- Sam Cummings was the world's biggest private military weapons dealer.
- He sold tens of millions of guns to armies and sportsmen.
- He started his career buying surplus weapons from the CIA.
- He sold weapons to various governments, including Fidel Castro.
- One of his daughters was convicted of killing her boyfriend.
Shownotes Transcript
Ever think about the prolific of weapons? So let's get into IT. I want you to think about this guy, sam, coming here.
I found an old vintage documentation made by CNN. This is sam comings. And this fifty seven year old is the biggest private military weapons dealer in the world.
The business as a business .
is fascinating, coming to sold tens of millions of guns to army's and sportsman. Okay, so how did he become the biggest private military weapons dealer in the world? Well, the U.
S. Department of defense totem. That's how when he was eighteen, in nineteen forty five, he was recruit into the U. S.
Army, which at the time they were just wrapping up world war two, there was a big ramp up to provide all these weapons for armies around the world to use in wars. And then suddenly the world was over. So what's all the weapons? Gonna go as a Young arms buff coming.
Go to a start at the CIA. His assignment was to buy surplus weapons in. At the age of twenty three, he left the spy agency and started his own business, buying surplus weapons in A C. I.
A gave him a crazy idea, how about buy a whole bunch of cheap weapons now that the world is over, and then slowly sell them over time? He had all the contacts he needed to go buy them, and so he did, and he was selling them to the public, like to hunters or sports san, and was becoming known for having a big supply of weapons. But he wanted bigger deals.
And so he started talking to governments around the world. He brought a bunch of A R ten rifles down in nicaragua and demonstrated that to them there. Well, the nick iag, when military was like at at cool.
And as some of those, then the dominican republic, one at some, and then cuba, one in some. And yeah, he sold battle rifles to all these places, including fidel castro, which I think was illegal because I was an embargo not to sell any weapons to castro. Yet IT still have fidel castro bot rivals s from him.
And he did not seem to get in any trouble for that. I don't think he cared who he sold to. If you had money, he'd sell your weapons every morning coming uses a telex to keep in touch with his military customers and branch offices.
A telex comes in from sudan offering surplus military equipment. I would go about twenty five percent more than nine dollars if my is the same year life cominges military weapons are shipped and stored in interim house in manchester, england. At any given moment, there are a quarter of a million guns here. And on little notice coming, says he would have no trouble equipped a fair sized army. Depends how like the army would be, but say, an army of an average .
smaller african.
or that american status, twenty five to fifty thousand men, no problem. Can you believe this kind of thing was going on in the fifties and sixties? Sam coming is sold, but arms from almost every country in the world into arms are supplied africa, and his company's weapons have shown up.
In egypt. Guns were used at the baa pigs by fertile castro, and in Nicole under samosa becoming best customers and countries in the asia, this guy became a billionaire, selling hundreds of thousands of weapons to anyone who would pay. And a lot of time you would buy these weapons from russia, which was in the middle of a cold war with the U. S. I would say the russians built the best military weapons across the board, and they also build them in tremendous quantity.
which is the key factor .
in modern war. I don't know. I feel like this guy is only ally, and life is money. He doesn't mind selling weapons to places that are actively at war with his home country, you know. So clearly, he doesn't have an allegiance to the us.
And from watching this documentary, he seems to believe that all sides are evil, and there's just no way to take the moral high ground on any of these trade bills. He does seem to have some kind of allegiance to his family, though. He invited this CNN reporter on in eight hour car ride, where they were going on a family trip somewhere.
And I think it's pretty weird to have a reporter in the car with the whole family for eight hours. But OK, he asked us not to take pictures of his wife or as college age daughters for security reasons. Well, strAngely enough, years later, one of those daughters, Susan, killed her boyfriend by shooting him four times and was convicted and had to serve prison time.
These are true stories from the dark side of the internet. I'm jack reeder. This is dark net dies.
This episode is sponsored by delete me. I hope dark and aris has taught you something about how people can use your data against you. But what do you do once your data is out there? Because IT feels impossible to try to take IT off the internet, how are you meant to fight these massive data kers or selling your info? Well, you could try out the service called delete me.
Delete me does all the hard work of constantly monitoring and removing the personal information you don't want on the internet. Data brokers hate delete me because your personal profile is no longer there, is to sell, and then delete me will tell you what they found and where they found IT and what they managed to remove. I tried that, and they immediately got busy scaring the internet for my name and gave me reports on what they found on me. And then they got busy deleting things for me.
It's great to have someone on my team when IT comes to my privacy, take control of your data and keep your private life private by signing up for delete me now at a special discount for the dark net is s today, get twenty percent off you delete me plan when you go to join delete me dot com flash dark net diaries and use promo code D D 2 check out the only way to get twenty percent off is to go to join delete me dot com size dark net dies and enter code D D 2a that's join delete me dot com sah darner dies code dd twenty。 This episode is sponsored by arctic wolf. A snowball all starts off as no big deal, but let IT roll, gain speed and gather size, and soon IT becomes an avent capable wiping out your entire camp.
The same goes for social engineering attacks, where a single users mistake can put your whole organization at risk. This october, let arctic wolf be your guide to surviving the social engineering aviation register. Now for the twenty twenty four arctic gulf security awareness summit, where the outfit you with information insights you need to fill your social engineering survival kit, will offer tips, tools and take ways to keep security awareness top of mind all year along and show you a Better path past the hazards of human risk.
Register now and arctic wolf 点 com flash register that's arctic wolf 点 com slash register。 All right. So um let's start out with what's your .
name and what do you do on craft and black um i'm a report at lighthouse reports.
Lighthouse reports is an investigative and profit working with some of the world's leading media companies on topics like migration and surveilLance. And a lot of episodes you hear on my show are sometimes slap together in a matter of weeks, and it's just me doing the research, but not this episode. Here we have the luxury of talking with a real reporter who spent lots of time on this story.
Well, this article was like a big, a big team effort, right? Because, I mean, first of all, we are like we wouldn't have got involved in IT without the work that inside story greece did. And you know, for me personally, like working with those guys was just a huge privilege because, you know, they are so knowledgeable and so capable and the material they were able to dig up was like truly a standing in some cases.
