In 2022, the commander of the Greek Intelligence Service put together with his interlocutor from North Macedonia, a draft preliminary agreement for cooperation on cybersecurity. But they forgot to remove a subtle, albeit very important electronic trace, which was seen by inside story. This is Part B of the investigation resulting from Inside Story’s partnership with the Investigative Reporting Lab.
Tal Dilian’s group of companies developed and sold the Predator spyware in North Macedonia and Greece – so much we know already. What we did not know so far, was how the state agencies of the two countries attempted to cooperate on the matter –and almost concluded an agreement– before the 2022 spyware revelations in Greece sabotaged their operation.
Reporting: Tasos Telloglou, Eliza Triantafillou, Saska Cvetkoska, Bojan Stojanovski, Ivana Nasteska
Key points of this investigation
Inside Story in Athens and the Investigative Reporting Lab (IRL) in Skopje reveal today:
-The Greek government’s desire to legalise the state’s use of spyware, along the standards of North Macedonia.
-The content of the classified preliminary agreement put together in 2022 by then Greek National Intelligence Service (NIS) commander Panagiotis Kontoleon and the head of the Operational Technical Agency Skopje (OTA) Zoran Angelovski.
-The existence of an open channel of communication between the Greek Prime Minister’s Office under Grigoris Dimitriadis, and Intellexa, the vendor of -Predator spyware that has infected –or attempted to infect– the mobile phones of Greek journalists, politicians, business executives, members of the armed forces and others (who were simultaneously targeted by NIS’s legal, albeit abusive, wiretappings).
Rotem Farkash, the hacker
The intention of the Greek government to legalise the use of spyware was expressed as early as 2020 to a co-founder and developer of Cytrox, the company that created the now infamous Predator spyware and later became part of the Intellexa group of companies.
Born in 1987 to a Hungarian father and an Israeli mother, Rotem Farkash was raised in Tel Aviv. From an early age, he had an affinity for programming. As he states on his LinkedIn profile, he provided freelance consulting services to banks and security companies for 2,5 years (January 2011 – June 2012) by “bringing the hacker point of view to the table”. Prior to that, he served in the Israeli Defence Forces for five years. He boasted to people who have met him that, as a member of the Israeli cyber army, he had helped counter Palestinian suicide bombers’ attacks on Israelis.
In March 2017, Rotem Farkash founded Cytrox in Skopje along with six other Israeli businessmen. The initial funding for the company came from the state-owned Israel Aerospace Industries (IAI). Cytrox, as revealed in December 2021 by the University of Toronto’s Citizen Lab, is the company that developed the infamous Predator spyware, used extensively in Greece to target journalists, politicians, business executives, military personnel, etc. In 2018, Cytrox was acquired by Intellexa –a company owned by Tal Dilian, a former commander of a select technology unit of the Israel Defence Forces– with Rotem Farkash remaining in the group’s workforce.
Cytrox and its products attracted the attention of Tal Dilian, who decided to invest in the company, following a meeting he had in 2018 with the newly-elected at the time prime minister, Zoran Zaev. As early as 2017, the Macedonian government had become privy to the fact that Cytrox was developing the Predator spyware on its territory with the intention of distributing it elsewhere, but the government claims that it had not touched it. A source in Skopje has told Inside Story and IRL that NATO had previously advised North Macedonia not to cooperate with this company.
Moving to Greece
In the second half of 2020, Rotem Farkash’s professional obligations for Intellexa lead him to the decision to move to Paleo Faliro, a southern suburb of Athens by the beach. Bringing along his Audi R8 sports car with Hungarian license plates, he settled in a luxurious 8th floor flat with unobstructed views of Attica’s coastal front.
Roey Hayot, a close associate and employee at Intellexa’s Greek offices, who –unlike Farkash– appears on the company’s payroll records, moved into an apartment building across the street. The fact that Rotem Farkash was in Greece on Intellexa business is also proven by the fact that on August 10 2020, together with the company’s founder Tal Dilian and one other person, he travelled by private jet from Athens to Larnaca and then to Doha for a few days.
