Who was tracking the mobile phone of journalist Thanasis Koukakis?

We reveal the case of a journalist and associate of inside story, with a rich history of investigative reporting, whose mobile phone had been turned by persons unknown into a spy device that recorded his every move and communication.
Χρόνος ανάγνωσης: 
12
'
picture showing surveillance cameras
[Scott Webb/Pexels]

For at least ten weeks, strangers could hear and see everything on the mobile phone of Thanasis Koukakis, whose revealing reports have been published in international media such as the Financial Times and CNBC.

The journalist was informed of the breach of his communications privacy and the hacking of his cell phone on March 28, 2022, when he received an official response from the University of Toronto's Citizen Lab after a request. The Citizen Lab, an interdisciplinary laboratory that focuses its research at the intersection of information and communication technologies, human rights and global security, has a core research goal of identifying digital threats against members of civil society, as well as monitoring the proliferation of the mercenary spyware industry. Prior to the hacking of Koukakis' phone, it had detected the hacking - with the same or other software - of dozens of mobile phones of journalists, activists and politicians, by, among others, the Saudi Prince Bin Salman and the government of Hungary, which eventually admitted to using the phone hacking software, as did the German government.

Such software was used to infect the mobile phone of Thanasis Koukakis.

The original Greek version of the article
This article appeared in inside story on the 11th of April 2022, in its original Greek version. Διαβάστε το παρόν άρθρο στην πρωτότυπη εκδοχή του στα ελληνικά ΕΔΩ.
The "Predator"

According to the three-page report of Citizen Lab, which we have at our disposal and was compiled after the technical analysis of a file was extracted from the journalist's mobile phone (sysdiagnose) and sent to the Canadian laboratory for testing, Thanasis Koukakis' phone, at least between July 12 and September 24, 2021, was infected with the spyware Predator. As Citizen Lab clarifies, "this does not exclude the possibility of other infections."

What this spyware can do can be answered in one word:everything, since it turns the mobile phone into a sophisticated surveillance device. "Predator is a surveillance tool that offers its operator full and continuous access to the target's mobile [phone] device. Predator allows the operator to extract secret passwords, files, photos, web browsing history, contacts as well as data such as mobile device information," reads the same Citizen Lab document.

"Predator can take screen captures, record the user's entries [on their mobile phone], and can also activate the device's microphone and camera. This enables attackers to monitor any activity taking place on or near a device, such as conversations taking place in a room.

Predator also allows its operator to record text messages sent or received (including those sent via "encrypted apps", or apps that allow messages to be hidden, such as WhatsApp or Telegram) as well as normal and VoIP phone calls (including phone conversations via "encrypted" apps)."

In other words, those who infected journalist Thanasis Koukakis' mobile phone could monitor everything from personal moments with his family and close people to confidential conversations with his "sources".

The Hellenic Authority for Communication Security and Privacy (ADAE) and the change in the law

Citizen Lab's findings alarmed the journalist, who in the past had reasonable suspicions that he may have been the target of electronic surveillance by unknown persons and therefore on 12 August 2020 he had addressed a complaint to the Hellenic Authority for Communication Security and Privacy (ADAE).

"I am writing to your Authority to investigate my complaint that my mobile phone and possibly my conversations via VoiceIP applications or my landline are being monitored," he wrote at the time and explained: "I am making this complaint following information conveyed to me by a third party relating to the existence of transcripts of my conversations relating to my telephone conversations from 15 May 2020 to 30 May 2020. Due to the accuracy of the words contained in the transcripts, and also due to the fact that some of the conversations recorded have taken place outdoors, it follows effortlessly that they have resulted from eavesdropping. On this basis I would like to be informed whether my mobile phone [...], my landline [...] my data connection [...] are being monitored or have at some time been put under surveillance."

In March 2021 the law that allowed those being monitored even for national security reasons, even only after the fact, to be informed, was amended. Henceforth, those who monitor persons for national security reasons, or say they monitor for the same, are unprosecutable. Members of the Hellenic Authority for Communication Security and Privacy (ADAE) and the Authority's own chairman appeared to disagree with the provision and made their disagreement public, while at least the deputy prime minister Panagiotis Pikramenos, who signed it along with Justice Minister Kostas Tsiaras, did not seem happy with the provision, and referred to the National Intelligence Service (EYP).