And you know, I guess for me, I was cool because, you know, i'm A i'm a plain tracking guy for a long time and you know I I got into this business as you know doing playing tracking stuff when I was tracking C I A rendition flights. Um so you know for me I was kind of funny to do a story that combine those two things um that's never happened before and I wonder if I would ever happen again. So yeah, i've got a personal space in my heart for the story for that reason really.
The team at lighting reports spent over six months researching the story, and they work together with other reporters and journalists and researchers, places like inside story in greece and how reds in israel. They publish similar stories too. And when I first read the story house, like, wow, what? So buckle up and let's go for right? The person at the center of this story is .
a guy named to dalian tells an israeli uh long time guy in the cyber business um formally in the military like a lot of those guys are came out um and he was involved in a very famous phone geolocation outfit called circles back in the day.
So I want to jumping here and underlying this for a second. Till went through the israeli military specifically. He was in eighty one, which designs new tools for the israeli military use.
I've heard that one eighty one, once designed a little microphone that was supposed to look like a rock, so you could just set IT down in an area you want to record audio in, and it's hidden so nobody knows they're being recorded. I imagine they make a lot of Spike here for the israeli military. So tel came out of that division.
And when he left the military, he created a company called circles, which I believe was a surveilLance company, used S, S, seven attacks. Despite on mobile users, S, S, seven attacks are really fascinating. I'm not going to get bogged down into the details of how they work.
Real quake S. S seven is a way to exploit mobile Carriers into getting info on the users or even taking over their phone number. And I believe this company that tell started circles was using s seven attacks to collect data from targets and intercept messages and phone calls.
Well, this became quite the service, so much so that N S. O group was like, hey, that's cool. Can we buy IT now anos o group is someone I ve covered in detail before that episode one hundred, and it's actually the most listening to episode of the show.
But to quickly recap, the o group makes spy work called pegi and then sells IT to governments world, who then, well, spy on people. IT infects the phone and then gives the government full visibility. And so when N S O saw how nifty this circles company was, they purchase the company from town for a hundred and forty million dollars.
Now what would you do if you just sold your company for one hundred and forty million dollars? Well, i'd moved to a nice warm island somewhere, and I just would tell IT to, he moved to cyprus, which is an island nation just off the coast of israel in the military, ian cy, but while there he started talking with another israeli named Abraham ivi. Abraham was a businessman and started a company called pegi flight center in cyprus.
I think they did charter plains. And together, toe and Abraham started a new project of surveilLance. Tall.
he had an outfit, the calls, I think we should we spare? We spare something like that also .
be a weird spelling for whisper. Anyway, toe started advertising this mobile surveilLance technology. And that's when forbes is like, hey, that looks interesting. Do you mind showing us on camera what you're working on? And he's like a sure come on now so forms goes to cyprus and interviews him.
Actually, maybe you don't like to know IT, but somebody knows exactly where you are all the time because each of our devices just says, hey, i'm here every, I think fifteen minutes. Maybe I don't kepit IT that maybe I don't share with others, but the knowledge is there. This video is wild is one of those that you watch IT your orders job and you like, what deal is this?
How takes them to his van and then opens the back doors up. And there's like two racks of computers, routers, switches, service inside IT looks like your classic FBI by vendors like a desk and monitors and chairs and electronics, panels and tennis. It's nuts.
And tilly saying, yes, so this is a nine million dollars by van. And here, let me demonstrate, and we send two people out of the van. We will trace them.
We will intercept them. We will infect them. He proceeds to use, whispered to lock on to these two people walk by and somehow IT grabs their data, and he's now in their phones, spying on them. It's a crazy piece of technology, but it's even crazier that he was willing to show all these off on camera to be published in forms.
I think that that his rap, you know, he he's known as the guy who like people called him my majorie. They say that he doesn't play by the rules, that he doesn't expected things. And and I think that I think you could class that video in the category of unexpected things.
sure. I mean, I think that caused quite a stir when I came out the first in the first place among people who follow this kind of stuff, like IT was, you know, was like kind of, oh, wow, you know, this crazy video appeared of, know, we never Normally see this stuff. And IT obviously had a lot of ramifications for his business, which perhaps was unintended. I imagine IT was unintended.
Okay, so forbes publishes this video. In september two thousand and nineteen, IT rippled through the world, of course, but IT also landed on the screens of the people within the cyprus government. And they watched in in disbelief.
A combination of both the police and the intelligence agency of cyprus was shocked by this. They were like, your advertising, more sophisticated by tech than we have in our own government. But I think the main thing that cyprus government got mad about is the fact that he was advertising this business that was being conducted out of cypress.
I mean, this whole business is questionable. Espana is illegal, you know? And here he's selling tools to do IT to who knows who.
There are a lot of ethics. I play here. So a few months after the video aired, the cyprus decided to just take IT down, take IT all down.
They move in in. They search es premises. They make, they arrest some employees. They go through his stuff.
They impounded the van, computer hardware, whatever he's out of the country at the time. They put out in a rest, warn for him and arrest, warn for his business partner, revenue. Tell dillon, who was absent at the time.
He returned voluntarily to cyprus from wherever he's been. That was much twenty twenty. He got arrested, he was questioned, he was released.
It's not clear what crimes tell dalian committed, but the cyprus government made IT clear that they just don't want him running this business in their country. Toe got the message and agreed to pack IT up. He had to move this whole Operation somewhere new and look across the meditation inan sea and .
saw greece dillons a partner, or wifi, believe is a special list in creating complex corporate structures. That's the thing that he does tell.
Began working on the paperwork to reestablish his company, greece. And the whole time he seemed to be a bit so at the cyprus government for .
ruining his plans well he he he wrote like an angry ope's um which was published in a newspaper where he basically said that the government was you know creating an unfriendly climate for for business and that he was gonna his business elsewhere and you know at least in terms of um premises that is what he he did do that like he did take his official way. He took IT to athons.
