Cytrox Holdings Zrt (Hungary); Cytrox AD (North Macedonia); Balinese Ltd. (Israel); Peterbald Ltd. (Israel)
Cytrox is a company established in 2017 that makes malware used for cyberattacks and covert surveillance. Its Predator spyware was used to target Egyptian politician Ayman Nour in 2021 and to spy on 92 phones belonging to businessmen, journalists, politicians, government ministers and their associates in Greece. In 2023, the U.S. Department of Commerce added the Cytrox companies Cytrox AD in North Macedonia, and Cytrox Holdings Zrt in Hungary to its Entity List and on March 5, 2024, the U.S. Department of Treasury imposed sanctions upon Cytrox AD of North Macedonia and the Intellexa Consortium, which is the parent firm of Cytrox AD, "for trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide."[1][2][3]
Cytrox was established in 2017, reportedly as a startup in North Macedonia and received initial funding from Israel Aerospace Industries.[4] Its Crunchbase article describes it as providing an "operational cyber solution" to governments, including gathering information from devices and cloud services.[5] Cytrox's CEO is Ivo Malinkovski.[5][6] A review of corporate registry documents by the University of Toronto's Citizen Lab indicated that Cytrox has a presence in Israel and Hungary.[5]
In 2019, Forbes reported that Cytrox was rescued by Tal Dilian, a former commander of the Israel Defense Forces (IDF), who acquired the company for under $5 million.[7] Dilian served in the IDF for 25 years prior to his departure, following accusations that he had unlawfully enriched himself.[8] Dilian demonstrated the company's surveillance kit to Forbes by hacking into a Huawei device and obtaining its WhatsApp messages without clicks from the victim.[7][8]
The Citizen Lab said in 2021 that Cytrox was part of an alliance known as Intellexa, which it called "a marketing label for a range of mercenary surveillance vendors that emerged in 2019."[5][9] Dilian founded the Intellexa Group in 2018; the Intellexa Alliance combines the Intellexa Group and Nexa, a group of surveillance companies that operates mainly in France.[10]
In December 2021, Meta Platforms announced that Cytrox and six other surveillance-for-hire groups had been banned from using its platforms to target other users, in response to the Citizen Lab's findings about Cytrox's Predator spyware being used to target two Egyptian dissidents in June. Meta also announced it had removed over 1,500 Facebook and Instagram accounts associated with the seven companies, which it said were used to conduct social engineering, reconnaissance and sending malicious links to victims in over 100 countries.[11][6]
In July 2023, the U.S. Department of Commerce added the Cytrox companies Cytrox AD in North Macedonia, and Cytrox Holdings Zrt in Hungary to its Entity List, after determining that they posed a threat to the U.S.'s national security and foreign policy interests.[12][13][14][15]
Predator is spyware developed by Cytrox that targets the Android and iOS operating systems.[9] In May 2022, researchers at Google's Threat Analysis Group (TAG) reported that Predator bundled five zero-day exploits in one package and sold it to several government-backed actors, who used it in three separate campaigns. According to the researchers, Predator worked closely with a component named Alien, which "lives inside multiple privileged processes and receives commands from Predator."[16][9]
An analysis of the spyware conducted by Cisco Talos in May 2023 revealed that the spyware's Alien component actively implements the low-level functionality required by Predator to surveil its targets, instead of merely acting as a loader for Predator as was previously understood. In Talos's sample, Alien exploited five vulnerabilities, four of which affected Google Chrome and the last of which affected Linux and Android, to infect the targeted devices.[17][9] After infecting a device, Predator has full access to its microphone, camera and user data such as contacts and text messages.[18][19] Additionally, Predator has access to a device's location services and messaging apps such as WhatsApp, Telegram and Signal. It also allows hackers to intercept and falsify messages.[19]
An October 2023 investigation conducted by news organisations led by the European Investigative Collaborations network, known as the Predator Files, found that Predator has been sold to at least 25 countries, including Austria, Germany, Switzerland, the Democratic Republic of the Congo, Jordan, Kenya, Oman, Pakistan, Qatar, Singapore, the United Arab Emirates and Vietnam.[18] Reportedly it was also sold to the Rapid Support Forces in the Sudan.[20][21]
In March 2024, a number of individuals and legal entities associated with the Intellexa Consortium were named by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) for their involvement in the development, operation and distribution of commercial spyware. According to OFAC, the Intellexa Consortium was acting as a marketing label for numerous malicious cyber companies, enabling targeted and mass surveillance through the provision of commercial spyware and surveillance tools packaged in the Predator spyware suite.[22]
In September 2024, the U.S. Treasury announced five further sanctions targets, including senior executives and associates at Intellexa. The targets of the sanctions are alleged to have been involved in the sale of "Predator" to authoritarian governments:[23]
– Felix Bitzios, the owner of an Intellexa consortium company alleged to have sold Predator to an unnamed foreign government;
– Merom Harpaz and Panagiota Karaoli, named by the Treasury as senior Intellexa executives;
– Andrea Nicola Constantino Hermes Gambazzi, who according to the Treasury processed transactions for companies within the Intellexa consortium;
– Aliada Group, a company based in the British Virgin Islands and a member of the Intellexa group, alleged to have enabled tens of millions of dollars in transactions for the consortium.