Four months after the law was changed, the authority responded to Koukakis's first complaint that "no event was found to constitute a violation of the law" - but one event had occurred, giving those who were monitoring him full access to Koukakis's mobile phone. The response from the ADAE came with a long delay of almost a year, on 29 July 2021, after the amendment to the law had been made and 17 days after the - confirmed by Citizen Lab - infection of the journalist's mobile phone with Predator spyware, which occurred on 12 July 2021.

The competent authority in response to the complaint of Thanasis Koukakis writes "[...] after a technical audit carried out by ADAE [...]] in the networks serving your mobile and fixed telephone connections with numbers [...], [...], [...] and [...], no event was found which would constitute a breach of the legislation on the confidentiality of communications". In simple terms, no one was found to be (illegally) intercepting him via the networks of the telecommunications providers of which he is a customer. In its response, the Authority refers the journalist to its website, where there is a brochure from 2014 with instructions on "Protecting Smartphone Devices."

We note that there are also legal interceptions of conversations which are carried out by law enforcement authorities and government agencies after a request for a waiver of secrecy, prosecutorial approval and the issuance of a relevant order. In these cases the software has been purchased through a public procedure by the authorities and after approval is knowingly placed by the mobile phone companies (providers) to monitor a specific person or persons. There have been times in the past when this has been done without approval and resulted in the infamous surveillance over the Vodafone network.

Months go by and we arrive on December 16, 2021, when Citizen Lab releases a long-form investigation into a previously unknown spyware, with possible customers (and) in Greece. Its name is now known to us. It is "Predator", which was used by unknown persons to surveil Thanasis Koukakis and possibly other targets within Greece.

Separate research by Meta (facebook, instagram) on the cyber crime industry, also published on December 16, 2021, came to a similar conclusion regarding Cytrox customers with somewhat greater certainty. "Our investigation identified customers in Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Colombia, Ivory Coast, Vietnam, the Philippines and Germany. Cytrox and its clients' targets include politicians and journalists around the world, including Egypt and Armenia."

The company behind Predator and its business in Greece

Citizen Lab's research claims that Predator was developed by a small and virtually unknown North Macedonian start-up called Cytrox, founded in 2017 and was acquired by Cyprus-based Wispear (renamed Passitora Ltd) owned by Tal Dillian, former CEO of Unit 81, an elite technology unit under the Israeli military's intelligence services.

Dillian (with Maltese citizenship) and his company monopolized the Cypriot news after the somewhat unusual interview - for the secretive field of spy technology - that the then 58-year-old Israeli businessman gave to Forbes in the summer of 2019. Speaking to journalist Thomas Brewster, he essentially brags about a black van of his company with tinted windows cruising the streets of Larnaca, loaded with equipment that allegedly passed through Cypriot customs as a weather station - when in fact it can actually intercept all kinds of content from mobile phones within a radius of several hundred meters. The van, as Dillian says in his interview, is just one part of the rich cyber-weapon arsenal available from Intellexa (with him as co-founder), aka "the Star Alliance of spyware."

According to his claims, these tools are intended for use by law enforcement agencies and have been developed to track terrorists, drug cartels and the world's most dangerous criminals. As to the criticism of this type of spying technology, which has been found to be directed not only at terrorists and criminals, Dillian responds: "Don't blame the dealers, blame the customers. [...] We work with the good guys. And sometimes the good guys go too far."

A little while after the interview with Forbes, the "spy van", as it was called, opened the floodgates in Cyprus. Finally in November 2021, the criminal investigation into the case was concluded with the suspension of criminal prosecution for the individuals involved and Wispear was fined €950,000 for violating the principles of legality, objectivity and transparency.

But Tal Dillian claimed in Forbes and reiterated in news his statements that the spying tools marketed by Intellexa are intended for government law enforcement agencies worldwide, the lawsuit filed against him (among others) by one of the four shareholders of Aliada (parent company of Wispear/Passitora), based in the British Virgin Islands, says otherwise. The lawsuit was filed in a Tel Aviv court in December 2020 by Avi Rubinstein, who among other accuses Dillian that his Forbes interview cost the company a lucrative deal with a private client with whom the company had done business in the past.

According to Tal Dillian's Linkedin, he's now based in Greece, where inside story in his latest report -following investigations by Citizen Lab and META- had tracked down his corporate trail with the help of the Linked Business platform.