And this, I think, pressure on the cyprus government to change their position .
ultimately like of course, the whole thing was maybe a bit of a storm in a teacup like you you know after a year, you know he was pretty much exaggerated. The police who um heard uh Carried out uh the rates were I think I mean, I was I was decided that basically they had exceeded their powers in such as such a way or whatever. The whole thing was kind of smooth over and I think eventually could have gone back to businesses Normal except by that time, he already decided that he wanted to set up a new office in in greece.
You might be wondering, is this spy malware virus thing legal? It's just cold. It's just an APP.
Can I answer that? Let's go to suit down. In two thousand and three, the sudanese government had an armed militia called the janga wide. They started conducting genocide on the people of sudan.
It's believed that over a million children have been killed or tortured, or raped or injured, or just last apparent in the last twenty years from this group. They've been accused of committing crimes against humanity. So many times the killings settle down for a while, but recently there's been another flare up.
Silver war has broke out in sudan. The jaweed were back, but they change their name now. And now they called the rapid support forces.
And the boss of them is her meet. And her mei is one of the rich st. People in sedan, seems to be funding the war against the people of sudan.
Now crafting the reporter we've been talking to in the service. His specialty is tracking airplanes. And he was particularly zoom in on the planes that tow was getting on. I was trying to figure out if his flights had some connections with the business and his customers.
You know, this plan that we linked to tell dalian flying into cartoon and delivering some surveilLance attack that wasn't for the regular army IT was for her. Mei, um and there was a bus stop. There was like a the flare R P between the two sides and the rapid support forces.
Guys spirit ted, this stuff a away took IT out of a cartoon and took IT off to dark. Um this was like a may last year. So when we when we wrote the piece um there were allies who we spoke to, you know spoke about the kind of potentially lethal implications of someone like committee having access to top of the range phone hacking technology. So I mean yeah to socket back to your question, sudan's rapid support forces is extremely high on the list of people who is hard to find a legitimate reason for selling phone having equipment too, I believe .
so if tw is selling his spier to people in sudan who are using IT to kill innocent civilians, then how much of that responsibility should fall back on to tell the kid he has for sale can be weapon ised against innocent people. Malaria groups who are actively killing their citizens, attempting genocide and are accused of crimes against humanity, now have this by wear in their hands and can use IT. I think conducting weapons deals with sudans militia groups should be illegal, but is this spyware a weapon? So anyway, that was one of the trade deals that crafton was tracking by watching tells flights in and out of start.
So he head to greece, and greece has a new government at this point. And the new government comes in in twenty nineteen.
No, I I react my brain trying to understand why greece, why not just establish a base in israel, his home country, where he's a military veteran there, he knows people there, he can just Operate out of there. But I have a theory, I believe tw really likes what the N. S.
O group is doing, which is creating mobile by war and selling IT to governments from around the world. But he also saw all the heat and scrutiny that anos o group is under. They have to work closely with israeli government to share with them who are doing business with, and there may be some restrictions that have been put on the anus.
So group like who they can can do business with. If there worn restrictions, there is a lot of public outcries scrutiny. The anozer group of what they should be doing and not doing, which can spoil deals.
I believe. Tw saw this huge fire that the N. S. O. Group had started and decided to take the wheel and drive right into IT, but he would sort of sidestep all the bureaucracy that and isl was tied up in if the israeli government required some kind of oversight into the affairs of Venus.
So group then forget that, lets set up sharp in a different country. And if I so couldn't sell l to certain regimes, tell me I saw that as an opportunity to do business with forbidden customers. Tom knows that some people he sells the prior to miss use IT.
But his response to this, well, he told forbes, we are not the policeman of the world, and we are not the world which makes me think he may be interested in doing business with to anyone. And if that's the case, i'm not sure he only does business with governments. He might be selling a spider to anyone who can afford IT.
In two thousand and nineteen, town started thinking bigger. That van kitted out with that we speer technology. He wanted to crank that thing up even higher.
Now he's not the kind of guy that's tapping away on the keyboard writing melar. No, what he is looking for are other companies that are already doing that because he'd wanna purchase those companies. Two companies called his eye side truck and nixa cyclops made this phone hacking software LED predator. And I believe IT was a citizen lab that first showed us a glimpse into .
what predator is. So I am a senior researcher at the citizen line at the of toronto, and I do a lot of the technical work at citizen lab in tracking what we call the mercenary fired industry. So companies like, and I saw, or h pyrocles.
which makes predator, a couple of people in egypt felt like something weird was going on on their phone. One was a journalist. One was a politician. They heard about citizen lab, and they reached out asking them to examine .
their phones. That's right. yeah. We first discovered samples of credit back in november, december two thousand and twenty one is funny we were actually checking people's phones for uh pages but uh we found one phone and something else cut her I which was there was a suspicious process running on the phone right when the forensic da was gathered called pye oed to uh which which suck as is quite .
suicide payload to didn't magine any previously known know where that they had been tracking on phones。 So of course, IT was time to crack this open and look closer.
right? We could see precisely what input or or arguments were passed into this process when I was started up and those arguments included A U R L, which was was very long, looked looked quite dodgy uh and when we went out and fetched this U R L, we were actually able to obtain a uh binary file for an iphone, in other words in application um and analysis of this application quite clearly established that IT was spyware. IT had the capability to uh for instance, um extra trade files from the phone, take passwords, uh turn on the microphone and listening to what was going on. So we were actually able to analyze the the the final final pillowed of of of the spy, understand what I was doing a, and through analysis of of the payload as well as analysis of that URL and the website in the URL, we were able to make an attribution back to .
a this was a big fighting, and they published this for everyone to see. The report was loaded with tons of information, too. I mean, not only was IT like here's the man where we found, but it's like, here's what IT does, here's how you can detect to its on your phone.
