WEBVTT

00:00:00.080 --> 00:00:03.290
JACK: You ever think about the proliferation of weapons?

00:00:03.290 --> 00:00:06.129
Well, shoot, let’s get into it.

00:00:06.129 --> 00:00:08.480
I want you to think about this guy, Sam Cummings.

00:00:08.480 --> 00:00:12.280
Here; I found an old vintage documentary made by CNN.

00:00:12.280 --> 00:00:18.080
HOST: This is Sam Cummings, and this fifty-seven-year-old is the biggest private military weapons dealer

00:00:18.080 --> 00:00:19.080
in the world.

00:00:19.080 --> 00:00:22.130
SAM: The business as a business is fascinating.

00:00:22.130 --> 00:00:26.470
HOST: Cummings has sold tens of millions of guns to armies and sportsmen.

00:00:26.470 --> 00:00:31.980
JACK: Okay, so how did he become the biggest private military weapons dealer in the world?

00:00:31.980 --> 00:00:36.860
[MUSIC] Well, the US Department of Defense taught him; that’s how.

00:00:36.860 --> 00:00:42.140
When he was eighteen, in 1945, he was recruited into the US Army, which at the time, they

00:00:42.140 --> 00:00:44.040
were just wrapping up WWII.

00:00:44.040 --> 00:00:48.550
There was a big ramp-up to provide all these weapons for armies around the world to use

00:00:48.550 --> 00:00:51.379
in wars, and then suddenly the war was over.

00:00:51.379 --> 00:00:53.530
So, where’s all the weapons gonna go?

00:00:53.530 --> 00:00:57.710
HOST: As a young arms buff, Cummings got his start at the CIA.

00:00:57.710 --> 00:01:00.730
His assignment was to buy surplus weapons in Europe.

00:01:00.730 --> 00:01:05.449
At the age of twenty-three, he left the spy agency and started his own business.

00:01:05.449 --> 00:01:12.979
JACK: Buying surplus weapons in the CIA gave him a crazy idea; how about buy a whole bunch

00:01:12.979 --> 00:01:17.770
of cheap weapons now that the war is over and then slowly sell them over time?

00:01:17.770 --> 00:01:22.270
He had all the contacts he needed to go buy them, and so, he did.

00:01:22.270 --> 00:01:27.329
He was selling them to the public, like to hunters or sportsmen, and was becoming known

00:01:27.329 --> 00:01:29.530
for having a big supply of weapons.

00:01:29.530 --> 00:01:34.770
But he wanted bigger deals, and so he started talking to governments around the world.

00:01:34.770 --> 00:01:40.460
He brought a bunch of AR-10 rifles down to Nicaragua and demonstrated that to them there.

00:01:40.460 --> 00:01:44.960
Well, the Nicaraguan military was like, ah, that’s cool; send us some of those.

00:01:44.960 --> 00:01:48.780
Then the Dominican Republic wanted some, and then Cuba wanted some.

00:01:48.780 --> 00:01:55.090
Yeah, he sold battle rifles to all these places including Fidel Castro, which I think was

00:01:55.090 --> 00:02:00.579
illegal because it was an embargo not to sell any weapons to Castro, yet it still happened.

00:02:00.579 --> 00:02:04.909
Fidel Castro bought rifles from him, and he did not seem to get into any trouble for that.

00:02:04.909 --> 00:02:07.240
I don’t think he cared who he sold to.

00:02:07.240 --> 00:02:09.380
If you had money, he’d sell you weapons.

00:02:09.380 --> 00:02:13.790
HOST: Every morning, Cummings uses a telex to keep in touch with his military customers

00:02:13.790 --> 00:02:16.420
and branch offices.

00:02:16.420 --> 00:02:20.130
A telex comes in from Sudan offering surplus military equipment.

00:02:20.130 --> 00:02:25.910
SAM: I would go about 25% more than that in dollars if my list is the same as your list.

00:02:25.910 --> 00:02:30.410
HOST: Cummings’ military weapons are shipped and stored at Interarms House in Manchester,

00:02:30.410 --> 00:02:31.410
England.

00:02:31.410 --> 00:02:36.240
At any given moment there are a quarter of a million guns here, and on little notice,

00:02:36.240 --> 00:02:40.080
Cummings says he would have no trouble equipping a fair-sized army.

00:02:40.080 --> 00:02:46.159
SAM: Depends how large the army would be, but let’s say an army of an average smaller

00:02:46.159 --> 00:02:50.550
African or Latin-American state is 25,000 to 50,000 men.

00:02:50.550 --> 00:02:51.819
No problem.

00:02:51.819 --> 00:02:55.640
JACK: Can you believe this kind of thing was going on in the fifties and sixties?

00:02:55.640 --> 00:02:59.930
HOST: Sam Cummings has sold or bought arms from almost every country in the world.

00:02:59.930 --> 00:03:04.269
Interarms has supplied Africa, and his company’s weapons have shown up in Egypt.

00:03:04.269 --> 00:03:09.040
His guns were used at the Bay of Pigs by Fidel Castro and in Nicaragua under Somoza.

00:03:09.040 --> 00:03:12.049
But Cummings’ best customers are countries in Asia.

00:03:12.049 --> 00:03:18.670
JACK: This guy became a billionaire selling hundreds of thousands of weapons to anyone

00:03:18.670 --> 00:03:22.990
who would pay, and a lot of time he would buy these weapons from Russia, which was in

00:03:22.990 --> 00:03:25.330
the middle of a cold war with the US.

00:03:25.330 --> 00:03:31.519
SAM: I would say the Russians build the best military weapons across the board and they

00:03:31.519 --> 00:03:35.819
also build them in tremendous quantity, which is the key factor in modern war.

00:03:35.819 --> 00:03:41.830
JACK: I don’t know, I feel like this guy’s only ally in life is money.

00:03:41.830 --> 00:03:46.220
He doesn’t mind selling weapons to places that are actively at war with his home country,

00:03:46.220 --> 00:03:47.220
you know?

00:03:47.220 --> 00:03:52.140
So, clearly he doesn’t have an allegiance to the US, and from watching this documentary,

00:03:52.140 --> 00:03:56.519
he seems to believe that all sides are evil and there’s just no way to take the moral

00:03:56.519 --> 00:03:59.370
high ground on any of these trade deals.

00:03:59.370 --> 00:04:03.170
He does seem to have some kind of allegiance to his family, though.

00:04:03.170 --> 00:04:08.960
He invited this CNN reporter on an eight-hour car ride where they were going on a family

00:04:08.960 --> 00:04:13.730
trip somewhere, and I think it’s pretty weird to have a reporter in the car with the

00:04:13.730 --> 00:04:16.090
whole family for eight hours.

00:04:16.090 --> 00:04:17.160
But, okay.

00:04:17.160 --> 00:04:21.690
HOST: He asked us not to take pictures of his wife or his college-age daughters for

00:04:21.690 --> 00:04:23.090
security reasons.

00:04:23.090 --> 00:04:29.600
JACK: Well, strangely enough, years later one of those daughters, Susan, killed her

00:04:29.600 --> 00:04:37.090
boyfriend by shooting him four times, and was convicted and had to serve prison time.

00:04:37.090 --> 00:04:44.740
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:04:44.740 --> 00:04:49.990
I’m Jack Rhysider.

00:04:49.990 --> 00:04:53.210
This is Darknet Diaries.

00:04:53.210 --> 00:04:59.420
[INTRO MUSIC ENDS]

00:04:59.420 --> 00:05:10.000
JACK: Alright, so, let’s start out with what’s your name and what do you do.

00:05:10.000 --> 00:05:11.280
CROFTON: I’m Crofton Black.

00:05:11.280 --> 00:05:13.830
I’m a reporter at Lighthouse Reports.

00:05:13.830 --> 00:05:18.080
JACK: Lighthouse Reports is an investigative non-profit working with some of the world’s

00:05:18.080 --> 00:05:22.470
leading media companies on topics like migration and surveillance.

00:05:22.470 --> 00:05:26.880
A lot of episodes you hear on my show are sometimes slapped together in a matter of

00:05:26.880 --> 00:05:30.680
weeks and it’s only me doing the research, but not this episode.

00:05:30.680 --> 00:05:35.960
Here we have the luxury of talking with a real reporter who spent lots of time on this

00:05:35.960 --> 00:05:36.960
story.

00:05:36.960 --> 00:05:41.990
CROFTON: Well, this article was a big team effort, right, because — I mean, first of

00:05:41.990 --> 00:05:45.991
all, we at Lighthouse, we wouldn’t have got involved in it without the work that Inside

00:05:45.991 --> 00:05:53.520
Story in Greece did, and for me personally, working with those guys was just a huge privilege

00:05:53.520 --> 00:05:59.770
because they’re so knowledgeable and so capable, and the material they were able to

00:05:59.770 --> 00:06:03.470
dig up was truly astounding in some cases.

00:06:03.470 --> 00:06:11.310
I guess for me it was cool ’cause I’m a plane-tracking guy for a long time and I

00:06:11.310 --> 00:06:17.470
got into this business as a — doing plane-tracking stuff when I was tracking CIA rendition flights.

00:06:17.470 --> 00:06:22.470
So, for me it was kind of funny to do a story that combined those two things.

00:06:22.470 --> 00:06:26.000
That’s never happened before and I wonder if it’ll ever happen again.

00:06:26.000 --> 00:06:30.970
So, yeah, I’ve got a personal space in my heart for this story for that reason, really.

00:06:30.970 --> 00:06:36.210
JACK: The team at Lighthouse Reports spent over six months researching this story, and

00:06:36.210 --> 00:06:40.139
they worked together with other reporters and journalists and researchers, places like

00:06:40.139 --> 00:06:43.270
Inside Story in Greece and Haaretz in Israel.

00:06:43.270 --> 00:06:47.820
They published similar stories, too, and when I first read this story, I was like, whoa,

00:06:47.820 --> 00:06:48.820
what?

00:06:48.820 --> 00:06:51.730
So, buckle up and let’s go for a ride.

00:06:51.730 --> 00:06:56.910
[MOTORCYCLE REVVING] The person at the center of this story is a guy named Tal Dilion.

00:06:56.910 --> 00:07:05.900
CROFTON: Tal’s an Israeli entrepreneur, a long-time guy in the cyber business, formerly

00:07:05.900 --> 00:07:13.770
in the military like a lot of those guys are, came out, and he was involved in a very famous

00:07:13.770 --> 00:07:17.120
phone geolocation outfit called Circles back in the day.

00:07:17.120 --> 00:07:19.960
JACK: [MUSIC] So, I want to jump in here and underline this for a second.

00:07:19.960 --> 00:07:22.720
Tal went through the Israeli military.

00:07:22.720 --> 00:07:28.080
Specifically he was in Unit 81, which designs new tools for the Israeli military to use.

00:07:28.080 --> 00:07:33.199
I’ve heard that Unit 81 once designed a little microphone that was supposed to look

00:07:33.199 --> 00:07:37.840
like a rock so you could just set it down in an area you want to record audio in, and

00:07:37.840 --> 00:07:40.500
it’s hidden so nobody knows they’re being recorded.

00:07:40.500 --> 00:07:43.440
I imagine they make a lot of spy gear for the Israeli military.

00:07:43.440 --> 00:07:48.970
Yeah, so, Tal came out of that division, and when he left the military he created a company

00:07:48.970 --> 00:07:56.580
called Circles, which I believe was a surveillance company that used SS7 attacks to spy on mobile

00:07:56.580 --> 00:07:57.580
users.

00:07:57.580 --> 00:07:58.780
SS7 attacks are really fascinating.

00:07:58.780 --> 00:08:04.470
I’m not gonna get bogged down into the details of how they work, but real quick; SS7 is a

00:08:04.470 --> 00:08:10.330
way to exploit mobile carriers into getting info on the users or even taking over their

00:08:10.330 --> 00:08:11.500
phone number.