People who have visited Rotem Farkash’s residence describe it as a student flat, where a room with empty shelves was dominated by a desk and a computer with two large screens. The property in Paleo Faliro in which Farkash was staying, coincidentally belongs to a former New Democracy MP that hails from a shipping family with a large real estate portfolio managed by a real estate company. The rent for the apartment was paid by Kestrel, a company owned by Stavros Komnopoulos. The head of the Kestrel group has been familiar to arms procurement circles – and to law courts – since the 1980s.
Rotem Farkas’ flat is not the only point where Kestrel and Intellexa meet. As Inside Story has revealed, Rafnar, a company linked to Kestrel, provided guarantees in a lease signed in October 2020 by Intellexa with a Fais Group company for the offices it rented in Elliniko.
According to people who interacted with Rotem Farkash during the months of his stay in Greece and wish to remain anonymous, he described himself as the creator of software that counters cyberattacks, adding that he sold to governments “software to track criminals” – a description that matches that of spyware. They further mention that Farkash claimed that he came to Greece following an invitation by the Greek government, when they had already agreed to use the company’s software. He also claims that he had met with various government officials and that he had received assurances from the Greek government that they would pass a law to make the use of spyware legal. In May 2021, he unexpectedly left his home in Paleo Faliro and moved back to Israel. According to his acquaintances, he told them that there was some kind of disagreement between his company partners and that he was thinking of leaving permanently and selling his shares.
We sent Rotem Farkash questions about his alleged contacts with Greek government officials and the content of their conversations, but did not receive a reply.
The interest of Mitsotakis’ government in the ex-post legalisation of spyware
What Rotem Farkash claimed about the government’s intention to legalise the use of spyware during casual conversations with his Greek friends in the second half of 2020, appears to be confirmed by the fact that Mitsotakis’ government had contacted towards the end of 2020 the Operational Technical Agency Skopje (OTA), which has been the agency in charge of lifting the confidentiality of communications in North Macedonia since 2018.
A person with good knowledge of the content of the Athens-Skopje talks that began in late 2020, told Inside Story and IRL that the Greeks were interested in learning from North Macedonia how the OTA works and how the country’s intelligence services and other law enforcement agencies use spyware in a legal way. In turn, North Macedonia expressed interest in the digitisation of the Greek public sector – with the Ministry of Digital Governance being the responsible implementing ministry – and various cybersecurity issues.
Unlike NIS, OTA is not a secret service, but the fruit of the painful experiences lived by the citizens of North Macedonia during repeated surveillance scandals. The most recent one of these took place during the Gruevski administration, when more than 20,000 people were placed under surveillance between 2008 and 2015. The targets included civil society activists, politicians from all parties, journalists, diplomats and businessmen.
Following Gruevski’s fall, the US and European Union forced the Macedonian government to set up a technical agency –politically neutral, reporting to parliament and not to political power– to handle requests from intelligence, police and customs services to monitor citizens of the country. The institutional framework of North Macedonia also allows the use of spyware with –at least on paper– various safeguards against possible abuse.
Mitsotakis’ government’s desire to legalise the use of spyware, expressed in the second half of 2020, actually came after the pilot testing of Predator spyware, which, as Inside Story has reported, had already started in Greece as early as August 2019, shortly after New Democracy came to power.
When the contacts between NIS and OTA began, Intellexa already had six or seven months of presence in Greece. It was founded in March 2020, while the first fake domains mimicking well-known Greek websites in order to infect with Predator the mobile devices of individuals in Greece had been created by July 2020. We know that journalist Thanasis Koukakis was one of the first Predator targets in the long list of names that includes politicians, business executives and officials of the armed forces, among others. His first targeting took place on 31 July 2020, by which stage NIS had already proceeded with lifting the confidentiality of his communications and listening to the journalist’s conversations for “national security reasons”.
As the news organizations Investigate Europe and Reporters United recently revealed, Mitsotakis’ government has come out in favour of the Europe-wide use of spyware against journalists – “for national security reasons.”
The secret memorandum of cooperation for the exchange of classified information between NIS and OTA
People with knowledge of the content of the contacts between Athens and Skopje told Inside story and IRL that the first face-to-face meeting between Greek and Macedonian officials took place in early 2021 at the level of NIS and OTA commanders.
