoum an executive jet taxied to a halt under the blistering sun. Two jeeps with tinted windows stood ready to meet it from one of the most notorious and feared militias in the world, the Rapid Support Forces. The sleek white Cessna flew in from Cyprus and remained on the ground in Sudan’s capital for just 45 minutes, long enough to draw a disturbing line of connection between the ferocious contest for power in Sudan and a spyware scandal roiling Greece.
Details of the Cessna’s arrival, its passengers and cargo were meant to remain secret — logged in an inaccessible location, foregoing the usual procedures. The secrecy was a testament to the power of Mohamed Hamdan Dagalo, known as Hemedti, Sudan’s richest man and the owner of a private army that is the heir to the murderous legacy of the Janjaweed, infamous for their crimes against humanity in Sudan’s troubled Western region, Darfur.
According to three independent sources, the cargo was high-end surveillance technology, made in the European Union, with the potential to tip the balance of power in Sudan thanks to its capacity to turn smartphones into audio-visual informants on their owners. When news of its arrival reached Hemedti’s rivals the equipment was seen as so dangerous that an RSF commander speaking on condition of anonymity said it was smuggled out of Khartoum to the militia’s stronghold in Darfur to prevent its seizure by the army.
Sudan, Africa’s largest country prior to civil war and partition, is in fragile transition from decades of military dictatorship under Omar al-Bashir — now in prison awaiting possible extradition to the International Criminal Court. Waves of popular protests in Khartoum in 2019 resulted in a civilian council that shares power uneasily with the military. On paper, Hemedti is second in command to Abdel Fattah al-Burhan, commander in chief of Sudan’s Armed Forces. In reality, the militia leader vies for outright control of the country. He commands Sudan’s gold industry, his soldiers fight for a price in foreign conflicts and he has forged links to Russia’s mercenary Wagner Group. Hemedti also met with Israeli intelligence twice since June 2021, with a private jet used by Mossad tracked to Khartoum. In the last year alone, RSF fighters have been implicated in enforced disappearances of protestors in Khartoum and indiscriminate shooting of civilians, including children, in Darfur.
The Khartoum flight opened a rare window on a secretive and lucrative business, linking the blood-soaked Sudanese militia to a cabal of powerbrokers in Greece, a corporate network spanning Cyprus, the British Virgin Islands and Ireland, and above all to a crisis spreading across the EU — the widespread availability of sophisticated software that can track and hack mobile phones worldwide, threatening democratic institutions and human rights defenders.
Lighthouse Reports and its partners Haaretz in Israel and Greece’s Inside Story have been investigating the activities of Intellexa, a spyware firm whose activities spread from Europe across much of the global south. Months of digging into company records and interviews with confidential sources in multiple countries uncovered a network of companies connected to Tal Dilian, a former Israeli intelligence operative, who has bought up an array of sophisticated surveillance technology and established an EU foothold in Greece and Cyprus.
The eight-seater Cessna, which plays a significant role in Dilian’s operations, was revealed by a social media post from an Intellexa engineer – a selfie showing its subject aboard a jet with a grey leather and mahogany interior that left enough of a digital trail to isolate and identify that plane. Lighthouse Reports and partners have analysed and cross-referenced hundreds of flight records, linking the plane to key locations in Intellexa’s business, and combed dozens of passenger lists, along with corporate filings, employment records and other confidential and open source data. The findings conclusively connect the plane to Dilian, his known associates and employees in his company — including to Merom Harpaz, a central figure in his business network.
Intellexa, Tal Dilian and Merom Harpaz did not respond to requests for comment. No response was received from a Rapid Support Forces media inquiries address.
In tracing the movements of the Cessna in recent months as it criss-crossed Greece, Cyprus, Israel, the Middle East and Africa, the outlines emerge of an international scandal that destabilises the countries it lands in, all the while funnelling some of the world’s most dangerous technology into the hands of some of its most high-risk regimes.
“Equipping the RSF with sophisticated surveillance technology will not only exacerbate the brutal repression and killing of Sudan’s remarkably brave protestors and squash hopes for democracy in the region,” Anette Hoffmann, senior research fellow at the Clingendael Institute, told this investigation. “Such advanced spyware in the hands of the RSF will tilt the balance of power in favour of a ruthless former militia and Russia ally, bringing Sudan one step closer to an open confrontation with the country’s armed forces and increasing the risk of civil war.”
