How an Israeli cyber-surveillance kingpin and his attorney ex-wife exploited Cypriot loopholes to build one of the world’s most notorious spyware firms.
In the summer and fall of 2019, travelers at Larnaca International Airport may have been pleasantly surprised by its recently upgraded Wi-Fi system. But the speedy internet came with a catch: The company that installed new equipment also set up three access points that stole personal information from over 9 million mobile devices that passed through Cyprus’ main travel hub during that time.
The company responsible for this data theft was owned by Tal Dilian, a former commander of an elite Israeli intelligence unit turned cyber arms dealer. In intercepting data from Larnaca airport, Dilian was biting the hand that fed him: He had become fantastically wealthy by basing his cyber-surveillance business in Cyprus, using the island to export spyware around the globe.
Dilian’s rise is closely tied to Cyprus’ emergence as a hub for cyber-surveillance companies in Europe. The island nation lacks an effective regulatory framework for overseeing the development or export of cyber-surveillance products, allowing these companies to operate with little oversight. While the European Union has extensive laws governing spyware, Cypriot authorities have appeared unwilling to enforce those rules. A Cyprus official even told parliament this summer that his ministry had never issued a license for the export of spyware before being forced to backtrack under questioning.
The Cyprus Confidential documents provide an inside look into the ease with which cyber-surveillance firms on the island evade oversight. They show how Dilian and his business partner and ex-wife, Sara Hamou, have exploited these loopholes to create one of the most notorious spyware firms in the world.
ICIJ has reviewed more than 1,800 emails written by Hamou contained in both the Cyprus Confidential leaked records and Pandora Papers documents. They reveal her efforts to conceal the activities and ownership of a network of firms that spread surveillance technology — which has been used to muzzle journalists and government critics — worldwide. The emails also show Hamou’s involvement in managing legal issues related to implementing surveillance projects in Europe, the Middle East and Asia.
While Dilian has been a well-known figure in the private cyber-surveillance industry for over a decade, Hamou, a lawyer based in Cyprus, has largely avoided public scrutiny. But her work has made it possible for Dilian to establish a corporate presence in the European Union and circumvent restrictions against dealing with human rights abusers.
