Predator's control center has its roots in Skopje

Local regulators in North Macedonia turned a blind eye to Predator’s development on their territory. A revealing investigation resulting from a partnership between Inside Story in Athens and the Investigative Reporting Lab in Skopje.

This story was researched and produced by journalists Bojan Stojanovski, Ivana Nastesca, Saska Cvetkowska, Eliza Triantafillou and Tasos Telloglou.

The Predator spyware marketed to the world by an Israeli software company and used in Greece and Egypt to spy on journalists, dissidents and others, was developed in North Macedonia – in violation of the Balkan country’s laws. But local efforts to investigate why the software was built in Skopje appear stalled. The European Parliament is also probing the matter.

• A set of classified intelligence documents from North Macedonia obtained by the news organizations Inside Story in Athens and Investigative Reporting Lab in Skopje show that Predator spyware, at the center of an international scandal, was illegally developed by Cytrox, in Skopje, North Macedonia – and North Macedonian government officials knew about it but did nothing to stop it. Cytrox is owned by Intellexa, an Israeli firm founded by Tal Dilian. Intellexa is mired in an ongoing scandal about several governments’ use of the spyware to target dissidents, journalists and activists. The software has been sold in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia, the Citizen Lab reported.
• Documents show that the North Macedonian government was aware as early as 2017 that Cytrox was illegally developing Predator spyware in the country, with the intent to distribute it elsewhere.
• Documents obtained by Inside Story and Investigative Reporting Lab (IRL) reveal the existence of a complex business structure in Skopje developed by individuals and companies with direct ties to Intellexa. At least 5 companies with links to Intellexa were registered with the official business registry of North Macedonia between 2017 and 2021. Two of them –Cytrox and CyShark– identified themselves as developers and traders of software when they requested licenses for export and production. There was no indication in their public applications that they were producing spyware, which would not have been allowed under the licenses they sought and obtained. However, the classified documents obtained by IRL and Inside Story show that the North Macedonian government was informed that Cytrox planned to illegally create spyware.
• Documents show that Cytrox and CyShark are part of a group of companies owned by Tal Dilian and his associates. Dilian is a former Israeli defense official who founded Intellexa, now based in Cyprus. Among the owners of Cytrox is Ivo Malinkovski, a member of a family of well-known North Macedonian winemakers – and arms dealers.
• The government of North Macedonia’s Ministry of Interior told parliamentarians that it is investigating in order to determine the circumstances in which Predator was created. But there has been no update and there are few signs that any progress is being made.

As scandal is revealed, Parliament asks questions, but gets few answers

On June 19, 2022, a few months after it was revealed that Predator spyware had infected Greek journalist Thanassis Koukakis’s mobile phone, a group of North Macedonian parliament members arrived in Geneva to participate in an intense training to improve their oversight of the country’s intelligence agencies and to ensure that these agencies respect human rights and democratic standards. Hosted by the Geneva Center for Security Sector Governance, also known as DCAF, nine members of North Macedonia’s Parliament Commission for Oversight of the Work of the National Security Agency and Intelligence Agency, together with a dozen representatives from other North Macedonia government institutions, attended a training entitled „Highly invasive means like IMSI catchers, malicious software – their purpose and use.”

The welcoming email by DCAF lead cybersecurity expert Matej Kovacevski opened the training by sharing information about various governments and private entities using two dangerously sophisticated spy software programs: Predator and Pegasus. By then, the public and the parliamentarians knew that Predator was sold by Intellexa – Dilian’s company – and had been developed by its North Macedonian subsidiary, Cytrox. This was first revealed by Citizen Lab, the interdisciplinary laboratory based at the University of Toronto, which reported in December 2021 that Predator, sold to hostile governments across the world, had been developed in Skopje. But the report lacked information about how that had been allowed to happen in North Macedonia, in what was a clear violation of its laws.

The trainer asked the participants what they were doing to shine light on this disturbing discovery.

