The Predator spyware marketed to the world by an Israeli software company and used in Greece and Egypt to spy on journalists, dissidents and others, was developed in North Macedonia – a violation of the Balkan country’s law. But local efforts to investigate why the software was built in Skopje appear stalled. The European Parliament also is probing the matter.
Reporting: Saska Cvetkoska, Ivana Nasteska, Bojan Stojanovski, Tasos Telloglou, Eliza Triantafillou; Additional reporting: Miroslava Simonovska
Key points
- A set of classified intelligence documents from North Macedonia obtained by news organizations Inside Story in Athens and Investigative Reporting Lab in Skopje show that Predator spyware, at the center of an international scandal, was illegally developed by Cytrox, in Skopje, North Macedonia – and government officials of North Macedonia knew about it but did nothing to stop it. Cytrox is owned by Intellexa, an Israeli firm founded by Tal Dilian. Intellexa is mired in an ongoing scandal about several governments’ use of the spyware to target dissidents, journalists and activists. The software has been sold in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia, the Citizen Lab reported.
- Documents show that the government of North Macedonia was aware as early as 2017 that Cytrox was illegally developing Predator spyware in the country, with the intent to distribute it elsewhere.
- Documents obtained by Inside Story and Investigative Reporting Lab (IRL) reveal the existence of a complex business structure in Skopje developed by individuals and companies with direct ties to Intellexa. At least 5 companies with links to Intellexa were registered with the official business registry of North Macedonia between 2017 and 2021. Two of them – Cytrox and CyShark – identified themselves as developers and traders of software when they requested licenses for export and production. There was no indication in their public applications that they were producing spyware, which would not have been allowed under the licenses they sought and obtained. However, the classified documents obtained by IRL and Inside Story show that the North Macedonia government was informed that Cytrox planned to illegally create spyware. Experts say the Government of North Macedonia should have acted to stop the production, but failed to intervene.
- Documents show that Cytrox and CyShark are part of a group of companies owned by Tal Dilian and his associates. Dilian is a former Israeli defense official who founded Intellexa, now based in Cyprus. Among the owners of Cytrox is Ivo Malinkovski, a member of a family of well-known Macedonian winemakers – and arms dealers.
- The Government of North Macedonia’s Ministry of Interior told parliamentarians that it is investigating to determine the circumstances in which Predator was created. But there has been no update and few signs that there is any progress.
As scandal is revealed, Parliament asks questions, but gets few answers
On June 19, 2022, a few months after it was revealed that Predator spyware had infected Greek journalist Thanassis Koukakis’s mobile phone a group of parliament members of North Macedonia, arrived in Geneva to participate in an intense training to improve their oversight of the country’s intelligence agencies and to ensure that these agencies respect human rights and democratic standards. Hosted by the Geneva Centre for Security Sector Governance, also known as DCAF, nine members of North Macedonia’s Parliament Commission for Oversight of the Work of the National Security Agency and Intelligence Agency, together with a dozen representatives from other North Macedonia government institutions, attended a training entitled “Highly invasive means like IMSI catchers, malicious softwares – their purpose and use.”
The welcoming email by DCAF lead cybersecurity expert Matej Kovacки opened the training by sharing information about various governments and private entities using two dangerously sophisticated spying software: Predator and Pegasus. By then, the public and the parliamentarians knew that Predator was sold by Intellexa – Dilian’s company – and had been invented by its Macedonian subsidiary Cytrox. This was first revealed by the interdisciplinary laboratory based at the University of Toronto Citizen Lab which reported in a December 2021 report that Predator, sold to hostile governments across the world, had been developed in Skopje. But the report lacked information about how that had been allowed to happen in North Macedonia in what was a clear violation of its laws.
The trainer asked the participants what they were doing to shine light on this disturbing discovery.
“I remember we all proudly said: ‘Yes, we did ask the Macedonian authorities. They told us they are already working on the problem. The staff from the Ministry of Interior told us investigative measures are underway to determine the circumstances and that the MPs will know accordingly once they have answers’,” former Minister of Interior and current MP Pavle Trajanov told IRL’s reporters in a face-to-face meeting.
The group would not meet again until five months later on November 14, 2022, this time at the mountain resort of Mavrovo in North Macedonia. For this second raining, representatives from the Ministry of Interior of North Macedonia, the Intelligence Agency, the Bureau for Public Security and the Agency for National Security also would attend. The guest list included some high level representatives including Victor Dimovski, the director of the North Macedonia Agency for National Security..
