How EU countries spy on their citizens — The Organised Crime and Corruption Watch, regional edition no. 5

Independent media in Hungary revealed that the autocratic Viktor Orban regime secretly purchased the Pegasus spyware, commonly used by governments on journalists, activists, and political opponents. The same spyware was used extensively in Poland to keep tabs on lawyers and politicians. The software, produced by the Israeli NSO Group, is the focus of a special investigation committee. The company hosts a sales event in Prague yearly, but Czech officials deny using the technology.  In Romania and Slovakia, the governments refuse to say if they are using spyware, even though, in the past, they have. Bulgaria is hosting the operation of a spyware company, while the general prosecutor alleges he was spied on.

This collaborative newsletter is based on the research of seven investigative outlet members of The Organised Crime and Corruption Reporting Project: Investigace.cz (Czech Republic), Bird.bg (Bulgaria), Frontstory.pl (Poland), Rise Project (Romania), Investigative Center of Ján Kuciak – icjk.sk (Slovakia),  Átlátszó (Hungary), Context Investigative Reporting Project  (Romania). The team explores each edition’s organized crime or corruption topic and showcases the most relevant facts.

Hungarian journalists spied on by the Orban regime

In 2021, 300 Hungarian telephone numbers were found in a leaked database obtained by an international investigation led by Forbidden Stories. This leak revealed that Pegasus, a spyware manufactured by an Israeli cybersecurity firm, had been used in Hungary — the EU country’s first confirmed use of Pegasus.

Pegasus is officially used against targets suspected of involvement in organized crime. However, the investigation revealed the Hungarian government has also used Pegasus to monitor its critics.

Four Hungarian journalists were on the list of the targeted people, all of whom worked for independent outlets that were not part of the pro-government media ecosystem. In July 2021, the phone of photographer Dániel Németh was secretly hacked, and the Pegasus spyware had been installed on it. Németh co-authored an award-winning Atlatszo article revealing that the Hungarian government elite, including Orban, uses luxury yachts and private jets registered abroad. Besides, the phone of Brigitta Csikász, a journalist of Atlatszo at the time, was also hacked several times in 2019 with Pegasus.

Other spying targets included Hungarian public figures, lawyers and politicians, and businessmen like the owner of the media company Central Media Group. An international student of the Central European University also became a target. An NGO called Hungarian Civil Liberties Union (HCLU) has launched various legal proceedings on behalf of several targets of the Pegasus spyware.

According to a recent Direkt36 story, the Hungarian parliament’s national security committee voted on acquiring the spyware in a closed session, requested by the Special Service for National Security. Lajos Kósa, a politician from Hungary’s governing party, acknowledged the acquisition of the spyware but said the law carried out the surveillance. Details are unknown, as the meeting minutes of the National Security Committee meeting on the acquisition are classified until 2050. A report issued by the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) found that all cases met the legal criteria, and surveillance was needed for national security reasons.

Hungary refused to cooperate with the European Parliament’s special committee on the Pegasus spying software. The delegation has asked to meet Judit Varga, the Minister of Justice, but they have yet to receive a response.

Besides Pegasus, it was revealed last year that Hungarian diplomats posted to European countries regularly gathered information on the travels of independent Hungarian journalists, among them two Atlatszo journalists as well, while actively facilitating the foreign visits of people associated with the pro-government media.

Black Cube, used by the power to discredit journalists

Hungarians have had negative experiences with other spyware software as well: Based on the report of Citizenlab and Wikileaks documents, Atlatszo reported in 2013 that the Hungarian secret service is among the users of Finfisher, a surveillance software package commonly used to monitor political opponents and NGOs. In 2015, files leaked from the Italian-based commercial spyware company Hacking Team revealed that Hungary had been a client since 2008. They paid almost 2 million euros for the services.