In December 2021, the Citizen Lab reported that Predator was used to hack the devices of two individuals, Egyptian opposition politician Ayman Nour and an unnamed exiled journalist, in June.[5][6][9] As a result, Apple was forced to release a software update for iOS to close the zero-day exploits used to perform the attack.[24]
In September 2023, researchers at the Citizen Lab and the TAG reported that Egyptian opposition politician Ahmed Tantawi was targeted using Predator after announcing his presidential bid. The Citizen Lab said the effort likely failed due to Tantawi having his phone in "lockdown mode", which is recommended by Apple for iPhone users at high risk.[25][26][27] It also said it had "high confidence" that the attack was conducted by the Egyptian government.[26] Apple subsequently issued security updates to patch the vulnerabilities exploited by Predator.[26][27]
During the 2022 Greek wiretapping scandal, it was revealed that Predator was being used to surveil several politicians (including opposition politician Nikos Androulakis) and journalists, with the Greek government reportedly being implicated in buying and utilising Predator.[28][29] The Greek government admitted to spying on journalist Thanasis Koukakis, but denied using Predator or maintaining any association with Intellexa.[30] In October 2022, Koukakis sued Intellexa and its executive for breach of privacy.[31][30]
In March 2023, The New York Times reported that Artemis Seaford, a dual U.S.-Greek national and former security policy manager at Meta, had her phone infected with Predator while in Greece.[32][33]
In July 2023, the investigation team of the Hellenic Data Protection Authority announced that it had found 220 text messages containing a link polluted with Predator, that had been sent to 92 telephone numbers in order to turn them into spying devices. The news website Inside Story published the content of many of them,[34][35] which had been sent mostly in 2021. Their recipients included many politicians, ministers and their associates, including associates of the Prime Minister (e.g. Dimitris Avramopoulos, Giorgos Patoulis, Giorgos Gerapetritis, Kostis Hatzidakis, Thanos Plevris, Michalis Chrysochoidis, Adonis Georgiadis, Nikos Dendias, Christos Spirtzis), businessmen (e.g. Theodoros Karipidis), journalists, EYP cadres, at least one bishop and the editor of the newspaper Kathimerini, Alexis Papachelas. These names had been included in a list of persons alleged to have been spied upon by EYP and Predator, which had been published in November 2022 by the Documento newspaper.[35]
In October 2023, various American lawmakers were targeted by Vietnam using Predator, including Representative Michael McCaul (R-TX) and Senators John Hoeven (R-ND), Chris Murphy (D-CT) and Gary Peters (D-MI).[36] Experts on Asia at various think tanks and several journalists, including CNN's lead national security reporter Jim Sciutto, were also targeted.[37]
the Hungary-based Cytrox Holdings Zartkoruen Mukodo Reszvenytarsasag (Cytrox Holdings ZRT), which the Treasury described as having originally developed Predator before the consortium moved its software production to Cytrox AD of North Macedonia;
Sara Aleksandra Fayssal Hamou was born in Warsaw to a Polish mother and Lebanese father, attended law school in England, joined Trident Trust in December 2008, is closely associated with DJC Accountants of Cyprus and allegedly established numerous entities in support of Tal Dilian's interests using Cyprus as a hub. Trident Trust allegedly supports members of the inner circle of Vladimir Putin. Sara Hamou is the ex-wife of Tal Dilian and his business partner and is an attorney based in Cyprus who allegedly has implemented numerous surveillance projects in Asia, Africa, the Middle East and Europe.[38][40][41]