Towards the tip of 2023, an Israeli safety researcher from Tel Aviv stated that he was approached on LinkedIn with a chance to work overseas with “good pay.” He stated that the corporate’s HR division instructed him that it was a “reputable” offensive safety firm that was ranging from scratch in Barcelona, Spain.
However throughout the entire recruiting course of, the researcher recounted to TechCrunch, issues felt a bit off.
“The entire secrecy was very bizarre. Some staff that interviewed me didn’t use their full names, they took tremendous lengthy to disclose the place the corporate even is, not to mention its identify. Why is it such a secret if all the pieces’s legit?” the researcher instructed TechCrunch. “It looks like an organization that may get sanctioned sooner or later, and issues may get soiled.”
When he spoke to the corporate’s chief expertise officer, the researcher stated that he was instructed one thing alongside the strains of, “we are going to solely have legit prospects and in contrast to different corporations gained’t promote to shady nations.”
Alexey Levin, the hiring CTO and a former researcher on the sanctioned adware maker NSO Group, instructed the researcher that the corporate making an attempt to rent him was referred to as Palm Seashore Networks, and that it develops all the pieces from the zero-day exploits used for compromising gadgets to the adware implant itself, referring to the surveillance software program that will get put in on a goal’s gadget, in line with the researcher.
The researcher stated that Levin additionally instructed him that Palm Seashore Networks had a minimum of one U.S. authorities buyer. (Levin didn’t reply to a request for remark.)
However why discovered a adware startup in Barcelona, which simply years earlier was on the middle of a wide-reaching political scandal the place Spanish authorities officers used adware to focus on native politicians who pushed for independence? Similar to many different startups within the metropolis; the researcher stated that firm staff instructed him that it was as a result of dwelling within the metropolis is just like dwelling in Israel, that there are good tax advantages, and good climate.
These are a number of the explanation why within the final couple of years, Barcelona has develop into an unlikely hub for adware corporations, in line with a number of individuals who work within the offensive cybersecurity trade who spoke with TechCrunch, in addition to enterprise information we have now seen.
Having Barcelona develop into a vital regional outpost for offensive cybersecurity corporations places the adware downside squarely on the doorstep of Europe, which has a fractious relationship with surveillance tech, as a result of scandals in Cyprus, Greece, Hungary, and Poland — all involving Israeli adware makers.
“It’s a regarding growth if a serious metropolis in Europe turns into a hub for adware makers,” Natalia Krapiva, the authorized counsel at nonprofit Entry Now, which focuses on investigating and researching adware, instructed TechCrunch. Krapiva stated that the adware enterprise “goes hand in hand with corruption and abuse of energy.”
“Spanish residents, media, and policymakers needs to be rigorously scrutinizing these companies when it comes to whether or not their operations are according to nationwide and EU legal guidelines and whether or not the Spanish authorities could also be concerned in abusing their surveillance instruments, particularly given Spain’s historical past with Pegasus,” stated Krapiva.
John Scott-Railton, a senior researcher on the Citizen Lab, the place he and his colleagues have for greater than a decade investigated abuses carried out with adware instruments, additionally expressed concern. Scott-Railton famous that previously there have been instances of adware abuse not solely in opposition to human rights activists and dissidents in non-democratic nations like Ethiopia and Saudi Arabia, but additionally in opposition to U.S. diplomats and focused people, together with politicians and residents inside Europe’s borders.
“This may add gas to the hearth of Europe’s adware disaster. If expertise is a information, it’s solely a matter of time earlier than this tech winds up utilized by prospects in opposition to Spain’s allies and EU companions,” Scott-Railton instructed TechCrunch. “Governments that permit this trade to flourish take a big gamble with their very own secret capabilities and human capital. These capabilities have a tendency to empty outwards, together with to potential future adversaries, as soon as mercenary adware and exploit builders come to city and begin hiring.”
Solar, seafood, and adware
Other than Palm Seashore Networks, because it was identified on the time, Barcelona is house to a number of different exploit and adware makers that too are taking advantage of town’s sunny, temperate climate, contemporary seafood, and vibrant expat neighborhood.
Amongst them are Paradigm Shift, a spin off of the embattled startup Variston, which misplaced workers and was struggling to outlive in 2024; and Epsilon, which is led by Jeremy Fetiveau, an trade veteran who used to work for a division inside U.S. protection large L3Harris that was created after the corporate acquired the Australian startup Azimuth.” Fetiveau didn’t return a request for remark.
Town is claimed to be additionally house to an unnamed group of Israeli researchers who moved to Barcelona from Singapore to work on creating zero-day exploits. The existence of this unnamed group in addition to Epsilon’s presence in Barcelona was first reported by Israeli newspaper Haaretz, whose article sparked protection in native newspapers and information web sites.
Different cybersecurity corporations have a presence in Barcelona, even when they don’t seem to be headquartered there. Andrijana Šekularac, the chief govt of Austrian cybersecurity firm SAFA lives within the metropolis, in line with her public LinkedIn profile. SAFA has sponsored offensive cybersecurity conferences, together with OffensiveCon and Hexacon, and employs a minimum of two safety researchers with previous expertise at adware corporations, in line with their public LinkedIn profiles. Šekularac additionally didn’t reply to a request for remark.
These zero-day and adware corporations are a part of a broader cybersecurity and startup ecosystem in Barcelona. As of final yr, in line with the Catalan regional authorities, there have been greater than 10,000 folks working for greater than 500 cybersecurity corporations in Barcelona, or round 50% extra staff than 5 years earlier.