In the light of the events in neighboring Greece where it was revealed in 2022 that journalists, government ministers and members of the opposition party had been spied on by the Greek government using legal wiretapping procedures and the illegal spyware Predator, the parliamentarians would express new concerns, asking whether the North Macedonia government also possessed sophisticated spying software.
“Director Viktor Dimovski, after some nagging with us, said ‘yes, but claimed that so far they have never used it,” Trajanov told IRL. But the Parliamentary group asking the questions received few details, details they are still seeking.
Recent history shows that it is not particularly surprising that spy softwares are being developed in North Macedonia, or recently in Bulgaria, both countries with weak regulations and even weaker oversight.
A tech savvy city with a sketchy tech history becomes a spyware hotspot
In 2015 the Macedonian secret police and high level government officials were implicated in illegal telephone surveillance on a massive scale – more than 20,000 individuals were wiretapped between 2008 and 2015 while the Nikola Gruevski government was in power.
The then- director of the Administration for Security and Counterintelligence Saso Mijalkov was alleged to have illegally intercepted the conversations from 5,827 phone numbers for more than 20,000 individuals.The targets included civil society activists, politicians from all parties, journalists, diplomats, businessmen. In a related matter, Mijalkov was also investigated in 2016 by the Special Public Prosecutors in North Macedonia for running covert internet surveillance using sophisticated spy software known as Finfisher. Goran Grujevski and Nikola Boskovski, two of Mijalkov’s closest confidantes among intelligence officers, were cited for destroying the equipment in an attempt to sabotage the prosecutors’ investigations.
In October 2017, Grujevski and Boshkovski were arrested in Greece where they had requested political asylum. A court in Thessaloniki ruled they both should be extradited because they did not meet the conditions for political asylum. This decision, however, was overturned by Greece’s Supreme Court. The high court ruled that because they had been pardoned by then- President of North Macedonia Gjorge Ivanov, part of the government that had succeeded Gruevski, they did not need to be extradited. They had been awaiting trial on charges of destroying the spying equipment in the wiretapping scandal, and could have faced 15 years in prison. President Ivanov’s pardon was widely criticized as a clear effort to protect a small circle of former ruling party members and their associates from criminal charges. In 2016 Ivanov revoked the pardon after a huge public outcry. But the two men then received asylum and are living in Greece.
That wiretap scandal in North Macedonia might have put an end to an authoritarian regime of the nationalist party led by Nikola Gruevski, but it did not end the connections between the weak democracy and worldwide spyware traders. At almost the same time that the wiretap scandal was winding down, North Macedonia was already becoming a host country for the development of what would become one of the most notorious spying software: Predator.
From wine and weapons to developing spyware
In early 2017, then-26-year-old Macedonian entrepreneur Ivo Malinkovski left his position as head of Chateau Kamnik, his family’s wine producing company, and founded and operated several tech startups in Skopje. His business became the development and production of the Predator.
In the early months of their existence, on October 6, 2017, two of the companies that Malinkovski ran – Cytrox and Cyshark, would ask the Ministry of Interior of North Macedonian for authorization for manufacturing, sale and resale, and export of several software products that could be used to protect personal data – and to invade personal data. This was spelled out in classified documents obtained by IRL and Inside Story. The companies would be selling this equipment to governments and certified government agencies such as secret services, police, border agents, and marine police, the classified documents said. The Government of North Macedonia’s Ministry of Interior said it never authorized the production of the spyware and said it was unaware that it was being produced. But the documents tell a different story: the government was alerted to the plans to produce spyware, a violation of the law of North Macedonia.
The application said: We note that our activity is the subject of work exclusively for the creation and production of software that we would offer as a final product on the domestic and foreign market only for government uses, as well as for special needs and purposes that fall under the authority of state authorities authorized by law and institutions.
Signed by Malinkovski, the application said that the products the companies sought to create are regulated under the Law for Interception of Communication. Accordingly, the Ministry of Interior should have reviewed their full application, but there is no evidence or documentation to show that such a review occurred.