00:08:11.500 --> 00:08:17.099
I believe this company that Tal started, Circles, was using SS7 attacks to collect data from

00:08:17.099 --> 00:08:20.210
targets and intercept messages and phone calls.

00:08:20.210 --> 00:08:25.630
Well, this became quite the service, so much so that NSO Group was like, hey, that’s

00:08:25.630 --> 00:08:27.630
cool. Can we buy it?

00:08:27.630 --> 00:08:30.150
Now, NSO Group is someone I’ve covered in detail before.

00:08:30.150 --> 00:08:34.339
That’s Episode 100, and it’s actually the most-listened-to episode of this show.

00:08:34.339 --> 00:08:39.740
But to quickly recap who they are, NSO Group makes spyware called Pegasus and then sells

00:08:39.740 --> 00:08:44.260
it to governments around the world who then, well, spy on people.

00:08:44.260 --> 00:08:47.660
It infects the phone and then gives the government full visibility into it.

00:08:47.660 --> 00:08:53.980
So, when NSO saw how nifty this Circles company was, they purchased the company from Tal for

00:08:53.980 --> 00:08:56.470
$140 million.

00:08:56.470 --> 00:09:02.029
What would you do if you just sold your company for $140 million?

00:09:02.029 --> 00:09:07.010
Well, I’d move to a nice, warm island somewhere, and that’s just what Tal did, too.

00:09:07.010 --> 00:09:11.510
He moved to Cyprus, which is an island nation just off the coast of Israel in the Mediterranean

00:09:11.510 --> 00:09:12.510
Sea.

00:09:12.510 --> 00:09:17.750
But while there, he started talking with another Israeli named Abraham Avni.

00:09:17.750 --> 00:09:23.050
Abraham was a businessman and started a company called Pegasus Flight Center in Cyprus.

00:09:23.050 --> 00:09:24.709
I think they did charter planes.

00:09:24.709 --> 00:09:29.830
Together, Tal and Abraham started a new project; a surveillance tool.

00:09:29.830 --> 00:09:34.060
CROFTON: He had an outfit there called, I think, WiSpear.

00:09:34.060 --> 00:09:36.100
We Spear, Why Spear, something like that.

00:09:36.100 --> 00:09:38.970
JACK: It might also be a weird spelling for ‘whisper’.

00:09:38.970 --> 00:09:45.130
Anyway, Tal started advertising this mobile surveillance technology, and that’s when

00:09:45.130 --> 00:09:49.240
Forbes is like, hey, that looks interesting.

00:09:49.240 --> 00:09:52.200
Do you mind showing us on camera what you’re working on?

00:09:52.200 --> 00:09:54.540
He’s like, sure; come on out.

00:09:54.540 --> 00:09:57.440
So, Forbes goes to Cyprus and interviews him.

00:09:57.440 --> 00:10:03.020
TAL: [MUSIC] Actually, maybe you don’t like to know it, but somebody knows exactly where

00:10:03.020 --> 00:10:09.970
you are all the time because each of our devices just says, hey, I’m here every, I think,

00:10:09.970 --> 00:10:10.970
fifteen minutes.

00:10:10.970 --> 00:10:16.170
Maybe I don’t keep it and maybe I don’t share it with others, but the knowledge is

00:10:16.170 --> 00:10:17.170
there.

00:10:17.170 --> 00:10:19.000
JACK: This video is wild.

00:10:19.000 --> 00:10:23.320
It’s one of those that when you watch it, your jaw just drops and you’re like, what

00:10:23.320 --> 00:10:24.680
the hell is this?

00:10:24.680 --> 00:10:28.680
Tal takes them to his van and then opens the back doors up, and there’s like, two racks

00:10:28.680 --> 00:10:31.630
of computers, routers, switches, servers.

00:10:31.630 --> 00:10:34.310
Inside it looks like your classic FBI spy van.

00:10:34.310 --> 00:10:38.830
There’s a desk and monitors and chairs and electronics panels, antennas.

00:10:38.830 --> 00:10:45.970
It’s nuts, and Tal is saying, yeah, so this is a $9 million spy van, and here, let me

00:10:45.970 --> 00:10:46.970
demonstrate.

00:10:46.970 --> 00:10:47.970
TAL: We send out two people out of the van.

00:10:47.970 --> 00:10:49.690
We will trace them.

00:10:49.690 --> 00:10:53.410
We will intercept them.

00:10:53.410 --> 00:10:54.690
We will infect them.

00:10:54.690 --> 00:11:00.420
JACK: He proceeds to use WiSpear to lock on to these two people walking by, and somehow

00:11:00.420 --> 00:11:05.050
it grabs their data and he’s now in their phones spying on them.

00:11:05.050 --> 00:11:10.980
It’s a crazy piece of technology, but it’s even crazier that he was willing to show all

00:11:10.980 --> 00:11:14.050
this off on camera, to be published in Forbes.

00:11:14.050 --> 00:11:16.899
CROFTON: I think that’s his rep, you know.

00:11:16.899 --> 00:11:20.270
He’s known as a guy who — people call him a maverick.

00:11:20.270 --> 00:11:26.019
They say that he doesn’t play by the rules, that he does unexpected things, and I think

00:11:26.019 --> 00:11:31.430
that — I think you could class that video in the category of unexpected things, sure.

00:11:31.430 --> 00:11:36.760
I think it caused quite a stir when it came out the first — in the first place amongst

00:11:36.760 --> 00:11:38.490
people who follow this kind of stuff.

00:11:38.490 --> 00:11:45.500
It was kind of, oh, wow, this crazy video has appeared of — we never normally see

00:11:45.500 --> 00:11:47.329
this stuff.

00:11:47.329 --> 00:11:52.779
It obviously had a lot of ramifications for his business, which perhaps was unintended.

00:11:52.779 --> 00:11:54.010
I imagine it was unintended.

00:11:54.010 --> 00:11:58.769
JACK: Okay, so, Forbes publishes this video in September 2019.

00:11:58.769 --> 00:12:03.910
It rippled through the world, of course, but it also landed on the screens of the people

00:12:03.910 --> 00:12:08.310
within the Cyprus government, and they watched it in disbelief.

00:12:08.310 --> 00:12:14.070
A combination of both the police and the intelligence agency of Cyprus was shocked by this.

00:12:14.070 --> 00:12:18.710
They were like, you’re advertising more sophisticated spy tech than we have in our

00:12:18.710 --> 00:12:20.020
own government.

00:12:20.020 --> 00:12:23.990
But I think the main thing that Cyprus government got mad about was the fact that he was advertising

00:12:23.990 --> 00:12:27.670
this business that was being conducted out of Cyprus.

00:12:27.670 --> 00:12:30.889
This whole business is questionable.

00:12:30.889 --> 00:12:38.220
Espionage is illegal, you know, and here he’s selling tools to do it to who knows who.

00:12:38.220 --> 00:12:40.300
There are a lot of ethics at play here.

00:12:40.300 --> 00:12:45.940
So, a few months after this video aired, the Cyprus police decided to just take it down,

00:12:45.940 --> 00:12:47.260
take it all down.

00:12:47.260 --> 00:12:52.339
CROFTON: [MUSIC] They move in; they search his premises, they make — they arrest some

00:12:52.339 --> 00:12:57.620
employees, they go through his stuff, they impound the van, computer hardware, whatever.

00:12:57.620 --> 00:13:03.430
He’s out of the country at the time.

00:13:03.430 --> 00:13:07.750
They put out an arrest warrant for him, an arrest warrant for his business partner, Avni.

00:13:07.750 --> 00:13:14.959
Tal Dilion, who was absent at the time, he returned voluntarily to Cyprus from wherever

00:13:14.959 --> 00:13:15.959
he’d been.

00:13:15.959 --> 00:13:17.810
That was March 2020.

00:13:17.810 --> 00:13:18.810
He got arrested.

00:13:18.810 --> 00:13:19.810
He was questioned.

00:13:19.810 --> 00:13:21.220
He was released.

00:13:21.220 --> 00:13:27.850
JACK: It’s not clear what crimes Tal Dilion committed, but the Cyprus government made

00:13:27.850 --> 00:13:31.580
it clear that they just don’t want him running this business in their country.

00:13:31.580 --> 00:13:34.610
Tal got the message and agreed to pack it up.

00:13:34.610 --> 00:13:39.399
He had to move this whole operation somewhere new, and looked across the Mediterranean Sea

00:13:39.399 --> 00:13:42.139
and saw Greece.

00:13:42.139 --> 00:13:49.649
CROFTON: Dilion’s partner or wife, I believe, is a specialist in creating complex corporate

00:13:49.649 --> 00:13:50.649
structures.

00:13:50.649 --> 00:13:51.690
That’s a thing that she does.

00:13:51.690 --> 00:13:57.459
JACK: Tal began working on the paperwork to reestablish his company in Greece, and the

00:13:57.459 --> 00:14:01.310
whole time, he seemed to be a bit sore at the Cyprus government for ruining his plans.

00:14:01.310 --> 00:14:07.810
CROFTON: Well, he wrote an angry op-ed which was published in a newspaper where he basically

00:14:07.810 --> 00:14:13.420
said that the government was creating an unfriendly climate for business and that he was gonna

00:14:13.420 --> 00:14:14.870
take his business elsewhere.

00:14:14.870 --> 00:14:22.730
At least in terms of premises, that is, well, he did do that.

00:14:22.730 --> 00:14:24.470
He did take his office elsewhere; he took it to Athens.

00:14:24.470 --> 00:14:29.350
JACK: This, I think, put pressure on the Cyprus government to change their position.

00:14:29.350 --> 00:14:36.810
CROFTON: Ultimately, of course, the whole thing was maybe a bit of a storm in a teacup.

00:14:36.810 --> 00:14:40.500
After a year he was pretty much exonerated.

00:14:40.500 --> 00:14:49.430
The police who had carried out the raids were, I think — I mean, it was decided that basically

00:14:49.430 --> 00:14:53.880
they’d exceeded their powers in such and such a way or whatever.

00:14:53.880 --> 00:14:59.500
The whole thing was kind of smoothed over and I think eventually could have gone back

00:14:59.500 --> 00:15:02.790
to business as normal except by that time, he’d already decided that he wanted to set

00:15:02.790 --> 00:15:04.150
up a new office in Greece.

00:15:04.150 --> 00:15:12.120
JACK: You might be wondering, is this spyware, malware, virus thing legal?

00:15:12.120 --> 00:15:13.750
It’s just code.

00:15:13.750 --> 00:15:16.060
It’s just an app.

00:15:16.060 --> 00:15:18.510
To answer that, let’s go to Sudan.

00:15:18.510 --> 00:15:25.269
[MUSIC] In 2003, the Sudanese government had an armed militia called the Janjaweed, and

00:15:25.269 --> 00:15:28.949
they started conducting genocide on the people of Sudan.

00:15:28.949 --> 00:15:34.649
It’s believed that over a million children have been killed or tortured or raped or injured

00:15:34.649 --> 00:15:39.459
or just lost a parent in the last twenty years from this group.

00:15:39.459 --> 00:15:44.790
They’ve been accused of committing crimes against humanity so many times.

00:15:44.790 --> 00:15:50.490
The killings settled down for a while, but recently there’s been another flare up.

00:15:50.490 --> 00:15:53.180
Civil war has broken out in Sudan.

00:15:53.180 --> 00:15:58.199
The Janjaweed are back, but they changed their name now, and now they’re called the Rapid

00:15:58.199 --> 00:16:03.510
Support Forces, and the boss of them is Hemedti, and Hemedti is one of the richest people in

00:16:03.510 --> 00:16:08.600
Sudan and seems to be funding the war against the people of Sudan.

00:16:08.600 --> 00:16:14.009
Now, Crofton, the reporter we’ve been talking to in this episode, his specialty is tracking

00:16:14.009 --> 00:16:19.870
airplanes, and he was particularly zoomed in on the planes that Tal was getting on,

00:16:19.870 --> 00:16:25.899
and was trying to figure out if his flights had some connections with the business and

00:16:25.899 --> 00:16:27.220
his customers.

