Meta identifies six firms, including India's BellTroX, for spying on users

BellTroX allegedly operated fake accounts used in suspected efforts to hack people's phones or computers; the company targeted people in countries including Australia, Angola, Saudi Arabia and Iceland

Facebook parent Meta Platforms Inc. has announced a sweeping crackdown on surveillance companies that it says have used its social media websites to spy on people in more than 100 countries.

In a report published on Thursday, Meta identified six companies from Israel, India, and North Macedonia, in addition to an unknown entity in China, which it said carried out “indiscriminate” surveillance targeting thousands of people.

Meta said it had blocked infrastructure associated with the companies, issued cease and desist warnings to them, and banned about 1,500 of their accounts from Facebook and Instagram, which had secretly been used to carry out reconnaissance, launch hacking campaigns and trick people into providing personal information.

Those targeted for surveillance by the companies included journalists, dissidents, critics of authoritarian regimes, and families of opposition and human rights activists, according to Meta. More than 48,000 people believed to have been targeted by the surveillance companies were alerted by Meta.

“The goal of today's enforcement is not just to take down their accounts, but to disrupt their activity in the most costly way possible, to blow the cover on their operations and bring transparency to the industry,” said David Agranovich, Meta’s director of threat disruption.

The revelations come amid increasing scrutiny of companies that provide governments with surveillance technologies. The firms, such as Israel’s NSO Group Ltd, contend that they provide the tools to help intelligence and law enforcement agencies fight serious crime and terrorism. But there have been repeated examples in recent years in which governments have allegedly used the technology to spy on dissidents, human rights activists and journalists.

On Tuesday, a group of 18 U.S. lawmakers wrote to the U.S. Department of the Treasury and the State Department, urging them to use Global Magnitsky sanctions to punish NSO Group and other surveillance companies they accused of enabling human rights abuses. The embattled NSO Group is now said to be exploring options that include shutting its controversial Pegasus spyware unit and selling the entire company, Bloomberg News reported.

Meta says its report aims to show “that NSO is only one piece of a much broader global cyber mercenary ecosystem.” It names four other Israeli firms as having been involved in providing the “surveillance-for-hire” services—Cobwebs Technologies, Cognyte, Black Cube and Bluehawk CI – in addition to India’s BellTrox, North Macedonia’s Cytrox and an unknown entity in China. Most of the companies didn’t respond to requests for comment.

A spokesperson for Black Cube said the company operates in compliance with local laws and “does not undertake any phishing or hacking and does not operate in the cyber world.” The company “works with the world’s leading law firms in proving bribery, uncovering corruption and recovering hundreds of millions in stolen assets,” the spokesperson added.

Meital Levi Tal, spokeswoman for Cobwebs Technologies said the company hasn’t “been contacted by Facebook (Meta) and are unaware of any claims it has allegedly made about our services. Cobwebs operates only according to the law and adheres to strict standards in respect of privacy protection.”

John Scott-Railton, a senior researcher at Citizen Lab, a research group at the University of Toronto that focuses on abuses of surveillance technology, said that Meta’s “broad stroke enforcement action” would send “a really clear signal of the way it's going to treat other offensive players going forward.”

“It's significant, because it shows this is not the problem of a single company or a handful of companies. It's an industry-wide problem.”

Meta accused Cobwebs of operating hundreds of fake accounts used to collect information on their targets, who included activists, politicians and government officials in Hong Kong and Mexico. Bluehawk CI was said to use fake accounts posing as journalists to trick people into installing malicious software on their computers, targeting politicians and businessmen in the Middle East. Black Cube was accused of operating fake personas to gather information on people in medical, mining, minerals and energy industries, as well as Palestinian activists and people in Russia involved in finance and real estate development.

India's BellTroX allegedly operated fake accounts used in suspected efforts to hack people’s phones or computers; the company targeted lawyers, doctors, activists, and members of the clergy in countries including Australia, Angola, Saudi Arabia and Iceland. Meta found a “vast domain infrastructure” associated with Cytrox, which it said was likely used in hacking campaigns that targeted politicians and journalists, including in Egypt and Armenia. Moreover, Meta linked the unknown entity in China to domestic law enforcement in the country and observed it had been supporting surveillance campaigns focused on minority groups in the Asia-Pacific, including the Xinjiang region of China, Myanmar and Hong Kong.

Separately on Thursday, Citizen Lab published a report  linking Cytrox to hacks that targeted two prominent critics of the Egyptian government.

The company has developed spyware called Predator that can penetrate iOS and Android mobile devices to secretly record conversations and steal data, Citizen Lab found.

In June, Cytrox’s spy technology compromised a phone belonging to Ayman Nour, the exiled president of the Union of the Egyptian National Forces, an opposition political group. The spyware was also found on the phone of an Egyptian journalist in exile who is the host of a popular news program, according to Citizen Lab’s report, which does not name the journalist.

Citizen Lab’s digital analysis identified multiple servers associated with the delivery of Cytrox’s spyware, in countries including Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia. Governments in those countries are likely among Cytrox’s customers, according to Citizen Lab.

“What the public is learning this year is that there is a large cyber insecurity industry that sells these offensive tools,” said Scott-Railton, the senior researcher at Citizen Lab. “And as long as there is no serious oversight, the offensive tools will be used in the same way: to target dissidents, journalists and others. Until there are serious systematic efforts to address this problem, the horrors will keep happening.”

Cytrox has a limited online footprint and has received little media coverage. The comp any originated as a startup in Macedonia, but was later acquired by Tal Dilian, an Israeli intelligence agency veteran, in a deal worth about $5 million, Forbes reported in 2019. A representative for Dilian didn’t respond to a request for comment.

According to Citizen Lab, Cytrox is involved in a surveillance industry alliance called Intellexa, which was founded by Dilian and says it offers law enforcement and intelligence agencies “cutting-edge technological platforms” that protect communities from criminal activities.

Cytrox has impersonated popular companies and websites—including Apple, Fox News, Instagram, LinkedIn, Tesla, Twitter and YouTube—in order to dupe hacking targets into clicking on malicious links, Citizen Lab’s researchers found.

The two Egyptians who were hacked earlier this year received messages on WhatsApp that tried to trick them into clicking on what appeared to be legitimate news websites, but were in fact malicious domains set up to deliver Cytrox’s spyware, Citizen Lab reported.

In Nour’s case, he became suspicious that his phone had been infected after it began overheating. Citizen Lab’s researchers forensically examined it, finding that it had been successfully infected by two variants of spyware: Cytrox’s Predator and NSO Group’s Pegasus.

Citizen Lab notified WhatsApp parent Meta about its findings, which prompted the company to initiate its own investigation. According to Meta’s report published on Thursday, it identified and removed approximately 300 Facebook and Instagram accounts linked to Cytrox’s spying efforts.

Companies such as Cytrox are “democratizing access” to spying techniques, said Nathaniel Gleicher, Meta's head of security policy. "They are building tools to manage fake accounts, to target and surveil people, to enable the delivery of malware. And they are providing them to any clients most interested – the clients who are willing to pay."