Exploiting loopholes in Cyprus to build a notorious surveillance firm
By Jonathan Shkurko
In a recent investigative report by the International Consortium of Investigative Journalists (ICIJ), Cyprus is revealed to be a growing centre for the global spyware and surveillance technology trade.
The report shed light on the rise of cyber-surveillance companies in the region, with lax regulations allowing firms to operate with minimal oversight.
At the forefront of this surveillance technology wave is Tal Dilian, a former commander of an elite Israeli intelligence unit turned cyber arms dealer. The ICIJ investigation exposed Dilian’s wealth accumulation through his cyber-surveillance business based in Cyprus. The lack of a robust regulatory framework in Cyprus facilitated his operations, leading to the interception of personal data from millions of travellers passing through Larnaca airport.
Dilian’s former wife and business partner, Sara Hamou, played a crucial role in exploiting regulatory loopholes. Leaked documents reveal her involvement in managing legal issues related to surveillance projects across Europe, the Middle East, and Asia, the ICIJ says.
While Dilian has long been a known figure in the cyber-surveillance industry, Hamou’s influence, largely under the radar, has been instrumental in establishing their notorious spyware firm, Intellexa.
Intellexa’s flagship spyware, known as Predator, has raised significant concerns. The software transforms phones into surveillance devices, capable of accessing messages, calls, photos and even the device’s microphone. The ICIJ’s extensive review of leaked records shows Predator’s presence in at least 25 countries, with users including powerful paramilitary groups in Sudan, Egyptian intelligence services, and the Vietnamese government, which attempted to hack US officials’ phones.
Intellexa’s client list extends beyond oppressive regimes to include EU member states, which have used Predator to stifle dissent within their borders. The scandal involving data theft at Larnaca airport forced Dilian to relocate operations to Greece, but the fallout persisted.
Predator infected the phones of a Greek journalist and an opposition politician, prompting a US blacklist of companies selling Dilian’s spyware.
Despite the controversies, Hamou’s strategic manoeuvring shielded Intellexa from the full impact of these scandals. The ICIJ report underlined the complexity of their corporate network, designed to navigate EU regulations.
The lack of effective enforcement by Cypriot authorities raises questions about the country’s commitment to upholding EU laws governing spyware, the ICIJ claims.
Dilian’s success in Cyprus can be attributed to the island’s close ties with Israel, providing a favourable environment for Israeli executives. The report highlighted how Dilian used Cyprus to avoid seeking approval from Israeli regulators while recruiting hacking experts.
It also unveiled Cyprus’ allure to Israeli executives, with the head of Cyprus’ intelligence services stating that 29 Israeli-owned surveillance technology companies operate on the island.
The ICIJ investigation also revealed Hamou’s involvement in an intricate corporate network linked to Dilian. She held ownership stakes in multiple companies connected to Dilian, effectively concealing their activities and ownership. The report details the transfer of valuable companies to Hamou’s ownership, including Lusata Investments, worth over $2.6 million.
The ICIJ says Hamou’s role extended beyond Cyprus, as she facilitated the relocation of Israeli executives to the island. Maravilhas Solutions Ltd., a company she registered, is an example of Cyprus’ role in aiding Israeli-owned cyber-surveillance companies.
The leaked documents outline Maravilhas’ involvement in projects across Singapore, the United Arab Emirates (UAE), Bulgaria and Belgium.
The ICIJ report further exposed the EU’s limited ability to address the growing influence of spyware technology. Broad exemptions for national security in EU privacy laws provide member states with justifications for employing spyware, contributing to the industry’s expansion. Cyprus, reportedly receiving spyware tools in return for allowing businesses to operate, showed the EU’s failure to challenge member states on national security grounds.
On March 10, 2022, the European Parliament decided to set up the Pega Committee to investigate alleged infringement or maladministration in the application of EU law in relation to the use of Pegasus and equivalent spyware surveillance software.
In particular, the Pega Committee was asked to gather information on the extent to which EU member states or third countries are using intrusive surveillance in ways that violate the rights and freedoms enshrined in the Charter of Fundamental Rights of the EU.
As the ICIJ reported, Sophie in ’t Veld, the Pega Committee rapporteur, criticised the EU’s indifference to what was unveiled in Cyprus.
“The European Commission is basically saying, we’re not going to enforce the law,” she said. “Europe is becoming more and more of a gangster’s paradise.”
This ICIJ report underlined the urgent need for the EU to address the regulatory gaps that allow the flourishing of the spyware trade, particularly in countries like Cyprus.
As surveillance technologies continue to violate privacy and undermine democratic institutions, the EU is now facing a critical test in safeguarding its values against the evolving threat, the ICIJ says.