Towards the end of 2023, an Israeli security researcher living in Tel Aviv said on LinkedIn that he was approached with the opportunity to work abroad for a “good salary.” He said he was told by the company's human resources department that the company was a “legitimate” offensive security company that started from scratch in Barcelona, Spain.
But throughout the hiring process, things felt a little off, researchers told TechCrunch.
“The whole secrecy thing was very strange. Some of the employees who interviewed me didn't give their full names, and it took them a very long time to reveal their names or even the location of their company. “If everything is legal, why is it so secret?'' the researcher told TechCrunch. “It seems like this is a company that could be subject to sanctions in the future, which could make things worse.”
The researcher said that when he spoke to the company's chief technology officer, he was told things like, “We only have legitimate customers and, unlike other companies, we don't sell to shady countries.” Ta.
Alexei Levin, chief technology officer and former researcher at licensed spyware maker NSO Group, said the company trying to hire him was Palm Beach Networks, which would compromise devices. According to researchers, the spyware implant itself refers to the surveillance software that is installed on the targeted device.
Levin also said Palm Beach Networks had at least one U.S. government customer, researchers said. (Mr. Levin did not respond to a request for comment.)
But why would he found a spyware startup in Barcelona, which a few years earlier had been at the center of a widespread political scandal in which Spanish government officials used spyware to target local politicians seeking independence? Like many other startups in the city? Researchers said company employees told them that living in the city was similar to living in Israel, with tax benefits and nice weather.
These are the reasons why Barcelona has become an unlikely hub for spyware companies in recent years, according to multiple people working in the offensive cybersecurity industry who spoke to TechCrunch and business records we reviewed. This is part of the reason.
Barcelona has become a key regional outpost for aggressive cybersecurity companies, with a rocky relationship with surveillance technology due to scandals in Cyprus, Greece, Hungary and Poland, all involving Israeli spyware makers. The spyware problem will be brought squarely to Europe's doorstep.
Natalia Krapiva, general counsel at Access Now, a nonprofit organization specializing in spyware research and research, told TechCrunch that “it's alarming to see major European cities become hubs for spyware creators.” . Krapiva said the spyware business is “closely linked to corruption and abuse of power.”
“Spanish citizens, media and policymakers need to know whether its operations comply with national and EU law, especially given Spain's history with Pegasus, and whether the Spanish government is involved in the misuse of surveillance tools. “These companies need to be carefully scrutinized in terms of their potential.” Krapiba.
John Scott Railton, a senior research fellow at Citizen Research Institute who has spent more than a decade investigating abuses by spyware tools with his colleagues, also expressed concern. Scott Railton has targeted individuals in the past, including human rights activists and dissidents in non-democratic countries like Ethiopia and Saudi Arabia, as well as U.S. diplomats and politicians and citizens within European borders. He also pointed out that there were cases of spyware being misused. .
“This will add fuel to the flames of Europe's spyware crisis. If experience is any guide, it is only a matter of time before this technology is used by customers against Spain's allies and EU partners.” “Scott-Railton told TechCrunch. “Governments that allow this industry to thrive are gambling with their own covert capabilities and human capital. When mercenary spyware and exploit developers come to town and start hiring, those capabilities tends to leak out, including to potential future enemies.”
View of the Sagrada Familia at sunset in Barcelona, Spain, October 19, 2024. (Photo by Joan Valls/Urbanandsport/NurPhoto/GETTY IMAGES)
sun, seafood, spyware
Apart from Palm Beach Networks, as it was then known, Barcelona was also home to several other exploit and spyware makers, all benefiting from the city's sunny, warm climate, fresh seafood, and vibrant We make the most of our foreign community.
That includes Paradigm Shift, which was spun off from troubled startup Variston, which lost staff and struggled to survive into 2024. And Epsilon is a company led by industry veteran Jeremy Fettibault, who previously worked in the unit created after US defense giant L3Harris acquired Australian startup Azimuth. ” Mr. Fethibeau did not respond to a request for comment.
The city is also said to be home to a group of anonymous Israeli researchers who moved from Singapore to Barcelona to work on developing zero-day exploits. The existence of this unknown team and Epsilon's presence in Barcelona was first reported by the Israeli newspaper Haaretz, which triggered coverage in local newspapers and news websites.
Other cybersecurity companies are based in Barcelona, even if their headquarters are not there. Andrijana Šeklarak, CEO of Austrian cybersecurity firm SAFA, lives in the city, according to her public LinkedIn profile. SAFA sponsors offensive cybersecurity conferences such as OffensiveCon and Hexacon, and employs at least two security researchers with past experience at spyware companies, according to its public LinkedIn profile. Sheklarak also did not respond to a request for comment.
