The spyware used against Roberta Metsola, the President of the European Parliament, was created and sold by a European company.
The link sent to Metsola in response to a post on "X" was designed to infect the device of anyone who clicked on it with Predator surveillance software.
Predator is manufactured and sold by the Intellexa alliance, a collection of surveillance technology firms controlled by a holding company based in Ireland, according to an Amnesty International report that revealed the hacking attempt. It allows the attacker to gain full access to the victim's devices, including microphones, cameras, text messages and apps. Similar links were sent to the Commission's official account and to the account of Emily Haber, the former German ambassador to the US.
"We didn't click on it and reported it right away," Metsola says. "My phone is clean." She said she believed the attempted hacking attack was related to a fisheries dispute between the EU and Vietnam.
Founded by Tal Dilian, a former Israeli army officer, Intellexa is one of the jewels in the crown of the EU's burgeoning spyware industry. With offices in Cyprus, Greece, Ireland, Hungary, the Czech Republic and France, as well as North Macedonia and the United Arab Emirates, it "touts itself as an 'EU-based and regulated company'," according to Amnesty. It has sold Predator to Austria, Germany and Switzerland, as well as to governments with a history of human rights abuses such as Qatar, Congo, the UAE, Pakistan and Vietnam.
Intellexa, reached through a lawyer representing it in Brussels, did not respond to a request for comment.
The EU may have earned a reputation as a force in tech regulation - it has clashed with Facebook over privacy and X over disinformation - but its approach to spyware is purely laissez-faire. While the United States fights commercial spyware, the EU prefers not to take action. This has led to a proliferation of firms on the continent that take advantage of its technical talents and, more importantly, its lax licensing and export laws.
The lack of EU rules on who can use spyware, and how, also means that a range of government bodies in the bloc - from education ministries to national revenue agencies and law enforcement - have access to some of the most intrusive surveillance technologies.
"Remarkably, even when directly under the crosshairs of spyware developed by an EU-based company... the EU is unable to free itself from vested interests and take meaningful action," wrote John Scott-Railton, senior researcher at the human rights group The Citizen Lab, on "X." He notes that using a link to spyware in a public forum like "X" shows that "the proliferation of mercenary spyware is out of control."
Although the global industry is estimated at around 12 billion dollars, there is no reliable figure for Europe's share in it. Researchers believe that almost every EU country has at least one spyware champion: notable examples include the Bulgarian company Circles, which sold a product used to tap the phone of a journalist in London, and the Czech Republic's MOBILedit, which Ukrainian security forces used in their war against Russia.
Being based in the EU offers various advantages. Not only does it give a company's products a stamp of legitimacy, but the single market provides easy access to customers across the bloc. In addition, the absence of general provisions allows companies to seek the most favorable legal environment.
"In the EU, spyware companies take advantage of the fact that different regulations exist and set up offices in member states known to have weak export controls," says Steven Feldstein, an expert at the Carnegie Endowment for International Peace in Washington.
Security firm UTX Technologies - later acquired by Cognyte - maintains a presence in both Cyprus and Lithuania, meaning that if it fails to obtain an export license in one country, it can apply in the other. Similarly, before 2020, the company Circles also had an office in Cyprus, but closed it after a group of activists called on the authorities to check what it was exporting.
"Europe is becoming a breeding ground for spyware, facilitating the export of various tools," said Ilia Siatitsa, program director for government surveillance at Privacy International. "Even if you sanction one company, as in cutting off one of the heads of Hydra, two more appear. As long as there is demand, there will be supply."
The spyware industry has a long history in the EU, with companies such as Italy's Hacking Team and Germany's FinFisher making their way by selling software designed to snoop on personal devices.
"We must not forget that spyware was born in Europe," said Vitor Ventura, principal security researcher at Cisco Talos. "It wasn't illegal for those first companies to release it, and there's nothing saying they can't do it now."
The biggest event in the European spyware industry takes place every year in a bright red building on the outskirts of Prague. Known as ISS World, the event has been dubbed the "eavesdropper's ball". It bills itself as "the world's largest gathering of regional law enforcement, intelligence and national security analysts."
There is almost no advertising except for a few digital screens at the venue. Participants who smoke at the entrance wear reversed badges to conceal their affiliation. But inside the halls there is activity.
At this year's event in June, police and security forces from Austria, Germany, Kosovo, Russia, Sweden, Ukraine and 96 other countries arrived in casual clothes, notebooks in hand. Brochures from previous years seen by Politico show government delegations from all EU countries except Luxembourg attended. In 2013, the participants included representatives of the European embassies of Togo, Afghanistan, Algeria, Morocco, Russia and Yemen.
