In 2017, state-owned Israeli arms maker invested in two firms in bid to compete with NSO. It sold Cytrox to Intellexa, a firm operating outside of Israel, but documents show it’s still linked to the other
Six years ago, the state-owned defense contractor Israel Aerospace Industries (IAI) announced it was investing millions in two promising foreign firms: One registered in the Netherlands providing “cutting-edge cybersecurity solutions,” the other registered in Hungary and focusing on “cyberintelligence” for governments.
However, documents show the two firms – Inpedio and Cytrox – were actually set up by the same Israeli nationals that were involved in developing and then later selling the spyware known as Predator. That same spyware is currently at the heart of a massive political scandal in Greece, where it was used to hack the phones of a journalist and senior politicians – and raising privacy and rights concerns across the European Union.
In its June 2017 press release, the IAI presented Inpedio and Cytrox as two separate firms. Inpedio’s product, it said, “protects cellular iOS and Android devices from sophisticated attacks.” Cytrox, meanwhile, was said to do the opposite, “gathering intelligence from end devices” – like cell phones.
The former was supposed to offer defensive services, researching possible security breaches in computers and mobile devices to protect them against cyberattacks. The latter would go on to develop Predator, a spyware which exploits loopholes in cyber defenses to hack into mobile devices.
Documents and sources say they were formed as twin firms to offer potential clients a full spectrum of cyber solutions – defensive and offensive. According to former workers in Cytrox, the firms initially operated jointly from the same offices, and workers from Inpedio were also involved in the early development of the Predator spyware.
IAI made the investment through its Singaporian subsidiary Custodio PTE. The dual investment was supposed to “expand IAI’s cyber R&D and its global footprint in this field,” as its press release noted at the time. But while it later sold its stake in Cytrox, it held on to Inpedio – though the firm has all but shut down and the millions invested have been lost.
Two firms, one office
Haaretz has reviewed corporate documents from the Netherlands, Hungary, North Macedonia, Singapore and Israel that show that the two firms’ founders and directors were the same Israelis. Inpedio was registered in the Netherlands in 2016 by two founders: Rotem Farkash and Abraham Rubinstein. The very same Farkash and Rubinstein would establish Cytrox Holdings in Hungary – where IAI invested in – and a subsidiary, Cytrox Software, in North Macedonia, in 2017. The two registered Cytrox with their Inpedio email accounts.
Farkash is a hacker-turned-cyber-entrepreneur who later became a partner and senior official in Intellexa, an alliance of digital surveillance firms founded in Cyprus and Greece by former Israeli army intelligence commander Tal Dilian. Rubinstein, a tech entrepreneur, ended up suing Dilian for diluting his own shares in Intellexa. That dispute has since been resolved.
IAI’s June 2017 press release did not disclose specific details, but documents seen by Haaretz show it initially bought 31 percent in Cytrox. IAI even had a director in the firm. After a year and a half, during which the offensive cyber firm failed to take off, IAI sold its stake to the British Virgin Islands firm that controls Intellexa. Two years later, Dilian’s Intellexa completed its takeover of Cytrox.
In 2022, misuse of Predator by Cytrox’s clients would thrust its new owners into the heart of a storm – one that rode the coattails of the NSO affair to cast Israeli-owned spyware firms as a global menace.
Although IAI was quick to jump out of their Cytrox holdings and distance themselves from the explosive field of offensive cyber, they remained invested in Inpedio with a minority stake. And through Inpedio, they also have a share in its wholly-owned subsidiary CyberLab, which served as its Macedonian branch.
Per documents, CyberLab was established by a Macedonian national who was also a senior Cytrox official. Another man, Shahak Shalev, an Israeli Army cyber unit veteran, was registered – using his Cytrox email – as a manager. According to information and sources, employees at CyberLab and other firms founded by the same Israelis, worked from the same office used by Cytrox and Inpedio in the Macedonian capital of Skopje, and were also involved in Predator’s development.
“It was one company basically… we were all working on the same tasks… we worked for Intellexa,” an anonymous local worker told reporters from Inside Story in Greece and the Skopje-based Investigative Reporting Lab. Shalev, whose LinkedIn still describes him as Inpedieo’s VP of Technology, was said to be “the main guy, sent by the Israelis to oversee the operations of production”.
Former workers say that despite the fact that they shared an office, there were attempts – after IAI sold its stake in Cytrox – to keep the operations of Cytrox and Inpedio separate. Nonetheless, while Inpedio was struggling to develop a defensive product, some of its workers were still involved with Cytrox. While the latter would go on to succeed in developing its spyware, Inpedio is considered a fruitless venture – a firm that burned through its investments and failed to produce any real sales.
Shalev, Farkash and Rubinstein did not respond to requests for comment.
Kaymera/NSO
Cytrox was just one of many Israeli firms set up abroad. After completing the takeover of the firm, Intellexa made its Predator spyware part of a comprehensive portfolio of digital surveillance tools it offers. As Haaretz investigations have revealed last year, those were also being sold to an infamous militia in Sudan and to Bangladesh – countries Israelis are currently banned from doing business with, at least officially.
These revelations, along with the “Greek Watergate” scandal, prompted a rare admission from Israeli officials regarding Dilian’s business – operating outside of Israel. The former director general of the Defense Ministry said that, “It certainly disturbs me that a veteran of our intelligence and cyber units, who employs other former senior officials, operates around the world without any oversight”.
Sources said IAI’s 2017 investment in twin firms Cytrox and Inpedio was done according to what is called the Kaymera/NSO model: one firm selling offensive capabilities to governments, like the infamous Pegasus spyware, while the other “peddles products that defend against that same technology [like Kaymera]… allowing startups such as NSO and Kaymera to play opposing sides of the cyberwars,” as a 2014 press release from NSO and Kaymera explained in its own words.
NSO, infamous for its Pegasus spyware, operates from Israel under defense exports oversight, and has emerged last decade as the dominant player in the field. Meanwhile, per sources, Israel’s big defense contractors, like IAI, were late to the game, allowing NSO to become the market leader and state favorite. NSO’s spy tools spearheaded Prime Minister Benjamin Netanyahu’s “cyber-diplomacy” with Arab and African states.
However, as a cyber firm in the military and homeland security space, NSO “is the exception,” an industry source explains. “Most of Israel’s activities in this field are usually done through Elta (IAI), Elbit and Rafael – not through privately owned firms with a singular focus.”
As NATO ups arms spending, Israeli exports break record
Israel plans to sell its Merkava tanks to Cyprus
FARA shows how NSO is lobbying Biden admin and Congress
Global Russian disinformation op targeted Israel, U.S. Jews
Despite embargo: Israeli arms maker sold to Myanmar
Armenian officials hacked with Israeli spyware (Azerbaijan?)
17 Iranian ‘ghost tankers’ bring oil worth $1 billion to Syria
92 flights from Israeli base reveal arms exports to Azerbaijan
The dual investment in Cytrox and Inpedio, both registered abroad, was supposed to allow Israel to make up for lost time and compete with the Israeli-regulated NSO. But while one arm of the Israeli state promoted local firms selling under strict regulations, another arm invested in two foreign-registered Israeli firms, which could allegedly skirt that same oversight.
Israel Aerospace Industries said in response that it “deals solely in defensive cyber. IAI has a minority stake of less than 10 percent in Inpedio, which is a defensive cyber company that is now in the process of being liquidated. IAI has no connection to the details in this report. IAI offers advanced defensive solutions to companies and states, adhering to export regulations”.