“I remember we all proudly said: ‘Yes, we did ask the North Macedonian authorities. They told us they are already working on the problem. The staff from the Ministry of Interior told us investigative measures are underway to determine the circumstances and that the MPs will know accordingly once they have answers’”, former Minister of Interior and current MP Pavle Trajanov told IRL’s reporters in a face-to-face meeting.

The group would meet again five months later, on November 14, 2022, this time at the mountain resort of Mavrovo in North Macedonia. For this second raining, representatives from the North Macedonian Ministry of Interior, the Intelligence Agency, the Bureau for Public Security and the Agency for National Security also attended. The guest list included some high level representatives including Victor Dimovski, the director of the North Macedonia Agency for National Security.

In light of events in neighboring Greece, where it was revealed in 2022 that journalists, government ministers and members of the opposition had been spied on by the Greek government using legal wiretapping procedures and the illegal spyware Predator, the parliamentarians would express new concerns, asking whether the North Macedonian government also possessed sophisticated spying software.

“Director Viktor Dimovski, after some nagging with us, said ‘yes, but claimed that so far they have never used it'”, Trajanov told IRL. But the parliamentary group asking the questions received few details – they are still looking for them.

Recent history shows that it is not particularly surprising that spy software is being developed in North Macedonia, or recently in Bulgaria, both countries with weak regulations and even weaker oversight.

A tech savvy city with a sketchy tech history becomes a spyware hotspot

In 2015 the Macedonian secret police and high level government officials were implicated in a scandal regarding illegal telephone surveillance on a massive scale – more than 20,000 individuals were wiretapped between 2008 and 2015, while Nikola Gruevski’s government was in power.

The then-director of the Administration for Security and Counterintelligence Saso Mijalkov was alleged to have illegally intercepted The Macedonian surveillance scandal that brought down a government conversations from 5,827 phone numbers, of more than 20,000 individuals. The targets included civil society activists, politicians from all parties, journalists, diplomats, businessmen.

In a related matter, Mijalkov was also investigated in 2016 by the Special Public Prosecutors in North Macedonia for running covert internet surveillance using the sophisticated spy software known as Finfisher. Goran Grujevski and Nikola Boskovski, two of Mijalkov’s closest confidantes among intelligence officers, were cited for destroying the equipment in an attempt to sabotage the prosecutors’ investigations.

In October 2017, Grujevski and Boshkovski were arrested in Greece, where they had requested political asylum. A court in Thessaloniki ruled they both should be extradited because they did not meet the conditions for political asylum. This decision, however, was overturned by Greece’s Supreme Court. The high court ruled that because they had been pardoned by then-President of North Macedonia Gjorge Ivanov, from the government that had succeeded Gruevski, they did not need to be extradited. They had been awaiting trial on charges of destroying the spying equipment in the wiretapping scandal, and could have faced 15 years in prison. President Ivanov’s pardon was widely criticized as a clear effort to protect a small circle of former ruling party members and their associates from criminal charges. In 2016 Ivanov revoked the pardon after a huge public outcry. But the two men then received asylum and are living in Greece.

That wiretap scandal in North Macedonia might have put an end to the authoritarian regime of the nationalist party led by Nikola Gruevski, but it did not end the connections between the weak Balkan democracy and worldwide spyware traders. At almost the same time that the wiretap scandal was winding down, North Macedonia was already becoming a host country for the development of what would become one of the most notorious spy software programs: Predator.

From wine and weapons to developing spyware

In early 2017, then-26-year-old Macedonian entrepreneur Ivo Malinkovski left his position as head of Chateau Kamnik, his family’s wine producing company, and founded and operated several tech startups in Skopje. His business became the development and production of the Predator.

In the early months of their existence, on October 6, 2017, two of the companies that Malinkovski ran –Cytrox and Cyshark– would ask the North Macedonian Ministry of Interior for authorization for manufacturing, sale and resale, and export of several software products that could be used to protect personal data – and to invade personal data. This was spelled out in classified documents obtained by IRL and Inside Story. The companies would be selling this equipment to governments and certified government agencies such as secret services, police, border agents, and marine police, the classified documents said. North Macedonia’s Ministry of Interior said it never authorized the production of the spyware. It also said it was unaware that it was being produced – but the documents tell a different story:

Among other things, the application wrote: “We note that our activity is the subject of work exclusively for the creation and production of software that we would offer as a final product on the domestic and foreign market only for government uses, as well as for special needs and purposes that fall under the authority of state authorities authorized by law and institutions.”