Awaiting potential customers were 115 exhibitors, dressed to impress and with their brightest smiles, eager to demonstrate that their products could mean the difference between missing or preventing a terrorist attack.
"Big tech is working against you in strengthening encryption, we can help you," one company representative pointed out.
"With the latest car hacking software, you can see when the suspect stops and which door is open," promised another.
Among the companies represented were Candiru, Feedback Italia and Rayzone Group, as well as Britain's BAE Systems and France's Airbus, which are among Europe's largest military manufacturers.
The main attraction, however, was Israel's NSO Group. Lit in white, the company's booth featured a table offering wine, cashews and olives with rosemary under the motto "illuminating the darkness."
NSO's flagship spy product, Pegasus, has been used against opposition politicians in Hungary and Poland; it was used by Madrid to spy on Catalan activists and politicians; and was allegedly used by Morocco to persecute French government officials, including President Emmanuel Macron. It was also used to spy on Amazon boss Jeff Bezos for eight months and was installed on the phone of the wife of Jamal Khashoggi, the journalist who was killed and dismembered at the Saudi embassy in Istanbul.
In September, digital rights organizations Citizen Lab and Access Now revealed that Galina Timchenko, a Russian journalist based in Latvia and founder of the independent news outlet Meduza, was infected with Pegasus during a meeting with Russian dissidents in Berlin. Evidence increasingly points to Latvia as the likely perpetrator of the attack, Access Now told Politico.
"This spyware should be banned here in Europe," said Ivan Kolpakov, editor-in-chief of Meduza. "It's surprising that it was banned in the US before it was banned in Europe. There are a lot of fans in Europe, and we're not just talking about Poland and Hungary, but also Western European countries."
What does regulation have to do with it?
The news that European politicians had been targeted by spyware first sparked outrage, then a collective shrug.
Following the publication in 2021 of Project Pegasus - an investigation by a consortium of European publications - Parliament launched a committee of inquiry the following year to investigate abuses across the bloc. Lawmakers interviewed NSO Group's general counsel Chaim Gelfand and undertook fact-finding missions to Israel, Hungary, Spain, Greece and Poland.
Gelfand revealed that the company had sold to 14 EU governments and suspended two of them for abuses. "We're trying to do the right thing, and that's more than other companies operating in the industry," he told committee members in June 2022.
The liability stops there. In October, the Commission revealed to Politico that it was preparing guidelines for EU governments on how to use spyware in line with EU data protection and national security laws - but adopting them would be the responsibility of national governments, which have so far not tended to adopt measures that would limit their access to surveillance technologies. In the EU, national security is the responsibility of individual countries.
During a hearing in Parliament, Justice Commissioner Didier Reynders, himself a target of spyware, admitted that his office has limited means to intervene.
Stéphane Duguin, director of the CyberPeace Institute and a former Europol official, said that because governments have failed to fund independent technologies to monitor criminals' communications, police services are turning to private companies for solutions.
"If law enforcement agencies tomorrow can't buy cars or have people on the streets, what are they going to do? They're going to outsource the physical surveillance of criminals to private companies," says Duguin. "That's what it's all about."
A forthcoming EU media freedom law could make it harder for national law enforcement agencies to use spyware specifically against journalists. But the Commission has avoided other, more decisive steps to curb the use or abuse of spyware by various levels of government.
The 2021 Act to limit the export of technology such as spyware has had little impact so far. To begin with, the Commission does not check whether it is implemented by national governments. Meanwhile, a report by the parliamentary committee investigating Pegasus said there was "ample evidence" that adoption of the law was "weak and fragmented", with some countries deliberately ignoring it.
"There is no oversight, and the few rules that exist are not enforced at all by the commission," said Sophie in 't Veld, the committee's lead lawmaker.
Europe's approach contrasts sharply with that of Washington, where President Joe Biden has taken a much tougher approach. In March, the US leader issued an executive order banning the government from purchasing commercial spyware. His administration also blacklisted NSO Group and added Europe's Intellexa and its subsidiary Cytrox to that list, meaning US companies cannot do business with them.
Biden's crackdown is felt beyond the country's borders. In response, Israel's Defense Export Control Agency narrowed its domestic companies' eligible export destinations to 38 democratic countries, mostly EU members.
Given that Israel is one of the market leaders in this area, the change - combined with the lack of consequences for companies involved in scandals - can only make the European market more interesting for companies looking for customers in less favorable parts of the world.
"In no case has justice been served, even if there is legal protection on paper," says in 't Veld. "The US is working to blacklist these companies, but here in Europe they are getting royal treatment." /BGNES
-------------------------------------------
Antoaneta Roussi, Politico