AOJ71H 18 May 2022 15:09 Larnaca DOF/220518 C750 -HSSK -LCLK
Returning from Khartoum that afternoon, the Cessna touched down in Larnaca, Cyprus, rolling to a halt outside the headquarters of a local aviation consultancy, Pegasus Flight Centre. Less than an hour’s drive away, in an exclusive suburb of Limassol, is a luxurious villa with an enticing kidney-shaped pool which the millionaire Israeli entrepreneur, Dilian, shares with his wife, Sara Hamou, a Polish corporate offshoring specialist.
Since leaving the Israeli army’s elite Unit 81 intelligence division, which he commanded, Dilian has specialised in surveillance tools. Basing himself in Cyprus, he first built a pioneering phone tracking firm called Circles, which he sold in 2014. He also went into business with an Israeli community leader in Cyprus, Abraham Shahak Avni, part owner of Pegasus Flight Centre.
For Avni, aviation is a fragment of a diverse portfolio. He describes himself as “a visionary entrepreneur, investor and philanthropist” whose interests span medical services, robotics, autonomous drones and intelligence products for law enforcement agencies. In partnership with Avni’s company CIS, Dilian set up a wifi interception firm called WiSpear, and kitted out a van with millions of dollars’ worth of surveillance equipment, which he began to exhibit at industry trade fairs in 2017.
Two years later, Dilian and Avni launched a more ambitious project: an “intelligence alliance” designed to “completely encompass” the needs of government agencies. The press release announced a “one-stop-shop”, a group of companies that could offer infection of devices and data extraction, wifi traffic interception, open source datamining, covert social media activities and phone geolocation, along with high powered big data analysis to make sense of it all.
In preparation for this Dilian had gone on a spending spree. He purchased Cytrox, a Hungarian and North Macedonian startup which developed phone hacking software called Predator. He brokered a marketing deal with French interception firm Nexa and invested in other companies in the area of cyber intelligence.
By uniting the capabilities of different industry niches under one roof Dilian hoped to rival the biggest players in the mercenary spyware market — in particular Israel’s NSO Group, now notorious for their Pegasus hacking software. The new alliance was to be called Intellexa.
Asked to explain the difference between NSO and Intellexa, a senior source in Israel’s offensive spyware industry said: “NSO worked in accordance with Israeli law and at times even on behalf of the state of Israel. Ethically both this firm and the Israeli policy were questionable as sales were made to oppressive regimes — but it was regulated. Intellexa on the other hand does not follow Israeli law and sells to similar but also worse clients — including those that are a risk to Israel’s own national interest. A company that does not abide by Israeli law and is not subject to any regulator is de facto a pirate organisation.”
In a sign of things to come, Intellexa’s birth into the world was accompanied by chaos. Dilian evidently intended it to be based in Cyprus, according to an undated name registration in the country’s corporate filing system. But before the paperwork was completed, the plan blew up in his face. In August 2019 he gave an on-camera interview to Forbes, in which he touted his multi-million dollar spy van, claiming it could “hack a smartphone and snoop on all the messages within” — even those protected by encrypted apps like WhatsApp and Signal. He sent a couple of colleagues off on a walk outside the van, announcing “we will trace them, we will intercept them, we will infect them.” The video, in which Harpaz can also be seen, was not well received by some factions of the Cyprus establishment who were concerned that Dilian’s operation rivalled the national intelligence agency.
Amid claims of illegal data gathering, Dilian’s employees were arrested, offices raided and equipment impounded. As warrants were issued for himself and Avni, he signalled his intention to move his base of operations elsewhere. “No company can tolerate an unstable business and legal environment, which does not provide any protection against rumours affecting corporate activities,” he said.
Faced with arrest by the Cypriot authorities, Dilian was eager for a new corporate home and he had already been putting the foundations in place since 2019 a short plane-ride away in Greece. As the police investigation into his activities in Cyprus gathered pace, culminating in a fine for his company WiSpear, Dilian had already been reorganising his business and putting Intellexa to work on behalf of his new hosts.
AOJ71H 12 April 2022 18:41 Athens DOF/220412 C750 -LCLK -LGAV
The Cessna arrived in Athens the day after the fuse was lit on a slow-burning scandal that would come to engulf the whole of Greece’s political elite, one of its leading businessmen and a handful of other notables. The fuse was Thanasis Koukakis, a veteran business reporter described by colleagues as “dogged”, who has worked with international media including the Financial Times.
