How Barcelona became an unlikely hub for spyware startups



Towards the end of 2023, an Israeli security researcher from Tel Aviv said he was contacted via LinkedIn and offered the opportunity to work abroad “with good pay.” He said the company’s human resources department told him it was a “legitimate” offensive security company that started from scratch in Barcelona, Spain.

But during the entire hiring process, the researcher told TechCrunch, things seemed a bit off.

“The whole secrecy was very strange. Some of the employees who interviewed me did not use their full names, and it took them a very long time to reveal the location of the company, let alone its name. Why is it a secret if everything is legitimate?” the researcher told TechCrunch. “It looks like the company may be hit with sanctions in the future, and things could get dirty.”

When he spoke to the company’s chief technology officer, the researcher said he was told something along the lines of, “We will only have legitimate customers, and unlike other companies, we will not sell to suspicious countries.”

Alexei Levin, the CTO doing the hiring and a former researcher at sanctioned spyware maker NSO Group, told the researcher that the company trying to hire him was called Palm Beach Networks, and that it develops everything from zero-day exploits used to hack devices to the spyware implants themselves, referring to the monitoring software that is installed on the target’s device, according to the researcher.

The researcher said Levin also told him that Palm Beach Networks had at least one U.S. government client. (Levin did not respond to a request for comment.)

But why was a spyware startup founded in Barcelona, which just years ago was at the center of a massive political scandal in which Spanish government officials used spyware to target local politicians who pushed for independence? For the same reasons as many other startups in the city: the researcher said that company employees told him that living in the city was similar to living in Israel, with good tax benefits and good weather.

These are some of the reasons why Barcelona has in the last couple of years become an unlikely hub for spyware companies, according to several people working in the offensive cybersecurity industry who spoke with TechCrunch, as well as the business records we’ve seen.

Barcelona’s transformation into a crucial regional hub for offensive cybersecurity companies puts the spyware problem squarely on the doorstep of Europe, which has a tense relationship with surveillance technology because of scandals in Cyprus, Greece, Hungary, and Poland, all of which involve Israeli spyware makers.

“It’s a worrying development if a major city in Europe becomes a hub for spyware makers,” Natalia Krapeva, a legal advisor at the nonprofit Access Now, which specializes in spyware investigation and research, told TechCrunch. Krapeva said the business of spyware “goes hand in hand with corruption and abuse of power.”

“Spanish citizens, media and policymakers should carefully scrutinize these companies with regard to whether their operations are compliant with national and EU laws and whether the Spanish government may be involved in misusing their surveillance tools, especially given Spain’s history with Pegasus,” Krapeva said.

John Scott-Railton, a senior researcher at Citizen Lab, where he and his colleagues have been investigating breaches carried out using spyware for more than a decade, also expressed concern. Scott-Railton noted that in the past there have been cases of misuse of spyware not only against human rights activists and dissidents in non-democratic countries such as Ethiopia and Saudi Arabia, but also against American diplomats, and that it has targeted individuals, including politicians and citizens, within Europe’s borders.

This would add fuel to the fire of the spyware crisis in Europe. If experience is any guide, it is only a matter of time before this technology ends up being used by agents against Spain’s allies and EU partners. “Governments that allow this industry to flourish are risking their covert capabilities and human capital. These capabilities tend to trickle outward, including to potential future adversaries, once spyware developers and exploit mercenaries arrive in town and start hiring.”

A view of the Sagrada Familia in the evening light in Barcelona, Spain, on October 19, 2024. (Photo by Joan Valls/Urbanandsport/NurPhoto/GETTY IMAGES)

Sun, seafood, spyware

Aside from Palm Beach Networks, as it was known at the time, Barcelona is home to several other spyware and exploit makers who also make the most of the city’s sunny and mild weather, fresh seafood and vibrant expat community.

Among them are Paradigm Shift, a clone of beleaguered startup Variston, which lost its employees and was struggling to survive in 2024; and Epsilon, which is led by Jeremy Fetiveau, an industry veteran who worked in a division within US defense giant L3Harris, which was created after the company acquired Australian startup Azimuth. Fetiveau did not return a request for comment.

The city is also said to be home to an unnamed group of Israeli researchers who moved to Barcelona from Singapore to work on the development of zero-day exploits. The presence of this unnamed team, as well as the presence of Epsilon in Barcelona, was first reported by the Israeli newspaper Haaretz, whose article sparked coverage in local newspapers and news websites.

Other cybersecurity companies have a presence in Barcelona, even if they are not headquartered there. Andriana Šekularac, CEO of Austrian cybersecurity company SAFA, lives in the city, according to her public LinkedIn profile. SAFA has sponsored offensive cybersecurity conferences, including OffensiveCon and Hexagon, and employs at least two security researchers with previous experience at spyware companies, according to their public LinkedIn profiles. Šekularac also did not respond to a request for comment.