But IT also showed the links to how they know that this is the predator spyware made by cy trucks. But he doesn't stop there. IT goes on to say, who sidetracked was, who tell dillion was, and all these other companies that may also be involved with this. And then IT goes underway who those companies may be selling this too, actually listing some of the governments that may have .
about this yeah I mean, one of the interesting things that struck us about this company, uh, with this this sort of cluster of companies like h intellects and cyrix that are behind because there was this very tangled corporate web spanning multiple different countries and IT was IT was tough to figure out exactly what was going on. Like where were the people actually writing the spy work code physically located? Um I mean, we did see some references in the spy worse code like they were trying to avoid targeting phone numbers in israel even though the company is a sensibly or was a sensibly psychotic based in northern massoni a um so there's all these weird links which are kind of hard little bit hard to to make sense of.
And I just want to stop in and show respect for this skill for a moment. It's one thing to be able to analyze binary files for an iphone, but it's a whole other skills said to try to determine the geopolitical ramifications for such an exploit being sold on the mercenary marketplace. You know, in fact, IT was a just citizen.
He was investigating this. They shared their findings with the security team at meta, facebook, who was also investigating. And the combined forces of citizen lab and meta meant that these reports they published were very impressive.
Okay, so let's try to connect some of the dots ourselves of what happened there. An egyptian politician who was living in exile and an egyptian journalists were both found to have predator on their phones. If two people from egypt are infective with this IT may mean the egyptian government is using this technology to spy on their civil society, which is spooky.
You'd think they'd be using this to stop terrorists or catch criminals, but they're using IT to see what stories a journalist is working on next. This is awful, but when we back up a second and say, okay, so who makes predator? This company called side trucks shows up, and we see that cy truck was bought by tie dan.
But we also read about this other company called nixa. Nixa was formally known as aosis. Aosis was invited for illegally selling weapons to libya. In fact, amazes was charged with crimes against humanity for helping livia conduct torture.
But guess what, while the executives of that company were facing these and diamonds to started making deals with them, I don't know exactly what, but at the very least, he was using their technology somehow, either through a partnership or a deal he made with them. And with that technology, he combined the names together, cyclic and nexus, to form a new company called combining this new technology. With that, spivin whispered stuffy already had IT meant that intellectually had quite the arsenal of ways to gather data, alpha phone and track its location.
And he doesn't seem to be bothered by making deals with the company that's been accused of conducting crimes against humanity. The where that meat came up with show that predation may have been sold to the following governments, egypt, armenia, sad arabia, columbia, vietnam, Philippines, germany and greece. Of course greece, right? I mean, tw was reestablishing his whole business in greece at the same time.
If he had some kind of partnership with high ups in the greek government, then that might be a good reason to move there. I mean, if he had some connections, then that might help him be able to conduct business without having that long arms long messing things up. Well, some greek journalists saw this report by meta and citizen lab, and they're like what spyware may have been sold to the great government. We've Better read a story on this, a news outlet called inside story road to peace basically saying, look at predator may be in the wild here and Grace a nice morning right?
And someone one person who read that report is um a journalist called fanatics coccus and he read the report and IT made him IT made him very suspicious because one of the people who was mentioned in passing was a man called feel expensive and feed expense the else with someone who could focus the journalist had been investigating a couple of years before and I think seeing like the target of his former investigation tied into the corporate structure of a bike company that was Operating in greece kind of set off some some red flags for him and I believe that's what made him to go to the guys that this is in lab and ask him asked him to check .
his phone right yeah we we started getting some outreach from greece and and a spoil we found figured um so the first uh confirmation we were able to produce century around this uh financial journal alist fanatics coccus h based greece who had contacted us um and he was already a little bit suspicious for a number of reasons about uh uh potential surveilLance. He noticed his phone acting a little bit weird. He had flagged some uh text messages that that he thought were a little bit odd um so we instructed him on on how to forward some forensic information on this phone. We reviewed IT and a low in the hole we were able to to determine that his phone had been hacked successfully with with predator and I believe that was july twenty twenty one.
The greek paper inside story exposed IT. And once news broke out, IT erupted in an explosion of articles. Then the committee to protect journalists, china in amnesty international, echo the story. The council of europe spoke up. IT was news that could not be silenced.
IT was kind of a rolling thing that just got bigger and bigger. There was all kinds of questions and rumors about who was behind the use of the predator software in greece and how IT connected to the, if you like, kind of, quote unquote like official phone tapping software. And this was puzzling you.
Why know is that is IT two different entities doing IT? Is that you know one entity doing IT but just doing IT two different ways? Like what's going on there? And that was that was definitely a question that was in the greek context that was troubling a lot .
of people yeah I mean, one of the the really nice things to see in greece was that there was this such tenacity on behalf of the investigative journalist community there they were so invested, so interested in this story and we don't really see that in a lot of other countries that that um where we uncovers fie word uses perhaps because there the more impressive or uh there's not as much of a um you know tradition and or uh uh not really in great like in greece you have you have this you know oh the birth place of democracy and grain in in the public consciousness. So is there's a lot of people, I think, who feel some responsibility to to a take action to deliver up to that to that legacy. Um so just incredible, incredible work by the the investigate journalists and greece taking the story forward, constantly pushing the government and ministers for information .
and driving .
this case forward。
The Green .
government spoke up and said, we've never heard of so clearly, okay? But now that this story made such a thing, other people started wondering if their phones were being targeted to. So some more greek people who thought something weird was going on on their phone, send the data to citizen lab for analysis.
India, more instances predator were found at this point, three people from greece civil society were confirmed to have predictor on their phone. One of these people was a journalist, and the other was the opposition leader, nicos Andrea, as a politician. Now, by this time, citizen, that was getting pretty good at understanding how all this worked. First, the victim would receive a fishing text message, and these were crafted fishing messages.