00:16:27.220 --> 00:16:33.589
CROFTON: This plane that we linked Tal Dilion flying into Khartoum and delivering some surveillance

00:16:33.589 --> 00:16:36.870
tech, that wasn’t for the regular army; it was for Hemedti.

00:16:36.870 --> 00:16:43.410
There was a bus stop; there was a flare-up between the two sides, and the Rapid Support

00:16:43.410 --> 00:16:49.670
Forces guys spirited this stuff away, took it out of Khartoum, took it off to Darfur.

00:16:49.670 --> 00:16:54.550
This was in May last year.

00:16:54.550 --> 00:17:04.329
So, when we wrote the piece, there were analysts who we spoke to — spoke about the potentially

00:17:04.329 --> 00:17:10.650
lethal implications of someone like Hemedti having access to top-of-the-range phone-hacking

00:17:10.650 --> 00:17:11.650
technology.

00:17:11.650 --> 00:17:18.480
So, yeah, to circle back to your question, Sudan’s Rapid Support Forces is extremely

00:17:18.480 --> 00:17:24.020
high on the list of people who it’s hard to find a legitimate reason for selling phone-hacking

00:17:24.020 --> 00:17:25.450
equipment to, I believe.

00:17:25.450 --> 00:17:32.330
JACK: So, if Tal is selling his spyware to people in Sudan who are using it to kill innocent

00:17:32.330 --> 00:17:38.140
civilians, then how much of that responsibility should fall back onto Tal?

00:17:38.140 --> 00:17:43.190
The kit he has for sale can be weaponized against innocent people.

00:17:43.190 --> 00:17:47.780
Militia groups who are actively killing their citizens, attempting genocide, and are accused

00:17:47.780 --> 00:17:53.460
of crimes against humanity now have this spyware in their hands and can use it?

00:17:53.460 --> 00:17:58.120
I think conducting weapons deals with Sudan’s militia groups should be illegal.

00:17:58.120 --> 00:18:02.760
[PLANE ENGINE] But is this spyware a weapon?

00:18:02.760 --> 00:18:09.130
So, anyway, that was one of the trade deals that Crofton was tracking by watching Tal’s

00:18:09.130 --> 00:18:11.750
flights in and out of Sudan.

00:18:11.750 --> 00:18:18.650
CROFTON: So, he heads to Greece, and Greece has a new government at this point.

00:18:18.650 --> 00:18:22.580
The new government comes in in 2019.

00:18:22.580 --> 00:18:27.130
JACK: Now, I wracked my brain trying to understand; why Greece?

00:18:27.130 --> 00:18:33.299
Why not just establish a base in Israel, his home country where he’s a military veteran

00:18:33.299 --> 00:18:34.299
there?

00:18:34.299 --> 00:18:35.299
He knows people there.

00:18:35.299 --> 00:18:36.630
He could just operate out of there.

00:18:36.630 --> 00:18:38.960
But I have a theory.

00:18:38.960 --> 00:18:44.929
I believe Tal really likes what the NSO Group is doing, which is creating mobile spyware

00:18:44.929 --> 00:18:47.130
and selling it to governments around the world.

00:18:47.130 --> 00:18:50.810
But he also saw all the heat and scrutiny that NSO Group was under.

00:18:50.810 --> 00:18:54.750
They have to work closely with the Israeli government to share with them who they’re

00:18:54.750 --> 00:18:59.860
doing business with, and there may be some restrictions that have been put on the NSO

00:18:59.860 --> 00:19:02.720
Group, like who they can and can’t do business with.

00:19:02.720 --> 00:19:06.720
If there weren’t restrictions, there is a lot of public outcry and scrutiny of the

00:19:06.720 --> 00:19:11.659
NSO Group of what they should be doing and not doing, which can spoil deals.

00:19:11.659 --> 00:19:17.890
I believe Tal saw this huge fire that the NSO Group had started and decided to take

00:19:17.890 --> 00:19:22.770
the wheel and drive right into it, but he would sort of sidestep all the bureaucracy

00:19:22.770 --> 00:19:24.970
that NSO was tied up in.

00:19:24.970 --> 00:19:29.789
If the Israeli government required some kind of oversight into the affairs of NSO Group,

00:19:29.789 --> 00:19:31.010
then forget that.

00:19:31.010 --> 00:19:33.070
Let’s set up shop in a different country.

00:19:33.070 --> 00:19:39.110
If NSO couldn’t sell to certain regimes, Tal might have seen that as an opportunity

00:19:39.110 --> 00:19:42.400
to do business with forbidden customers.

00:19:42.400 --> 00:19:49.820
Tal knows that some people he sells his spyware to misuse it, but his response to this?

00:19:49.820 --> 00:19:51.169
Well, he told Forbes.

00:19:51.169 --> 00:19:55.330
TAL: We are not the policemen of the world and we are not the judges of the world.

00:19:55.330 --> 00:19:59.460
JACK: Which makes me think he may be interested in doing business with anyone.

00:19:59.460 --> 00:20:04.039
If that’s the case, I’m not sure he only does business with governments.

00:20:04.039 --> 00:20:06.950
He might be selling his spyware to anyone who can afford it.

00:20:06.950 --> 00:20:10.669
In 2019, Tal started thinking bigger.

00:20:10.669 --> 00:20:16.179
That van kitted out with that WiSpear technology, well, he wanted to crank that thing up even

00:20:16.179 --> 00:20:17.179
higher.

00:20:17.179 --> 00:20:21.340
Now, he’s not the kind of guy that’s tapping away on the keyboard writing malware.

00:20:21.340 --> 00:20:27.040
No; what he’s looking for are other companies that are already doing that, because he’d

00:20:27.040 --> 00:20:29.020
want to purchase those companies.

00:20:29.020 --> 00:20:33.610
Two companies caught his eye; Cytrox and Nexa.

00:20:33.610 --> 00:20:39.549
Cytrox made this phone-hacking software called Predator, and I believe it was Citizen Lab

00:20:39.549 --> 00:20:42.550
that first showed us a glimpse into what Predator is.

00:20:42.550 --> 00:20:44.020
BILL: So, I’m Bill Marczak.

00:20:44.020 --> 00:20:50.280
I am a senior researcher at the Citizen Lab at the University of Toronto, and I do a lot

00:20:50.280 --> 00:20:56.659
of the technical work at Citizen Lab in tracking what we call the mercenary spyware industry.

00:20:56.659 --> 00:21:01.910
So, companies like NSO or Cytrox, which makes Predator.

00:21:01.910 --> 00:21:06.980
JACK: A couple of people in Egypt felt like something weird was going on on their phone.

00:21:06.980 --> 00:21:09.840
One was a journalist; one was a politician.

00:21:09.840 --> 00:21:14.220
They heard about Citizen Lab and they reached out, asking them to examine their phones.

00:21:14.220 --> 00:21:15.220
BILL: That’s right, yeah.

00:21:15.220 --> 00:21:21.950
We first discovered samples of Predator back in November, December 2021.

00:21:21.950 --> 00:21:30.049
It’s funny; we were actually checking people’s phones for Pegasus, but we found one phone

00:21:30.049 --> 00:21:36.409
and something else caught our eye, which was there was a suspicious process running on

00:21:36.409 --> 00:21:42.590
the phone right when the forensic data was gathered called Payload 2, [MUSIC] which struck

00:21:42.590 --> 00:21:44.150
us as quite suspicious.

00:21:44.150 --> 00:21:50.419
JACK: Payload 2 didn’t match any previously known malware that they had been tracking on phones.

00:21:50.419 --> 00:21:55.140
So, of course, it was time to crack this open and look closer.

00:21:55.140 --> 00:21:56.140
BILL: Right.

00:21:56.140 --> 00:22:03.090
We could see precisely what input or arguments were passed into this process when it was

00:22:03.090 --> 00:22:13.420
started up, and those arguments included a URL, which was very long, looked quite dodgy.

00:22:13.420 --> 00:22:20.650
When we went out and fetched this URL, we were actually able to obtain a binary file

00:22:20.650 --> 00:22:21.779
for an iPhone.

00:22:21.779 --> 00:22:25.360
In other words, an application.

00:22:25.360 --> 00:22:29.520
Analysis of this application quite clearly established that it was spyware.

00:22:29.520 --> 00:22:38.679
It had the capability to, for instance, exfiltrate files from the phone, take passwords, turn

00:22:38.679 --> 00:22:41.000
on the microphone and listen in to what was going on.

00:22:41.000 --> 00:22:48.570
So, we were actually able to analyze the final payload of the spyware and understand what

00:22:48.570 --> 00:22:57.000
it was doing, and through analysis of the payload as well as analysis of that URL and

00:22:57.000 --> 00:23:02.950
the website in the URL, we were able to make an attribution back to Predator.

00:23:02.950 --> 00:23:08.510
JACK: This was a big finding, and they published this for everyone to see.

00:23:08.510 --> 00:23:11.260
The report was loaded with tons of information, too.

00:23:11.260 --> 00:23:15.400
I mean, not only was it like, here’s the malware we found, but it’s like, here’s

00:23:15.400 --> 00:23:19.530
what it does, here’s how you can detect if it’s on your phone, but it also showed the

00:23:19.530 --> 00:23:24.990
links to how they know that this is the Predator spyware made by Cytrox.

00:23:24.990 --> 00:23:27.130
But it doesn’t stop there.

00:23:27.130 --> 00:23:31.770
It goes on to say who Cytrox was, who Tal Dilion was, and all these other companies

00:23:31.770 --> 00:23:34.890
that may also be involved with this.

00:23:34.890 --> 00:23:42.179
Then it goes on to say who those companies may be selling this to, actually listing some

00:23:42.179 --> 00:23:44.150
of the governments that may have bought this.

00:23:44.150 --> 00:23:45.150
BILL: Yeah.

00:23:45.150 --> 00:23:49.630
One of the interesting things that struck us about this company, or this sort of cluster

00:23:49.630 --> 00:23:55.590
of companies like Intellexa and Cytrox that are behind Predator, is there was this very

00:23:55.590 --> 00:24:02.450
tangled corporate web spanning multiple different countries and it was tough to figure out exactly

00:24:02.450 --> 00:24:03.780
what was going on.

00:24:03.780 --> 00:24:08.660
Where were the people actually writing the spyware code physically located?

00:24:08.660 --> 00:24:14.340
We did see some references in the spyware’s code; like, they were trying to avoid targeting

00:24:14.340 --> 00:24:20.549
phone numbers in Israel even though the company is ostensibly or was ostensibly Cytrox-based

00:24:20.549 --> 00:24:21.880
in Northern Macedonia.

00:24:21.880 --> 00:24:27.470
So, there’s all these weird links which are hard — a little bit hard to make sense

00:24:27.470 --> 00:24:28.470
of.

00:24:28.470 --> 00:24:33.150
JACK: I just want to stop and show respect for this skill for a moment.

00:24:33.150 --> 00:24:37.480
It’s one thing to be able to analyze binary files for an iPhone, but it’s a whole other

00:24:37.480 --> 00:24:42.409
skill set to try to determine the geopolitical ramifications for such an exploit being sold

00:24:42.409 --> 00:24:45.030
on the mercenary marketplace, you know?

00:24:45.030 --> 00:24:48.570
In fact, it wasn’t just Citizen Lab who was investigating this.

00:24:48.570 --> 00:24:53.760
They shared their findings with the security team at Meta, Facebook, who was also investigating,

00:24:53.760 --> 00:24:58.559
and the combined forces of Citizen Lab and Meta meant that these reports they published

00:24:58.559 --> 00:24:59.990
were very impressive.

00:24:59.990 --> 00:25:05.059
Okay, so let’s try to connect some of the dots ourselves of what happened here.