These zero-day and spyware companies are part of a broader cybersecurity and startup ecosystem in Barcelona. As of last year, according to the Catalan regional government, there were more than 10,000 people working in more than 500 cybersecurity companies in Barcelona, or about 50% more workers than five years ago.

Contact us

Do you have more information about Epsilon, Head and Tail, Paradigm Shift, or other government spyware makers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or by email. You can also contact TechCrunch via SecureDrop.

Barcelona is not only a hotbed for surveillance technology makers, but also a hotbed for startups in general; some rankings place the city among the best startup hubs in Europe. The city is the founding home of food delivery startup Glovo, which rival Delivery Hero valued at 2.3 billion euros in 2021 when it acquired a majority stake in the Catalan company; orthodontics startup Impress, which raised $125 million in 2022 and $114 million in 2024; and the business travel management platform TravelPerk, which raised $105 million in 2024; among more than 2,200 other startups, according to the Startup Center of Barcelona and Catalonia, a local government project that tracks the startup ecosystem in the region.

The city is attractive to workers because the cost of living is cheaper compared to other European startup hubs such as London, Amsterdam and Berlin. Then, there are perhaps the most obvious reasons, at least for anyone who has visited Barcelona: the city has beautiful beaches, like Tel Aviv, Cyprus and Greece, places that are or have been home to spyware companies like NSO Group, Circles, and Intellexa.

There are also other reasons, besides the city’s attractiveness, that have drawn Israeli security researchers in particular to Barcelona. As reported by Haaretz newspaper at the end of December 2024, Israel became more restrictive in granting licenses to export spyware to other countries in the wake of scandals involving the NSO Group, leaving the door open for companies to move abroad. It is now more difficult for companies to export spyware from Israel to the rest of the world, including the European Union, than it is to export it from within the bloc itself.

One person told Haaretz that this process is not “immigration to Spain, but rather expulsion to Spain.”

While Paradigm Shift publicly advertises itself as an offensive cybersecurity company, with job listings for roles that fit this type of work, other companies are not as transparent, just like Variston used to be. Paradigm Shift is headed by Leon Ponturieri, according to company business records, as well as Filippo Roncari and Simone Ferrini, according to their public LinkedIn profiles. The three were part of an Italian startup that was acquired by Variston in 2018, when the company launched in Barcelona and was one of the first spyware companies to set up operations in the Catalan city.

Paradigm Shift representatives did not respond to a request for comment.

A hidden startup with many names

Palm Beach Networks has so far avoided any public allegations of involvement in human rights abuses, unlike spyware maker NSO Group and, before it, Hacking Team and FinFisher. But the company has an interesting history of changing names, a strategy that other spyware vendors have previously used to hide ownership of their companies. Israeli spyware maker Candiru was rebranded several times before the company was added to the US government’s trade embargo list in 2021, and NSO itself has a complex institutional structure.

The name Palm Beach Networks “was somewhat secret and was only mentioned by Levin and others in later stages,” according to the Israeli researcher.

As it turns out, Palm Beach Networks may actually be an old name, the second iteration of a startup with a different identity.

A company called Defense Prime Inc. changed its name to Palm Beach Networks on May 11, 2023. On June 16, 2023, a company called Head and Tail began operations in Barcelona. Then on June 28, 2024, Palm Beach Networks was dissolved, according to business records filed in Florida and Spain.

Defense Prime and Palm Beach Networks appear to be related to Head and Tail due to overlapping executives and key figures.

A person named Sai Gopal is listed as the authorized signatory of Head and Tail in the Spanish commercial registers, and a person of the same name was listed as treasurer of Defense Prime in Florida business records. Gopal could not be reached for comment.

Business records also show that Alexei Levin, the CTO who tried to hire an Israeli security researcher at Palm Beach Networks, is the director of Head and Tail. Representatives for Head and Tail did not respond to TechCrunch’s request for comment.

A current executive at a spyware maker, who requested to remain anonymous, told TechCrunch that Levin works at Palm Beach Networks. Previously, the executive said, Levin was an early developer at NSO Group, then also worked at Candiru.

On its official website, Head and Tail doesn’t explicitly mention the fact that it develops monitoring technology, but instead says it addresses “a myriad of cybersecurity issues, including threat intelligence, vulnerability assessments, security awareness training, and incident response.” The company has job listings for Barcelona, Madrid and Seville.

Ultimately, the Israeli researcher turned down the opportunity to work at Palm Beach Networks, even though people he knew told him that the company pays some of its employees enormous salaries that far exceed the country’s overall annual average.

The researcher said he was concerned that he might end up like some NSO Group employees, who have had to deal with the fallout from human rights scandals, with Facebook blocking and deleting their personal accounts and the American government threatening to refuse their visas.

“I could get enough money somewhere else and not have to worry about what would happen or who I was working for, especially when I felt like they didn’t have transparency in the company and I didn’t know who the person I was working for was,” the researcher said. Customers are.”