Except for INTELLEXA SA, (established on 11 March 2020), there are two more companies in Greece plus a branch with the same parent company, the Irish company THALESTRIS LIMITED. These are HERMES TECHNOLOGIES S.A., APOLLO TECHNOLOGIES S.A. (established 11 March 2020) and FEROVENO LIMITED (established in Greece on 15/10/2020 as a branch of a Cypriot company).

Greek INTELLEXA, APOLLO TECHNOLOGIES and HERMES TECHNOLOGIES in 2020 (the last fiscal year posted in the General Register of Companies) recorded a combined turnover of €1,512,125.

In INTELLEXA, APOLLO TECHNOLOGIES and HERMES TECHNOLOGIES, Felix Bitzios (he was also the legal representative of the FEROVENO branch until 15/11/2021), while the phone number of INTELLEXA SA registered with the EBEA is answered by the accounting firm ELG KIRIAKIDIS FINANCE SA. Felix Bitzios was the former "face" of the Libra group (of Logothetis family interests) in Greece. [The Libra group has taken legal action against Bitzios and associates (including accountant Elias Kyriakidis) since 2020 for unrelated matters].

Reading the publication of inside story in January, Thanasis Koukakis identified in these companies people that were of interest to him journalistically in the past. Alarmed, he wanted to find out if he too had been targeted by Predator spyware. Initially he contacted the director of META's Threat Disruption department (facebook, instagram) and then he got in touch with Bill Marzak, a senior researcher at Citizen Lab, a scientist with great technical proficiency in spyware detection, who confirmed to the Greek journalist that he had been a victim of this particular spyware. The colleague made a new complaint to the ADAE on April 6, asking the Authority to investigate the case thoroughly.

The infection of Thanasis Koukakis' mobile phone was caused by a seemingly innocent text message received at noon on July 12, 2021 from a Greek mobile phone. "Thanasis do you know about this issue?," the message read, accompanied by a link to blogspot.edolio5[.]com, an similar url to the blog edolio5.blogspot[.].com. All it took was one click to install the spyware.

Meta's investigation had uncovered a wide grid of domains that Cytrox is believed to have used to spoof legitimate news entities in the countries of interest and to mimic legitimate URL shortening services and social media in order to "infect" its target users with its spyware.

The relevant annex of the Meta survey includes more than 310 fake websites. Of these, 42 appear to have been set up solely to mislead potential targets within Greece.

Ιστοσελίδες ελληνικού ενδιαφέροντος
adservices[.]gr[.]com heiiasjournai[.]com pronews[.]gr[.]com
altsantiri[.]news hellasjournal[.]company protothema[.]live
bi[.]tly[.]gr[.]com hellasjournal[.]website sepenet[.]gr[.]com
bmw[.]gr[.]com hempower[.]shop stonisi[.]news
citroen[.]gr[.]com insider[.]gr[.]com suzuki[.]gr[.]com
cnn[.]gr[.]com kathimerini[.]news tiny[.]gr[.]com
crashonline[.]site kranos[.]gr[.]com tly[.]gr[.]com
ebill[.]cosmote[.]center nassosblog[.]gr[.]com tovima[.]live
efsyn[.]online newsbeast[.]gr[.]com ube[.]gr[.]com
enikos[.]news nissan[.]gr[.]com viva[.]gr[.]com
ereportaz[.]news onlineservices[.]gr[.]com yout[.]ube[.]gr[.]com
espressonews[.]gr[.]com orchomenos[.]news youtube[.]gr[.]live
ferrari[.]gr[.]com paok-24[.]com zougla[.]gr[.]com
fimes[.]gr[.]com politika[.]bid zougla[.]news
Why surveil Thanasis Koukakis?

We asked Thanasis Koukakis what he was investigating at the time the illegal software on his device was installed. During this time he was talking to sources about the judicial progress of loans that Piraeus Bank had granted to the Logothetis Group. Last week inside story spoke to a financial insider who was talking to the journalist at the time and who also asked for his own phone to be examined. The result for him was negative, no software had been installed. "But I was calling Thanasis and he seemed to be off the grid when he wasn't."

During the same period Koukakis was investigating cases of fake and fictitious invoices and the change in the law for the ex officio prosecution of tax evasion crimes until the final issuance of the fine by the AADE or until the issuance of an irrevocable decision by the administrative courts.