Some of the common themes are really anything that I creates or or engender a sense of of urgency to interact with the message to ensure that the target h clicks on these in a time we fashion. Um so uh for instance, things about uh large unpaid h phone biller or something like, oh you own the phone company eight thousand dollars, you know it's do you know in two days click to pay something um or you know uh things that are interesting to the target given uh the upcoming events in the targets. Life like, uh you're a package delivery is when we see a lot, uh click here to a customized the delivery, the package and we couldn't reach you click to we schedule delivery or um you know things like the upcoming vaccine appointment or upcoming here's your boarding pass for your upcoming flight or here's your registration for this conference. Uh so they can use cues from from the targets of life to make this uh um seem very plausible for the targets to click on once the .
user clicks the link IT trigger a series of exploited on the phone that may seem like it's just one click, but there's a whole bunch of steps that have to happen for the phone to get infected. The website exploits something within the safari browser, which then gets a foothold on the phone and from their downloads, additional, nowhere to infect the phone, and after a few steps, IT then has the spyware binary file on the phone, which is able to watch what's going on with the camera, listen on the microphone, scrape passwords, read texts, and, of course, report where the person is. Now, the tRicky thing about this now, where was as soon as IT would infect the phone, IT would erase the tracks of the whole infection process.
So while you may have taken a few exploits to get IT to work, those exploits were not visible to citizen lab since traces of how I got in were wiped instinct, because that means they can go to apple and show them in this vulnerability that needs to be patched. It's like they caught the spy and the building would have no idea how I got in. So you don't know which door or window to go check on.
And you have to think, hold on, if the greek government paid all this money for this software, surely they didn't get IT just to infect these three people. So who else is being targeted with us? People demanded that the greek government says something now that three people had their phones infected and they said, okay um yeah well, we've heard of this predator spyware but that's not something we have flat out denying IT for a second time.
But people didn't accept that as a good answer. In fact, they of narrow down who would do such a thing, and they land IT on. This must be the work of E.
Y, P, which is greeks intelligence agency pronounced a. Because here's the thing, this technology is supposedly only sold to intelligence agencies. So either they did IT or they know who did IT, or should be investigating to find out who did IT.
And if they don't know who did IT, then they are bad of their jobs, you know? So ape has to knows something about this. And this circles back to the greek prime minister too, because as soon as he took office in two thousand and nine, he moved the greek intelligence agency to be under the direct control of the prime minister's office.
But not all news outlets were angry about this Grace. In fact, a lot of mainstream media, greece was on the government side, trying to sand to the journalist for bringing up these stories, even sAnderson, the people who are infected by the, since they were critical of the government, IT was a mess. Now, well, how all this was going on in greece, a big conference was kicking off and plug called I S S world.
I S S world is one of the kind of premier may be the premier surveilLance technology conference that IT happens a few times a year in different locations. As one in prog, it's showcasing everything from A A large booth features hidden away in a kind of inner santos presentations of like nso groups that is this a phone hacking tech um all the way down to like you know open sw analytics sweets I guess you know hidden there's hidden camera stuff there, audio gathering stuff. But you know it's like the maker of the highest and surveilLance technology sales you'll find um exhibiting there you know the world's most famous spyware companies like intellects like canada, like um uh and so group um I I I I mean .
they're not .
like as famous thus. So when you list a bunch .
of companies like that, I just feel like, oh my god, there's going to be a huge story for every one of those companies who you've done business with, who have they sped on, what shade deals are they dealing with? We keep picking on N S O. But I really feel like just walk into the I S S. World conference and every one of these companies are are any of them above border? Any of them like, oh, we're very clean or are they all yeah this is a cyber er weapon that you can use to spying your citizens think you we don't care, we will look .
the other way well you know they like you you they are all tell you that the above board and very clean um you know that's that's a constant refrain of the industry um and you know IT goes back to what we said earlier about like who who do you sell to? What are they using IT for um and indeed to the question of like to these guys even know you know to these companies even know can they know a lot of them will say that they they are very careful about who they sell to but oh well we can't actually monitor to what they .
do with IT uh yeah that's a whole of the degree of responsibility, right? Because how exactly do these targeting systems work like we have this predator and intellective thing, right? Like does this whole kit and infrastructure, everything gets sold to the customer? And then once it's delivered into, lets just kind of steps back and wipe your hands, clean up the whole thing? Or is IT some kind of hacking as a service type of thing where the customer tells in alexa, here's what we want you to target and then intellectually does all the infections and delivers the data that they got off the phone? Or maybe it's a mix of intellects are doing the infection and once despite where is on the phone, then the customer can access that data whenever they want like listen to the phone calls or see where the person is.
We don't know exactly how involved anyone isn't on this and you see how this changes like whether responsibility lands, right? Like isn't this an important thing to know? Is the government doing hacking themselves? Or is this company doing IT with authorization from a government? I mean, think about IT like this.
The fishing message that that journalist got IT looked like a Normal article from a financial news website, but the domain was changed from that G, R. To online. And that is what hosted the nowhere.
So someone had to register this domain, get IT, hosted somewhere, stage somewhere on IT, and then integrated into the predator package, and not to mention crafted a message that the target is likely to click on. And these domains get burned fairly often. So you need to create new ones all the time.
And in a great dad into the package, is the customer doing all that work with intellects are setting all this stuff up to make IT easier for the customer to simply point and show. So they had the conference. Do we get kind of any information about predator? How much costs? anything?
There was a, there was a document that leaked online right after that conference. See what IT was. This was a predit package for a ten, ten targets at once, one hundred, one hundred successful infections, but ten running at the same time. One click infection. Eight million dollars.
That was the Price tag. One click infection. I imagine this means that someone has to click once for their phone to be infected, which is pretty sophisticated, i'll say, but the brethering for spyware is zero.
Or maybe you could do something like send a message to someone rather sleeping. And when the phone tries to process IT like display the preview for what the websites going to look like, then that preview somehow contains the malware that can infect the phone. Then when the phone gets infected, the text message can be deleted.
And you have no idea that anything happened to your phone. And so has this capability that sounds like intellects a wishes they did too. We're going to do a quick commercial break here, but come back because things are really heat up in greece and you're not going to miss.
This episode is sponsored by a threat locker. Ransom supply chain attacks and zero day exploit es can strike without warning, leaving your businesses sensitive data and digital assets vulnerable. But imagine a world where your cyber s security strategy could prevent these threats that the power of threat locker, zero trust and point protection platform robot cyber security is a unnegotiable to safeguard organizations from cyberattacks.