These zero-day and spyware companies are part of Barcelona's broader cybersecurity and startup ecosystem. According to the Catalan government, more than 10,000 people worked in more than 500 cybersecurity companies in Barcelona as of last year, an increase of about 50% compared to five years ago.
Contact Us Want more information about Epsilon, Head and Tail, Paradigm Shift, or other government spyware makers? From your non-work device, on Signal (+1 917 257 1382) or on Telegram and Keybase @lorenzofb or by email You can contact Lorenzo Franceschi-Bicchierai securely. You can also contact TechCrunch via SecureDrop.
Barcelona is a hotbed not only for surveillance technology makers but for startups in general, with some ranking the city as the top startup hub in Europe. The city is the birthplace of food delivery startup Glovo, and rival DeliveryHero acquired a majority stake in the Catalan company in 2021, valuing it at €2.3 billion. Orthodontic startup Impress raised $125 million in 2022 and $114 million in 2024. Business travel management platform TravelPerk raises $105 million in 2024. The company is among more than 2,200 other startups, according to the Barcelona-Catalunya Startup Hub, a regional government project that tracks the region's startup ecosystem.
The city is attractive to workers because it has a lower cost of living than other European startup hubs such as London, Amsterdam, and Berlin. And there is probably a more obvious reason, at least for those who have been to Barcelona. Barcelona has NSO Group, Circles and Intelexa, as well as Tel Aviv, Cyprus and Greece.
Beyond the city's attractiveness, there are other reasons that draw Israeli security researchers in particular to Barcelona. As Haaretz reported in late December 2024, Israel has become more stringent in granting licenses to export spyware to other countries in the wake of the scandal involving NSO Group, leaving the door open for companies to move abroad. It has become. It has become more difficult for companies to export spyware from Israel to the rest of the world, including the European Union, than from within the EU.
One source told Haaretz that the process was “not a migration to Spain, but an expulsion to Spain.”
Although Paradigm Shift openly advertises itself as an offensive cybersecurity company and posts job postings for roles well suited to this type of business, other companies, like Varistone before them, are less transparent. It's not expensive. Paradigm Shift is led by Leone Pontolieri, according to company business records, and Filippo Roncalli and Simone Fellini, according to their public LinkedIn profiles. The three companies were part of the Italian startups acquired by Varistone when it started operations in Barcelona in 2018, and were among the first spyware companies to start operations in Catalonia.
Representatives for Paradigm Shift did not respond to requests for comment.
A stealth startup with many names
Palm Beach Networks has so far refrained from publicly alleging involvement in human rights abuses, unlike what spyware maker NSO Group and its predecessors Hacking Team and Finfisher have done in the past. I'm avoiding it. However, the company has an interesting history of name changes, a strategy that other spyware vendors have previously used to hide their corporate ownership. Israeli spyware maker Candiru had rebranded several times before the company was added to the US government's trade embargo list in 2021, and NSO itself had a complex corporate structure.
According to the Israeli researchers, the name Palm Beach Networks was “a bit secretive and was only mentioned at a later stage by Levin and others.”
After all, Palm Beach Networks is already an outdated name, likely the second iteration of a startup with a different identity.
The company Defense Prime Inc. became Palm Beach Networks on May 11, 2023. On June 16, 2023, a company called Head and Tail started operations in Barcelona. Palm Beach Networks subsequently disbanded on June 28, 2024, according to business records filed in Florida and Spain.
Defense Prime and Palm Beach Network appear to be closely related due to overlapping executives and key personnel.
A person named Sai Gopal is listed in Spanish business records as an authorized signatory of Head and Tail, and a person with the same name is listed in Florida business records as Defense Prime's financial director. Gopal could not be reached for comment.
Business records also show Alexei Levin, the chief technology officer who tried to hire an Israeli security researcher at Palm Beach Networks, is a director at Head & Tail. . Representatives for Head and Tail did not respond to TechCrunch's request for comment.
A current executive at the spyware maker told TechCrunch on condition of anonymity that Levin works for Palm Beach Networks. The executive previously said Levine was an early developer at NSO Group and later worked at Candiru.
On its official website, Head and Tail doesn't explicitly mention the fact that it develops surveillance technology, but instead says that it's a company that develops “threat intelligence, vulnerability assessments, security awareness training, incident response, and a myriad of other cyber… He says he is working on “security issues.” The company posts job openings in Barcelona, Madrid and Sevilla.
After all, the Israeli researcher had heard from acquaintances that Palm Beach Networks pays some of its employees eye-popping salaries well above the country's overall annual average. I turned down the opportunity to work at the company.
The researcher fears he will end up like some NSO Group employees who have had to deal with the fallout from human rights scandals, Facebook blocking and deleting personal accounts, and threats of visa denials. He said he is doing so.
“You can get enough money elsewhere and not have to worry about what happens or who you work for,” the researcher said. Customers are. ”