Between 2017 and 2018, Hungarian NGOs and individuals were contacted by agents using false identities to discredit them during the 2018 election campaign. The Israeli private intelligence firm Black Cube was involved in the campaign on behalf of the Hungarian government. At the National Security Committee meeting, Fidesz MEPs prevented the Black Cube case from being put on the agenda. Last year, Atlatszo investigated that covert intelligence methods were used to support Viktor Orban’s smear campaign against NGOs by targeting journalists, experts, and political analysts with elements similar to the Black Cube operation. Video interviews made under suspicious circumstances were presented as exposés in pro-government newspapers.

From Pegasus to Predator in Poland

In 2017, the Polish secret services paid 8 million euros for the Pegasus spyware. Most of the money came from the Justice Fund (officially intended to support victims of crime), which Justice Minister Zbigniew Ziobro oversees. The invoice for the Israeli manufacturer NSO Group was issued by the Central Anti–Corruption Bureau, which is subordinate to the government.

 

According to CitizenLab researchers from the University of Toronto, who monitor the global business of surveillance tools, as well as Associated Press (AP) journalists, among the people who Pegasus has surveilled in Poland was Roman Giertych, a lawyer who is one of the biggest critics of the ruling party – and Ewa Wrzosek, a prosecutor critical of the government.

The phone of Krzysztof Brejza – a senator from the opposition Civic Coalition and, at the time of the attack, chief of staff of the opposition presidential candidate (who ultimately lost the election by a narrow margin) – was hacked thirty-three times. As revealed by the journalists of TVN’s Superwizjer, thanks to Pegasus, the services gained access to the politician’s messages, phone calls, and private photos.

CitizenLab’s analyses showed that the long list of the invigilated also included people about whose activities the Polish government wanted to know as much as possible, such as:

• officials of the Supreme Audit Office, which controls the authorities;
• Michał Kołodziejczak, leader of the AgroUnia agricultural organization, opposed the government;
• Adam Hofman and Mariusz Antoni Kamiński, businessmen providing PR services to people and companies linked to the authorities.

In May 2023, we learned about the recommendations of the PEGA committee on surveillance in Poland. They partly coincide with the conclusions of the September 2019 report ‘Osiodłać Pegaza’ (Saddle the Pegasus) by the Polish privacy foundation Panoptykon. Among other things, PEGA recommends that Poland restore independent control over the services and a system of parliamentary oversight over them, implement a European directive protecting whistleblowers, launch an investigation into the use of Pegasus, and restore the full independence of the judiciary.

However, there is no indication that Poland will take up PEGA’s recommendations: the United Right government has consistently refused to meet with MEPs sitting on the committee.

Pegasus was not the only spyware used in Poland. According to CitizenLab, Predator, a software developed by a company from North Macedonia (linked to people from Israeli intelligence), was also used in Poland.

In July 2022, a scandal erupted in Greece where the Predator spyware was used on journalists and opposition politicians. A parliamentary investigative committee discovered that behind the software supply to the Greek government were two businessmen and a Polish lawyer and entrepreneur with business ties to them – as FRONTSTORY.PL revealed. The lawyer, Stanisław Pelczar, is the one who probably brokered the purchase of Predator by the Greek police (which he himself denied in an interview with journalists).

The EU code of silence that spread to Romania

In 2016, Romania was hit with the revelation that the National Anticorruption Department chief prosecutor was spied on by Black Cube, a company established by former Israeli Mossad agents. The case is outlined in the PEGA committee, a special committee set out to investigate the use of spyware in the European Union.

Contex.ro, one of OCCRPs local partners, tried to assess if and what type of spyware the Romanian government had purchased and used in the past decade. The Ministry of Foreign Affairs (MAE) refused to provide information requested by Context.ro regarding the use of spying software by institutions in Romania.

The same ministry should have also supplied the data to the PEGA committee, which had made a similar official request.

Romania and other EU states decided not to cooperate with the commission. The rapporteur of the PEGA commission criticizes the lack of transparency of EU governments. “The fact that the governments decided as a group not to respond to us and not to cooperate is very relevant. I call this omerta. It’s a term used by the Italian mafia when they decide to keep quiet,” Sophie in ‘t Veld told Context.ro.

