In the summer and fall of 2019, travelers at Larnaca International Airport may have been pleasantly surprised by its recently upgraded Wi-Fi system. But the speedy internet came with a catch: The company that installed new equipment also set up three access points that stole personal information from over 9 million mobile devices that passed through Cyprus’ main travel hub during that time.

The company responsible for this data theft was owned by Tal Dilian, a former commander of an elite Israeli intelligence unit turned cyber arms dealer. In intercepting data from Larnaca airport, Dilian was biting the hand that fed him: He had become fantastically wealthy by basing his cyber-surveillance business in Cyprus, using the island to export spyware around the globe.

Travelers look at the departure times of flights at the Larnaca International Airport in September 2019. Image: IAKOVOS HATZISTAVROU/AFP via Getty Images

Dilian’s rise is closely tied to Cyprus’ emergence as a hub for cyber-surveillance companies in Europe. The island nation lacks an effective regulatory framework for overseeing the development or export of cyber-surveillance products, allowing these companies to operate with little oversight. While the European Union has extensive laws governing spyware, Cypriot authorities have appeared unwilling to enforce those rules. A Cyprus official even told parliament this summer that his ministry had never issued a license for the export of spyware, before being forced to backtrack under questioning.

The Cyprus Confidential documents provide an inside look into the ease with which cyber-surveillance firms on the island evade oversight. They show how Dilian and his business partner and ex-wife, Sara Hamou, have exploited these loopholes to create one of the most notorious spyware firms in the world.

ICIJ has reviewed more than 1,800 emails written by Hamou contained in both the Cyprus Confidential leaked records and Pandora Papers documents. They reveal her efforts to conceal the activities and ownership of a network of firms that spread surveillance technology — which has been used to muzzle journalists and government critics — worldwide. The emails also show Hamou’s involvement in managing legal issues related to implementing surveillance projects in Europe, the Middle East and Asia.

While Dilian has been a well-known figure in the private cyber-surveillance industry for over a decade, Hamou, a lawyer based in Cyprus, has largely avoided public scrutiny. But her work has made it possible for Dilian to establish a corporate presence in the European Union and circumvent restrictions against dealing with human rights abusers.

An ICIJ review of leaked records from Cyprus Confidential and the Pandora Papers, as well as public corporate documents, shows that she has sat on the boards of more than 20 companies with ties to Dilian. She held ownership stakes in at least three of those firms and has also owned another three companies, all connected to him. A May 2023 report by the PEGA Committee, which was established by the European Parliament to investigate spyware abuses, described her as a “central figure” in an “intricate network of companies” linked to Dilian — a corporate alliance known as Intellexa.

Dilian and Hamou did not respond to repeated requests from ICIJ to comment on this story.

Intellexa’s spyware, which is called Predator, turns a phone into a device that spies on its owner. It is designed to gain access to any data stored on, or transmitted from, a device — messages, calls, photos and the phone’s microphone. Predator has been found in at least 25 countries, according to a European Investigative Collaborations investigation published in October. It has been sold to some of the world’s most brutal regimes, including a powerful paramilitary group in Sudan, the Egyptian intelligence services and the Vietnamese government, which used the technology to try to hack the phones of U.S. officials.

Intellexa’s clients also include EU member states, which have used Predator to muzzle dissent at home. Forced to relocate the company’s operations to Greece after the revelations about data theft at Larnaca airport, Dilian soon became embroiled in another scandal: Predator was found to have infected the phones of a prominent Greek journalist and an opposition politician. This sparked a public uproar and parliamentary investigation, and prompted the United States this summer to blacklist two companies that sell Dilian’s spyware.

Three Greek journalists targeted by Predator spyware — Stavros Malichudis, Eliza Triantafillou and Thanasis Koukakis — answer questions at a European Parliament committee investigating the use of surveillance spyware in Belgium in 2022. Image: Thierry Monasse/Getty Images

Dilian has avoided the fallout from these scandals, thanks in large part to Hamou’s efforts. The Cyprus Confidential documents show that she took possession of a company worth over $2 million from Dilian in the past year. They also show how she built a far-reaching corporate network to develop and sell spyware that reportedly stretches across Europe, from North Macedonia to Hungary to Greece to Ireland, and has shielded Intellexa from would-be regulators. As a result, the spyware conglomerate continues to do a booming business.