Threat locker implements a proactive, denied by default approach to cyber security, blocking every action process and user, unless specifically authorized by your team. This least privilege strategy mitigates the exploitation ation of trusted applications and ensures twenty four, seven, three, sixty five protection of your organza. The core of the at locker is its protect sweet, including application allow, listing, ring fencing and network control.
Additional tools like the threat locker, detect E D R, storage control, elevation control and configuration manager enhancer cybersecurity posture, and streamline internal IT and security Operations. To learn more about how threat locker can help mitigate unknown threats in your digital environment and along your organization with respect and compliance frameworks, visit threat locker dot com. That's threat locker dot com. No, while all this is going on crafting black, the journalist with lighthouse reports was following where towns little sestina airplane was flying off. You trying to make sense of why, how would be visiting some of these locations?
The sector was kind of key to our reporting because, you know, we we found out about the sector through researching, you know, the company and the people in the company and what they were doing and where they were going. And that LED us to the seasonal.
And the seasonal obviously LED us to a bunch of destinations, you know, not only going backers and force between greece and cyprus, going to prog for the for the spy welfare, but IT was also in sudan. IT was in sudan at the time that our sources on the ground said that, you know, this transfer of surveilLance tech took place. IT was also inside arabia, ia.
IT was also in U. A. We were able to follow IT. We were able to trace IT for, you know, a few months going around the place. IT was an israel, quite a lot. So, you know, obviously, IT raises questions about the extent to which you know to dalian is or isn't doing business in israel because that .
plane was for sure there a fair ambient. They're not the best of friends but the least faith that right they've got some disagreements. And I I just wonder like how much tell how to say, like, okay, is this million dollar deal worth more than my ali ship to my homeland? Like a people in my country are getting spied on because of is, or maybe he made a deal that you can only spy on your own people. Aby, don't spy on if I hear you expire on israeli, i'm GTA pull the plug on this software. yeah.
I mean, I think there's a lot of back channels between these countries where you know there's possibly more kind of intelligence CoOperation that you might think you know, I think that there's a long history of the U A buying israeli surveilLance tech. Um I don't think is particularly surprising that sady ravi should be a client. I think these guides are there a good market right back in greece.
With this scandal erupting, a newspaper called a documentation was saying that they found thirty five more people who are infected with this and started publishing the names of these people. And then every sunday after that, they kept publishing even more names of people. Effectives predator at this list was growing big.
There was a media type on there, cabinet minister, senior military, special friends of the prime minister's wife. I respect a newspaper editor, even a popular comedian. Then the greek government was asked again, and this time they said, well, actually I would like, people got tapped and we do wiretaps sometimes, but it's for national security.
And we don't use predator to do this. But anywhere tap we do do that's legal. Well, the pressure continues to mount.
And IT was focused on APP. The intelligence department. I was a .
great government, were back in kind of summer last year where they were actually two resignations from government on one of them was the the head of the intelligence agency and the other one was uh this guy called the mitri artist who was the nephew he's the nephew of the prime minister um and he's also the kind of head at the time of the, let's say, the prime minister's kind of in the office, if you like the sky is at the top of IT.
Now, even though people resigned, the government didn't admit to doing anything illegal. They said, what happened might have been legal, but I was also wrong. Animals laugh.
Sh, not once these people resigned, journalists and investigators were looking into who these people were. And IT turned out that one of them was the nepal of the prime minister, and he actually had some kind of connection with anastos group. I think they were trying to discuss the peg is often .
are while back he IT, the intelligence had quit. And it's interesting that on exactly the same day, the plane that we've been tracking that's been Carrying out its business based in greece, but going all over the place also IT and IT goes to israel. And once he gets there, IT just sits there for a months and doesn't move again.
Of course, journalists and investigators continued asking the greek government questions, which LED us to learn something new.
The sale of the tech to sudan was confirmed by the government after the fighting broke out again and so on. Wait.
so the sudanese government said, yeah, we did buy IT.
Now the greek government confirmed that IT had been sold to sudan.
How do they know?
Well, they issue the export license.
what? What what? What is happen here? Someone that into lex, a applied for ign export license to sell their spyware to a group in sudan who is notorious for committing crimes against humanity. And the greek government is like, yeah, approved. Go for IT.
Doesn't this put some kind of responsibility now on the greek government for assisting to down and the proliferation of digital weapons? I'm just so tired of things being blatantly wrong in the world and nothing being done about IT. I need some help here.
Hello, hello.
let me just turn. All the vibrations are right.
How are you? This is john Scott reelin. He's been on the show a few times, and I just like to call jsr. He works with bill at citizen lab, and he got his hands on this predit now, where, and analyzed further, I told him how mad and upset and frustrated I was about all this. And G S R, B G S R.
Tried to help know, you know, the thing I did first was neuroscience. That was my old.
yeah.
Oh my god. And one of the big things I was working on, their plastic, and one of the big things that is known about the brain, is that anxiety suppresses plasticity. And the suppression of plasticity is a good candidate for one of the major courses of depression.
Wow, wow. Wo i'm not ready to get that deep about my feelings right now? Hold on, let's reset. Why I call jsr was because I wanted to talk with him about the ethics of all this, not how I get depressed about IT. Okay, so let's try to understand the implications of all this. So this world of, I mean, what do you even classify this type of um of software do do you call IT a cyber weapon?
I like to call a mercenary spider, although i've noticed that a lot of other groups call IT commercial spare. But I like the the mercenary term in paris. Sort of the osa of these people are probably working for states where as commercial, uh, to my year, could prefer to a much broader a category of things.
Yeah and you know, look at this. I stumbled upon this thing called the I. S. S. World conference, which seems to be just a value of all these mercenary spyware groups.
That's right. And I like to frame, sort of like this after snow, a lot of governments who didn't really know all the cool toys that the U. S. Government had suddenly not only learned, but we're like, hey, I got to get some of that and you have this other dynamic, which is kind of like the first generations of people working with like tear one government programs, developing expectation to les are starting to look for a bigger paycheck.
