
Bill Marczak

Person
30 total appearances

Podcast Appearances

Darknet Diaries
137: Predator

So I'm Bill Marczak. I am a senior researcher at the Citizen Lab at the University of Toronto. And I do a lot of the technical work at Citizen Lab in tracking what we call the mercenary spyware industry. So companies like NSO or Cytrox, which makes Predator.

That's right, yeah. We first discovered samples of Predator back in November, December 2021. It's funny, we were actually checking people's phones for Pegasus, but we found one phone and something else caught our eye, which was there was a suspicious process running on the phone right when the forensic data was gathered called Payload 2, which struck us as quite suspicious.

Right. We could see precisely what input or arguments were passed into this process when it was started up. And those arguments included a URL, which was very long, looked quite dodgy. And when we went out and fetched this URL, we were actually able to obtain a binary file for an iPhone. In other words, an application file.

And analysis of this application quite clearly established that it was spyware. It had the capability to, for instance, exfiltrate files from the phone, take passwords, turn on the microphone and listen in to what was going on. So we were actually able to analyze the final payload of the spyware and understand what it was doing.

And through analysis of the payload, as well as analysis of that URL and the website and the URL, we were able to make an attribution back to Predator.

Yeah, I mean, one of the interesting things that struck us about this company, or this sort of cluster of companies like Intellexa and Cytrox that are behind Predator, is there was this very tangled corporate web spanning multiple different countries, and it was tough to figure out exactly what was going on. Like, where were the people actually writing the spyware code physically located?

I mean, we did see some references in the spyware's code, like they were trying to avoid targeting phone numbers in Israel, even though the company is ostensibly or was ostensibly Cytrox based in North Macedonia. So there's all these weird links, which are kind of hard, a little bit hard to make sense of.

Right. Yeah, we started getting some outreach from Greece. And spoiler alert, we found spyware. So the first confirmation we were able to produce centered around this financial journalist, Thanasis Koukakis, based in Greece, who had contacted us. And he was already a little bit suspicious for a number of reasons about potential surveillance. He noticed his phone acting a little bit weird.

He had flagged some text messages that he thought were a little bit odd. So we instructed him on how to forward some forensic information from his phone. We reviewed it, and lo and behold, we were able to determine that his phone had been hacked successfully with Predator in, I believe it was July 2021.

Yeah, I mean, one of the really nice things to see in Greece was that there was such tenacity on behalf of the investigative journalist community there. They were so invested, so interested in this story. And we don't really see that in a lot of other countries where we uncover spyware abuses, perhaps because they're more repressive or there's not as much of a tradition or...