Signed by Malinkovski, the application said that the products the companies sought to create are regulated under the Law for Interception of Communication. Accordingly, the Ministry of Interior should have reviewed their full application, but there is no evidence or documentation to show that such a review occurred.

The manufacture, offer for sale, resale, import, export, re-export or possession of means of monitoring communications may not be carried out without an authorization issued by the Ministry of Interior. The approval from paragraph 1 of this article is issued on the basis of a submitted written request, in addition to which a technical specification of the type and characteristics of the means intended for monitoring communications must be submitted.

Article 3, Law on interception of communication

The applications sent on behalf of Cytrox and Cyshark were not complete. Malinkovski had neglected to attach the specifications of the equipment that the law required. North Macedonia’s Ministry of Interior gave the companies extra time to deliver the required documents, allowing them an additional month. The government unit tasked to review and authorize such products is the Counterintelligence Unit in the Ministry of Interior, better known to residents of North Macedonia as the Secret Police.

On November 7 2017, Malinkovski filed a new document with specifications that the original application had lacked. According to classified documents obtained by IRL and Inside Story, and reviewed by tech experts at IRL’s request, the software product in question is what would later be known as Predator, the linchpin of the global scandal. It features a sophisticated weapon to target civil society activists, journalists and other high value targets. Some of those, it was revealed later, were in neighboring Greece. It also was soon revealed that the smartphone surveillance system – the Predator spyware – was used by authoritarian hostile governments and paramilitary organizations around the world, such as the infamous Rapid Support Forces militia in Sudan and the government of Myanmar.

The Citizen Lab – the laboratory at the University of Toronto that focuses on digital espionage – revealed in 2021 that the phones of at least two Egyptian nationals had been hacked with „Predator” spyware, developed by a developer in North Macedonia called Cytrox. Public records in Skopje show that the CEO is Ivo Malinkovski. Rumors were spreading that the father, not the son, is actually behind the company, but Ilija Malinkoski denied the allegations in an interview with Balkan Insight. “Cytrox was reported to be part of Intellexa, the so-called ‘Star Alliance of spyware‘, which was formed to compete with NSO Group, and which describes itself as ‘EU-based and regulated, with six sites and R&D labs throughout Europe'”, the Citizen Lab report said.

But the software developed in Skopje for Intellexa was never granted the required authorization by the Ministry of Interior.

IRL reporters spoke with an officer in the Ministry of Interior tasked to handle the application. The first to respond had refused to make a recommendation. “I was not qualified to understand what the software is, so I gave it to another officer,” this person said. At least three sources in the Counterintelligence unit confirmed for IRL that no one wanted to deal with this request. The Ministry of Interior then said in an email to IRL that they did not approve the Cytrox and Cyshark requests.

The reasons for this reluctance may well be rooted in the wiretap scandal, which was revealed in 2015. “The Ministry of Interior has not authorized such software for the companies in question, nor has the Ministry of Interior purchased such software”, spokesperson Toni Angelovski said in an email dated December 15, 2022.

The North Macedonian connection

North Macedonia once made global headlines stemming from another Citizens Lab report, which revealed in 2015 the Gruevski government’s massive wiretapping scandal. And the tiny Balkan nation was again in the headlines on December 16th 2021, when NGO Citizen Lab in cooperation with Meta published two new reports. This time the focus was on the Predator software produced by Intellexa’s company Cytrox, based in Skopje. On the same day, the North Macedonian prime minister Zoran Zaev, who was on his way out of office, hosted a party in the exclusive winery Chateau Kamnik. The winery is owned by the Malinkovski family who are not only vintners, but have also been arms traders for almost three decades – and now, recent entrants into the cyber software business. 