Koukakis had long suspected that his phone was tapped but discovered instead that it was also infected with Intellexa’s Predator software. Whereas spying on journalists might have provoked an outcry elsewhere in the EU, Greece is now the lowest placed European country in the rankings on media freedom published by the international watchdog Reporters Without Borders. Koukakis turned to Inside Story, a partner in this investigation, and one of the few independent investigative teams in Athens. They verified the reporter’s account, assembled the evidence and put the story out but it was largely ignored.
The Greek government denied any knowledge of Predator, blaming private actors, while its supporters in the domestic media rubbished Koukakis’ claims of a deeper scandal, saying there was no evidence of other victims. Three days after the Predator revelation a second report emerged, this time from Reporters United – another pillar of Greece’s nascent investigative scene. It published documents that showed Koukakis had been wiretapped by Greece’s intelligence agency (EYP) a year prior to his phone being infected with spyware.
The government refused to elaborate on the “national security” concerns that prompted them to intercept the calls of a respected journalist. And the EYP connection was even more troubling as the conservative government of Kyriakos Mitsotakis had changed the law within days of coming into power in 2019 to bring the intelligence agency under the direct control and oversight of the prime minister’s office — an office overseen by Mitsotakis’ own nephew, Grigoris Dimitriadis. This is the same Dimitriadis whom senior sources in Israel’s cyber industry said had previously held talks with NSO, the vendor of Pegasus.
Koukakis never believed he was alone in being targeted: “From the beginning, I considered it unlikely that such a complicated technical monitoring structure as Predator would have been set up by the Greek government to monitor only one journalist.”
The suggestion that Predator was trained on a single individual was rendered even less credible in the light of a cluster of internet domains, attributed to Intellexa’s subsidiary Cytrox, exposed by researchers from Meta and Citizen Lab, housed at the University of Toronto, Canada. This included dozens of domains mimicking Greek news sites. Lighthouse Reports used a domain intelligence database to catalogue the creation dates of the Greek lookalikes and discovered an ongoing campaign of fake news site registration, running from summer 2020. While the domains masqueraded as legitimate news sources they were in fact malicious sites that injected malware into the devices of unsuspecting visitors. Koukakis’ phone was infected after clicking on one of these links.
Documents seen by this investigation show that many of these infected domains were registered by a developer and known associate of Tal Dilian in the Czech Republic. Meanwhile, company records show that, as he moved his office out of Cyprus, Dilian had assembled a bewildering tapestry of Intellexa-linked companies spanning multiple other countries.
Dilian created his corporate network through a number of intermediaries — principally Hamou, a former senior advisor at an offshore trust specialist, but also Felix Bitzios, a businessman whose work on bad debts at Piraeus Bank was the subject of Koukakis’ reporting in 2019. Three companies called Intellexa were registered, in Greece, Ireland and the British Virgin Islands. All three were owned by an Irish holding company, Thalestris. As Inside Story dug into company registers in Greece and Cyprus they found that Thalestris also controlled companies named Apollo, Hermes, Mistrona, Dernova, Lorenco and Feroveno — some of which were seemingly registered to a rubble-strewn vacant lot in downtown Limassol. Thalestris, in turn, was partly dependent on money from another Virgin Islands entity, Chadera Enterprises, which — behind a veil of anonymity — was ultimately controlled by Dilian and two of his associates, leaked documents reveal.
Although the Thalestris holding company kept control of most of these Greek and Cypriot subsidiaries, there were two exceptions when key associates of Dilian’s work in Greece were given a piece of the pie, corporate filings reveal. Lorenco was sold to Intellexa’s top executive in Greece, Merom Harpaz, while a 35% stake in the Greek Intellexa company went to Dilian’s fixer, Felix Bitzios, via another Cyprus-based company, Santinomo.
The baffling structure served to obfuscate the links between Dilian and Intellexa, shrouding the group’s accounts in a near-impenetrable smokescreen. But on the ground, some facts remained the same as before. Feroveno, for example, shares a telephone number with Avni’s personal assistant — who corresponded with executives of Italy’s Hacking Team about the purchase of interception software in 2013; who wrote on behalf of Dilian requesting Cypriot government assistance in closing a deal with the Netherlands in 2019; and who also acts as operations director of Pegasus Flight Centre, outside which the white Cessna parked on its return from Sudan.
