Earlier this week, the US government announced sanctions against the founder of a controversial government spyware maker, Tal Dilian, and his business partner, Sara Aleksandra Fayssal Hamou.
In announcing the sanctions, US Treasury officials accused Dilian and Hamou of developing and selling spyware that was then used to target Americans, including US government officials, as well as policy experts and journalists, actions that enabled human rights abuses around the world.
The move was the first of its kind. Until now, the US government has targeted spyware companies – not the people who run them – by putting them on blacklists and imposing sanctions that prevent any US person or company from funding or doing business with them. But as of now, it looks like the gloves are off. If the US government believes that someone sold spyware to dictators, or that their company’s spyware was used against the wrong targets, it will go straight after the people who run these spyware companies.
And people working in the government spyware industry expressed concern.
“Wow. That’s big,” said a former head of a spyware company that sold to governments when TechCrunch shared news of the sanctions with him.
The person, who like others in this story spoke on condition of anonymity, said he was concerned but also confident his former company followed regulations and did things the right way, unlike Dilian, the founder of Intellexa, which was also sanctioned by the Treasury.
“He sold to whoever was willing to pay,” the former spyware chief said.
The person also added that, in his opinion, Dilian was wrong to try to circumvent restrictions previously placed on his company by the US government. In 2023, the Biden administration placed Dilian’s companies Intellexa and Cytrox on a blacklist called the “entity list.” Once a company is on this list, US businesses and individuals can no longer do business with the blocked company.
“I think that’s what pissed off the Americans,” the former spyware chief said.
Another person who worked in the spyware industry said that Dilian “moves like an elephant in a crystal shop,” implying that Dilian’s activities were anything but covert, if not brazen.
“In this particular space of spyware vendors you have to be extremely balanced and careful…but he didn’t care,” the person said.
At the same time, the person said that he is glad that he left the industry, because times have changed.
According to a third person who works in the spyware industry, the sanctions against Dilian and his business partner Hamou should give the entire market a moment of reflection.
“If I had to go back to actively work in this industry and I couldn’t find a dedicated client that was extremely reliable, [sanctions] would be a risk,” said the third person. “A company, no matter how serious, can never be 100% sure of how its customers are acting and the political developments that may involve them.”
Before this week’s sanctions, the last action the US government took against spyware makers was to announce that the State Department could impose travel bans and visa restrictions on individuals involved in facilitating or enabling spyware abuses.
Before that, in 2021, the US Department of Commerce added to its blacklist the NSO Group, an Israel-based spyware maker whose tools have been documented to have been used against journalists, politicians, dissidents and human rights defenders in several countries such as Hungary, Mexico, Poland, Saudi Arabia and Spain. Two years later, in 2023, Cytrox and Intellexa also entered the same list as NSO Group.
Given that NSO Group and Candiru, another Israeli spyware maker, were placed on a denylist just as Intellexa was, it would make sense for the US government to target the founders and executives of these two other companies.
However, it is not clear whether the people who run these companies care.
Dilian could not be reached for comment. Hamou did not respond to a request for comment.