Egyptian Politician Hacked by 2 Government Hacking Groups, Researchers Say

Citizen Lab found that an Egyptian politician’s iPhone was hacked by two different government hacking groups, using spyware made by NSO Group and a competitor called Cytrox.

Two different groups of government hackers, using spyware made by different providers, hacked a prominent Egyptian opposition politician, according to a new report. 

Citizen Lab, a digital rights watchdog housed at the University of Toronto Munk School, analyzed the iPhone of Ayman Nour, an Egyptian politician who has been a vocal opponent of current President Abdel Fattah Al-Sisi, and found that it was infected by spyware made by Israeli spyware maker NSO Group, as well as by a new player in the industry called Cytrox, according to a new report published on Thursday.


The hack against Nour is yet another example of a government using tools made by Western cybersecurity companies to target prominent dissidents and politicians. It’s also a sign that the spyware-as-a-service industry—which insiders call the “lawful intercept” industry—is filled with many players beyond the controversial and well-known NSO Group.

“The targeting of a single individual with both Pegasus and Predator underscores that the practice of hacking civil society transcends any specific mercenary spyware company. Instead, it is a pattern that we expect will persist as long as autocratic governments are able to obtain sophisticated hacking technology,” Citizen Lab researchers wrote in the report. “Absent international and domestic regulations and safeguards, journalists, human rights defenders, and opposition groups will continue to be hacked into the foreseeable future.”

Citizen Lab researchers also found traces of Cytrox’s spyware on the iPhone of an Egyptian journalist, who asked to remain anonymous. 

At the same time, Facebook found around 300 accounts on Facebook and Instagram operated by Cytrox. The company, according to a new Facebook report also published Thursday, had an infrastructure made of domains spoofing legitimate news entities such as the BBC, CNN, and Fox News. Facebook researchers said that Cytrox customers targeted politicians and journalists around the world, including in Egypt and Armenia. 


Nour, who lives in exile in Turkey, suspected something was wrong with his iPhone when he noticed last summer that it was “running hot,” as Citizen Lab researchers put it. Indeed, there were two separate spyware programs running on it, Pegasus, made by NSO, and what Citizen Lab calls Predator, made by Cytrox. 


Bill Marczak, a senior researcher at Citizen Lab, said that he and his colleagues believe the Egyptian government is likely the one who used Predator to target Nour. 

“The Egyptian Government is not known to be a Pegasus customer,” Marczak said. “I'm not fully sure which Pegasus customer used the spyware against Nour, but the UAE and Saudi are two customers that appeared to do a bunch of spying against targets in Turkey with Pegasus.”

The attack started via malicious WhatsApp messages containing images, which Nour clicked on. The malware itself, according to Marczak, “was quite haphazard, with a bunch of testing or older versions of unused code included.” The exploits used to install it on the phone, however, “are a heck of a lot better than their spyware,” he said.


“This might indicate that they're buying the exploits from another player in the industry,” he told Motherboard in an online chat. 

Cytrox’s CEO and founder Ivo Malinkovski did not respond to requests for comment made via email and LinkedIn. After Motherboard sent him a message on LinkedIn, Malinkovski removed all references to Cytrox from his profile on the platform. He did not, however, change his profile picture, which shows him posing in front of a Cytrox-branded mug. 


The LinkedIn profile picture of Cytrox’s CEO and founder Ivo Malinkovski

Cytrox is part of Intellexa, a surveillance group that is trying to compete against NSO, according to several media reports. Intellexa did not respond to a request for comment made through the contact form on its website. 

As part of its actions against Cytrox, Facebook also removed fake accounts belonging to other surveillance-for-hire companies, such as the infamous Black Cube, Cobwebs Technologies, Cognyte, Bluehawk CI, and Belltrox.

A Black Cube spokesperson said that the company “does not undertake any phishing or hacking and does not operate in the cyber world.”

“Black Cube is a litigation support firm which uses legal Humint investigation methods to obtain information for litigations and arbitrations,” read the statement sent via email to Motherboard. “Black Cube works with the world’s leading law firms in proving bribery, uncovering corruption, and recovering hundreds of millions in stolen assets. Black Cube obtains legal advice in every jurisdiction in which we operate in order to ensure that all our agents' activities are fully compliant with local laws.”

A Cobwebs Technologies spokesperson told Motherboard in an email that the company has “not been contacted by Facebook (Meta) and are unaware of any claims it has allegedly made about our services.”

“CobWebs operates only according to the law and adheres to strict standards in respect of privacy protection.”

Cobwebs Technologies, Cognyte, and Bluehawk CI did not respond to a request for comment. Belltrox could not be reached for comment.