00:25:05.059 --> 00:25:10.340
An Egyptian politician who was living in exile and an Egyptian journalist were both found

00:25:10.340 --> 00:25:12.370
to have Predator on their phones.

00:25:12.370 --> 00:25:18.990
If two people from Egypt are infected with this, it may mean the Egyptian government

00:25:18.990 --> 00:25:24.740
is using this technology to spy on their civil society, which is spooky.

00:25:24.740 --> 00:25:30.260
You’d think they’d be using this to stop terrorists or catch criminals, but they’re

00:25:30.260 --> 00:25:34.380
using it to see what stories a journalist is working on next?

00:25:34.380 --> 00:25:36.990
This is awful.

00:25:36.990 --> 00:25:42.720
But when we back up a second and say, okay, so, who makes Predator, this company called

00:25:42.720 --> 00:25:44.830
Cytrox comes up.

00:25:44.830 --> 00:25:50.510
We see that Cytrox was bought by Tal Dilion, but we also read about this other company

00:25:50.510 --> 00:25:52.330
called Nexa.

00:25:52.330 --> 00:25:55.080
Nexa was formerly known as Amesys.

00:25:55.080 --> 00:25:59.740
Amesys was indicted for illegally selling weapons to Libya.

00:25:59.740 --> 00:26:06.210
In fact, Amesys was charged with crimes against humanity for helping Libya conduct torture.

00:26:06.210 --> 00:26:07.360
But guess what?

00:26:07.360 --> 00:26:11.840
While the executives of that company were facing these indictments, Tal started making

00:26:11.840 --> 00:26:12.840
deals with them.

00:26:12.840 --> 00:26:17.600
I don’t know exactly what, but at the very least he was using their technology somehow,

00:26:17.600 --> 00:26:20.799
either through a partnership or a deal he made with them.

00:26:20.799 --> 00:26:25.770
With that technology, he combined the names together, Cytrox and Nexa, to form a new company

00:26:25.770 --> 00:26:31.159
called Intellexa, combining this new technology with that spy van WiSpear stuff he already

00:26:31.159 --> 00:26:32.159
had.

00:26:32.159 --> 00:26:38.220
It meant that Intellexa had quite the arsenal of ways to gather data off a phone and track

00:26:38.220 --> 00:26:39.909
its location.

00:26:39.909 --> 00:26:44.400
He doesn’t seem to be bothered by making deals with a company that’s been accused

00:26:44.400 --> 00:26:46.940
of conducting crimes against humanity.

00:26:46.940 --> 00:26:52.850
The report that Meta came up with showed that Predator may have been sold to the following

00:26:52.850 --> 00:27:01.360
governments; Egypt, Armenia, Saudi Arabia, Colombia, Vietnam, Philippines, Germany, and

00:27:01.360 --> 00:27:02.360
Greece.

00:27:02.360 --> 00:27:03.950
Of course Greece, right?

00:27:03.950 --> 00:27:09.090
Tal was reestablishing his whole business in Greece at the same time.

00:27:09.090 --> 00:27:13.860
If he had some kind of partnership with high-ups in the Greek government, then that might be

00:27:13.860 --> 00:27:15.779
a good reason to move there.

00:27:15.779 --> 00:27:21.220
If he had some connections, then that might help him be able to conduct business without

00:27:21.220 --> 00:27:24.270
having that long arm of the law messing things up.

00:27:24.270 --> 00:27:30.159
Well, some Greek journalists saw this report by Meta and Citizen Lab, and they were like,

00:27:30.159 --> 00:27:33.130
what, spyware may have been sold to the Greek government?

00:27:33.130 --> 00:27:34.679
We better write a story on this.

00:27:34.679 --> 00:27:39.899
A news outlet called Inside Story wrote a piece basically saying, look out; Predator

00:27:39.899 --> 00:27:41.950
may be in the wild here in Greece.

00:27:41.950 --> 00:27:44.250
A nice warning, right?

00:27:44.250 --> 00:27:51.630
CROFTON: Someone — one person who read that report is a journalist called Thanasis Koukakis.

00:27:51.630 --> 00:27:58.240
He read the report and it made him a bit suspicious because one of the people who was mentioned

00:27:58.240 --> 00:28:03.520
in passing was a man called Felix Bitsios, and Felix Bitsios was someone who Koukakis,

00:28:03.520 --> 00:28:07.860
the journalist, had been investigating a couple of years before.

00:28:07.860 --> 00:28:14.960
I think seeing the target of his former investigation tied into the corporate structure of a spy

00:28:14.960 --> 00:28:21.100
company that was operating in Greece kind of set off some red flags for him, and I believe

00:28:21.100 --> 00:28:26.809
that’s what led him to go to the guys at Citizen Lab and ask him — ask them to check

00:28:26.809 --> 00:28:28.809
his phone. BILL: Right.

00:28:28.809 --> 00:28:34.870
Yeah, we started getting some outreach from Greece, and spoiler alert; we found spyware.

00:28:34.870 --> 00:28:42.120
So, the first confirmation we were able to produce centered around this financial journalist,

00:28:42.120 --> 00:28:48.730
Thanasis Koukakis based in Greece, who had contacted us, and he was already a little

00:28:48.730 --> 00:28:53.279
bit suspicious for a number of reasons about potential surveillance.

00:28:53.279 --> 00:28:55.620
He noticed his phone acting a little bit weird.

00:28:55.620 --> 00:29:01.400
He had flagged some text messages that he thought were a little bit odd.

00:29:01.400 --> 00:29:06.360
So, we instructed him on how to forward some forensic information from his phone.

00:29:06.360 --> 00:29:11.130
[MUSIC] We reviewed it and lo and behold, we were able to determine that his phone had

00:29:11.130 --> 00:29:16.380
been hacked successfully with Predator, and I believe it was July 2021.

00:29:16.380 --> 00:29:23.529
JACK: The Greek paper Inside Story exposed it, and once news broke out, it erupted in

00:29:23.529 --> 00:29:25.760
an explosion of articles.

00:29:25.760 --> 00:29:30.880
Then the Committee to Protect Journalists chimed in, Amnesty International echoed the

00:29:30.880 --> 00:29:35.610
story, the Council of Europe spoke up; it was news that could not be silenced.

00:29:35.610 --> 00:29:40.040
CROFTON: Okay, it was kind of a rolling thing that just got bigger and bigger.

00:29:40.040 --> 00:29:47.900
There was all kinds of questions and rumors about who was behind the use of the Predator

00:29:47.900 --> 00:29:58.220
software in Greece and how it connected to the, if you like, quote, unquote, “official”

00:29:58.220 --> 00:30:00.200
phone-tapping software.

00:30:00.200 --> 00:30:02.799
This was puzzling. Why?

00:30:02.799 --> 00:30:04.590
Is it two different entities doing it?

00:30:04.590 --> 00:30:09.200
Is it one entity doing it but just doing it two different ways?

00:30:09.200 --> 00:30:11.769
What’s going on there?

00:30:11.769 --> 00:30:15.350
That was definitely a question that was — in the Greek context that was troubling a lot

00:30:15.350 --> 00:30:16.520
of people.

00:30:16.520 --> 00:30:24.250
BILL: Yeah, one of the really nice things to see in Greece was that there was this — such

00:30:24.250 --> 00:30:29.110
tenacity on behalf of the investigative journalist community there.

00:30:29.110 --> 00:30:34.240
They were so invested, so interested in this story, and we don’t really see that in a

00:30:34.240 --> 00:30:40.040
lot of other countries that — where we uncover spyware abuses, perhaps because they’re

00:30:40.040 --> 00:30:48.519
more repressive or there’s not as much of a tradition or it’s not really — in Greece

00:30:48.519 --> 00:30:54.029
you have this — oh, the birthplace of democracy ingrained in the public consciousness.

00:30:54.029 --> 00:30:59.980
So, there’s a lot of people, I think, who feel some responsibility to take action, to

00:30:59.980 --> 00:31:02.960
live up to that legacy.

00:31:02.960 --> 00:31:09.150
So, just incredible, incredible work by the investigative journalists in Greece taking

00:31:09.150 --> 00:31:14.140
this story forward, constantly pushing the government and ministers for information,

00:31:14.140 --> 00:31:16.059
and driving this case forward.

00:31:16.059 --> 00:31:18.269
JACK: The Greek government spoke up.

00:31:18.269 --> 00:31:19.269
SPEAKER: [SPEAKING GREEK]

00:31:19.269 --> 00:31:24.100
JACK: …and said, well, we’ve never heard of this Predatory spyware, so clearly it’s

00:31:24.100 --> 00:31:26.600
not us, okay?

00:31:26.600 --> 00:31:31.450
But now that this story made such a stink, other people started wondering if their phones

00:31:31.450 --> 00:31:33.330
were being targeted, too.

00:31:33.330 --> 00:31:38.090
So, some more Greek people who thought something weird was going on on their phone sent the

00:31:38.090 --> 00:31:44.260
data to Citizen Lab for analysis, and yeah, more instances of Predator were found.

00:31:44.260 --> 00:31:49.679
At this point, three people from Greece’s civil society were confirmed to have Predator

00:31:49.679 --> 00:31:50.909
on their phone.

00:31:50.909 --> 00:31:56.250
One of these people was a journalist and the other was the opposition leader, Nikos Angelakis,

00:31:56.250 --> 00:31:57.480
a politician.

00:31:57.480 --> 00:32:01.549
Now, by this time, Citizen Lab was getting pretty good at understanding how all this

00:32:01.549 --> 00:32:02.549
worked.

00:32:02.549 --> 00:32:06.720
First, the victim would receive a phishing text message, and these were crafty phishing

00:32:06.720 --> 00:32:07.720
messages.

00:32:07.720 --> 00:32:12.840
BILL: Some of the common themes are really anything that creates or engenders a sense

00:32:12.840 --> 00:32:17.910
of urgency to interact with the message to ensure that the target clicks on these in

00:32:17.910 --> 00:32:19.720
a timely fashion.

00:32:19.720 --> 00:32:26.110
So, for instance, things about a large, unpaid phone bill or something.

00:32:26.110 --> 00:32:28.289
Like, oh, you owe the phone company $8,000.

00:32:28.289 --> 00:32:31.500
It’s due in two days.

00:32:31.500 --> 00:32:34.840
Click here to pay, or something.

00:32:34.840 --> 00:32:41.080
Or things that are interesting to the target given upcoming events in the target’s life.

00:32:41.080 --> 00:32:45.659
Like, oh, you have a package delivery, is one we see a lot.

00:32:45.659 --> 00:32:48.810
Click here to customize the delivery of the package.

00:32:48.810 --> 00:32:55.250
We couldn’t reach you; click here to reschedule delivery, or things like the upcoming vaccine

00:32:55.250 --> 00:32:59.630
appointment or upcoming — here’s your boarding pass for your upcoming flight or

00:32:59.630 --> 00:33:01.529
here’s your registration for this conference.

00:33:01.529 --> 00:33:07.360
So, they can use cues from the target’s life to make these seem very plausible for

00:33:07.360 --> 00:33:08.420
the target to click on.

00:33:08.420 --> 00:33:12.900
JACK: [MUSIC] Once the user clicks the link, it triggers a series of exploits on the phone.

00:33:12.900 --> 00:33:17.289
It may seem like it’s just one click, but there’s a whole bunch of steps that have

00:33:17.289 --> 00:33:19.830
to happen for the phone to get infected.

00:33:19.830 --> 00:33:24.460
The website exploits something within the Safari browser which then gets a foothold

00:33:24.460 --> 00:33:28.530
on the phone, and from there it downloads additional malware to infect the phone, and

00:33:28.530 --> 00:33:35.370
after a few steps, it then has the spyware binary file on the phone which is able to

00:33:35.370 --> 00:33:40.289
watch what’s going on with the camera, listen on the microphone, scrape passwords, read

00:33:40.289 --> 00:33:44.570
texts, and of course, report where the person is.