Following months of meticulous paperwork, Dilian’s arrival in Greece seemed to meet with success. The company’s Greek office near the abandoned airport and former refugee camp, Hellinikon, grew rapidly, expanding to a dozen employees. It was also used as a training centre and even had an area with prayer mats for those coming from Muslim countries. Flight records show the Cessna shuttling regularly between Athens, Larnaca and potential clients in the Middle East and elsewhere.
AOJ71H 15 June 2022 8:01 Prague DOF/220615 C750 -LCLK -LKPR
As the white Cessna parked up in the Czech capital it was not alone on the tarmac. Delegates at the ISS World conference, hosted in an imposing business hotel east of Prague’s historic centre, were jetting in for Europe’s premier spyware trade fair. Sometimes known as the “souk of spooks”, it is a bustling marketplace for police and intelligence agencies from around the world to purchase new tools, and for the intercept companies to demonstrate them. Attendance is strictly limited to government employees and contractors, who rub shoulders and talk shop over colourful smoothies, flutes of sparkling wine and dainty pastries.
This year’s get-together came at a time of heightened European concern about the surveillance industry. The previous summer, a media consortium had thrown a spotlight on NSO Group’s Pegasus software, showing how it had been indiscriminately used by the company’s clients to hack the phones of human rights activists, politicians and journalists. As a result, the company had been sanctioned by the US and was now — along with the industry as a whole — the target of an ongoing inquiry at the European Parliament. At the opening ceremony In Prague, however, the industry’s bête noir was warmly welcomed as “the very famous NSO Group”.
Behind closed doors, salespeople gave government delegates demos of how their products could gather WhatsApp contact data, hoover up internet browsing records and track and hack phones. There were so many interception devices at work in the space that delegates’ phones weren’t functioning properly. “I can only get 2G reception,” one of the trainers complained, referencing the downgrading of mobile signal that often accompanies attempts to grab personal data from a device. Others preferred to just leave their phones at home. Slogans around the room promised the prevention of “past and future crimes”, a safer world, and the ultimate triumph of truth and justice. Intellexa, one of the event’s sponsors, shared a thronged back room with rivals like Rayzone, Septier, Cleartrail and NSO.
A leaked business proposal — dated shortly after the Prague fair — outlined the capabilities of Dilian’s new flagship product. Predator was expanded and rebranded as the Nova Remote Intelligence and Analytics Solution. The system comprised “a fully functional standalone cyber intelligence platform with social engineering tools.” This is industry jargon for tools which fool people into clicking on malicious links, thinking they come from friends or other trusted sources. It offered “one-click infection via multiple attack vectors”, licenced for 10 targets at once, with a “magazine of 100 successful infections”. The price tag, including “remote data extraction”, project management and 12 months warranty, was $8 million.
Intellexa was clocking up air miles in the search for customers. In the months leading up to Prague, the white Cessna set off from Greece and Cyprus to visit Dubai, Abu Dhabi and Riyadh. Confidential documentation seen by Lighthouse Reports and partners shows that the company was also pushing hard for deals in Africa, and had engaged a network of known arms dealers to offer its products across the continent. As well as Sudan, the target client list included Mozambique, Angola, Kenya and Equatorial Guinea.
Inside the EU, governments are supposed to regulate any sales of surveillance technology to other countries. But authorities in Greece and Cyprus, when approached for this investigation, refused to disclose whether Intellexa or its associated companies have either applied for, or received, the requisite legal paperwork to actually carry out any non-EU sales.
The most recent set of published accounts for Thalestris, Intellexa’s Irish holding company, declared $35.6m of sales, over three quarters of which were in the Middle East. But two sources with knowledge of the company’s finances said that it had made sales of nearer $200m over the last three years.
While Intellexa’s stock was high at the industry event in Prague its activities on the ground were once again destabilising its host country. Since the revelation of the hacking of the journalist Koukakis in April, the Greek government repeatedly denied any role in or knowledge of the spyware operation. But Greece’s small independent media organisations refused to let go of the story, and its denials were looking increasingly threadbare.
AOJ71H 4 August 2022 15:12 Tel Aviv DOF/220804 C750 -LGKR -LLBG
The arrival of the white Cessna in Tel Aviv was not unusual. Along with Athens and Larnaca, Ben Gurion airport was its most regular stopover. But what happened next was highly unusual, as the jet remained on the ground for 10 weeks. Back in Athens, what was now becoming known as “Greece’s Watergate” was reaching boiling point.
