Barcelona: An Unlikely Emerging Hub for Spyware Startups

Toward the end of 2023, an Israeli security researcher from Tel Aviv recounted being contacted on LinkedIn about a job opportunity "with good pay" at a supposed "legitimate" offensive security company based in Barcelona, Spain. The recruitment process, however, raised some red flags. "The whole secrecy was very weird. Some employees that interviewed me didn’t use their full names, they took super long to reveal where the company even is, let alone its name. Why is it such a secret if everything’s legit?" the researcher said. "It seems like a company that might get sanctioned in the future, and things might get dirty."

During an interaction with the company's CTO, the researcher was told the firm, Palm Beach Networks, assured only ‘legit’ customers and ruled out selling to "shady nations." The company's CTO, Alexey Levin, previously worked with NSO Group, a well-known sanctioned spyware maker, and claimed the company developed both the exploits and the actual spyware utilized for device surveillance.

Interestingly, Barcelona, previously embroiled in a political scandal involving surveillance of local politicians, is becoming a growing hub for such enterprises, benefiting from favorable tax laws, similar climate to Israel, and a vibrant community. "Living in the city is similar to living in Israel," some company employees added. Moreover, the city provides strategic location advantages within Europe, despite its troubled relationship with surveillance tech.

"It is a concerning development if a major city in Europe becomes a hub for spyware makers," declared Natalia Krapiva of Access Now, emphasizing the associated risks of corruption and power abuse.

John Scott-Railton from the Citizen Lab expressed similar concerns regarding potential abuses of spyware, extending even against allies and partners in the EU, potentially exacerbating Europe's ongoing spyware crisis.

Sun, seafood, and spyware

Alongside Palm Beach Networks, Barcelona hosts several other spyware companies like Paradigm Shift and Epsilon, leveraging the city's inviting climate and vibrant culture. Paradigm Shift, spun from Variston, struggled previously yet continues operating in the city under new direction, led by industry veteran Jeremy Fetiveau.

Furthermore, other cybersecurity companies maintain significant presence in the area, supplying a robust tech workforce. Catalonia boasts more than 500 such companies employing over 10,000 individuals—a dramatic increase over five years.

A stealthy startup with many names

Palm Beach Networks, lacking public allegations of rights abuses, nevertheless shares historical traits with other elusive entities, frequently changing identities to obscure ownership links—a noted tactic employed within the spyware industry.

Business records reveal Palm Beach Networks evolved from Defense Prime Inc. and embraced a new identity as Head and Tail, but disguised its primary operations under general cybersecurity fronts, limiting transparency on its core business.

The offer initially extended to the Israeli researcher included high salaries but was ultimately declined due to concerns over transparency and potential ethical dilemmas echoing past controversies involving similar companies. "I could get good enough money elsewhere and not have to worry about what will happen or who I’m working for," he concluded, opting for caution over risk.