And you know, could he approach to retirement? Thus begins this massive like technology and knowledge transfer from some of the most developed cyberhomes ers in the world towards the rest of the world. That's the proliferation as people, whether it's from american or chairman or italian um uh where british countries are like, hey, we could we could really make a business out of this stuff and then you add to that kind of this dramatic rise in israel's hy tech sector, combined with a really permissive environment towards export law, and you get yourself a global industry in this technology.
Yeah, I spoke about this in episode nine eight, which is called zero day brokers. There are people who came through the N. S. A. And were developing explains while working there.
And they realized that they could start their own company developing exploits and then sell that to the essay and make for more money doing that than if they were to work at the and say, and yet, some of this tech looks hot. So I can imagine some other countries wanting this capability to. And while their international forces may not be sophisticated enough to develop IT, they may have the cash to buy IT.
And who knows whether buying viruses and male from, you know so i'm trying to find that line, my head of when this when this goes wrong. Where's that ethical line? And you know, i've got i've got spy tools myself, right? I can walk into the store and by binoculars and a camera, an audio recording device um and and and you know I practice hacking things.
So sometimes i've got little little devices that can yeah school round and and you know some of that stuff available commercially at defcon. And nobody really puts put a big thing about that. I go this is awful.
You you're giving us to the criminals of the world um yeah just kind of is out there. But there's something about this that's that's different. And can you do you have a good sense of when that wind shifts to? This is a stinky wind.
This is stinky wind. yeah. I think that in a democracy, the people who elect the government should have some degree of understanding of how much power the government has to completely prime into their personal lives.
And when the government can exercise that power, and what is so scary about mercenary spor like predator or peg as is that IT offers a security service, a total view into a person's private world in ways that we're never designed to respect, you know, existing law about search warrants or scissors or anything like that um and can just provide that as a turn key of the intent really is to provide its total view on an individual. I think it's also the case that there are a lot of auto cats around the world who want this technology because they really want to hold lot of power. And they recognize that making their citizens afraid of having their lives basically dumped out on the digital table silently and reality without any warning, h is a core part of how they stay in power.
That fear, technology of fear, is a big part of IT and the fact that pegasus doesn't respect national borders is a great way for autocrats to basically call back power into states that they would others SE have no ability to act in right IT shouldn't be the case that an autocrat in togo um has dissidents in the U. K. afraid. Uh, but that can be the case when you require this kind of technology because you can experience completely devait consequences of speaking up against the autocratic dictator from around the world. That kind of stuff is net dangerous 啊 to democracy and freedom IT .
appears to me that sometimes when governments get this kind of capability, the temptation is just too high to use IT on their wife's friends, their opposition leader, like it's just stuff that this shall not be targeted. And do you have any thoughts of out like, man a, this you've gotten really get permission once you like once you if you buy this tour, you've got a really you know have a lot of oversight on how is used or something like, I don't know what's the solution there to keep you from being tempted to use IT on your enemies well and .
on on your perceived enemies right? So like we know from extradition documents for example, like panamas, then president carney really got himself a bunch um well who did he put under monitoring people like his business rivals, but also his mistress in every morning he would according to these documents set you know put his headphones on in his office and listen the conversations and read the messages of people who he didn't like um that image of a president of angry uh trying into the lives of anybody who he felt like IT is a scary image to all of us and it's scary because that's not like part of the social contract right um that's not a power that government should have and any of the existing powers that government has in a new society like the united states are circumscribed by law right? Uh I know my rights, you can say at a traffic stop but with something like taxes.
If you know your local police department has acquired um gis and has used IT against you, uh do you know your rights? Do you know whether they were within uh, their rights or authorities to use IT? Do you know where that their use of that was properly overseen? What's happening is that this technology is landing in jurisdictions that don't yet have any legal protections around how this stuff gets you citizens have nothing to protect them. Uh and that's really, really scary because you want there to be limits on the power of state without those limits you're existing in a tyrannical or autocratic regime.
I just realized something and I don't have time to really research this furthers. I'm just gonna off the cuff here. But like google and facebook, they know a ton about us, right? They have access to our emails, text members, friends circles, contacts, even on location.
And the police have sometimes ask google or facebook for the information on one of their users. And if given the right warns or whatever google needs, google will turn over that data to the cops. And I don't know that concept of loan kind of prompts me to pull focus in on these big tech companies and how they can spy on us harder than predicting and IT builds into their terms of service.
But the thing that I just thought about is what happens when some other country wants data on a google user like the sudanese government. They might be like, hey ah ah this guy here ah yeah he's committed crimes, right? Um can you tell us everything you know about google? Does google have to comply with local law, forceful and be like, well, this request came from your military so yeah okay, but prove, here you go. I guess I wanna know how does google handle data requests from tyrant's or autocratic regimes?
I see what you're saying and companies should fight, uh, as hard as they can to prevent you badly formed or wrong request for the city will be in a Better universe if that stuff was not collected. But IT is that said, I think that something like uh, peg is or predator quality is actually even more invasive in some ways.
Then what those apps have, uh, in part because your your phone really is for most people at this point, this just like nexus of your public and private brain. And what's really scary is the idea that governments could access this secretly without you ever having to know about IT and without a warm, without any kind of overside and without any kind of potential consequence or accountability if they abuse that power, uh, if they get in there and they use IT to hurt you. And we've already seen cases where the fruits of hacking are used to hurt in the harm people.
So as I see is there is a constant battle to try to protect the degree of individual privacy from big, powerful interest, whether his governments or corporations and uh what we should be fighting this battle on multiple fronts at once. But what we shouldn't do is say, well, OK, you know, one, one bad apple is already violating our privacy, so we shouldn't be angry when another bad apple does IT. It's different also, you think about IT like this.