He also investigated cases of expenditure by the Ministry of Migration and Asylum that were regarded as classified (development of IT systems). He had gathered information on the amendment of the conditions on guarantees in defence contracts to reduce the maximum participation guarantee threshold from 5% to 2% and the reduction of the performance guarantee threshold from 10% to 5% and the abolition of the participation guarantee requirement in framework agreements and negotiated procedures without publication of a contract notice. It was also investigating the inter-state agreement for Kalamata airport, the DEPA-EFE legal dispute, cases of overpricing of renewable energy sources, money laundering through cooperative banks, and the sending of large remittances by Greeks who were found on foreign banks' tax evasion lists.

Who has Predator in Greece?

If we rely on a report on "To Vima" published by journalist Vassilis Lambropoulos published in late December 2019, the National Intelligence Service intended to purchase a "very expensive system" in order "to start monitoring Viber, WhatsApp and dozens of other Internet communications applications immediately". There was similar interest, it said, from agencies of the Hellenic Police, such as the Hellenic Police Intelligence Division and the Special Violent Crime Squad (Counter-Terrorism Squad).

"Also, the acquisition of special software, using the latest technology, such as the notorious Pegasus, by an Israeli company, which is widely used by intelligence services abroad, in order to bug the suspect phone by sending messages and then manage to record every action made by the user from any mobile application," we read in the same report in To Vima. At the end of 2021, the National Intelligence Service (EYP) leaked that it had bought the system, was testing it but was unable to track applications.

Bill Marzak of Citizen Lab communicated the following to inside story, answering the question of whether it was a government agency or a private company behind the Koukakis surveillance: "We know that the website used to attack Thanasis is connected to many other websites that focus mainly on Greek issues, so whoever targeted Thanasis seems to be targeting people in Greece. Technically we can't say exactly whether it's the Greek government or a private company. However, we have not seen a case in which powerful spy software like Cytrox's Predator has been sold to a private company for its own use. Intellexa may sell products and services to private companies, but I would be shocked if they sold Predator to private companies. While governments generally have the legal authority to monitor, it's hard to imagine a scenario where a private company could legally use the Predator. Still, this type of software typically costs many millions of dollars, which a private company probably couldn't afford."

We also addressed questions to INTELLEXA, through a contact form on its website and by email to the accounting firm it works with. The company states two addresses in Kifissia and Elliniko. The building in Elliniko has an external camera and a bell with no company name, but an employee there assured us that we were at the correct address, but that no one was in Greece at the time to answer our questions, recommending that we write to the contact form. After disclosing that a Greek journalist had fallen victim to "Predator" according to our information, we asked if the company (or any entity associated with it or Tal Dillian) had sold surveillance software to the Greek government or any domestic government agency/authority or to a private client.

Up to the time of publication we had not received a response.

Given that such a powerful (and very expensive) tool can only be in the hands of a state agency/law enforcement agency or a wealthy private citizen, the questions that need to be urgently answered by the Greek government are:

  • What are the reasons that justify in a state governed by law the monitoring of journalists by state agencies with fundamentally illegal software?
  • If the state has nothing to do with the surveillance of Thanasis Koukakis and it is a private job, then how can a company sell to anyone with the right amount of money in their pocket such dangerous "weapons" that can target any Greek citizen, from journalists to politicians? Isn't this a danger to national security?
Εικόνα etriantafillou
Σπούδασε κατά λάθος Οικονομική Επιστήμη στην ΑΣΟΕΕ και το 2004 ξεκίνησε να εργάζεται ως οικονομικός συντάκτης στην Κυριακάτικη Ελευθεροτυπία. Το 2010 δημιούργησε την πρώτη αντιγραφή του σατιρικού Τhe Onion, στην Ελλάδα. Παραμένει στον χώρο των ηλεκτρονικών ΜΜΕ. Είναι ανορθόγραφη.
Εικόνα telloglou
Σπούδασε νομικά κι από το 1986 εργάζεται σε εφημερίδες και κανάλια ως δημοσιογράφος. Εκπομπές-σταθμοί ήταν «Το μαύρο κουτί» (Mega), οι «Φάκελοι» (Mega), οι «Νέοι Φάκελοι» (ΣΚΑΪ), και οι «Ιστορίες» (ΣΚΑΪ). Τώρα παρουσιάζει την εκπομπή «Special Report» με τον Αντώνη Φουρλή (Ant1).

Διαβάστε ακόμα

Σχόλια

Εικόνα Anonymous

Σας πείσαμε; Εμείς σας θέλουμε μαζί μας!
Χωρίς τους υποστηρικτές μας
δεν μπορούμε να υπάρχουμε.