00:33:44.570 --> 00:33:49.809
Now, the tricky thing about this malware was as soon as it would infect the phone, it would

00:33:49.809 --> 00:33:53.289
erase the tracks of the whole infection process.

00:33:53.289 --> 00:33:58.070
So, while it may have taken a few exploits to get it to work, those exploits were not

00:33:58.070 --> 00:34:03.360
visible to Citizen Lab since traces of how it got in were wiped.

00:34:03.360 --> 00:34:07.789
This stinks because it means they can’t go to Apple and show them this vulnerability

00:34:07.789 --> 00:34:09.270
that needs to be patched.

00:34:09.270 --> 00:34:15.070
It’s like they caught the spy in the building but have no idea how he got in, so you don’t

00:34:15.070 --> 00:34:17.649
know which door or window to go check on.

00:34:17.649 --> 00:34:22.670
You have to think, hold on, if the Greek government paid all this money for this software, surely

00:34:22.670 --> 00:34:25.909
they didn’t get it just to infect these three people.

00:34:25.909 --> 00:34:29.340
So, who else is being targeted with this?

00:34:29.340 --> 00:34:32.909
People demanded that the Greek government say something now that three people had their

00:34:32.909 --> 00:34:33.919
phones infected.

00:34:33.919 --> 00:34:39.349
They said, oh, okay, yeah, well, we’ve heard of this Predator spyware, but that’s not

00:34:39.349 --> 00:34:43.210
something we have, flat-out denying it for a second time.

00:34:43.210 --> 00:34:46.230
But people didn’t accept that as a good answer.

00:34:46.230 --> 00:34:51.500
In fact, they sort of narrowed down who would do such a thing, and they landed on this must

00:34:51.500 --> 00:34:57.140
be the work of EYP, which is Greece’s intelligence agency, pronounced ‘eep’.

00:34:57.140 --> 00:35:02.050
Because here’s the thing; this technology is supposedly only sold to intelligence agencies.

00:35:02.050 --> 00:35:07.450
So, either they did it or they know who did it or should be investigating to find out

00:35:07.450 --> 00:35:08.680
who did it.

00:35:08.680 --> 00:35:11.859
If they don’t know who did it, then they’re bad at their jobs, you know?

00:35:11.859 --> 00:35:16.130
So, EYP has to know something about this.

00:35:16.130 --> 00:35:20.450
This circles back to the Greek prime minister, too, because as soon as he took office in

00:35:20.450 --> 00:35:26.010
2019, he moved the Greek intelligence agency to be under the direct control of the prime

00:35:26.010 --> 00:35:27.970
minister’s office.

00:35:27.970 --> 00:35:31.240
But not all news outlets were angry about this in Greece.

00:35:31.240 --> 00:35:36.670
In fact, a lot of mainstream media in Greece was on the government’s side, trying to

00:35:36.670 --> 00:35:41.190
slander the journalists for bringing up these stories, even slandering the people who were

00:35:41.190 --> 00:35:45.120
infected by the spyware since they were critical of the government.

00:35:45.120 --> 00:35:46.760
It was a mess.

00:35:46.760 --> 00:35:51.950
Now, while all this was going on in Greece, a big conference was kicking off in Prague

00:35:51.950 --> 00:35:54.230
called ISS World.

00:35:54.230 --> 00:36:02.140
CROFTON: [MUSIC] ISS World is — it’s one of the kind of premiere — maybe the premiere

00:36:02.140 --> 00:36:04.730
surveillance technology conference.

00:36:04.730 --> 00:36:06.900
It happens a few times a year in different locations.

00:36:06.900 --> 00:36:08.390
There’s one in Prague.

00:36:08.390 --> 00:36:15.340
It’s showcasing everything from a large booth featuring — hidden away in a kind

00:36:15.340 --> 00:36:24.030
of inner sanctum — presentations of NSO Group’s Pegasus phone-hacking tech,

00:36:24.030 --> 00:36:30.839
all the way down to open-source analytic suites.

00:36:30.839 --> 00:36:38.859
I guess hidden — there’s hidden camera stuff there, audio-gathering stuff, but it’s

00:36:38.859 --> 00:36:43.480
the mecca of the highest-end surveillance technology sales.

00:36:43.480 --> 00:36:51.119
You’ll find exhibiting there the world’s most famous spyware companies like Intellexa,

00:36:51.119 --> 00:36:54.630
like Candiru, like NSO Group.

00:36:54.630 --> 00:36:57.000
JACK: Rayzone, Septier…

00:36:57.000 --> 00:37:00.150
CROFTON: Rayzone, Septier, yep.

00:37:00.150 --> 00:37:02.690
They’re not quite as famous as the others, but they’re…

00:37:02.690 --> 00:37:07.590
JACK: So, when you list a bunch of companies like that, I just feel like, oh my gosh, there’s

00:37:07.590 --> 00:37:10.590
gotta be a huge story for every one of those companies.

00:37:10.590 --> 00:37:11.829
Who have they done business with?

00:37:11.829 --> 00:37:13.180
Who have they spied on?

00:37:13.180 --> 00:37:14.910
What shady deals are they dealing with?

00:37:14.910 --> 00:37:20.530
We keep picking on NSO, but I really feel like — just walk into the ISS World Conference,

00:37:20.530 --> 00:37:24.260
and every one of the companies are — are any of them above-board?

00:37:24.260 --> 00:37:27.570
Are any of them like, oh no, we’re very clean?

00:37:27.570 --> 00:37:33.730
Or are they all — oh yeah, this is a cyber weapon that you can use to spy on your citizens

00:37:33.730 --> 00:37:34.740
with if you want.

00:37:34.740 --> 00:37:36.460
We don’t care; we’ll look the other way.

00:37:36.460 --> 00:37:42.990
CROFTON: Well, they’ll all tell you that they’re above-board and very clean.

00:37:42.990 --> 00:37:49.710
That’s a constant refrain of the industry and it goes back to what we said earlier about

00:37:49.710 --> 00:37:53.080
who’d you sell to and what are they using it for.

00:37:53.080 --> 00:37:58.100
Indeed, to the question of like, do these guys even know, do these companies even know,

00:37:58.100 --> 00:38:02.280
can they know; a lot of them will say that they are very careful about who they sell

00:38:02.280 --> 00:38:05.600
to, but oh well, we can’t actually monitor what they do with it.

00:38:05.600 --> 00:38:09.619
JACK: Yeah, that’s a whole other degree of responsibility, right?

00:38:09.619 --> 00:38:13.100
Because how exactly do these targeting systems work?

00:38:13.100 --> 00:38:16.790
We have this Predator and Intellexa thing, right?

00:38:16.790 --> 00:38:22.270
Does this whole kit and infrastructure and everything get sold to the customer, and then

00:38:22.270 --> 00:38:25.530
once it’s delivered, Intellexa just kinda steps back and wipes their hands clean of

00:38:25.530 --> 00:38:26.819
the whole thing?

00:38:26.819 --> 00:38:32.590
Or is it some kind of hacking-as-a-service type of thing where the customer tells Intellexa,

00:38:32.590 --> 00:38:37.370
here’s what we want you to target, and then Intellexa does all the infections and delivers

00:38:37.370 --> 00:38:39.460
the data that they got off the phone?

00:38:39.460 --> 00:38:44.930
Or maybe it’s a mix of Intellexa doing the infection and once the spyware is on the phone,

00:38:44.930 --> 00:38:48.630
then the customer can access that data whenever they want, like listen to the phone calls

00:38:48.630 --> 00:38:50.550
or see where the person is.

00:38:50.550 --> 00:38:54.920
We don’t know exactly how involved anyone is in all this.

00:38:54.920 --> 00:38:58.940
You see how this changes where the responsibility lands, right?

00:38:58.940 --> 00:39:01.369
Isn’t this an important thing to know?

00:39:01.369 --> 00:39:07.329
Is the government doing the hacking themselves or is this company doing it with authorization

00:39:07.329 --> 00:39:09.640
from a government?

00:39:09.640 --> 00:39:14.370
Think about it like this; the phishing message that that journalist got, it looked like a

00:39:14.370 --> 00:39:21.050
normal article from a financial news website, but the domain was changed from .gr to .online,

00:39:21.050 --> 00:39:22.940
and that is what hosted the malware.

00:39:22.940 --> 00:39:28.220
So, someone had to register this domain, get it hosted somewhere, stage the malware on

00:39:28.220 --> 00:39:32.880
it, and then integrate it into the Predator package, not to mention craft a message that

00:39:32.880 --> 00:39:35.290
the target is likely to click on.

00:39:35.290 --> 00:39:40.400
These domains get burned fairly often, so you need to create new ones all the time and

00:39:40.400 --> 00:39:42.440
integrate that into the package.

00:39:42.440 --> 00:39:47.490
Is the customer doing all that work or was Intellexa setting all this stuff up to make

00:39:47.490 --> 00:39:52.700
it easier for the customer to simply point and shoot?

00:39:52.700 --> 00:40:01.579
So, at the conference, do we get any information about Predator, how much it costs or anything?

00:40:01.579 --> 00:40:07.250
CROFTON: There was a document that leaked online right after that conference.

00:40:07.250 --> 00:40:11.520
Let’s see what it was.

00:40:11.520 --> 00:40:21.200
This was a Predator package for ten targets at once.

00:40:21.200 --> 00:40:25.150
A hundred successful infections, but ten running at the same time.

00:40:25.150 --> 00:40:26.630
One-click infection.

00:40:26.630 --> 00:40:28.890
$8 million.

00:40:28.890 --> 00:40:30.900
That was the price tag.

00:40:30.900 --> 00:40:35.740
JACK: [MUSIC] One-click infection.

00:40:35.740 --> 00:40:40.911
I imagine this means that someone has to click once for their phone to be infected, which

00:40:40.911 --> 00:40:44.000
is pretty sophisticated, I’ll say.

00:40:44.000 --> 00:40:49.540
But the brass ring for spyware is zero-click, where maybe you could do something like send

00:40:49.540 --> 00:40:53.660
a message to someone while they’re sleeping and when the phone tries to process it, like

00:40:53.660 --> 00:40:58.520
display the preview for what the website’s gonna look like, then that preview somehow

00:40:58.520 --> 00:41:01.670
contains the malware that can infect the phone.

00:41:01.670 --> 00:41:06.310
Then when the phone gets infected, the text message can be deleted and you have no idea

00:41:06.310 --> 00:41:09.740
that anything happened to your phone.

00:41:09.740 --> 00:41:16.430
NSO has this capability, and it sounds like Intellexa wishes they did, too.

00:41:16.430 --> 00:41:21.210
We’re gonna do a quick commercial break here but come back, because things are really

00:41:21.210 --> 00:41:23.730
heating up in Greece and you’re not gonna want to miss this.

00:41:23.730 --> 00:41:28.850
[PLANE ENGINE] While all this is going on, Crofton Black, the journalist with Lighthouse

00:41:28.850 --> 00:41:33.480
Reports, was following where Tal’s little Cessna airplane was flying off to, trying

00:41:33.480 --> 00:41:37.080
to make sense of why Tal would be visiting some of these locations.

00:41:37.080 --> 00:41:43.710
CROFTON: The Cessna was kind of key to our reporting because we found out about the Cessna

00:41:43.710 --> 00:41:49.000
through researching the company and the people in the company and what they were doing and

00:41:49.000 --> 00:41:53.119
where they were going, and that led us to the Cessna.

00:41:53.119 --> 00:41:58.710
The Cessna obviously led us to a bunch of destinations not only going backwards and

00:41:58.710 --> 00:42:05.230
forwards between Greece and Cyprus, going to Prague for the spyware fair, but it was

00:42:05.230 --> 00:42:07.500
also in Sudan.

00:42:07.500 --> 00:42:13.730
It was in Sudan at the time that our sources on the ground said that this transfer of surveillance

00:42:13.730 --> 00:42:15.310
tech took place.

