Cybersecurity researchers from Facebook and a university have exposed a vast network of activity from surveillance-for-hire firms from India to Israel that they claim has used hacking tools and hundreds of fake personas to monitor journalists, dissidents and politicians around the world.
As part of the investigation, Facebook parent firm Meta took down hundreds of Facebook and Instagram accounts tied to the seven different spy organizations, which included Black Cube, the intelligence firm that disgraced media mogul Harvey Weinstein allegedly hired to track actresses and journalists, according to reporting from the New Yorker.
Meta said it notified around 50,000 people that had been targeted in one way or another by the spying-for-hire firms.
The investigations from Meta and the University of Toronto’s Citizen Lab offer two of the more comprehensive looks yet into a booming private spy business that the Biden administration has tried to crack down on out of concern for human rights.
Citizen Lab, a digital rights research center at the University of Toronto, discovered invasive spyware allegedly built by one of the surveillance firms, Cytrox, on the phone of former Egyptian presidential candidate Ayman Nour, a critic of Egyptian President Abdel Fattah el-Sisi.
“While these ‘cyber mercenaries’ often claim that their services only target criminals and terrorists, our months-long investigation concluded that the targeting is in fact indiscriminate,” and includes critics of authoritarian regimes and human rights activists, Meta researchers said in a report published Thursday.
The seven surveillance firms and organizations that Meta investigated offer clients a range of services, from easy-to-use hacking tools for infiltrating mobile phones, to access to social media accounts to monitor targets.
Black Cube’s services involved posing as film producers, graduate students and non-government organization (NGO) workers in an effort to surveil targets around the world.
Another Israeli firm, Bluehawk CI, used social media accounts to pose as journalists for Fox News and other news outlets in an effort to trick their targets into being interviewed on camera, according to Meta.
In addition to Black Cube, Bluehawk and Cytrox, Meta said it disabled Facebook and Instagram accounts tied to Israeli firms Cobwebs Technologies and Cognyte; Indian firm BellTroX; and an entity in China that Meta did not identify.
“We have not been contacted by Facebook (Meta) and are unaware of any claims it has allegedly made about our services,” Meital Levi Tal, a Cobwebs spokesperson, said in an email to CNN. “CobWebs operates only according to the law and adheres to strict standards in respect of privacy protection.”
Black Cube said in a statement to CNN that it does not engage in any phishing or hacking, and “does not operate in the cyber world.”
“Black Cube is a litigation support firm which uses legal [human intelligence] investigation methods to obtain information for litigations and arbitration,” the Black Cube statement continued. “Black Cube works with the world’s leading law firms in proving bribery, uncovering corruption, and recovering hundreds of millions in stolen assets. Black Cube obtains legal advice in every jurisdiction in which we operate in order to ensure that all our agents’ activities are fully compliant with local laws.”
BellTroX could not be reached for comment. None of the three other named surveillance firms responded to CNN’s requests for comment.
Facebook rebranded itself as Meta in October amid intense scrutiny from US lawmakers over how the platform handles misinformation that causes real-world harm.
Staying in the shadows
The new findings show the lengths that private spies for hire will go to avoid public scrutiny and hide their operations.
Cytrox, an obscure spyware firm that Citizen Lab researchers said was founded in North Macedonia, is a case in point. Cytrox has a corporate presence under various names in Israel and Hungary, the researchers said.
Surveillance industry analysts say Cytrox is one of several competitors in the spyware market to NSO Group, the Israeli firm that the Commerce Department has moved to block from doing business with US tech firms.
The Biden administration alleges that NSO Group’s spyware has been used by foreign governments to target journalists and embassy workers. NSO Group has rejected the allegations, saying its products serve US national security interests.
Citizen Lab analyzed the phone of Nour, the Egyptian politician, and concluded that it had been hacked this summer by spyware built by both Cytrox and NSO Group.
Nour ran for Egyptian president against former authoritarian ruler Hosni Mubarak in 2005, and subsequently spent three years in prison on election fraud charges that were denounced by the US. Nour has lived in exile in Turkey for several years, where he has criticized el-Sisi, the current Egyptian president.
In a statement issued Thursday through his political party, Ghad El-Thawra, Nour accused the Egyptian, Saudi and Emirati governments of being involved in the hacking of his phone.
Nour told CNN that he “couldn’t find any explanation or justification for the attack on my private life in this unfortunate and unacceptable way, both legally and morally.”
The Washington embassies of Egypt, the United Arab Emirates and Saudi Arabia did not respond to a request for comment on Thursday on the allegations.
Bill Marczak, senior research fellow at Citizen Lab, told CNN that “multiple factors point to the Egyptian government as responsible for hacking” the phones of Nour and the host of a popular Egyptian news program, who Citizen Lab said chose to remain anonymous.
“Our scanning identified the Egyptian government as a Cytrox … customer, the websites used in the hacks of the two targets bore Egyptian themes, and the messages that initiated the hack were sent from Egyptian WhatsApp numbers,” Marczak said.
It was not immediately clear who used the Pegasus spyware on Nour’s phone. NSO Group did not respond to a request for comment.
Cytrox’s founder is young entrepreneur Ivo Malinkovski, according to digital records reviewed by Citizen Lab and articles in North Macedonia press.
Until at least late Wednesday, a LinkedIn page for Malinkovski featured a photo of him holding a Cytrox coffee mug. The photo was removed after CNN messaged the LinkedIn account seeking comment.
CNN’s Natasha Bertrand contributed reporting.