The complexity of this corporate network appears to be a tactic used to slip through the cracks of EU regulations. “It is like a smokescreen,” said Sophie in’t Veld, the rapporteur of the PEGA Committee, which issued the EU report on spyware. “It is a method they apply to stay under the radar.”

The companies’ surveillance tools have not only violated the privacy of individuals but undermined democratic institutions in Europe and beyond. As a result, in’t Veld worries that Europe is failing to uphold the values that it publicly espouses — and becoming increasingly out of step with its democratic allies.

“It is untenable that Intellexa is on the blacklist in the U.S. and gets the red carpet treatment in Europe,” she said. “The walls will close in on them. But not today, that’s very obvious.”

The Rise of a Spyware Empire

Sara Hamou founded a skin care company, Medovie, in 2019 that advertises itself as blending the wisdom of traditional Chinese medicine with advanced scientific research. She invested all her savings in Medovie, she told the magazine The Successful Founder, and touted her products’ life-changing effects for customers struggling with conditions such as psoriasis or eczema. “It’s more than just a business,” she said. “There’s a spiritual dimension to what we do.”

Sara Hamou, who helped ex-spouse Tal Dilian build a vast corporate network for Intellexa. Image: Sarah Hamou/LinkedIn

Hamou’s work on behalf of Dilian’s surveillance companies has not been so concerned with spiritual well-being. She fell into his orbit soon after joining Trident Trust, a global provider of corporate services, in December 2008. Trident Trust was charged with setting up a corporate network for Dilian’s first spyware company, Circles. While the company was based in Cyprus, leaked documents from the Pandora Papers show how Trident Trust’s attorneys, including Hamou, created a complex partnership between seven British Virgin Islands-based companies that served to conceal its owners’ identities — the sort of intentionally opaque structure that Dilian would later rely on with Intellexa.

Like the corporate networks she creates, Hamou’s identity can be difficult to pin down: Born in Warsaw, Poland, to a Polish mother and a Lebanese father, Hamou attended law school in England before relocating to Cyprus, where she has spent most of her career. In interviews, she has described her entrepreneurial ambitions in feminist terms: “Growing up in a Middle Eastern environment, where women were typically never the CEOs, I want to show that we are just as capable,” she told one magazine.

Circles turned Dilian into a multimillionaire. The firm sold its spyware to countries around the world, including the Thai military and the United Arab Emirates, reportedly making over $100 million in annual sales at its peak. Dilian and his partners sold Circles for a reported $130 million to a U.S. private equity firm in 2014, with Dilian pocketing over $20 million in the sale. The network of seven companies reportedly retained a 12% stake in the firm, which was merged with Israel’s NSO Group and renamed Q Cyber Technologies. That stake was worth millions of dollars more when Q Cyber Technologies was sold again in a 2019 deal that valued the company at roughly $1 billion.

Dilian’s base in Cyprus was an important factor in his corporate success. He established his business operations there in 2008 — leaked documents show that he also owned a house, known as “Chalet Bel Air,” in a Swiss ski village. Israeli cyber-surveillance companies, which are largely run by veterans of its military and intelligence communities, need to win export licenses from a branch of the Israeli Defense Ministry that assesses whether foreign sales would harm Israeli national security or its international standing. Cyprus gave Dilian the ability to sell his spyware without seeking the approval of Israeli regulators while still allowing him to return frequently to his home country to recruit hacking experts as they exited Israel’s national security establishment.

Intellexa Co-CEO Tal Dilian poses for a picture at his house in Limassol, Cyprus in April 2020. Image: Yiannis Kourtoglou/Reuters

Cyprus’ close ties to Israel have also made it a particularly attractive destination for Israeli executives. Makarios Drousiotis, a Cypriot investigative journalist and former presidential adviser, wrote in his book “Mafia State” that the head of Cyprus’ intelligence services told him in 2019 that there were 29 Israeli-owned surveillance technology companies operating on the island.