00:42:15.310 --> 00:42:17.760
It was also in Saudi Arabia.

00:42:17.760 --> 00:42:19.619
It was also in the UAE.

00:42:19.619 --> 00:42:20.619
We were able to follow it.

00:42:20.619 --> 00:42:24.900
We were able to trace it for a fair few months going around the place.

00:42:24.900 --> 00:42:32.260
It was in Israel quite a lot, so obviously it raises questions about the extent to which

00:42:32.260 --> 00:42:36.110
Tal Dilion is or isn’t doing business in Israel, because that plane was for sure there

00:42:36.110 --> 00:42:37.110
a fair amount.

00:42:37.110 --> 00:42:41.680
JACK: Yeah, but you just mentioned Saudi Arabia, and Saudi Arabia and Israel, they’re not

00:42:41.680 --> 00:42:42.720
the best of friends.

00:42:42.720 --> 00:42:44.050
We’ll say that, right?

00:42:44.050 --> 00:42:47.060
They’ve got some disagreements.

00:42:47.060 --> 00:42:49.930
I just wonder how much Tal had to say.

00:42:49.930 --> 00:42:56.170
Like, okay, is this million-dollar deal worth more than my allyship to my homeland?

00:42:56.170 --> 00:43:00.430
If people in my country are getting spied on because of this — or maybe he made a

00:43:00.430 --> 00:43:03.010
deal of like, you could only spy on your own people, Saudi Arabia.

00:43:03.010 --> 00:43:04.010
Don’t spy on us.

00:43:04.010 --> 00:43:08.730
If I hear you spying on Israelis, I’m gonna pull the plug on this software.

00:43:08.730 --> 00:43:13.700
CROFTON: Yeah, I mean, I think there’s a lot of back channels between these countries

00:43:13.700 --> 00:43:19.620
where there’s possibly more intelligence cooperation than you might think.

00:43:19.620 --> 00:43:27.930
I think there’s a long history of the UAE buying Israeli surveillance tech.

00:43:27.930 --> 00:43:32.460
I don’t think it’s particularly surprising that Saudi Arabia should be a client.

00:43:32.460 --> 00:43:36.080
I think these guys are — they’re a good market, right?

00:43:36.080 --> 00:43:42.170
JACK: Back in Greece with this scandal erupting, a newspaper called Documento was saying that

00:43:42.170 --> 00:43:46.550
they found thirty-five more people who were infected with this, and started publishing

00:43:46.550 --> 00:43:48.220
the names of these people.

00:43:48.220 --> 00:43:53.809
Then every Sunday after that, they kept publishing even more names of people infected with Predator.

00:43:53.809 --> 00:43:55.079
This list was growing big.

00:43:55.079 --> 00:44:00.270
There was a media tycoon on there, a cabinet minister, senior military officials, friends

00:44:00.270 --> 00:44:06.180
of the prime minister’s wife, a respected newspaper editor, and even a popular comedian.

00:44:06.180 --> 00:44:09.680
Then the Greek government was asked again, and this time they said…

00:44:09.680 --> 00:44:10.680
SPEAKER: [SPEAKING GREEK]

00:44:10.680 --> 00:44:15.460
JACK: Well, actually, it does sound like what happened was that some people got wire-tapped,

00:44:15.460 --> 00:44:20.940
and we do wire-tap sometimes, but it’s for national security and we don’t use Predator

00:44:20.940 --> 00:44:22.010
to do it.

00:44:22.010 --> 00:44:25.800
But any wire-tapping we do do, that’s legal.

00:44:25.800 --> 00:44:26.800
Uh-huh.

00:44:26.800 --> 00:44:32.819
Well, the pressure continued to mount and was focused on EYP, the intelligence department

00:44:32.819 --> 00:44:33.819
of the Greek government.

00:44:33.819 --> 00:44:40.010
CROFTON: We’re back in kind of summer last year where there were actually two resignations

00:44:40.010 --> 00:44:41.110
from government.

00:44:41.110 --> 00:44:48.660
One of them was the head of the intelligence agency and the other one was this guy called

00:44:48.660 --> 00:44:57.130
Dimitriadis, who was the nephew — he’s the nephew of the prime minister and he’s

00:44:57.130 --> 00:45:03.599
also the kind of head at the time of the — let’s say the prime minister’s kind of inner office,

00:45:03.599 --> 00:45:05.640
if you like; this guy is at the top of it.

00:45:05.640 --> 00:45:10.790
JACK: Now, even though people resigned, the government didn’t admit to doing anything

00:45:10.790 --> 00:45:11.790
illegal.

00:45:11.790 --> 00:45:17.180
They said, what happened might have been legal, but it was also wrong.

00:45:17.180 --> 00:45:19.760
SPEAKER: [SPEAKING GREEK]

00:45:19.760 --> 00:45:25.359
JACK: Now, once these people resigned, journalists and investigators were looking into who these

00:45:25.359 --> 00:45:30.480
people were, and it turned out that one of them was the nephew of the prime minister,

00:45:30.480 --> 00:45:33.950
and he actually had some kind of connection with the NSO Group.

00:45:33.950 --> 00:45:37.480
I think they were trying to discuss the Pegasus software a while back.

00:45:37.480 --> 00:45:38.600
CROFTON: He quit.

00:45:38.600 --> 00:45:40.359
The intelligence head quit.

00:45:40.359 --> 00:45:46.920
It’s interesting that on exactly the same day, the plane that we’ve been tracking

00:45:46.920 --> 00:45:52.660
that’s been carrying out its business based in Greece but going all over the place also

00:45:52.660 --> 00:45:57.100
quits, and it goes to Israel and once it gets there, it just sits there for months and doesn’t

00:45:57.100 --> 00:45:58.260
move again.

00:45:58.260 --> 00:46:04.120
JACK: Of course, journalists and investigators continued asking the Greek government questions,

00:46:04.120 --> 00:46:06.099
which led us to learn something new.

00:46:06.099 --> 00:46:14.579
CROFTON: The sale of the tech to Sudan was confirmed by the government after the fighting

00:46:14.579 --> 00:46:15.790
broke out again in Sudan.

00:46:15.790 --> 00:46:18.819
JACK: Wait, so the Sudanese government said, yeah, we did buy it?

00:46:18.819 --> 00:46:21.990
CROFTON: No, the Greek government confirmed that it had been sold to Sudan.

00:46:21.990 --> 00:46:24.050
JACK: Wait; how did they know?

00:46:24.050 --> 00:46:26.359
CROFTON: Well, they issued the export license.

00:46:26.359 --> 00:46:28.640
JACK: What? What?

00:46:28.640 --> 00:46:30.920
What is happening here?

00:46:30.920 --> 00:46:36.400
Someone at Intellexa applied for an export license to sell their spyware to a group in

00:46:36.400 --> 00:46:41.880
Sudan who is notorious for committing crimes against humanity, and the Greek government

00:46:41.880 --> 00:46:44.660
is like, yep, approved.

00:46:44.660 --> 00:46:45.970
Go for it.

00:46:45.970 --> 00:46:51.080
Doesn’t this put some kind of responsibility now on the Greek government for assisting

00:46:51.080 --> 00:46:54.380
Sudan in the proliferation of digital weapons?

00:46:54.380 --> 00:47:01.000
Ugh, I’m just so tired of things being blatantly wrong in the world and nothing being done

00:47:01.000 --> 00:47:02.410
about it.

00:47:02.410 --> 00:47:04.720
I need some help here.

00:47:04.720 --> 00:47:06.500
[RINGING] Hello, hello.

00:47:06.500 --> 00:47:08.280
JOHN: Hi, Jack.

00:47:08.280 --> 00:47:12.790
Let me just turn all the vibrations off.

00:47:12.790 --> 00:47:14.030
JACK: Alright.

00:47:14.030 --> 00:47:15.599
JOHN: How are you?

00:47:15.599 --> 00:47:17.350
JACK: This is John Scott-Railton.

00:47:17.350 --> 00:47:20.800
He’s been on the show a few times and I just like to call him JSR.

00:47:20.800 --> 00:47:25.190
He works with Bill at Citizen Lab, and he got his hands on this Predator malware and

00:47:25.190 --> 00:47:26.960
analyzed it further.

00:47:26.960 --> 00:47:33.210
I told him how mad and upset and frustrated I was about all this, and JSR, being JSR,

00:47:33.210 --> 00:47:34.210
tried to help.

00:47:34.210 --> 00:47:35.290
JOHN: You know, the thing I did first was neuroscience.

00:47:35.290 --> 00:47:36.530
That was my old thing.

00:47:36.530 --> 00:47:38.530
JACK: No way. JOHN: Yeah.

00:47:38.530 --> 00:47:39.530
JACK: Oh my god.

00:47:39.530 --> 00:47:42.220
JOHN: One of the big things — so, I was working on neuroplasticity and one of the

00:47:42.220 --> 00:47:49.720
big things that is known about the brain is that anxiety suppresses plasticity, and the

00:47:49.720 --> 00:47:56.460
suppression of plasticity is a good candidate for one of the major causes of depression.

00:47:56.460 --> 00:47:58.910
JACK: Whoa, whoa, whoa.

00:47:58.910 --> 00:48:02.920
I’m not ready to get that deep about my feelings right now.

00:48:02.920 --> 00:48:05.660
Hold on. Let’s reset.

00:48:05.660 --> 00:48:11.309
Why I called JSR was because I wanted to talk with him about the ethics of all this, not

00:48:11.309 --> 00:48:12.970
how I get depressed about it.

00:48:12.970 --> 00:48:16.430
Okay, so let’s try to understand the implications of all this.

00:48:16.430 --> 00:48:23.490
So, this world of — I mean, what do you even classify this type of software?

00:48:23.490 --> 00:48:24.660
Do you call it a cyber weapon?

00:48:24.660 --> 00:48:31.619
JOHN: I like to call it mercenary spyware, although I’ve noticed that a lot of other

00:48:31.619 --> 00:48:33.559
groups call it commercial spyware.

00:48:33.559 --> 00:48:38.150
But I like the mercenary term in part because it sort of denotes the idea that these people

00:48:38.150 --> 00:48:43.050
are probably working for a state, whereas commercial, to my ear, could refer to a much

00:48:43.050 --> 00:48:45.970
broader category of things.

00:48:45.970 --> 00:48:51.780
JACK: Yeah, and looking at this, I stumbled upon this thing called the ISS World Conference,

00:48:51.780 --> 00:48:57.160
which seems to be just a venue of all these mercenary spyware groups.

00:48:57.160 --> 00:49:04.960
JOHN: That’s right, and I like to frame it sort of like this; after Snowden, a lot

00:49:04.960 --> 00:49:11.600
of governments who didn’t really know all the cool toys that the US government had suddenly

00:49:11.600 --> 00:49:17.220
not only learned but were like, hey, I gotta get some of that.

00:49:17.220 --> 00:49:23.410
You have this other dynamic which is kind of like the first generations of people working

00:49:23.410 --> 00:49:29.849
within tier-one government programs developing exploitation tools.

00:49:29.849 --> 00:49:36.200
I was starting to look for a bigger paycheck and a cushy approach to retirement.

00:49:36.200 --> 00:49:44.700
Thus begins this massive technology and knowledge transfer from some of the most developed cyber

00:49:44.700 --> 00:49:47.480
powers in the world towards the rest of the world.

00:49:47.480 --> 00:49:54.819
That’s the proliferation as people — whether it’s from American or German or Italian

00:49:54.819 --> 00:49:59.809
or British countries, they’re like, hey, we could really make a business out of this

00:49:59.809 --> 00:50:00.829
stuff.

00:50:00.829 --> 00:50:07.540
Then you add to that this dramatic rise in Israel’s high-tech sector combined with

00:50:07.540 --> 00:50:13.450
a really permissive environment towards export law, and you get yourself a global industry

00:50:13.450 --> 00:50:14.450
in this technology.

