Full Report
A Greek court sentenced four Intellexa executives to prison for their role in a 2022 scandal that involved the use of Predator spyware against more than 90 public figures in the country. Citizen Lab researchers first published evidence of Predator spyware in Greece in late 2021. The Lab later analyzed the phones of journalist Thanasis […] The post Intellexa Founder, Three Others Sentenced to 8 Years in Prison Over Greek Spyware Scandal appeared first on The Citizen Lab.
Analysis Summary
# Regulation/Compliance: Legal Accountability for Mercenary Spyware Operations
## Overview
This case marks a historic judicial precedent regarding the illegal use of "mercenary spyware" (specifically Predator). It establishes that the sale, deployment, and operation of invasive surveillance technology without strict legal authorization constitutes a criminal offense for which corporate executives can be held personally and criminally liable.
## Key Details
- **Issuing Authority:** Greek Judiciary (Criminal Court)
- **Effective Date:** Sentences handed down March 5, 2026 (Case origins: 2022)
- **Jurisdiction:** Greece / European Union
- **Status:** Final (Sentencing Stage)
## Requirements
### Mandatory Requirements
1. **Lawful Interception Compliance:** Surveillance must only be conducted through official legal channels with explicit judicial oversight.
2. **Export Control Adherence:** Technology firms must adhere to dual-use goods regulations (such as EU Export Control Regulations) when distributing surveillance tools.
3. **Data Privacy Protection:** Adherence to GDPR and national privacy laws regarding the unauthorized processing of personal data from mobile devices.
### Recommended Practices
1. **Due Diligence:** Commercial spyware vendors should perform human rights impact assessments on clients.
2. **Whistleblower Protections:** Organizations should have mechanisms to report the misuse of surveillance tools against protected groups (journalists, politicians).
## Affected Organizations
- **Industries:** Private intelligence firms, Cyber-surveillance software vendors (mercenary spyware), and Defense contractors.
- **Organization Size:** All sizes; focus is on executive-level accountability.
- **Geographic Scope:** Greece-based operations and international firms exporting to EU member states.
## Compliance Timeline
- **Late 2021:** Initial evidence of Predator spyware published by Citizen Lab.
- **2022:** "Predatorgate" scandal breaks; 90+ public figures identified as targets.
- **July 2023:** (Contextual) U.S. and EU increase sanctions/scrutiny on Intellexa.
- **March 5, 2026:** Final sentencing of four executives.
## Implementation Guidance
### Assessment Phase
- **Operational Audit:** Review current client lists to ensure no "high-risk" usage against civil society, journalists, or opposition politicians.
- **Legal Review:** Verify that all active infections/deployments are backed by a valid warrant in the local jurisdiction.
### Implementation Phase
- **Technical Safeguards:** Implement "kill switches" or logging requirements in software to prevent unauthorized use by end-clients.
- **Executive Oversight:** Appoint a Compliance Officer specifically for human rights and surveillance ethics.
### Validation Phase
- **Independent Audits:** Use third-party cybersecurity firms or human rights organizations to audit the impact of the deployed technology.
## Technical Requirements
- **Forensic Transparency:** Ability for independent researchers (e.g., Citizen Lab) to verify the origin and purpose of surveillance "artefacts."
- **Restricted Access:** Implementing strict access controls to prevent the deployment of spyware via "one-click" or "zero-click" exploits against protected targets.
## Penalties & Enforcement
- **Fines:** Severe financial penalties (specific amounts vary by victim counts).
- **Other Consequences:**
- **Incarceration:** Prison sentences for high-level executives (8 years in this instance).
- **Operational Loss:** Reputation damage described as a "huge ball and chain" preventing future business.
- **Enforcement:** Criminal prosecution by national judicial systems and possible international travel restrictions/extradition.
## Related Standards
- **EU Dual-Use Regulation (2021/821):** Governs the export of "cyber-surveillance items."
- **UN Guiding Principles on Business and Human Rights:** Aligning corporate operations with the protection of civil liberties.
- **GDPR Article 5 & 6:** Lawfulness of processing and protection of sensitive personal data.
## Resources
- **Official Documentation:** [hxxps://citizenlab.ca/research/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/]
- **Guidance:** [hxxps://www.amnesty.org/en/tech/]
- **Tools:** MVT (Mobile Verification Toolkit) for detecting spyware indicators.
## Practical Recommendations
- **For Compliance Officers:** Ensure your organization's "Terms of Service" for software explicitly forbid use against non-criminal targets.
- **For Executives:** Recognize that "corporate veils" no longer protect individuals from criminal prosecution in cases of human rights abuses via technology.
- **For Government Liaisons:** Verify that state-sponsored surveillance contracts include strict "End-User Agreements" aligned with EU human rights standards.