The manufacture, offer for sale, resale, import, export, re-export or possession of means of monitoring communications may not be carried out without an authorization issued by the Ministry of Interior. The approval from paragraph 1 of this article is issued on the basis of a submitted written request, in addition to which a technical specification of the type and characteristics of the means intended for monitoring communications must be submitted”, article 3 of the Macedonian law on interception of communication says.
The applications sent on behalf of Cytrox and Cyshark were not complete. Malinkovski had neglected to attach the specifications of the equipment that the law required. The Government of North Macedonia’s Ministry of Interior gave the companies extra time to deliver the required documents, allowing them an additional month. The government unit tasked to review and authorize such products is the Counterintelligence Unit in the Ministry of Interior, better known to residents of North Macedonia as the Secret Police.
On November 7 2017, Malinkovski filed a new document with specifications that the original application had lacked. According to classified documents obtained by IRL and Inside Story, and reviewed by tech experts at IRL’s request, the software product in question is what would later be known as Predator, the linchpin of the global scandal. It features a sophisticated weapon to target civil society activists, journalists and other high value targets. Some of those, it later was revealed, were in neighboring Greece. It also was soon revealed that the smartphone surveillance system – the Predator spyware – was used by authoritarian hostile governments and paramilitary organizations around the world such as the infamous Rapid Support Forces militia in Sudan and the government of Myanmar.
The Citizen Lab – a laboratory at the University of Toronto that focused on digital espionage – – in 2021 revealed that the phones of at least two Egyptian nationals had been hacked with ‘Predator’ spyware developed by a developer in North Macedonia called Cytrox. Public records in Skopje show that the CEO is Ivo Malinkovski. Rumors were spreading that the father, not the son, is actually behind the company , but Ilija Malinkoski denied the allegations in an interview with Balkan Insight.
“Cytrox was reported to be part of Intellexa, the so-called “Star Alliance of spyware,” which was formed to compete with NSO Group, and which describes itself as “EU-based and regulated, with six sites and R&D labs throughout Europe,” the Citizen Lab Report said.
But the software developed in Skopje for Intellexa was never granted the required authorization by the Ministry of Interior.
IRL reporters talked with an officer in the Ministry of Interior tasked to handle the application. The first to respond had refused to make a recommendation. “I was not qualified to understand what the software is, so I gave it to another officer,” this person said. At least three sources in the Counterintelligence unit confirmed for IRL that no one wanted to deal with this request. The Ministry of Interior then said in an email to IRL that they did not approve the Cytrox and Cyshark requests.
The reasons for this reluctance may well be rooted in the wiretap scandal, which was revealed in 2015.
”The Ministry of Interior has not authorized such software for the companies in question, nor has the Ministry of Interior purchased such software,” spokesperson Toni Angelovski said in an email dated Dec. 15, 2022. “
Wiretap scandal may have foreshadowed the North Macedonian connection
North Macedonia once made global headlines stemming from another Citizens Lab report that revealed in 2015 the Gruevski government’s massive wiretapping scandal. And the tiny Balkan nation was again in the headlines on December 16th 2021 when NGO Citizen Lab in cooperation with Meta published two new reports. This time the focus was on the Predator software produced by tIntellexa’s company Cytrox, based in Skopje. On the same day, the prime minister of North Macedonia Zoran Zaev, who was on his way out of office, hosted a party in the exclusive winery Chateau Kamnik. The winery is owned by the Malinkovski family who are not only vintners, but also arms traders for almost three decades, and now, and a recent entrant into the cyber software business. But, while the revelers sipped on wine, very few knew that the family whose winery hosted the party was at that moment deeply involved in one of the world’s hottest spying affair linked to the use of Predator.
The arms business operates under the brand Mikei International, but the Malinkosvki family keeps their affairs away from the public spotlight. There is only one record of a press interview but no TV appearances, no hint of any scandals. When Mikei was sanctioned by the US government in 2009 for trading weapons with hostile regimes, no media reports were made. Unless you are a politician or a journalist, you would not know of their international weapons trade business. It is mostly under the public radar. For ordinary Macedonians, the Malinkovski family is known as winemakers of Chateau Kamnik, a very popular brand
The family’s weapons business and other enterprises stayed under the public’s radar until 2017, when Ivo Malinkovski, began to frequently appear in the media as a rising star in the global tech world.