According to some reports, later that year, the Macedonian side met with the Minister of Digital Governance Kyriakos Pierrakakis in Athens. Pierrakakis’ entourage denied any meeting with representatives of the OTA. According to another information source, the only contact Pierrakakis had with officials from North Macedonia was the meeting in Athens with the Vice President of North Macedonia, Nikola Dimitrov, which according to the Greek side was about the digitization of the state.
In February 2022 a new meeting between Kontoleon and Angelovski took place in Thessaloniki, which led to the drafting of a preliminary agreement between the two commanders a month later, in March 2022. The draft was communicated to the office of Prime Minister Kyriakos Mitsotakis.
“The two agencies will take all necessary measures to keep the very existence of this MoU […] confidential”, reads a draft of the preliminary agreement seen by Inside Story and IRL, put together in the first half of 2022 to be signed by the heads of the Greek NIS and the Macedonian OTA.
“The cooperation will be personally managed by the heads of the agencies”, reads the same draft, dated March 2022, one month before the revelations of Inside Story about the infection of journalist Thanasis Koukakis’ mobile phone with Predator spyware.
“NIS and OTA […] will cooperate and share unclassified as well as classified information based on the following mutually agreed upon:
1. Participants will work together to improve professional development in cybersecurity and build a cybersecurity skills base, including through possible initiatives related to mutual recognition of qualifications and diversity. […]
2. Participants will establish and maintain an operational dialogue and identify opportunities for collaboration to enhance the ability of both to protect their citizens from malicious acts in cyberspace.
3. Requests for information may be made by either side, and the response will be based on the level of security and be subject to applicable rules and regulations in place for the disclosure of classified information.
4. Requests for information will only be in relation to technologies related to cyberthreats, terrorism, criminal activity, which the participants consider as threats to their national interests.
5. In the event of an immediate threat being identified by either side under this MoU, the agencies will share the information as soon as possible and assist the partner to eliminate the threat for the benefit of both countries”.
The existence of this preliminary agreement on cybersecurity between NIS and OTA was confirmed by the former NIS commander Panagiotis Kontoleon, in his closed-door testimony to the parliamentary committee of inquiry on the phone-tappings, on 15 September 2022. He reportedly stated that the Greek government had been informed about this preliminary agreement.
This also becomes evident from the draft seen by Inside Story, which is addressed – in addition to Kontoleon – to the office of the Greek Prime Minister. The head of the office at the time, until his resignation on 5 August 2022, was Kyriakos Mitsotakis’ nephew, Grigoris Dimitriadis, who was removed from his position in the wake of the revelation of PASOK’s current leader Nikos Androulakis’ surveillance by NIS.
A person with knowledge of the negotiations between Athens and Skopje told Inside Story that the Memorandum of Cooperation between the NSA and the OTA was not signed in the end, due to the reports that appeared in the Greek pressabout the monitoring of journalist Thanasis Koukakis’ mobile phone with Intellexa software.
We addressed official questions to NIS and the resigned Panagiotis Kontoleon and Grigoris Dimitriadis about the meetings with Macedonian officials and the content of the preliminary agreement, but received no response.
The OTA in its own replies officially confirms that there was contact with the Greek NIS, on cybersecurity and digitisation issues:
“The Operational Technical Service (OTA) is an autonomous and independent state agency. As part of its responsibilities and activities, the OTA, among other things, carries out cooperation and contacts with many domestic, foreign and international authorities, which are carried out through official channels of communication. Such were the meetings [OTA] held in the first half of 2022 with the leadership of the Greek National Intelligence Service (NIS), as the responsible bodies for monitoring communications in both countries. In these meetings, no classified information was shared and no documents were signed. No MoU was signed either.
The theme of the meetings was the exchange of experiences in the field of digitization of systems, towards the improvement of security during digitization, which includes cyber security, for which the presentation on the process of digitization of Greek society, which […] has made excellent progress and results, was extremely useful.
The visits and the results of the talks were reported to the [North Macedonia] Parliamentary Committee for the implementation of the supervision of the surveillance measures of communications, as well as to representatives of the government”.
