The International Press Institute (IPI) today expressed serious alarm over the confirmed surveillance of Greek journalist Thanasis Koukakis for more than two months using a powerful spyware tool, Predator. IPI calls on the competent Greek law enforcement authorities to thoroughly investigate and publicly identify the source of the surveillance.

On April 11 it was revealed via media reports that Koukakis, an experienced investigative journalist covering financial and banking issues in Greece, had his mobile phone infected for at least ten weeks in 2021 by Predator, an advanced spyware tool developed by a North Macedonian company called Cytrox.

According to a forensic analysis by experts at Citizen Lab, the device was compromised using Predator between July 12 and September 24, 2021. The investigation identified the source of the hacking to be a Greek phone number, which sent Koukakis a text message containing an infected link to a fake website.

Citizen Lab said it could not confirm whether the spyware was used by the Greek government or a private company. It is not known which of Koukakis’s communications were monitored or which of his sources were compromised.

Like the better-known Pegasus spyware developed by Israeli firm NSO Group, Predator allows the user to gain full access to a target’s phone to extract data, contacts and messages, including those sent through encrypted applications, as well as turn on the microphone and access the camera.

However, unlike the zero-click infections provided by Pegasus, Predator is malware which requires the target to first click on an infected link. Moreover, while NSO’s sales are regulated by the Israeli Ministry of Defence, Cytrox is part of a wider and under-regulated spyware-for-hire industry.

On April 11, the Greek government spokesperson appeared to suggest that the alleged surveillance had been carried out by a private actor or “individual”, rather than a government body. “It goes without saying that the competent authorities must do what is right in order to clarify this case and bring justice. Obviously, it does not mean in a country like Greece, in a state of law, any individual can watch another individual”, he said. He was not questioned on whether the Greek security or intelligence services had themselves acquired the spyware technology.

Answers needed

IPI Deputy Director Scott Griffen said the surveillance of Koukakis posed serious threats to source confidentiality as well as journalist safety and called for an immediate investigation by Greek law enforcement authorities to establish the source of the surveillance.

“Greek authorities must immediately provide greater clarity and answers about how, and by whom, this invasive spyware technology has been abused in Greece”, he said. “If it believes a private actor or individual is responsible, the government should publicly provide evidence for its suspicions and law enforcement should hold those actors responsible. At the same time, Greece should take immediate steps to regulate such technology so that it cannot be abused in the future. We also urge the government to clearly confirm or deny whether its own law enforcement or intelligence agencies have acquired Predator or other privately developed spyware products, now or in the past.”

Griffen added that the surveillance of Koukakis was believed to be the first publicly confirmed case of a journalist in Europe being spied on using Predator. “While NSO Group has come under significant and greatly needed scrutiny, its Pegasus spyware is just one of a number of tools on a global and drastically under-regulated market”, he said. “A large and growing spyware-for-hire industry exists to provide advanced cyber-surveillance tools to governments and private actors. As the Pegasus Project has shown, a lack of oversight and safeguards has meant these tools have often been abused to surveil journalists, sometimes with deadly consequences.

“Moving forward, it is vital that the European Parliament’s new inquiry committee for Pegasus expand its focus to look beyond just NSO’s tools to the full range of spyware available on the European market, including those developed by Cytrox and its wider group, Intellexa. The European Commission should also push for forceful implementation by Member States of the new Recast Dual-Use Regulation, so that the full scale of the trade and acquisition of such technologies within the bloc can be properly scrutinized. Until the lid is lifted on which states are using and abusing spyware, and unless strict and effective regulation of these cyberweapons is introduced, these surveillance revelations will continue to have a chilling effect on press freedom and investigative journalism both in Greece and across the EU.”

Surveillance fears

Koukakis is a journalist for Greek media outlet Newsbomb and a contributor to the investigative platform Inside Story, as well as international media such as the Financial Times and CNBC. He specializes in writing about corruption and money laundering in the banking sector. At the time, he had been investigating issues related to Greek bank loans, the prosecution of tax evasion crimes, and forged and fictitious invoices, among other stories, according to Inside Story.