The arms business operates under the brand Mikei International, but the Malinkosvki family keeps their affairs away from the public spotlight. There is only one record of a press interview but no TV appearances, no hint of any scandals. When Mikei was sanctioned by the US government in 2009 for trading weapons with hostile regimes, no media reports were made. Unless you are a politician or a journalist, you would not know of their international weapons trade business. It is mostly under the public radar. For ordinary North Macedonians, the Malinkovski family is known as winemakers of Chateau Kamnik, a very popular brand.

The family’s weapons business and other enterprises remained under the public’s radar until 2017, when Ivo Malinkovski began to appear frequently in the media as a rising star in the global tech world.

“Young and successful, a hedonist, adrenalin sport junkie and owner of the IT company Cytrox” – this is how Ivo Malinkovski is described in the intro of an interview in the local lifestyle magazine Espresso. In several other media interviews Ivo Malinkovski gave in 2018, he was described as an owner of Cytrox, although the actual products and services the company offered were murky. None of it suggested what would soon be the so-called „Greek Watergate”. Shortly after the Citizen Lab published its findings, Ivo Malinkovski deleted all of his social media accounts.

According to official documents reviewed by IRL in the North Macedonia Business State Registry, there is ample evidence of Dilian’s footprint in North Macedonia. The Skopje-based company Cytrox was founded in March 2017 as a joint stock company by six foreign businessmen – five from Israel (Dror Harpaz, Sharon Adler, Avraham Rubinstein, Eyal Avraham Oren, Alon Arabov) and one from Hungary (Rotem Farkas). Ivo Malinkovski was listed as their CEO. According to the separate registry of true owners, the beneficial owner of Cytrox was Meir Shamir, a former air force veteran from Israel. All have ties to Tal Dilian, according to various public documents on file in several countries. Dilian is the head of Intellexa.

The filings also show that Dilian was broadening his holdings in North Macedonia. Four other companies were registered at the same address in Skopje – each of them with connections to Tal Dilian’s associates: Cyshark, Cygnet, Cintellexa and Cyberlab. All of them were registered between 2017 and 2020. Avraham Rubinstein appears among beneficiary owners in Cytrox and Cyberlab together with Rotem Farkas, while the latter’s father, Moshe, is co-owner of Cyshark together with Ivo Malinkovski. All have business connections to Dilian.

“It was one company basically, we all worked in the same offices and we were all working on the same tasks. Many of the employees had no idea how many companies were registered, we just know we worked for Intellexa. The pay was better than excellent, so no one cared”, an employee who wished to remain anonymous told IRL.

The former employee, who is also a software engineer, confirmed that what was being produced was Predator, although they did not know where or how it was being sold. “We also trained the employees in Greece. Everything was controlled from here because the main product of all Intelexa operations was in Skopje”.

The Skopje office was frequently visited by various Israelis, according to sources and data from the border police. The employee could not say who they all exactly were, but he was familiar with one man: Shahak Shallev. “He was the main guy, he was sent here from the start by the Israelis to oversee the operations of production”.

“We were tasked to recruit and hire, for example, personnel in Athens”, said the former employee.

At the moment, the offices of Cytrox in Skopje appear closed, as reporters witnessed. Public business registry records in North Macedonia show that there were changes in the ownership structure for Cyshark, one of the companies owned by Moshe Izrael Farkas. Now, at least on paper filed with the business registry, it is owned and run by the retired grandmother of Ivo Malinkovski on his mother’s side, Kalja Angelova.

European affair followed by silence in North Macedonia as scandal gathers steam

In the meantime, Cytrox from North Macedonia is recently receiving more attention from the European Parliament.

A special committee of the European Parliament, PEGA, is currently investigating how Predator was used, after realizing that in most European countries, as well as in repressive African regimes, several prominent politicians, journalists and civic activists were illegally targeted and surveilled after their telephones were infected with this or other similar software (Pegasus/NSO etc).

