Two Egyptians living in exile had their iPhones compromised in June 2021 using Predator spyware built by North Macedonian developer Cytrox (The Citizen Lab)


Key Findings

  • Two Egyptians—exiled politician Ayman Nour and the host of a popular news program (who wishes to remain anonymous)—were hacked with Predator spyware, built and sold by the previously little-known mercenary spyware developer Cytrox.
  • The phone of Ayman Nour was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different government clients.
  • Both targets were hacked with Predator in June 2021, and the spyware was able to infect the then-latest version (14.6) of Apple’s iOS operating system using single-click links sent via WhatsApp.
  • We obtained samples of Predator’s “loader,” the first phase of the spyware, and analyzed their functionality. We found that Predator persists after reboot using the iOS automations feature.
  • We conducted Internet scanning for Predator spyware servers and found likely Predator customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.
  • Cytrox was reported to be part of Intellexa, the so-called “Star Alliance of spyware,” which was formed to compete with NSO Group, and which describes itself as “EU-based and regulated, with six sites and R&D labs throughout Europe.”

1. Background

We confirmed the hacking of the devices of two individuals with Cytrox’s Predator spyware: Ayman Nour, a member of the Egyptian political opposition living in exile in Turkey, and an Egyptian exiled journalist who hosts a popular news program and wishes to remain anonymous.

Ayman Nour is the president of the Egyptian political opposition group Union of the Egyptian National Forces. Nour is also a former Egyptian presidential candidate and founder and chairperson of the Ghad al-Thawra party.

In 2005, Nour ran against former Egyptian President Hosni Mubarak. After the election, Nour was convicted of “forging signatures on petitions” filed to create his political party—a charge which was widely considered to be “politically inspired”—and imprisoned for more than four years. Nour was finally released from prison in 2009 on health grounds and after international pressure.

Nour was a candidate of the Ghad Al-Thawra party in the 2012 Egyptian presidential elections. He was excluded from the elections along with a number of other opposition candidates. In 2013, after opposing President Abdel Fattah El-Sisi’s military coup, Nour fled Egypt for Lebanon. In 2015, the Egyptian embassy in Lebanon declined to renew his passport and Nour departed Lebanon for Turkey, where he has resided since 2015. He remains a vocal critic of Sisi’s regime, describing his government as an “oppressive military regime.” He has also accused Sisi’s government of “extreme human rights violations” and of turning the country into a “fully autocratic state.”

The second target whose phone we confirmed was hacked with Cytrox’s Predator spyware is an Egyptian exiled journalist and an outspoken critic of the Sisi regime. This target has chosen to remain anonymous.

2. Enter: Cytrox

Founded in 2017, Cytrox’s business activity is blandly described in Crunchbase as providing governments with an “operational cyber solution” that includes gathering information from devices and cloud services. In Pitchbook, their technology is defined as “cyber intelligence systems designed to offer security” to governments and assist with “designing, managing and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services.”