00:50:14.450 --> 00:50:19.460
JACK: Yeah, I spoke about this in Episode 98, which is called Zero-Day Brokers.

00:50:19.460 --> 00:50:23.450
There are people who came through the NSA and were developing exploits while working

00:50:23.450 --> 00:50:27.260
there, and they realized that they could start their own company developing exploits and

00:50:27.260 --> 00:50:31.160
then sell that to the NSA and make more money doing that than if they were to work at the

00:50:31.160 --> 00:50:32.160
NSA.

00:50:32.160 --> 00:50:38.470
Yeah, some of this tech looks hot, so I can imagine some other companies wanting this

00:50:38.470 --> 00:50:39.610
capability, too.

00:50:39.610 --> 00:50:44.770
While their internal forces may not be sophisticated enough to develop it, they may have the cash

00:50:44.770 --> 00:50:46.400
to buy it.

00:50:46.400 --> 00:50:50.560
Who knows where they’re buying viruses and malware from, you know?

00:50:50.560 --> 00:50:55.740
So, I’m trying to find that line in my head of when this goes wrong.

00:50:55.740 --> 00:50:57.850
Where’s that ethical line?

00:50:57.850 --> 00:51:01.530
I’ve got spy tools myself, right?

00:51:01.530 --> 00:51:07.630
I can walk into the store and buy binoculars and a camera and an audio-recording device.

00:51:07.630 --> 00:51:16.250
I practice hacking things, so sometimes I’ve got little devices that can screw around.

00:51:16.250 --> 00:51:20.680
Some of that stuff’s available commercially at Defcon and nobody really puts a big stink

00:51:20.680 --> 00:51:25.079
about that, like, oh, this is awful; you’re giving this to the criminals of the world.

00:51:25.079 --> 00:51:27.550
It just kinda is out there.

00:51:27.550 --> 00:51:31.910
But there’s something about this that’s different, and can you — do you have a good

00:51:31.910 --> 00:51:35.809
sense of when that wind shifts to this is a stinky wind?

00:51:35.809 --> 00:51:38.040
BILL: It’s a stinky wind, yeah.

00:51:38.040 --> 00:51:43.630
I think that in a democracy, the people who elect the government should have some degree

00:51:43.630 --> 00:51:50.510
of understanding of how much power the government has to completely pry into their personal

00:51:50.510 --> 00:51:55.260
lives and when the government can exercise that power.

00:51:55.260 --> 00:52:03.130
What is so scary about mercenary spyware like Predator or Pegasus is that it offers a security

00:52:03.130 --> 00:52:12.369
service, a total view into a person’s private world in ways that were never designed to

00:52:12.369 --> 00:52:20.820
respect existing law about search warrants or search and seizures, anything like that,

00:52:20.820 --> 00:52:22.950
and can just provide that as a turnkey.

00:52:22.950 --> 00:52:27.780
So, the intent, really, is to provide this total view on an individual.

00:52:27.780 --> 00:52:31.990
I think it’s also the case that there are a lot of autocrats around the world who want

00:52:31.990 --> 00:52:36.430
this technology because they really want to hold onto power and they recognize that making

00:52:36.430 --> 00:52:41.460
their citizens afraid of having their lives basically dumped out on the digital table

00:52:41.460 --> 00:52:46.150
silently and remotely without any warning is a core part of how they stay in power.

00:52:46.150 --> 00:52:50.440
That fear or that technology of fear is a big part of it, and the fact that Pegasus

00:52:50.440 --> 00:52:56.980
doesn’t respect national borders is a great way for autocrats to basically claw back power

00:52:56.980 --> 00:53:00.680
into states that they would otherwise have no ability to act in, right?

00:53:00.680 --> 00:53:08.420
It shouldn’t be the case that an autocrat in Togo has dissidents in the UK afraid.

00:53:08.420 --> 00:53:12.890
But this can be the case when you acquire this kind of technology, because you can experience

00:53:12.890 --> 00:53:17.799
completely devastating consequences of speaking up against an autocrat or a dictator from

00:53:17.799 --> 00:53:18.799
around the world.

00:53:18.799 --> 00:53:22.770
That kind of stuff is just net dangerous to democracy and to freedom.

00:53:22.770 --> 00:53:27.970
JACK: It appears to me that sometimes when governments get this kind of capability, the

00:53:27.970 --> 00:53:34.640
temptation is just too high to use it on their wives’ friends, their opposition leader.

00:53:34.640 --> 00:53:36.990
It’s just stuff that shouldn’t be targeted.

00:53:36.990 --> 00:53:44.040
Do you have any thoughts about, man, this — you’ve gotta really get permission once

00:53:44.040 --> 00:53:50.690
you — if you buy this tool, you’ve gotta really have a lot of oversight on how it’s

00:53:50.690 --> 00:53:51.690
used or something.

00:53:51.690 --> 00:53:55.910
I don’t know, what’s the solution there to keep you from being tempted to use it on

00:53:55.910 --> 00:53:56.910
your enemies?

00:53:56.910 --> 00:54:00.300
I mean, use it on civil society, right?

00:54:00.300 --> 00:54:02.210
CROFTON: Well, on your perceived enemies, right?

00:54:02.210 --> 00:54:06.859
So, we know from extradition documents, for example; Panama’s then president Ricardo

00:54:06.859 --> 00:54:09.300
Martinelli apparently got himself a bunch of Pegasus.

00:54:09.300 --> 00:54:11.710
Well, who did he put under monitoring?

00:54:11.710 --> 00:54:15.680
People like his business rivals but also his mistress, and every morning he would, according

00:54:15.680 --> 00:54:19.790
to these documents, sit and put his headphones on in his office and listen to the conversations

00:54:19.790 --> 00:54:24.640
and read the messages of people who he didn’t like.

00:54:24.640 --> 00:54:33.190
That image of a president, angry and jealous, prying into the lives of anybody who he felt

00:54:33.190 --> 00:54:38.820
like it is a scary image to all of us, and it’s scary because that’s not part of

00:54:38.820 --> 00:54:40.760
the social contract, right?

00:54:40.760 --> 00:54:46.309
That’s not a power that government should have.

00:54:46.309 --> 00:54:51.010
Any of the existing powers that government has in a society like the United States are

00:54:51.010 --> 00:54:52.650
circumscribed by law, right?

00:54:52.650 --> 00:54:56.510
I know my rights, you can say at a traffic stop.

00:54:56.510 --> 00:55:02.809
But with something like Pegasus, if your local police department has acquired Pegasus and

00:55:02.809 --> 00:55:05.980
has used it against you, do you know your rights?

00:55:05.980 --> 00:55:09.760
Do you know whether they were within their rights or authorities to use it?

00:55:09.760 --> 00:55:12.730
Do you know whether their use of it was properly overseen?

00:55:12.730 --> 00:55:17.720
What’s happening is that this technology is landing in jurisdictions that don’t yet

00:55:17.720 --> 00:55:21.480
have any legal protections around how this stuff gets used.

00:55:21.480 --> 00:55:27.140
Citizens have nothing to protect them, and that’s really, really scary because you

00:55:27.140 --> 00:55:30.460
want there to be limits on the power of the state.

00:55:30.460 --> 00:55:34.440
Without those limits, you’re existing in a tyrannical or autocratic regime.

00:55:34.440 --> 00:55:40.000
JACK: God, I just realized something, and I don’t have time to really research this

00:55:40.000 --> 00:55:43.880
further, so I’m just gonna go off the cuff here, but Google and Facebook, they know a

00:55:43.880 --> 00:55:45.750
ton about us, right?

00:55:45.750 --> 00:55:50.640
They have access to our e-mails, text messages, friend circles, contacts, even our location.

00:55:50.640 --> 00:55:55.030
The police have sometimes asked Google or Facebook for the information on one of their

00:55:55.030 --> 00:56:01.430
users, and if given the right warrant or whatever Google needs, Google will turn over that data

00:56:01.430 --> 00:56:02.430
to the cops.

00:56:02.430 --> 00:56:08.490
I don’t know, that concept alone kinda prompts me to pull focus in on these big tech companies

00:56:08.490 --> 00:56:13.339
and how they can spy on us harder than Predator can, and it’s built into their terms of

00:56:13.339 --> 00:56:14.539
service.

00:56:14.539 --> 00:56:20.130
But the thing that I just thought about is what happens when some other country wants

00:56:20.130 --> 00:56:24.940
data on a Google user, like the Sudanese government?

00:56:24.940 --> 00:56:28.059
They might be like, hey, this guy here?

00:56:28.059 --> 00:56:30.700
Yeah, he’s committed some crimes, right?

00:56:30.700 --> 00:56:33.799
Can you tell us everything you know about him, Google?

00:56:33.799 --> 00:56:39.599
Does Google have to comply with local law enforcement and be like, well, this request

00:56:39.599 --> 00:56:42.220
came from your military, so, yeah, okay; approved.

00:56:42.220 --> 00:56:43.340
Here you go.

00:56:43.340 --> 00:56:50.990
I guess I want to know, how does Google handle data requests from tyrannical or autocratic

00:56:50.990 --> 00:56:51.990
regimes?

00:56:51.990 --> 00:56:59.869
BILL: I see what you’re saying, and companies should fight as hard as they can to prevent

00:56:59.869 --> 00:57:02.330
badly-formed or wrong requests for this data.

00:57:02.330 --> 00:57:06.940
We’d be in a better universe if that stuff was not collected, but it is.

00:57:06.940 --> 00:57:13.390
That said, I think that something like Pegasus or Predator is actually even more invasive

00:57:13.390 --> 00:57:21.410
in some ways than what those apps have, in part because your phone really is, for most

00:57:21.410 --> 00:57:26.790
people at this point, it’s just — nexus of your public and private brain.

00:57:26.790 --> 00:57:33.230
What’s really scary is the idea that governments could access this secretly without you ever

00:57:33.230 --> 00:57:37.960
having to know about it and without a warrant, without any kind of oversight, and without

00:57:37.960 --> 00:57:44.240
any kind of potential consequence or accountability if they abuse that power, if they get in there

00:57:44.240 --> 00:57:46.039
and they use it to hurt you.

00:57:46.039 --> 00:57:51.369
We’ve already seen cases where the fruits of hacking are used to hurt and harm people.

00:57:51.369 --> 00:58:02.280
So, as I see this, there is a constant battle to try to protect a degree of individual privacy

00:58:02.280 --> 00:58:09.490
from big, powerful interests, whether it is governments or corporations.

00:58:09.490 --> 00:58:14.620
We should be fighting this battle on multiple fronts at once, but what we shouldn’t do

00:58:14.620 --> 00:58:21.710
is say, well, okay, one bad apple is already violating our privacy, so we shouldn’t be

00:58:21.710 --> 00:58:24.579
angry when another bad apple does it.

00:58:24.579 --> 00:58:32.510
It’s different, also, if you think about it like this; it’s different when an entity

00:58:32.510 --> 00:58:36.950
that is seeking to monitor your behavior in order to sell you something learns something

00:58:36.950 --> 00:58:42.590
about you than an entity that can put you in jail and deny you your freedom based on

00:58:42.590 --> 00:58:48.599
that information — has access to it, and that’s why, in many cases, I think it’s

00:58:48.599 --> 00:58:52.210
appropriate for the police to have a harder time getting access to people’s private

00:58:52.210 --> 00:58:56.319
information than you or I might if we wanted to buy a bunch of user data, because the consequences

00:58:56.319 --> 00:58:57.319
are so great.

00:58:57.319 --> 00:58:58.650
JACK: Good point.

00:58:58.650 --> 00:59:03.710
BILL: You know, Jack, as you’re talking about these things, here’s kind of how I

00:59:03.710 --> 00:59:12.230
think about this; there’s certain questions about citizens that are probably illegitimate

00:59:12.230 --> 00:59:18.960
for governments to ask, certain questions like do they really believe in so-and-so — President

00:59:18.960 --> 00:59:21.230
So-and-so, right?