 

The PEGA commission’s preliminary report found that commercial spyware products were used in all EU member states: “We can say with a high degree of certainty that all EU member states have purchased one or more commercial spyware products.”

In 2015, Rise Project published two materials detailing that Hacking Team, an Italian spy software manufacturer, had ties to several Romanian intelligence services and commercial companies. According to Rise, Hacking Team’s internal correspondence made public after other hackers attacked them showed that representatives of the SRI, the Army Intelligence Service (DGIA), and a department of the General Inspectorate of the Romanian Police were interested in the spy software of the company.

The NSO “end of the year sales” event in Prague

Recently, Czech media reported that the Czech government had purchased the Pegasus spyware. An official European Parliament’s Commission of Inquiry report also claims that the Czech Republic should own the surveillance software. According to the E15 website, the Israeli company NSO Group was interested in selling Pegasus to the Czech Republic.

“I am unaware that the Czech state has ever purchased this software. I have never worked for the NSO Group or relevant parts of the Czech state that can buy and use similar tools,” national security advisor Tomáš Pojar told Investigace.cz. When asked which institution in the Czech Republic guarantees that spyware like Pegasus will not be used against journalists or activists, he said there is a simple answer – the Czech Republic is a state governed by the rule of law. “From my point of view, there is absolutely no reason to create any other institutions,” Pojar concluded.

Every year, Prague hosts a cybercrime and surveillance-oriented conference, ISS World Europe, which hosts law enforcement and intelligence people and those who sell these tools. In 2021, this conference was sponsored by NSO Group.

Slovak authorities are on mute about the use of Pegasus

In the past, the media published information on spyware being acquired by Slovak secret services, but it was never officially confirmed.

 

Based on information from WikiLeaks 2014, the Slovak Republic allegedly purchased the FinFisher tool from the Gamma Group. A year later, the e-mail communications of the Italian company Hacking Team were leaked through WikiLeaks. It followed that Slovakia was interested in its Galileo software solution. None of the purchases was officially confirmed.

The usage of FinFisher was confirmed by the European Parliament report this year.

Slovak military intelligence statement in 2021 published by Zive.SK: “We can confirm that we do not use the mentioned system in the Department of Defense, and we have not used it,”

The Slovak Information Service (SIS) refused to comment on the possible use of Pegasus. It referred to a legal obstacle that allegedly prohibits SIS from confirming or refuting its possible deployment.

Bulgaria a good host for spyware companies

Bulgaria’s secret services have a long record of using FinFisher and FinSpy. They also tried to acquire another spying software from HackingTeam, but the deal failed. In 2013, a scandal broke after the revelations that mobile IMSI catchers (Mobile cell phone stations pretending they are legit cell operator stations. Your phone connects to the rogue mobile station and gets exposed to hacking and monitoring.) bought by the Ministry of Interior with EU money were used to spy illegally on politicians. The prosecution office indicted three persons, but later, the case vanished from official records.

Recent reporting shows Bulgaria was hosting the business operations of the Israeli company Circles, providing GSM network hacking tools. Pegasus, the NSO Group, acquired circles. The business of Circles is currently prospering, according to the increasing number of employees and multi-million revenue declared in the company’s annual financial reports. The use of Pegasus by the Bulgarian government has not been confirmed officially, but there is an ongoing prosecution probe, and sources confirm the Ministry of Interior has used the software. The current prosecutor general, Borislav Sarafov, stated recently that he had been surveilled by a private group by the orders of the former prosecutor general and his rival Ivan Geshev. However, it was not clear if he had been targeted by spyware of any type.

Written by Zita Szopkó – Atlatszo (Hungary), Orsolya Fülöp – Atlatszo (Hungary), Bianca Albu – Rise Project (Romania), Attila Biro – Context Investigative Reporting Project (Romania), Tomáš Madleňák – Investigative Center of Ján Kuciak (Slovakia). Cover photo: OCCRP