On July 18, the U.S. Commerce Department added two European commercial spyware firms–Cytrox and Intellexa–to its export controls blacklist due to privacy violations and other rights abuses. Both entities are controlled by former Israeli intelligence officer Tal Dilian and registered in multiple European jurisdictions, including Greece, Hungary, Ireland, and North Macedonia. They have been implicated in a variety of wrongdoings, including a major scandal in Greece, where Cytrox’s Predator software was used to hack journalists’ and opposition politicians’ phones.
The blacklisting is not a one-off. In fact, it represents a continuing effort by the U.S. government to curb the commercial spyware industry. The designation of the two companies is the first major initiative on spyware since U.S. President Joe Biden signed an executive order in March that limits federal agencies’ use of commercial spyware, and it sends a clear message that selling high-grade surveillance products to abusive governments will have consequences. Cytrox and Intellexa’s designation on the entity list imposes severe licensing requirements on the companies, effectively banning them from transactions with U.S. companies and accessing the U.S. market.
Getting to this point has been a struggle. Global spyware is big business. Both governments and private companies have an unquenchable thirst for surveillance tools. According to my research, at least 74 governments around the world have contracted with commercial firms to acquire spyware or data extraction technology.
The web of companies supplying these products is diverse. Israeli firms dominate global spyware exports, but European and U.S.-based companies also play a role. Companies at the top end of the spyware market–such as Cytrox, Intellexa, and NSO Group, the Israeli market leader under U.S. sanctions since 2021–offer cutting-edge tools, including so-called zero-click hacks. These are malware programs that infiltrate devices without the user having to take any action to allow it in, such as opening an email or clicking on a bad link.
Although many of the abuses are linked to authoritarian regimes, such as the Saudi and Emirati governments’ reported use of NSO’s Pegasus malware to track the journalist Jamal Khashoggi before his assassination, democracies do not have clean hands, either. European countries such as Cyprus, Greece, and Spain have deployed spyware against civil society, independent journalists, and opposition politicians, as have illiberal democracies such as Hungary.
That is why U.S. leadership in reining in the spyware industry is such welcome news. Quite simply, few other countries have shown much interest in taking on commercial spyware firms, despite a parade of public scandals revealing major rights violations. The Biden administration started pursuing a measured strategy against spyware violators in 2021, when the Commerce Department put four spyware firms in Israel, Russia, and Singapore on its list of sanctioned entities, including NSO. Then, Biden signed the executive order in March of this year. In parallel, the United States also signed a joint declaration with 10 other countries against the misuse of spyware and establishing procedures to counter malicious cyberactivities. The White House is sending a clear message that it is serious about tackling spyware abuse.
Yet for Washington’s actions to truly make a dent in the commercial spyware market, it needs other countries to join the fight–starting with Europe. The fact that two of the companies penalized for spyware are located in Europe shouldn’t be a shock. Although most European countries regulate spyware with strict laws, the enforcement of those rules has not been very effective. My research shows that a number of European spyware firms sell intrusive surveillance technology in their home markets and overseas, including Italy’s Memento Labs and Tykelab/RCS Lab, as well as Austria’s DSIRF. Moreover, European governments continue to deploy spyware to unlawfully surveil their citizens. In Spain, a scandal involving Catalan politicians and leaders was reported. Hungarian authorities also engaged in abuse. In a draft report, Sophie in ‘t Veld, rapporteur for the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and other spyware (PEGA), writes that “the abuse of spyware is a severe violation of all the values of the European Union, and it is testing the resilience of the democratic rule of law in Europe.”
So what can be done? First, the European Commission could do far more to address the spyware problem within the EU. Currently, the European Parliament is the only pan-European institution tackling this problem, but it lacks executive power and faces roadblocks at every turn. The EU will not be able to make any real progress unless it takes a serious step toward overcoming the obstructionism of EU member states. The commission has so far refrained from pressuring member governments to tighten their policies, highlighting Brussels’s limited ability or interest in fighting the problem. It would make a big difference if the commission sent a clear signal that cracking down on spyware is a priority. The EU has little to no reason not to take steps similar to those taken by the United States.
Second, democracies can be far more stringent when it comes to curbing their own use of spyware. Democracies continue to be interested in purchasing intrusive spying tools despite public scandals. A good example is India: Just three days after Biden signed his March executive order on spyware, the Financial Times reported that Modi’s government had released a $120 million bid for new spyware contracts. Notably, Indian officials were concerned about the “PR problem” from NSO’s Pegasus and were looking for alternative companies from which to purchase surveillance capabilities. While preventing autocratic leaders from obtaining spyware is a formidable challenge, there are far fewer excuses for democratic governments to be using these tools, whether that’s in Greece, India, Mexico, or Spain. Democracies need to demand that their governments behave better, particularly when it comes to illegally using surveillance tools on journalists and civil society. Diplomatic pressure is also needed against governments that are guilty. In the case of Intellexa and Cytrox, the United States and its partners may not have significant leverage to wield against Hungary, where one of the Cytrox companies is based, but pressure could be exerted against other countries hosting these firms and their various entities. Already, there are reports that in response to Intellexa’s listing, the company’s Irish auditor has resigned.
Third, it is important not to overlook the Israel angle. Many notorious spyware firms are connected to Israel’s security establishment. Dilian, for example, cut his teeth working as a commander for the Israeli Defense Forces’ Unit 81, a crucible of advanced military technology responsible for developing intelligence products for special operations units and other defense agencies. Israel is a major hub and protector of the spyware industry. When other countries attempt to probe Israeli firms, they are often stonewalled. In July, a Spanish judge investigating the alleged hacking of ministers’ phones with Pegasus spyware was forced to close the court’s inquiry “due to the complete lack of legal cooperation from Israel.” There is no reason the Israeli government cannot follow the United States’ lead and enforce more stringent standards on non-military applications, rein in exports, and crack down on unaccountable companies. Israeli Prime Minister Benjamin Netanyahu’s upcoming visit to the White House is a good opportunity for U.S. officials to have a candid conversation about regulating abusive surveillance practices and the next steps each country can take.
The White House’s export control designations of Cytrox and Intellexa are to be applauded. They reinforce the administration’s ongoing commitment to curbing spyware violations. But the United States shouldn’t be the only country to take action. Europe, Israel, and other countries should follow Biden and his administration in taking meaningful measures to curb the actions of spyware companies.