The effort to portray Koukakis as an isolated victim fell apart on July 26 when opposition leader and MEP Nikos Androulakis had his phone checked at the European Parliament as part of a security sweep. The device was found to have received the same infected message as Koukakis. Three days later Greece’s intelligence agency admitted it had also spied on Androulakis, leader of the socialist PASOK party, for a period in 2021, a repeat of the same doubling up of eavesdropping technologies that Koukakis suffered.
Meanwhile, Grigoris Dimitriadis, the prime minister’s nephew, de facto head of his office and overseer of the Greek intelligence agency, had been identified as the government’s connection to the spyware scandal in early June.
Now, as the Cessna sat on the tarmac at Ben Gurion, Reporters United produced evidence of his business links to Felix Bitzios, Dilian’s fixer and the part owner of Intellexa in Greece.
The “tall guy”, as Dimitriadis is referred to in the Greek press, resigned without giving any reason on August 5. The head of Greece’s intelligence agency, Panagiotis Kontoleon, followed suit. The government denied Dimitriadis’ exit had anything to do with Intellexa’s activities and said Kontoleon stepped down owing to failures in legal surveillance activities.
Grigoris Dimitriadis and Felix Bitzios did not respond to requests for comment.
The two departures came as a jolt after a series of supine domestic investigations had skirted the core issue of who was operating the Predator hacking software in Greece. The Greek National Transparency Authority, one of three official probes, concluded that there was no contract between the state and Intellexa but did this without looking at Intellexa’s bank accounts. It delayed two months before visiting the company’s offices and failed to meet with any of its legal representatives. Similar shortcomings marked the parliamentary inquiry, led by members of the ruling party, which refused to call key witnesses, and in October cleared the prime minister of any knowledge of the spying affair.
The emerging crisis in Greece also dragged the attention of a European parliamentary committee away from the Pegasus scandal it had been set up to probe. In early September the PEGA inquiry staged a hearing in Brussels on events in Greece where Koukakis gave testimony. In early November its members spent four days in Greece and Cyprus seeking evidence on whether European laws had been broken. A senior Greek government official, who asked not to be named, summed up the contempt in which the mission was held: “We piss on PEGA,” he said.
PEGA’s rapporteur, Sophie in ‘t Veld, described the Greek government denials as “implausible” and asked why there has been no police investigation into Predator. As it stands, “it’s like catching somebody with their lips covered in chocolate and crumbs, claiming that they were never near the cookie jar”. The spyware market, she said, poses a threat to democratic institutions in Europe and around the world. “This stuff is like gangrene. It will infect one part of the body and then spread. You cannot contain it.”
With any strategy to contain the scandal now in tatters and the circumstantial evidence all-but overwhelming the Greek prime minister’s repeated denials, the corrosive effect of powerful spyware technology on even developed democracies is on full show. On November 5 the tabloid newspaper Documento published the first 35 names on what it claims is the full list of the Predator targets in Greece. Every Sunday the roll call is added to and now includes serving cabinet ministers, the inner circle of a powerful shipping and media tycoon, a popular comedian, friends of the prime minister’s wife, senior military figures and the country’s most respected newspaper editor. The list goes on.
While this new Sunday ritual is heavy on sex, lies and blackmail, it provides almost none of the evidence and sourcing that marked earlier independent reporting. So far none of those named have publicly confirmed whether they were infected.
Greece’s government has vowed to impose some form of ban on the sale of spyware but has not moved with any seriousness to close down the spyware operator on its doorstep. The white Cessna has resumed its shuttle runs with brief stops in North Africa and Switzerland. Four thousand kilometres away to the south and east in Sudan’s Jebel Marra, the mountain range that rises above Darfur, sources confirm that the surveillance system, bought from a company headquartered in the EU, is now operational.
To keep up to date with Lighthouse investigations sign up for our monthly newsletter
Our investigations don’t end when we publish a story with media partners. Reaching big public audiences is an important step but these investigations have an after life which we both track and take part in. Our work can lead to swift results from court cases to resignations, it can also have a slow-burn impact from public campaigns to political debates or community actions. Where appropriate we want to be part of the conversations that investigative journalism contributes to and to make a difference on the topics we cover. Check back here in the coming months for an update on how this work is having an impact.