U.S. Treasury sanctions Israeli founder of Intellexa for the company's role in developing and selling 'commercial spyware technology used to target Americans' including U.S. government officials, journalists, and researchers

The United States imposed for the first time on Tuesday personal sanctions against former Israeli intelligence officer Tal Dilian who is behind the cyber firms Cytrox and Intellexa, which developed the Predator spyware software used for mobile phone surveillance.

While NSO and Candiru operate from Israel in accordance with Israeli law, Intellexa is outside the supervision of the Israeli Defense Ministry. These companies are at the center of a global scandal following the discovery of several cases involving the use of espionage technology against politicians, journalists, and other targets in Greece and other countries.

The U.S. Treasury announced Tuesday that its "Office of Foreign Assets Control designated two individuals and five entities associated with the Intellexa Consortium for their role in developing, operating, and distributing commercial spyware technology used to target Americans, including U.S. government officials, journalists, and policy experts."

"The proliferation of commercial spyware poses distinct and growing security risks to the United States and has been misused by foreign actors to enable human rights abuses and the targeting of dissidents around the world for repression and reprisal," the Treasury statement continued.

The new personal sanctions require the freezing of all Dilian's assets, as well as those of his father-in-law and the various companies in the U.S., or those that are under the control of U.S. citizens.

Any such business interest is required to be reported to the Office of Foreign Assets Control, which is responsible for administering the U.S. Department of Commerce's blacklist.

The sanctions also prohibit all U.S. citizens from carrying out any business activity with Dilian and any of his companies, unless they obtain a special permit.

The Treasury Department's statement further notes that financial institutions, companies, and individuals who continue to conduct business with Dilian may also face sanctions. Among the activities that may lead to sanctions are any donations or payments and goods or services rendered to or from Dilian and his associates.

In July 2023, Intellexa and Cytrox were added to a U.S. blacklist of companies acting against American interests, but this is the first occasion that personal sanctions have been imposed on company executives, including Dilian.

So far, the company has appeared on the Chamber of Commerce's list as an entity that official government bodies and agencies are not authorized to conduct business with. As of today, the sanctions have turned personal, and thus mark a step-up in the U.S.'s struggle against global offensive cyber risks.

In this regard, today's decision represents the result of a long struggle that began in 2021, when the U.S. Commerce Department added the Israeli spyware firms NSO group and Candiru, alongside companies from Russia and Singapore, to its Entity List for activities contrary to the U.S.'s national security or foreign policy interests.

In addition to the sanctions imposed on Dilian, a former commander of the Israeli army's intelligence corps' Unit 81, sanctions were also levied on Dilian's partner and ex-wife, Sara Hemo, who is defined by the U.S. government as an "off-shoring specialist who has provided managerial services to the Intellexa Consortium," including renting its offices in Greece.

Sanctions were also imposed on five other business entities in the Intellexa Consortium, four of which were already added to the U.S. Commerce Department's Entity List last year. These include Intellexa in Greece, which exports spyware tools to undemocratic regimes around the world; Intellexa Limited in Ireland, which markets surveillance tools and owns part of the consortium's assets; Cytrox in North Macedonia and Cytrox Holdings in Hungary, which developed the Predator spyware; and Thalestris, the consortium's holding company.

While these companies operate from Israel in accordance with Israeli law, Intellexa is outside the supervision of the Israeli Defense Ministry. Blacklisting the company last year marked the U.S. effort to not only restrain the Israeli spyware industry, but also monitor Israelis abroad.

"Today's actions represent a tangible step forward in discouraging the misuse of commercial surveillance tools, which increasingly present a security risk to the United States and our citizens," said Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson.

"The U.S. remains focused on establishing clear guardrails for the responsible development and use of these technologies while also ensuring the protection of human rights and civil liberties of individuals around the world," continued Nelson.

Several investigative reports have been published in recent years, including in Haaretz, concerning Intellexa's activities around the world. The first report was about the company's move from Cyprus to Greece.

Dilian and the firm faced a criminal investigation in Cyprus in the past, and a firm affiliated with it was found guilty this year of illegally siphoning data from Larnaca's airport – though Dilian himself was cleared of all charges.

It represented the first case of a European national being targeted by the Predator spyware created by the Israeli-owned firm Cytrox, which is owned by Intellexa.

It was later revealed that the head of the socialist party in Greece was also the target of espionage, as well as a senior official at Meta.

Collaborating with a group of journalists, Haaretz exposed how Intellexa's Predator spyware was also sold to a Sudanese militia and even to militants in Bangladesh – countries that Israelis are prohibited from doing business with.

Since then, there has an ongoing series of reports about the company and its spyware – manufactured by Cytrox – which, as Haaretz exposed, received an initial investment from Israel Aerospace Industries, which later withdrew its involvement in the company.

Cyber companies Sekoia.io and Recorded Future simultaneously released investigations about the sanctions that revealed a new Predator spyware infrastructure in 11 countries with repressive regimes. Most of the countries had already been identified, but the new infrastructure has also been discovered for the first time in the Philippines and Botswana, researchers from Recorded Future's Insikt Group noted.

Extensive infrastructure was also discovered in Saudi Arabia, Angola, Armenia, Egypt, Indonesia, Kazakhstan, Oman, Madagascar, and Trinidad and Tobago.

An industry expert in Israel's spyware industry told Haaretz that the sanctions prove that the U.S. will not let up on Israel. "Like at the start with the executive order, and then with its denial of visas, this step shows that the U.S. is serious about its intentions towards the industry and that it will reach you – even if you operate from Europe or the Persian Gulf," said the source. "NSO Group and Candiru were a signal, and it's now a war."

BREAKING: US Treasury sanctions commercial spyware consortium & key enablers for spyware abuses.

OFAC designations = America’s big gun.

First time they’re used against a mercenary spyware company.

Huge deal, let me break the #sanctions against #Intellexa down 1/ pic.twitter.com/nqdLqDwmSv

— John Scott-Railton (@jsrailton) March 5, 2024

According to John Scott-Railton, a senior researcher at the Citizen Lab institute who is at the forefront of the fight against mercenary spyware companies, this is a dramatic development. "This is the first time that we've seen the use of such sanctions, the most serious kind that America has, against spyware companies, and I find it hard to believe that this will be the last time."

"If I were an industry executive, I would be panicking right now," continued Scott-Railton. "The American decision is also a signal to Europe, which is at the height of their own spyware crisis. The U.S. is creating a new surveillance model here, and it remains to be seen whether the Europeans will impose similar sanctions."