When Dilian was ready to launch Intellexa, the business alliance that sells the Predator spyware, he took Hamou with him. In 2017, she acquired half of the shares of Censura, a Cyprus firm created by Dilian; in 2019, she became its sole owner. The firm, meanwhile, received hundreds of thousands of dollars in “consulting” fees from Intellexa and several other companies connected to Dilian, internal records show. That includes payments from Intellexa’s various corporate entities, which Censura charged roughly $40,000 between 2019 and 2021.

In Cyprus, Hamou established a close relationship with an accounting firm, DJC Accountants, that seemingly ensured a lack of scrutiny of the activities and ownership of Censura’s clients. Over the summer of 2019, for instance, the firm told Hamou that Cyprus standards required her to disclose the ownership of one of Dilian’s firms as part of an audit of Censura. Failure to do so, the accountant warned, would result in a qualified opinion expressing the auditor’s lack of confidence about certain aspects of the financial statement.

“Can we not disclose?” one of Hamou’s executives asked.

“Of course you can,” the accountant replied.

DJC Accountants’ subsequent audit of Censura did not include any information about the firm’s ownership or the promised qualified opinion highlighting the absence of this detail.

DJC Accountants did not respond to ICIJ’s request for comment on its relationship with Hamou and Dilian.

Hamou built a corporate network for Intellexa that extended far beyond Cyprus. A lawsuit filed in Tel Aviv district court in 2020 by one of Dilian’s former business partners, Avi Rubinstein, claimed that Hamou, alongside others, was working with Dilian to “smuggle” out assets from an Intellexa company to his detriment. According to Rubinstein, they did so by establishing companies in the British Virgin Islands, Ireland, Greece, Switzerland, Italy, the Czech Republic and Spain. This court case also marked one of the early public mentions of the pair’s romantic relationship: “The couple has a child and they are listed as residing at the same address in Cyprus,” Rubinstein claimed. The lawsuit was eventually settled out of court.

As pressure on Dilian grew as a result of the scandals in Cyprus and Greece, he also transferred a valuable company to Hamou’s ownership. One of the documents sent to Censura’s accountants, seemingly by mistake, is a letter signed by Dilian to the Bank of Cyprus authorizing the issuance of two checks, for a total of nearly $800,000, from a company called Lusata Investments. The annual audit of the Cyprus-based firm shows that the company holds over $2.6 million in assets. Dilian and Hamou owned Lusata Investments jointly upon its incorporation in 2019, until full ownership was transferred to her in 2023.

Hamou seemed to take naturally to the peripatetic lifestyle of working by Dilian’s side. Travel records from this time show that she was rarely in one city for more than a week: She jetted regularly between Zurich, Dublin, Jakarta and Dubai, among other cities — all places where Intellexa maintained a corporate presence or sold its spyware. In response to a question from her accountant about Censura’s contributions to an annual leave fund, she responded simply: “Me and Tal are owners – we don’t take holidays. :)”

‘A Gangster’s Paradise’

While Dilian pioneered the use of Cyprus as a hub for his cyber-surveillance business, many other such firms soon spread across the island. They proliferated to such an extent that one Cyprus legislator opined last year that his country was being turned into “a greenhouse for companies which produce spyware.”

Hamou played an important role in Cyprus’ transformation into a cyber surveillance hub. The leaked documents show how she assisted several Israeli executives, many of whom had clear business ties to Dilian, in moving their lives and businesses to the island.

In November 2018, Hamou was scrambling to register a new company in Cyprus. Maravilhas Solutions Ltd., one of her colleagues wrote to a bank, would “specialize in accessorizing and improving vehicles,” such as by providing phone and internet services. Hamou’s colleague expanded on the firm’s activities in correspondence with her accounting firm in 2020, writing that it “design[s] products for a specific project,” such as “car installations” or “suitcase development for hardware.”

Maravilhas exemplifies Cyprus’ role in aiding Israeli-owned cyber-surveillance companies to spread spyware around the globe. One of its founders was Yair Tamir, who at the time was working at Q Cyber Technologies — the firm created by the merger of Dilian’s Circles and NSO Group. Tamir did not respond to questions sent to him by ICIJ about Maravilhas’ operations.