Koukakis told IPI in an interview that he previously had suspicions his private communications were being monitored. In August 2020, he filed a complaint with the Greek Communications Confidentiality Authority (ADAE), a body which handles communications security and privacy, with a request for information about whether his electronic communications had been surveilled through his telecom provider. Under the then law, ADAE was required to provide citizens with such information. However, it did not respond to his request for a year.

During that time, the Greek New Democracy government of Prime Minister Kyriakos Mitsotakis amended the law on the right of citizens to be informed about the secrecy of their communications. Under the changes passed in April 2021, ADAE was blocked from informing citizens about surveillance if it had been carried out on the grounds of national security. Previously, after surveillance had finished, ADAE could notify the person that their personal communications had been monitored and provide information about the justification. The new law also had a retroactive effect on previous surveillance operations.

Four months after the law was changed, ADAE finally responded to Koukakis confirming that following an investigation with internet and telecommunication service providers, it had concluded that no illegal incident regarding the privacy of communications had occurred. After the hacking was confirmed by Citizen Lab on March 28, 2022, Koukakis filed a fresh complaint with ADAE.

Since the spyware infection was confirmed, Koukakis told IPI has had experienced serious “agony and anxiety” and that his multiple sources had expressed concern after the breach of his communications was reported. “You feel very insecure and it’s like your house has been robbed”, he said. Koukakis also expressed frustration at the lack of communication and transparency from ADAE.

New spyware tool: Predator

Cytrox was founded in 2017 and then bought a year later by Cypriot company WiSpear (renamed Passitora Ltd), which is owned by Tal Dillian, a former commander of Unit 8100, a secretive technology unit which is part of the Israeli military’s Special Operations Division of the Military Intelligence Directorate. His company Intellexa develops and sells surveillance tools and malware that enable its clients to compromise iOS and Android devices. In previous interviews, Dillian said the technology is intended for international law enforcement agencies.

Investigative reporting by Inside Story in Greece has identified that Intellexa’s headquarters are based in Greece. On its website, the company says it is an “EU based and regulated company, with six sites and R&D labs throughout Europe.” Relatively little else is known about the company or its other products. Citizen Lab, which has been researching Cytrox, said it does not currently have evidence that the firm has sold its products to non-state actors. It is unknown how much Cytrox costs to purchase. Like NSO Group, it markets its products for helping investigate paedophiles, organized terror groups and human trafficking rings.

According to 2021 research by Meta, Cytrox has clients in Greece, as well as Serbia, Germany, Egypt, Armenia, Saudi Arabia, Oman, Colombia, Ivory Coast, Vietnam and the Philippines. Meta said journalists were among those targeted using Cytrox tools in these countries, but did not provide specific examples. It said it had taken enforcement action to stop such surveillance-for-hire companies abusing its products for espionage.

Greek authorities have not confirmed whether they have purchased technology from Cytrox. Reports in December 2019 revealed that Greece’s National Intelligence Service (EYP) had intended to procure a new cybersurveillance technology and that branches of the Hellenic Police, such as the Directorate of Information Management and the Counter-Terrorism Service, had expressed an interest. The report said Pegasus was being studied as an option but did not mention Predator or other products sold by Cytrox or Intellexa.

In November 2021, the Greek government faced criticism from IPI and other press freedom organizations over allegations of surveillance involving Stavros Malichudis, a journalist with the investigative outlet Solomon. Revelations published by Greek newspaper Efimerida ton Syntakton (EFSYN) indicated the EYP had secretly been conducting monitoring of Malichudis. In response, the Greek authorities defended the work of the EYP and denied that the surveillance would have been conducted illegally. No other information has since been provided. During a recent press freedom mission to Greece carried out by the Media Freedom Rapid Response (MFRR), IPI questioned a government minister over the surveillance, who was unable to provide additional information.

IPI and its partners in the Media Freedom Rapid Response (MFRR) will be sending an official letter to the Greek government in the coming days seeking clarifications and answers about the surveillance of Thanasis Koukakis.

 

This statement by IPI is part of the Media Freedom Rapid Response (MFRR), a Europe-wide mechanism which tracks, monitors and responds to violations of press and media freedom in EU Member States and Candidate Countries.