In July 2021, someone sent Google a bundle of malicious code that could be used to hack Chrome, Firefox, and computers running Microsoft Defender. This code was part of an exploit framework called Heliconia. And at the time, the exploits used to target these apps were zero-day, meaning software makers were unaware of the bugs, according to Google.
More than a year later, in November 2022, the Google Threat Analysis Group, the company’s group that investigates government-sponsored threats, published a blog post analyzing these exploits and the Heliconia framework. Google researchers concluded that the code belonged to Variston, a startup based in Barcelona that was unknown to the public.
“It was a huge crisis at the time, mainly because we had been under the radar for quite some time,” a former Variston employee told TechCrunch. “Everyone thought we would eventually be exposed if we were caught [in the wild], but instead it was a burglar.”
Another former Variston employee said the code was sent to Google by a disgruntled company employee, and that after it happened, Variston’s name and privacy were “burnt.”
Google continued to dig up the Variston malware. In March 2023, the tech giant’s researchers discovered that spyware manufactured by Variston was being used in Kazakhstan, Malaysia and the United Arab Emirates. Last week, Google reported that it found Variston hacking tools being used against iPhone owners in Indonesia.
Over the past year, more than half a dozen Variston employees have left the company, they told TechCrunch on condition of anonymity because they were not authorized to speak to the press due to non-disclosure agreements.
Now, according to four former employees and two people with knowledge of the spyware market, Variston is shutting down.
In the early 2010s, the public began to learn that there was a thriving market where Western-based companies such as Hacking Team, FinFisher and the NSO Group provided surveillance and hacking tools to countries and regimes around the world with dubious or poor human rights records such as Ethiopia, Mexico, Saudi Arabia, the United Arab Emirates and many others.
Since then, digital and human rights organizations such as Citizen Lab and Amnesty International have recorded dozens of cases where government customers of these spyware makers used these tools to hack and spy on journalists, dissidents and human rights defenders.
In recent years, the offensive security industry has become more public and normalized. Some of these spyware makers and exploit developers openly advertise their services online, their employees reveal where they work on social media, and there are some popular security conferences that openly cater to this industry, such as OffensiveCon and HexaCon.
Variston, however, has always tried to fly under the radar.
The only public-facing company information is a barebones website where it vaguely describes what it does.
“Our toolset is based on the vast cumulative experience of our consultants. It supports the discovery of digital information from [law enforcement agencies],” says Variston’s website, in its only brief mention of its work as a spyware and exploit developer for government agencies.
Variston banned employees from disclosing where they work, not only on LinkedIn, but also at cybersecurity conferences, according to former employees who spoke to TechCrunch.
According to Spanish business records seen by TechCrunch, Variston was founded in Barcelona in 2018, listing Ralf Wegener and Ramanan Jayaraman as founders and directors.
While its website lists another address in the city, Variston recently worked out of an office in Barcelona’s Poblenou neighborhood, inside a co-working space a block from the beach. In October, a spokesperson for the co-working space told TechCrunch that Variston was there and had been for a few years.
When TechCrunch visited Variston’s office this week, a representative of the co-working space claimed that Variston still works there. The representative offered to leave a message for Variston, saying that they were not there that day, but that they had been in the building that week. Neither Wegener nor Jayaraman responded to multiple emails from TechCrunch seeking comment about Variston. An email to Variston’s public email address was not returned.
One of Variston’s first moves in 2018 was the acquisition of Truel IT, a small zero-day research startup in Italy, according to Italian business filings seen by TechCrunch. Since then, Variston has grown into a company of around one hundred employees. In addition to Heliconia, the company’s exploit framework for targeting Windows devices, Variston has also developed exploit and hacking tools targeting iOS and Android. Variston’s Android product was called Violet Pepper, according to former employees.
Even the founders of Truel IT, who moved to work at Variston, do not disclose Variston as an employer on their LinkedIn profiles.
According to former Variston employees, that level of secrecy also applied to the identity of the company’s customers — except for its special relationship with Protect, a company based in the United Arab Emirates city of Abu Dhabi.
“Variston was a supplier to Protect,” said a person with knowledge of Protect’s operations, who asked to remain anonymous because they were not authorized to speak to the press. “It was an important relationship for both of them for a while.”
The company’s work was “going to the UAE” and Protect was “de facto the only customer,” according to former Variston employees.
Former employees told TechCrunch that Protect funded all operations at Variston, including the research and development side. A former Variston employee said that once Protect withdrew its development-side funding in early 2023, Protect tried to force Variston employees to relocate. Then, when research funding stopped later in the year, Variston “closed up shop,” the person said.
In early 2023, Protect asked all Variston employees to relocate to Abu Dhabi. This is where Variston began to unravel, as most of the Variston staff did not accept the proposal. The former employees said management gave them two options: “move to Abu Dhabi or be fired” and that there would be no exceptions.
Protect describes itself as “a leading cybersecurity and forensics company.” Like Variston, Protect says little else on its website about what the company does.
But Google security researchers believe that Protect, also known as Protect Electronic Systems, “combines the spyware it develops with Heliconia’s framework and infrastructure into a complete package that is then offered for sale either to a local broker or directly to a government customer.”
This would explain how Variston’s tools allegedly ended up being used in Indonesia, Kazakhstan and Malaysia.
According to Intelligence Online, a trade publication covering the surveillance and intelligence industry, Protect was launched after DarkMatter, a controversial hacking company based in the United Arab Emirates, was revealed to have employed Americans who then helped the UAE government spy on dissidents, political opponents and journalists.
As of 2019, Protect was headed by Awad Al Shamsi and provided UAE government users with discreet access to foreign cyber technology, Intelligence Online reported. It is not known if Al Shamsi is still with Protect, and Al Shamsi did not respond to an email seeking comment. Protect did not respond to several other emails from TechCrunch.
Variston founders Wegener and Jayaraman also appear to have worked at Protect since at least 2016, according to public online files of encryption keys linked to their Protect email addresses seen by TechCrunch.
Wegener is a veteran of the spyware industry. According to Intelligence Online, Wegener runs several other companies, some based in Cyprus and co-owned by Jayaraman. Wegener worked for AGT, or Advanced German Technology, a surveillance provider founded in Berlin in 2001 with an office in Dubai. In 2007, along with Italian spyware maker RCS Lab, AGT worked with the Syrian government to develop a centralized real-time internet monitoring system across the country, according to reports based on leaked documents and research by the non-profit Privacy International. Ultimately, AGT did not provide the system to the Syrian government.
Five years after its founding, Variston is no longer a secretive startup.
Three former employees said Google’s 2022 report blew the lid off Variston’s privacy. One of the employees said that the Google report revealing Variston “may have been the beginning of the end” for the spyware maker.
But another former Variston employee said the company — like other spyware makers — would have been exposed eventually. “It’s bound to happen sooner or later,” the person said. “It’s quite normal.”
Natasha Lomas contributed reporting.
An earlier version of this report incorrectly attributed Google’s discovery of Variston’s tools to Italy, due to an error by the editor.