Soon after Maravilhas was incorporated, it signed a services agreement with a subsidiary of Q Cyber Technologies. In a sign of Hamou’s centrality to these corporate networks, she was serving as a director of both firms at the time. The agreement stated that Maravilhas would provide “the supply and shipment of hardware equipment, its installation at customers’ sites, and support and maintenance services.”

Maravilhas soon sent a flurry of invoices to the Q Cyber Technologies subsidiary. On Nov. 18, 2018, it billed the firm $40,800 for specialist technicians and logistics for an “Installations project in Singapore.” Two days later, it sent two more invoices totaling over $100,000 for an “Installations project in U.A.E.”

“THANK YOU FOR YOUR BUSINESS!” the invoices read.

The leaked documents do not provide any further details on the nature of Maravilhas’ work in the UAE and Singapore. Both countries have checkered human rights records but have strong ties with Israel’s defense and intelligence industries.

NSO Group has claimed that it exports its products from Cyprus, though the Cypriot government denied that it has ever granted an export license to the company. Arrangements such as the one with Maravilhas — in which a company owned by an employee completes projects for the firm — could help explain that seeming contradiction.

Maravilhas also assisted in the completion of projects in EU countries. In early February 2019, Hamou informed her accountants that Maravilhas was purchasing goods from an Israeli company for a Q Cyber Technologies project in Bulgaria. In September of that year, meanwhile, Hamou’s accountants informed her that Cyprus tax authorities, at the request of another European country, had inquired about a May transaction in which Maravilhas had purchased nearly $120,000 of goods from an Israeli company and shipped them to Belgium.

For Israeli companies, it may have been simpler to work with an EU-incorporated company such as Maravilhas to sell goods to other European countries. But this roundabout method for shipping equipment also could be a tactic used by cyber-surveillance executives to evade export laws. In leaked correspondence from a separate investigation, a lawyer for a French company that was part of the Intellexa alliance wrote that if cyber-surveillance equipment was combined with other goods and routed to a third country before going on to its final destination, the company did not have to declare the end user to export authorities.

The Cyprus Confidential documents also show how Maravilhas was deeply embedded in Israel’s cyber-surveillance industry. In January 2019, an Israeli company that specializes in cellular monitoring and interception, Septier Communication, paid Maravilhas over $100,000 for the “Installation of active system.” The invoice says the equipment was being used for “Indo Project,” and Maravilhas’ financial records list a project in Indonesia at roughly the same time. Maravilhas also signed confidentiality agreements with at least seven Israeli companies, including Israel Cargo Logistics, a freight logistics firm based at Ben Gurion Airport; PICSIX, a firm founded by former intelligence officers that provides phone interception technology; and the Rayzone Group, which touts its expertise in “designing and developing high-end intelligence solutions.”

Maravilhas clearly worked with some of these Israeli firms to implement cyber-surveillance projects. Upon learning of the tax authority’s inquiry into the company’s shipment to Belgium, Hamou emailed a representative of Israel Cargo Logistics, asking her to “clarify all…asap.”

Maravilhas’ business partners extend far outside Israel. The firm paid over $25,000 to Byron Lawn Ranger, which advertises itself as a landscaping company in a small town on the east coast of Australia. The payment came at the end of 2018. The Cyprus firm’s ledger lists the payment under “Project Installation” but gives no further details.

Neither Maravilhas’ accountants nor Cyprus regulators seem to have asked any questions about the company’s business with such an unlikely partner. And while Maravilhas clearly worked to hide the identity of its business partners and clients, the European Union has found itself largely powerless to do anything about it. EU privacy laws contain broad exemptions for national security, which many member states have invoked to justify their use of spyware. Many European governments also appear to see the cyber-surveillance industry as powerful allies, not internal threats: Cyprus, for example, has reportedly received access to spyware tools from Dilian-connected companies in return for allowing their businesses to operate on the island nation.

For in’t Veld, the PEGA Committee rapporteur, the EU’s lack of interest in challenging its member states’ national security justifications for the use of spyware is an abdication of its responsibility to protect democracy and the rule of law. The European Commission “is basically saying, we’re not going to enforce the law,” she told ICIJ. “And that means Europe is becoming more and more of a gangster’s paradise.”