A Dutch member of the European Parliament and rapporteur of the PEGA Committee, Sophie in ‘t Veld, presented in a press conference the findings of the committee’s draft report, developed within a seven-month period and said that all member-states of the European Union have such software available, even if they do not admit it. On page 36, a chapter is devoted to the North Macedonian connections.

The Dutch MP wrote to Tal Dilian asking for details. “The company Cytrox, hosted by Intellexa, began as a start-up in North Macedonia, but according to Forbes, you saved it from bankruptcy with five million dollars. It seems that the corporate structure is widely spread, with corporate presence in Hungary, Israel and share transfer in a corporate entity on the British Virgin Islands. Could you please provide us with information on your current and previous role in Cytrox as well as the link between Cytrox and Intellexa? Can Intellexa comment on why it is present on the British Virgin Islands? Can Intellexa clarify whether Cytrox transferred part of its shares on the British Virgin Islands?” states the letter to Dilian, which has not been answered.

According to Sophie in ‘t Veld, however, the problem was that the software was abused, which constitutes an enormous threat for democracy on the whole continent.

“Unfortunately, the upcoming Greek elections are causing the media to recycle legends and fairy tales about our activities. We have no intention of participating in this witch hunt, as we are not involved in the election campaign. We are fully regulated by EU law, we act in accordance with the law and we continue to cooperate with the relevant authorities.”

Comment by Sophie in ‘t Veld on the basis of the above response:

“‘Fully regulated by EU law’ is a sales slogan, it is empty unless Intellexa explains exactly what rules it is referring to and how it complies. They have already been fined for not cooperating with the Greek authorities and for breaking the rules in Cyprus. Apparently they exported spy software to Sudan, which seems to violate EU export rules. In addition, Intellexa has refused to cooperate with the European Parliament. They never responded to any of our letters and invitations, yet they took the time to have their lawyers send angry letters to the PEGA committee.

If they are fully compliant, why have they refused to answer any questions? (Note: the questions were asked last summer, long before the Greek elections)

And let’s not forget that their spyware has been used illegally. Don’t they have an obligation (at least) to check if their clients respect the law?”

Response by Intellexa’s lawyer, Andros Pelekanos

The North Macedonia Ministry of Internal Affairs claimed in an email to IRL that they never issued approval for the production and sale of this software and that their responsibility ended there. Experts disagree, as does the North Macedonia Parliament committee tasked to follow the work of security agencies. North Macedonia’s Ministry of Interior should have filed a criminal complaint, these experts said.

Svetlana Nikoloska, professor of Security Sciences at the Faculty of Security of the „St. Kliment Ohridski” University, said that the North Macedonian institutions should be very attentive to the problem of illegal monitoring of communications. Moreover, for such illegal activities, the Ministry of the Interior should act automatically in coordination with the public prosecutor, she added. “Such illegal behaviors are contained in several criminal acts that are prosecuted ex officio”, said Nikoloska.

“The Ministry of the Interior had information that the North Macedonian company Cytrox plans to import and export communications surveillance software. Although they claim to have never authorized the request for production of this software, the ministry should have done more”, Nikoloska said.

She cited Article 286 of the North Macedonia Criminal Code, which stipulates a fine or a sentence of up to three years in prison for anyone who, with the intention of unauthorized production, puts into circulation, imports, exports, or distributes a protected topography of an integrated circuit or software.

“If the software used in Greece for monitoring communications was produced in our country, measures and actions can be taken to discover, shed light and provide evidence only at the request of the Greek police. That cooperation goes on a bilateral level or through INTERPOL, but there should be a specific request, and in that case the department for computer crime and digital forensics can work on the case”, Nikoloska said. But so far, there has been no effort to coordinate. Greek judicial sources said that they have not contacted the North Macedonian authorities in Skopje on the matter of production of illegal spyware. Asked in Nicosia, Cyprus, where the main export activity of Dilian’s company is coordinated, Cypriot judicial authorities confirmed that they were not in contact with their North Macedonian counterparts on the matter.

The production of this research was supported by a grant from Investigative Journalism for EuropeFunding cross-border investigative journalism in Europe | IJ4EU (IJ4EU) funds.