A lawyer who was allegedly hacked with government-grade spyware made by the infamous surveillance tech maker NSO Group has filed a complaint in court against two of the company’s founders and one executive. It appears to be the first attempt to hold the people behind a spyware company accountable for hacking crimes, rather than just the company itself.
On Wednesday, the Barcelona-based human rights nonprofit Iridia announced that it had filed a complaint in a Catalan court earlier this week accusing NSO’s founders Omri Lavie and Shalev Hulio, as well as Yuval Somekh, an executive of two affiliate companies, of hacking crimes.
Iridia represents lawyer Andreu Van den Eynde, an attorney and university professor who specializes in cybersecurity. According to a 2022 investigation by Citizen Lab, a nonprofit that has been investigating government spyware for more than a decade, Van den Eynde was among the victims of a wide-ranging hacking campaign against at least 65 Catalans linked to the region’s attempts to become independent from Spain, which was carried out using NSO’s Pegasus software. Amnesty International independently confirmed Citizen Lab’s findings.
Van den Eynde and Iridia filed a lawsuit against NSO in a Barcelona court in 2022. Until this week, the lawsuit named NSO as well as Osy Technologies and Q Cyber Technologies, two Luxembourg-based affiliates of NSO as defendants. Today, the nonprofit and the lawyer asked the judge presiding over the lawsuit to expand it to include Lavie, Hulio, and Somekh.
“The people responsible for NSO Group have to explain their concrete activities,” a legal representative for Iridia and Van den Eynde wrote in the complaint, which was written in Catalan.
“Van Den Eynde was spied on to gain access to his clients and the legal strategy of the cases he was handling, creating a chain effect of rights violations: by spying on him, all his contacts were indirectly spied on,” Iridia wrote in a press release. “What is more, this surveillance is carried out without any criminal proceedings being brought against him and therefore without any judicial control.”
The complaint alleges that three three executives were responsible for “selling illegal software,” and participating and cooperating in the illegal use of the software.
Gil Lainer, vice president of global communications for NSO, told TechCrunch that the company has no comment.
Shalev did not respond to messages asking for comment. Lavie referred questions to his representative Hedan Orenstein.
“I understand that the plaintiffs are requesting to include Omri’s name as a defendant. But is there a specific allegation about an act attributed to Omri? They could theoretically ask to include both your name and mine as well,” Orenstein told TechCrunch.
Van den Eynde told TechCrunch that he is not happy to be a victim because he’d rather focus on his own work and interests in technology.
“The truth is that with all this Pikachu (I never mention the name of the spyware to make it harder when they leak my emails, lol) being a victim of the acts I try not to amplify this situation,” he said in an email.
Other victims of the alleged hacking campaign have put pressure on the Spanish government to disclose details of the alleged surveillance against them. In 2020, Motherboard first reported that the Spanish intelligence agency Centro de Inteligencia Nacional (National Intelligence Centre, or CNI) had purchased NSO spyware. The Spanish government at first denied the accusation that it was responsible for the alleged hacks against the Catalan politicians, arguing that it “doesn’t spy on its political opponents.”
The CNI said that its work was overseen by the Spanish Supreme Court and “in full accordance with the legal system, and with absolute respect for the applicable laws.” Its former director Paz Esteban later testified in Spain’s Congress and said 18 members of the independence movement were spied on with judicial approval.
At the time he was allegedly hacked, Van den Eynde was representing several politicians of Esquerra Republicana de Catalunya (Republican Left of Catalonia), who were involved in what Catalan politicians referred to as “el procés,” a catchall phrase to refer to the independece movement as well as the steps it took to attempt to have Catalonia secede from Spain. The most controversial of those steps was the independence referendum that the Catalan government called on October 1, 2017, which Spain’s constitutional court later declared as illegal.
There are several legal cases against NSO all over the world, including lawsuits in the U.S. launched by Apple and WhatsApp. Both cases are ongoing.