00:59:21.230 --> 00:59:25.750
Because once governments start having the ability to get those questions asked and to

00:59:25.750 --> 00:59:29.470
do so in secret, they may start — there may be a temptation to use that information

00:59:29.470 --> 00:59:32.799
to retaliate and to harm people.

00:59:32.799 --> 00:59:37.950
Part of why it’s critically important to stem the proliferation of spyware like Pegasus

00:59:37.950 --> 00:59:44.720
and Predator is not just because it’s bad when dictators are able to hack dissidents

00:59:44.720 --> 00:59:46.500
and chill dissidents.

00:59:46.500 --> 00:59:52.849
But because in democracies, we really also do not want this kind of capability lurking

00:59:52.849 --> 00:59:58.950
around out there tempting governments, local, state, and national, to abuse it in ways that

00:59:58.950 --> 01:00:02.900
will ultimately erode the freedoms that we cherish.

01:00:02.900 --> 01:00:09.210
Think about it this way; when you make a choice to speak out publicly against a government

01:00:09.210 --> 01:00:15.140
policy that you disagree with, in a democracy you should have some perception not just that

01:00:15.140 --> 01:00:19.840
you are free to speak your mind; you can’t be jailed for saying ‘I disagree with this’,

01:00:19.840 --> 01:00:26.110
but also that it would be inappropriate for the government to retaliate against you for

01:00:26.110 --> 01:00:29.220
doing this, right?

01:00:29.220 --> 01:00:33.180
What form of retaliation is scarier than the idea that the government could suddenly choose

01:00:33.180 --> 01:00:39.160
to basically penetrate as deep as it can into your private world and look at all your stuff?

01:00:39.160 --> 01:00:40.539
What a terrifying thought.

01:00:40.539 --> 01:00:44.410
That is the thought that people in East Germany lived with every day.

01:00:44.410 --> 01:00:48.181
That is the thought that people living in dictatorships live with every day, the potential

01:00:48.181 --> 01:00:52.079
that an angry official could just be like, well, let’s see what Jack’s worried about

01:00:52.079 --> 01:00:54.130
at 2:00 AM, right?

01:00:54.130 --> 01:00:56.530
Let’s see what health concerns bother him.

01:00:56.530 --> 01:01:01.210
Let’s see what things he’s talking about in the evening with his partner.

01:01:01.210 --> 01:01:05.181
JACK: But I think it comes down to why, because if you’re trying to say we think he’s

01:01:05.181 --> 01:01:10.230
a terrorist and we want to know what he’s doing at 2:00 AM, that’s almost legitimate

01:01:10.230 --> 01:01:13.050
to open up my phone and see what I’m up to.

01:01:13.050 --> 01:01:17.530
But if it’s like, no, we just want to see if he’s gonna talk about us on his next

01:01:17.530 --> 01:01:21.599
podcast, then that’s — wait, hold on, you can’t be doing that.

01:01:21.599 --> 01:01:27.130
BILL: Yeah, so the — and this is the question, and there are two parts to it.

01:01:27.130 --> 01:01:34.640
The first is would they be doing it with proper authority under law or are they just doing

01:01:34.640 --> 01:01:38.980
it like in a 24 episode because there’s a ticking time bomb, right?

01:01:38.980 --> 01:01:43.110
Spyware merchants love the idea that they are just like, all these terror plots and

01:01:43.110 --> 01:01:47.210
bad actors — and the only thing you can do is Kiefer Sutherland it and just hack them

01:01:47.210 --> 01:01:48.210
immediately, right?

01:01:48.210 --> 01:01:49.789
Forget the law; we need to get the bad guys.

01:01:49.789 --> 01:01:56.400
But the thing is we know from recent and older history that if governments start being enabled

01:01:56.400 --> 01:02:01.089
to do that, bad things inevitably follow.

01:02:01.089 --> 01:02:03.730
Temptation to abuse it always follows.

01:02:03.730 --> 01:02:07.380
Some of the biggest problems that we have today in the United States around privacy

01:02:07.380 --> 01:02:11.829
come from the post-September 11th period, things like the Patriot Act, right?

01:02:11.829 --> 01:02:13.550
Hugely invasive stuff.

01:02:13.550 --> 01:02:19.270
But then the other question — and this is equally important — is does the society,

01:02:19.270 --> 01:02:24.400
does the governmental office that’s receiving this data have the mechanisms in place to

01:02:24.400 --> 01:02:28.299
prevent abuse if the people who happen to be holding this stuff in their hands are not

01:02:28.299 --> 01:02:32.380
good people or could be giving in to the wrong temptations?

01:02:32.380 --> 01:02:37.630
Part of why it’s important that we have laws and rule of law is that you want a person

01:02:37.630 --> 01:02:40.980
who’s got some of the power of the state in their hands, whether it’s a cop or an

01:02:40.980 --> 01:02:44.280
investigator, a prosecutor, politician, or whatever, they have to feel that there will

01:02:44.280 --> 01:02:48.630
be consequences if they misuse that power and they have to know what the guardrails

01:02:48.630 --> 01:02:51.500
are around how they can use that power.

01:02:51.500 --> 01:02:54.369
The problem — one of the big problems with mercenary spyware is that it’s arriving

01:02:54.369 --> 01:02:57.890
in jurisdictions that don’t yet have any laws that say how police should or shouldn’t

01:02:57.890 --> 01:03:00.940
or a prosecutor should or shouldn’t use this technology.

01:03:00.940 --> 01:03:06.230
In a situation like that, the potential for abuse is huge in part because what’s gonna

01:03:06.230 --> 01:03:08.900
be the consequence, right?

01:03:08.900 --> 01:03:11.970
People in authority might not even believe there would be any consequence if they abuse

01:03:11.970 --> 01:03:12.970
the technology.

01:03:12.970 --> 01:03:18.230
That’s part of why people like me feel that it’s so important to slow the proliferation

01:03:18.230 --> 01:03:22.520
down, because the faster this stuff arrives at jurisdictions that don’t have any laws

01:03:22.520 --> 01:03:26.029
around this, the more likely you are to see abuse.

01:03:26.029 --> 01:03:31.630
I think unfortunately we’re stuck with the existence of this technology, but slowing

01:03:31.630 --> 01:03:36.240
down the rate of proliferation is, I think, the best approach we have to limiting the

01:03:36.240 --> 01:03:42.099
global harm that it’s gonna cause, and it is my firm belief that as more and more governments

01:03:42.099 --> 01:03:48.670
pay attention, they will recognize that a totally uncontrolled — a digital Mogadishu

01:03:48.670 --> 01:03:52.970
of spyware where everybody is using this stuff all the time is a really bad outcome for

01:03:52.970 --> 01:03:56.319
most governments and that you will need a degree of protection.

01:03:56.319 --> 01:04:03.230
The problem is that willingness to act is, I think, unfortunately contingent on a lot

01:04:03.230 --> 01:04:05.579
of governments feeling the sting first.

01:04:05.579 --> 01:04:09.490
I don’t think it’s an accident that a large number of US government personnel had

01:04:09.490 --> 01:04:14.089
to get hacked with Pegasus spyware before the US took really decisive action.

01:04:14.089 --> 01:04:19.029
JACK: Well, the US is taking decisive action against Intellexa now.

01:04:19.029 --> 01:04:24.450
Reuters published a story a few weeks ago saying the US Commerce Department has blacklisted

01:04:24.450 --> 01:04:26.430
both Intellexa and Cytrox.

01:04:26.430 --> 01:04:28.109
They’ve been sanctioned.

01:04:28.109 --> 01:04:31.619
I think this essentially means it’s prohibited in the US to do business with these companies,

01:04:31.619 --> 01:04:34.990
and I don’t really know how this impacts them.

01:04:34.990 --> 01:04:38.589
Perhaps US banks can’t do business with them now or maybe it’s harder for them to

01:04:38.589 --> 01:04:40.250
fly on US airlines.

01:04:40.250 --> 01:04:41.910
I’m not exactly sure.

01:04:41.910 --> 01:04:46.890
But also, if they have investors, this doesn’t look good for business, you know?

01:04:46.890 --> 01:04:50.500
It could shake investors who want to expand to the US someday.

01:04:50.500 --> 01:04:53.740
But yeah, that’s not happening now.

01:04:53.740 --> 01:04:59.640
Intellexa is part of a dizzying web of companies that are operating in different countries.

01:04:59.640 --> 01:05:05.680
The parent company is called Thalestris, which is in Ireland, for some reason, and their

01:05:05.680 --> 01:05:11.240
holding company has declared that they’ve made $35 million in sales from just doing

01:05:11.240 --> 01:05:13.660
business in the Middle East.

01:05:13.660 --> 01:05:19.960
But other sources have said that they made close to $200 million in sales in the last

01:05:19.960 --> 01:05:21.079
three years.

01:05:21.079 --> 01:05:29.680
So, it seems like life and business is great for Tal Dilian and Intellexa.

01:05:29.680 --> 01:05:34.089
This will definitely be a company that I’ll be keeping an eye on in the future.

01:05:34.089 --> 01:05:39.100
But with the noise that they seem to be making, sounds like everyone is gonna be watching

01:05:39.100 --> 01:05:43.059
them, too.

01:05:43.059 --> 01:05:52.130
(OUTRO): [OUTRO MUSIC] A big thank-you to Crofton Black from Lighthouse Reports for

01:05:52.130 --> 01:05:54.640
coming on the show and sharing this story with us.

01:05:54.640 --> 01:05:59.530
Also, thanks to Bill Marczak and John Scott-Railton from Citizen Lab for telling us what they

01:05:59.530 --> 01:06:00.530
know.

01:06:00.530 --> 01:06:05.060
If you liked this episode, you’ll probably also like the episodes about NSO Group, which

01:06:05.060 --> 01:06:07.390
are episodes 99 and 100.

01:06:07.390 --> 01:06:10.359
But also, this isn’t Greece’s first big hacking scandal.

01:06:10.359 --> 01:06:15.240
If you want to hear another crazy story about Greece, check out Episode 64, called Athens

01:06:15.240 --> 01:06:16.809
Shadow Games.

01:06:16.809 --> 01:06:21.650
If you like this show, if it brings value to you, consider donating to it through Patreon.

01:06:21.650 --> 01:06:25.470
By directly supporting the show, it helps keep ads at a minimum and it tells me you

01:06:25.470 --> 01:06:26.490
want more of it.

01:06:26.490 --> 01:06:31.650
So, please visit patreon.com/darknetdiaries and consider supporting the show.

01:06:31.650 --> 01:06:36.380
You’ll also get ten bonus episodes there as well as an ad-free version of the show.

01:06:36.380 --> 01:06:37.839
So, thank you.

01:06:37.839 --> 01:06:41.700
This show is made by me, the hesitant skeleton, Jack Rhysider.

01:06:41.700 --> 01:06:46.540
Our editor is the bear-slayer, Tristan Ledger, mixing done by Proximity Sound who just released

01:06:46.540 --> 01:06:48.309
a book on how to use Pro Tools.

01:06:48.309 --> 01:06:53.529
It’s called Pro Tools Post-Audio Cookbook 2023, and he’s done audio production on

01:06:53.529 --> 01:06:58.640
films, music, and spoken word, and jam-packs the book with tons of great tips on how you

01:06:58.640 --> 01:07:00.010
could be a better audio producer.

01:07:00.010 --> 01:07:04.270
I’ll have a link in the show notes on where to get the book.

01:07:04.270 --> 01:07:06.350
Our theme music is by the mysterious Breakmaster Cylinder.

01:07:06.350 --> 01:07:13.560
I don’t like ultra-wide screen monitors because the loading bar on them is just so

01:07:13.560 --> 01:07:14.560
long.

01:07:14.560 --> 01:07:22.050
This is Darknet Diaries.