“Young and successful, a hedonist, adrenalin sport junkie and owner of the IT company Cytrox”, this is how Ivo Malinkovski is described in the intro of an interview in the local lifestyle magazine Espresso. In several other media interviews Ivo Malinkovski gave in 2018, he was described as an owner of Cytrox, although the actual products and services the company were offering were murky. None of it suggested what would soon be nicknamed The Greek Watergate. Shortly after the Citizen Lab published its findings, Ivo Malinkovski deleted all of his social media accounts.
According to official documents reviewed by IRL in the North Macedonia Business State Registry, there is ampl evidence of Dilian’s footprint in North Macedonia. The Skopje-based company Cytrox was founded in March 2017 as a joint stock company by six foreign businessmen – five from Israel (Dror Harpaz, Sharon Adler, Avraham Rubinstein, Eyal Avraham Oren, Alon Arabov) and one from Hungary (Rotem Farkash). Ivo Malinkovski was listed as their CEO. According to the separate registry of true owners, the beneficiary owner of Cytrox was Meir Shamir, a former air force veteran from Israel. All have ties to Tal Dilian, according to various public documents on file in several countries. Dilian is the head of Intellexa.
The filings also show that Dilian was broadening his holdings in North Macedonia. Four other companies were registered at the same address in Skopje- each of them with connections to Tal Dilian’s associates: Cyshark, Cygnet, Cintellexa and Cyberlab. All of them were registered between 2017 and 2020. Avraham Rubinstein appears among beneficiary owners in Cytrox and Cyberlab together with Rotem Farkash while Rotem Farkash’s father, Moshe, is co-owner of Cyshark together with Ivo Malinkovski. All have business connections to Dilian.
“It was one company basically, we all worked in the same offices and we were all working on the same tasks. Many of the employees had no idea how many companies were registered, we just know we worked for Intellexa. The pay was better than excellent, so no one cared“, an employee who wished to remain anonymous told IRL.
The former employee, who is also a software engineer, confirmed that what was being produced was Predator, although they did not know where or how it was being sold. “My suspicions are that the exports were made through companies in Cyprus. Whether it’s legal or not, I wouldn’t know, my job involved other responsibilities. We also trained the employees in Greece. Everything was controlled from here because the main product of all Intelexa operations was in Skopje. Why, I wouldn’t know, maybe the lower production costs, the fact that we are off the EU radar, there are many factors”.
The Skopje office was frequently visited by various Israelis, according to sources and data from border police. The employee could not say who they all exactly were, but he was familiar with one man– Shahak Shallev. “He was the main guy, he was sent here from the start by the Israeli to oversee the operations of production”
One of the companies registered in Skopje was CyberLab. It was run by the R&D director of Intellexa, Shahak Shalev, former top cybersecurity intelligence officer in the Israeli Military. IRL can confirm that Shalev resided in North Macedonia from 2017 until the end of September 2022 at the height wiretapping in Greece, which led to several government investigations and the resignation of the Greek director of the Intelligence Services (EYP) and the Priminister’s left hand and nephew Grigoris Dimitriadis . CyberLab, according to the official documents, was managed by Ivo Malinkovski, but the true owner was a Dutch company called Inpedio, owned by Avraham Rubenstein and Rotem Farkash. Shahak Shalev, based on his bio on his Linkedin profile, remains the Vice president of Technology at Inpedio. Both cyber companies, Cytrox and Inpedio, received initial funding back in 2017 by the state-owned israel Aerospace Industry.
Skopje as a haven for former Intellexa Greek employees
At least two former Intellexa employees working in Athens were tracked down by reporters frequently visiting Skopje, even after they stopped working for the Greek company. According to travel and other data collected by reporters, their visits to North Macedonia most likely started in the second half of 2022, right after the revelation of phone tapping of another prominent Greek politician, Nikos Androulakis, the leader of Greece’s socialist opposition party PASOK.
“We were tasked to recruit and hire, for example, personnel in Athens”, said the former employee.
At the moment, the offices of Cytrox in Skopje appear closed, as reporters witnessed. Public business registry records in North Macedonia show that there were changes in the ownership structure for Cyshark, one of the companies owned by Moshe Izrael Farkash. Now, at least on paper filed with the business registry, it is owned and run by the retired grandmother of Ivo Malinkovski on his mother’s side, Kalja Angelova.
European affair followed by silence in North Macedonia as scandal gathers steam
In the meantime, Cytrox from North Macedonia is recently getting more attention from the European Parliament.