Contact Us
Do you may have extra details about Epsilon, Head and Tail, Paradigm Shift, or different authorities adware makers? From a non-work gadget, you’ll be able to contact Lorenzo Franceschi-Bicchierai securely on Sign at +1 917 257 1382, or through Telegram and Keybase @lorenzofb, or e-mail. You can also contact TechCrunch through SecureDrop.
Barcelona isn’t only a hotbed for surveillance tech makers, however startups on the whole, with some rating town among the many high startup hubs in Europe. Town is the founding house for meals supply startup Glovo, which competitor DeliveryHero valued at €2.3 billion in 2021 when it acquired a majority stake within the Catalan firm; orthodontics startup Impress, which raised $125 million in 2022 and $114 million in 2024; and enterprise journey administration platform TravelPerk, which raised $105 million in 2024; amongst greater than 2,200 different startups, in line with the Barcelona and Catalonia Startup Hub, a neighborhood authorities mission that tracks the startup ecosystem within the area.
Town is engaging to staff as a result of its price of dwelling is cheaper than different European startup hubs like London, Amsterdam, and Berlin. Then, there’s the maybe extra apparent causes, a minimum of for anybody who’s been to Barcelona: Town has good seashores, just like Tel Aviv, Cyprus, and Greece, locations which can be or had been house to adware corporations like NSO Group, Circles, and Intellexa.
There are additionally different causes, aside from town’s attractiveness, which have introduced Israeli safety researchers specifically to Barcelona. As Haaretz reported on the finish of December 2024, Israel has develop into extra restrictive in granting licenses to export adware to different nations within the wake of the scandals involving NSO Group, leaving the door open for corporations to maneuver overseas. It’s now tougher for corporations to export adware from Israel to the remainder of the world, together with the European Union, than from inside the bloc itself.
One particular person instructed Haaretz that this course of shouldn’t be “emigration to Spain, it’s expulsion to Spain.”
Whereas Paradigm Shift is brazenly promoting itself as an offensive cybersecurity firm, with job listings for roles that match this sort of enterprise, different corporations aren’t as clear, similar to Variston was. Paradigm Shift is headed by Leone Pontorieri, in line with the corporate’s enterprise information, in addition to Filippo Roncari and Simone Ferrini, in line with their public LinkedIn profiles. The three had been a part of an Italian startup that was acquired by Variston in 2018, when the corporate launched in Barcelona, and one of many first adware corporations to arrange its operations within the Catalan metropolis.
Representatives for Paradigm Shift didn’t reply to a request for remark.
A stealthy startup with many names
Palm Seashore Networks has to date prevented any public claims of involvement in human rights abuses, in contrast to adware makers NSO Group, and earlier than it Hacking Staff and FinFisher, have prior to now. However the firm does have an intriguing historical past of adjusting names, a method that different adware distributors have beforehand used to masks their company possession. Israeli adware makers Candiru rebranded a number of instances earlier than the corporate was added to the U.S. authorities’s commerce ban listing in 2021, and NSO itself had a posh company construction.
The identify Palm Seashore Networks “was a bit secretive and solely stated by Levin and others at later levels,” in line with the Israeli researcher.
Because it seems, Palm Seashore Networks might already be an out of date identify, and the second iteration of a startup with a special id.
An organization referred to as Protection Prime Inc. turned Palm Seashore Networks on Might 11, 2023. On June 16, 2023 an organization referred to as Head and Tail began operations in Barcelona. Then on June 28, 2024, Palm Seashore Networks was dissolved, in line with enterprise information filed in Florida and Spain.
Protection Prime and Palm Seashore Networks look like linked to Head and Tail as a result of overlapping executives and key figures.
An individual named Sai Gopal is listed as Head and Tail’s licensed signatory in Spanish enterprise information, and somebody with the identical identify was listed because the treasurer of Protection Prime in Florida enterprise information. Gopal couldn’t be reached for remark.
Enterprise information additionally present Alexey Levin, the CTO who tried to rent the Israeli safety researcher for Palm Seashore Networks, is the director of Head and Tail. Representatives from Head and Tail didn’t return TechCrunch’s request for remark.
A present govt at a adware maker, who requested to stay nameless, instructed TechCrunch that Levin works at Palm Seashore Networks. Beforehand, the chief stated, Levin was an early developer at NSO Group, after which additionally labored at Candiru.
On its official web site, Head and Tail makes no express point out of the truth that it develops surveillance expertise, however as an alternative says it addresses “a myriad of cybersecurity points, together with menace intelligence, vulnerability assessments, safety consciousness coaching, and incident response.” The corporate has job listings for Barcelona, Madrid, and Sevilla.
Ultimately, the Israeli researcher turned down the prospect to work at Palm Seashore Networks, though folks he is aware of instructed him the corporate pays a few of its staff eye-watering salaries that vastly exceed the nation’s gross annual common.
The researcher stated he was nervous he might find yourself like some NSO Group’s staff, who’ve needed to take care of the fallout from human rights scandals, Fb blocking and deleting their private accounts, and the U.S. authorities threatening to disclaim their visas.
“I might get ok cash elsewhere and never have to fret about what is going to occur or who I’m working for,” stated the researcher, “particularly after I felt they aren’t a clear firm and I wouldn’t know who the purchasers are.”