It's different when an entity that is seeking to monitor your behavior in ord to sell you something, learn something about you, that an entity that can put you in jail and deny you your freedom based on that information has access to IT. And that's why, in many cases, I think it's appropriate for the police to have a harder time getting access to people's inform. Then you are I might if we wanted to buy a bunch of use data. Because the consequences are so great。
Good point. Uh.
you know jack, like as as you're talking about these things, here's here's kind of like how I how I think about this. There are certain questions about citizens that are probably illegitimate for governments to ask certain questions like, you know, do they really believe in so in so president so and so right uh because once government started having the ability to get those questions ask to do so in secret, they may start there may be tentation to use that information to retaliate uh and to harm people and part of why is critically important to stem the proliferation of spiral like peaches and predator is not just because it's bad when dictators are able to hack dissidents and chill dissidents, but because in democracies, we really also do not want this kind of capability looking around out there, tempting government's, local, state and national to abuse IT in ways that will ultimately rote the freedoms that we church.
Think about this way, like when you make a choice to speak out publicly against the government policy that you disagree with in a democracy, you should have some perception, not just that you are free, you are free to speak your mind. You can't be jailed for saying i'd disagree with this, but also that IT would be inappropriate for the government to retaliate against you for doing this right. And what what form of retaliation is scary of idea that the government could suddenly choose to basically penetrate as deep as I can into your private world and look at all your stuff.
What a terrifying thought. That is the thought the people in his germany live with everyday. That is the thought that people, living indicator ships, live with every day, the potential that an angry official, al, could just be like, well, let's see what jacks worried about IT two A M right? Let's see what health concerns bother him. Let's see what things he's like talking about in the evening with his partner. But I think IT comes down to why?
Because if you if you're trying to say, like we think he's a terrorist, if we want to know what he doing that too, I am that's almost legion. Lemon, to open up my phone and see you what i'm up to but if it's like, no, we just want to see if his gonna talk about us on this next podcast then then that's way you hold on. You can't be doing that .
yeah so the and this is and this is the question like and there there are two parts to IT. The first is, what they doing IT with proper authority under law? Or are they doing IT like in a twenty four episode? Because you know this, a ticking time bomb, right? And spare merchants love the idea that they are just like all these terror plots and bad actors.
And the only thing you can do is key for super lending. And just like hacked them immediately, right? Forget the law, we need to get the bad guys. But the thing is, we know from recent and older history that if governments start being able to do that, bad things inevitably follow. Temptation to abuse. IT always follows some of the biggest problems that we have today in states around privacy come from the post september oral of period, things like the patria, right? Hugely invasive, stop.
But in the other question, and this is just like equally important, is does the society, does the governmental office that receiving this data have the mechanisms in place to prevent abuse if the people who happened to be holding the stuff in their hands are not good people or could be giving into the wrong contents, tions. Part of why is important that we have laws and rule of law is that you want a person who has got some of the power of the state in their hands, like, like there to copper and investigator, prosecutor, politician, whatever. They have to feel that there will be consequences if they must use that power.
And they have to know what the guard rails are around how they can use that power. The problem, one of the big problems with mercenary spor is that it's arriving in jurisdictions that don't yet have any laws that say how police should or shouldn't prosecution tish an use this technology in a situation like that, the potential for abuse is huge, in part because like what's going to be the consequence, right? People in authority might not even believe there would be any consequence if they abuse the technology.
That's part of why people like me feel that is so important to slow the proliferation down. Because the faster the stuff arrives at jurisdictions that don't have any laws around this, the more likely you are to see abuse, I think, unfortunately, were stuck with the existence of this technology. But slowing down the rate of proliferation is, I think, the best approach we have, the limiting the global harm is going to cause.
And IT is my firm belief, that is, more and more governments pay attention. They will recognize that a totally uncontrolled, a digital moggy issue is bayway, where everybody is using the stuff all the time, is a really bad outcome for most governments, and that you will need a degree of protection. The problem is that willingness to act is like, I think, unfortunately, contention on a lot of governments like feeling this thing.
First, I don't think it's an accident that a large number of U. S. Government personal had to get hacked with pegasi power before the U. S. Took really decisive actor.
All the U. S. Is taking the size of action against intellects.
And now reuters published the story a few weeks ago saying the U. S. Commerce department has blacklisted both intellectually and cracks.
We've been sanctioned. I think this essentially means is prohibited in the U. S.
To do business with these companies. And I don't really know how this impacts them. Um perhaps U.
S. Banks can do business with them now or maybe it's harder for them to fly on U. S.
airlines. I'm not exactly sure. But also, if they have investors, this doesn't look good for business.
You know I I could shake investors who want to expand the U. S. someday. But yeah, that's not happen. Now, intellect a is part of a dizzying web of companies that are Operating in different countries. The parent company is called the lustrous, which is in ireland for some reason.
And their holding company has declared that they've made thirty five million dollars in sales from just doing business in the middle ast. But other sources have said that they've made close to two hundred million dollars in sales in the last three years. So IT seems like life and business is great for.
Tell dalian in in alexa. This will definitely be a company that i'll be keeping an iron in the future. But with the noise that they seem to be making, sounds like everyone is gonna watching them too.
A big thank you to craft in black from lighting reports for coming on the show and showing the story with us. Also seeks to build marzak and john Scott rilton from citizens map for telling us what they know. If you like to this episode, you'll probably also like the epo des about anos group, which are epo des ninety nine and one hundred.
But also, this isn't greeks first big hacking scandal. If you want to hear another crazy story about Grace, check out episode sixty four called athons shadow games. If you like the show, if IT brings value to you, considered donating to IT through patron by directly supporting the show, that helps keep ads and a minimum, and IT tells me you are more of IT, so please visit patriot t.
Com, slash darker net diaries and consider supporting the show. You will also get ten bonus episodes there as well as an add free version of the show. So thank you. The show is made by me, the hesitant skeleton jacky cider.
Our editor is the bear slater trust and leger mixing done by proxy sound who just released a book and how to use pro tools IT called pro tools post cook book two thousand and twenty three. And he's done the audio production on films, music and spoken word and jam packed the book with tones of great tips on how you can be a Better audio producer. I'll have a link in the show notes on where to get the book.
Our sea music is by the mysterious s breakfast or solder. I don't like ultra wide screen monitors because the loading bar on them is just like so long. This is dark days.