A special committee of the European Parliament is currently investigating how Predator was used,after realizing that in most European countries, as well as in repressive African regimes several prominent politicians, journalists and civic activists were illegally targeted and surveilled after their telephones were infected with this or other similar software (Pegasus/NSO etc).
A Dutch member of the European Parliament and rapporteur of the PEGA Committee , Sophie in ‘t Veld in a press conference presented the findings of the committee’s draft report developed within a seven-month period and said that all member-states of the European Union have such software available, even if they do not admit it. On page 36, a chapter is devoted to the Macedonian connections. The MP wrote to Tal Dilian asking for details.
“The company Cytrox, hosted by Intellexa, began as a start-up in North Macedonia, but according to Forbes you saved it from bankruptcy with five million Dollars. It seems that the corporate structure is widely spread, with corporate presence in Hungary, Israel and share transfer in a corporate entity on the British Virgin Islands. Could you please provide us with information on your current and previous role in Cytrox as well as the link between Cytrox and Intellexa. Can Intellexa comment on why it is present on the British Virgin Islands? Can Intellexa clarify whether Cytrox transferred part of its shares on the British Virgin Islands?“ states the letter to Dilian which has not been answered.
In a reply to the reporters lawyers of Intellexa, as well as Dillian and Harpaz lawyers Andros Pelecanos instead of answers, responded with attacks.
“Unfortunately, the upcoming Greek elections cause the media to recycle legends and fairy tales concerning our activities. We have no intention participating in this witch hunt as we are not part of the election campaign. We are fully regulated under EU regulation, act in compliance with the law and continue cooperating with the relevant competent authorities“, Intellexa answered.
According to the Dutch MP, however, the problem was that the software was abused which constitutes an enormous threat for democracy on the whole continent.
“Fully regulated by EU law” is a sales slogan, it is hollow unless Intellexa would explain exactly which rules they refer to and how they are compliant. They have already been fined for not cooperating with the Greek authorities and for breach of the rules in Cyprus. They have apparently exported spyware to Sudan, which seems to be in Breach of EU export rules. Moreover Intellexa has refused to cooperate with the European Parliament. It never responded to any of our letters and invitations, however they did find the time to have their lawyers send angry letters to PEGA. If they are fully compliant, why have they refused to answer any questions? And let’s not forget that their spyware has been used illegitimately. Don’t they have a duty of care (at the very least) to check if their customers are respecting the law?“, Sophie in ‘t Veld said in a comment of Inside Stories.
The North Macedonia Ministry of Internal Affairs claimed in an email to IRL that they never issued approval for the production and sale of this software and that their responsibility ended there. Experts disagree, as does the North Macedonia Parliament committee tasked to follow the work of security agencies.
The Government of North Macedonia’s Ministry of Interior should have filed a criminal complaint, these experts said.
The professor and PHD of security sciences from the Faculty of Security at the University “St. Kliment Ohridski”, Svetlana Nikoloska, said that the institutions of North Macedonia should be very attentive to the problem of illegal monitoring of communications. Moreover, for such illegal activities, the Ministry of the Interior should act automatically in coordination with the public prosecutor, she said.
“Such illegal behaviors are contained in several criminal acts that are prosecuted ex officio,” said Nikoloska.
The Ministry of the Interior had information that the Macedonian company “Cytrox” plans to import and export communications surveillance software. Although the Ministry of Interior officially claims to have never authorized the request for production of this software, the ministry should have done more, Nikoloska said.
She cited Article 286 of the North Macedonia Criminal Code, which stipulates a fine or a sentence of up to three years in prison for anyone who, with the intention of unauthorized production, puts into circulation, imports, exports, or distributes a protected topography of an integrated circuit or software.
“If the software used in Greece for monitoring communications was produced in our country, measures and actions can be taken to discover, shed light and provide evidence only at the request of the Greek police. That cooperation goes on a bilateral level or through INTERPOL, but there should be a specific request, and in that case the department for computer crime and digital forensics can work on the case,” she said.
But so far, there has been no effort to coordinate. Greek judicial sources said that they have not contacted the Macedonian authorities in Skopje on the matter of production of illegal spyware. Asked in Nicosia, Cyprus where the main export activity of Dilian’s company is coordinated, Cypriot judicial authorities confirmed that they were not in contact with their Macedonian counterparts on the matter.