The proofreader from Intellexa
During his September 2022 testimony to the Greek parliament’s committee of inquiry on the wiretappings, Panagiotis Kontoleon (who had also resigned due to Androulakis’ surveillance), after confirming the existence of a preliminary agreement between NIS and OTA, was reportedly quick to stress that NIS has nothing to do with Intellexa, the company that sells the Predator spyware. Inside story and IRL has seen evidence that this statement is untrue.
The draft of the preliminary agreement that we have seen in electronic form contains a small –but important to the story– electronic trace that proves that Intellexa not only has a direct relationship with NIS, but also to the office of Prime Minister Mitsotakis. This document, which was to be signed by the agencies of two countries, Greece and North Macedonia, contains written corrections by a former high-ranking Israeli Defence Ministry official who, after his demobilization, worked with Intellexa.
His name is Nir Ben Moshe and he can be traced as an editor of the electronic document (with his name written in Hebrew), when the function “track changes” is activated. A source said to Inside Story that the draft had been sent to Intellexa.
Nir Ben Moshe is not just any Israeli citizen, having served in several key state positions. In 2015, he was appointed head of a special unit in the Ministry of Defence known as Malmab, that is responsible for the security of the Ministry of Defence, Israeli arms industries and entities in Israel involved in the development and production of weapons of mass destruction, as well as the means of defence against such weapons.
Malmab, due to the classified nature of its activities and its close relations with Shin Bet, is sometimes described as Israel’s fourth intelligence agency (alongside Shin Bet, Mossad and the Israeli army’s intelligence services).
In 2021, Nir Ben Moshe left Israel’s Ministry of Defence and turned to the private sector. In May 2022, some israeli reports indicated that he was considering working with a company owned by Tal Dilian. Commenting on this professional move, sources in the Israeli security establishment told the media that Nir Ben Moshe’s move to Tal Dilian’s side “is legal, but it stinks. It’s kosher, but it presents some ethical issues”. The Israeli security establishment, where the founder of Intellexa originates from, has accused Tal Dilian of using the knowledge he gained as commander of an Israeli army elite technology unit to establish companies that manufacture cyberattack products that infiltrate mobile phones. He is also being criticised for moving his companies to Cyprus (note: and then to Greece) to avoid supervision by the Israeli Ministry of Defence – namely the former employer of Nir Ben Moshe.
According to travel documents seen by Inside Story, Nir Ben Moshe visited Athens in the first ten days of March 2022 and was in Israel when he made the corrections to the NIS – OTA draft on behalf of Intellexa. Travel between Greece and Israel was frequent. On 23 March 2022 Nir Ben Moshe flies from Greece to Albania and back and on the same day departs again from Greece to Turkey. It is unknown whether these trips were made for personal or business reasons. The last time he boarded a flight from Greece was in October 2022, when he departed for the US. According to what he writes on his LinkedIn profile, since March 2022 he has founded a consulting company inspired by his initials (NIRBM) – its website does not work.
Another piece of evidence that seals Nir Ben Moshe’s business relationship with Intellexa is that, on 12 April 2022, he appears to be travelling from Larnaca to Athens in a private jet linked to Tal Dilian and in which, as Inside Story has revealed in a joint investigation with Lighthouse Reports and Haaretz, surveillance technology was delivered to Sudan from somewhere in the EU (the equipment was found in the hands of one of the world’s most notorious and terrifying paramilitary groups, the Rapid Support Forces).
An individual from Macedonia’s intelligence services who spoke to Inside Story and IRL on condition of anonymity, said that they do not know Nir Ben Moshe, nor do they know why a copy of the draft to be signed by the heads of NIS and OTA was in the hands of Intellexa and even corrected by a partner of Intellexa. “The Greek side had mentioned that they had a contractor, but they never mentioned the name Intellexa”, they said.
Nir Ben Moshe, Intellexa, Grigoris Dimitriadis, Panagiotis Kontoleon and the NIS did not provide a reply to the questions we asked them.
The production of this research was supported by a grant from Investigative Journalism for Europe (IJ4EU) funds.