Illicit Coalitions

In April 2022, Greek news outlet Inside Story revealed the first confirmed case of the use of “Predator” spyware against a Greek journalist. Since then, the list of people found to have been surveilled by the technology has grown, including acting and former ministers, opposition politicians, journalists and businessmen. 

Developed by a North Macedonian startup called Cytrox and marketed by Intellexa, a company based in Greece, Predator turns a person’s cell phone into what Eliza Triantafillou, an investigative journalist at Inside Story, has called “a perfect spy”.

It can activate a phone’s camera and microphone and allow snoopers to extract all the content on a mobile device – even communications conducted through encrypted messaging applications.

This joint investigation by Inside Story and the Investigative Reporting Lab in North Macedonia reveals the role of Cytrox in developing, marketing and exporting spyware in European countries and elsewhere under the Intellexa umbrella.

It also exposes the involvement of state intelligence services in facilitating illicit surveillance of their own citizens for nefarious purposes.

💥 #IJ4EU investigation reveals:
The Predator software, used for spying on journalists, dissidents and politicians – illegally developed and sold from North Macedonia.
Investigation by @insidestory_gr in Athens & @IrlMacedonia in Skopjehttps://t.co/bZ1s4wnbT9 pic.twitter.com/nWqGlJSDQI

— IPI – The Global Network for Independent Media (@globalfreemedia) April 12, 2023

The joint investigation obtained a set of classified intelligence documents from North Macedonia showing that Predator spyware was illegally developed by Cytrox, in Skopje, North Macedonia — and North Macedonian government officials knew about it but did nothing to stop it.

The team’s reporting revealed the existence of a complex corporate structure in Skopje developed by individuals and companies with direct ties to Intellexa. Among the owners of the various entities were former Israeli defence official Tal Dilian and Ivo Malinkovski, a member of a family of well-known North Macedonia winemakers. There were also arms dealers.

Other key findings of the investigation included:

• The Greek government’s efforts to legalise the state’s use of spyware, following a legal framework adopted by North Macedonia.
• The content of a classified preliminary agreement put together in 2022 by the then commander of the Greek National Intelligence Service, Panagiotis Kontoleon, and Zoran Angelovski, the head of the Operational Technical Agency Skopje, a statutory body charged with preventing the abuse of surveillance of electronic communications.
• The existence of an open channel of communication between the Greek Prime Minister’s Office under then chief-of-staff Grigoris Dimitriadis and Intellexa, the vendor of Predator spyware.

One of the most surprising revelations was a secret memorandum of understanding that the Greek National Information Service (NIS) was drafting with their counterparts in North Macedonia that was – shockingly – edited by an Intellexa operative.

In other words, the company that markets and distributes Predator spyware had a direct hand in drafting the MOU between authorities in the two countries – even though the Greek government has repeatedly said it has no contact with Intellexa.

⚠️Το κέντρο ελέγχου του Predator έχει τις ρίζες του στα Σκόπια

📌Το 1o κείμενο της πολύμηνης cross-border έρευνας του @insidestory_gr μαζί με τους καλούς συναδέλφους του @IrlMacedonia [και τη βοήθεια του #IJ4EU] για τις γραμμές που ενώνουν 🇲🇰 & 🇬🇷 στην υπόθεση του #Predatorgate pic.twitter.com/nagW1RxUxE

— Eliza Triantafillou (@e_triantafillou) April 12, 2023

Wide impact

All in all, the investigation shows close communication between the Greek Prime Minister’s Office and Intellexa and the involvement of the North Macedonia government in the affair.

It also sheds light on the corporate structure of this notorious vendor of spyware that has infected — or attempted to infect — the mobile phones of Greek journalists, politicians, business executives, members of the armed forces and others, some of whom were simultaneously targeted by NIS wiretaps.

In Greece, the investigation’s findings triggered statements from the opposition parties. The revelations were republished not only by non-government-aligned media but also by a significant number of more “systemic” media. The story even made it into the pages of Haaretz newspaper in Israel.

In North Macedonia, the investigation sparked debate in parliament. A few days after the publication of the second part of the investigation, the U.S. government added the main companies of the Intellexa “group” to their economic trade blacklist as part of the Biden administration’s efforts to counter the misuse of commercial spyware.

A couple of days after that, the Greek Data Protection Authority made public an overdue statement on their actions regarding spyware in Greece.

See the stories below.

Published stories

English

• Predator's control centre has its roots in Skopje ( Inside Story, Greece, April 12, 2023 )
• Intellexa makes corrections on a Greek Intelligence Service document ( Inside Story, Greece, July 13, 2023 )
• Israeli company developed spyware in Skopje, local officials looked the other way ( Investigative Reporting Lab, North Macedonia, April 12, 2023 )
• Intellexa makes corrections on a Greek Intelligence Service document ( Investigative Reporting Lab, North Macedonia, July 13, 2023 )

Greek

• Το κέντρο ελέγχου του Predator έχει τις ρίζες του στα Σκόπια ( Inside Story, Greece, April 12, 2023 )
• H Intellexa διορθώνει κείμενο της ΕΥΠ ( Inside Story, Greece, July 13, 2023 )

Macedonian

• Шпионскиот софтвер „Предатор“ нелегално се правел во Скопје додека надлежните замижувале ( Investigative Reporting Lab, North Macedonia, April 12, 2023 )
• Како класифицирани документи на македонските и грчките разузнавачки агенции завршија во рацете на креаторите на шпионскиот софтвер Предатор ( Investigative Reporting Lab, North Macedonia, July 13, 2023 )