Barcelona Becomes a Hub for Cyber-Espionage: NGOs Raise Alarm Over Secret Spyware Summit
From Wednesday night until early Friday morning, cyber-spies from major global spyware companies are converging in Barcelona for a secret meeting. This clandestine gathering, organized by an Israeli firm, includes companies allegedly linked to human rights violations, sparking significant concern among human rights organizations.
The event, initially revealed by this newspaper in December, is being held at an undisclosed location in Barcelona’s Eixample district. It features discussions on new methods for implementing surveillance software on devices belonging to citizens, public officials, and other targets. Industry sources highlight that a key aspect of the meeting is networking among cyber-spies and brokering commercial deals between companies and clients.
Legitimizing Harmful Practices: The Concerns of NGOs
Human rights organizations, including Amnesty International and Access Now, a digital rights advocacy group, are deeply troubled by the precedent set by this meeting. They fear it lends an air of legitimacy to these companies despite their controversial practices and consolidates Barcelona’s role as a European hub for cyber-espionage.
“These events seek to whitewash their legitimacy and encourage more spyware providers to establish themselves in European cities as secure operational bases,” explains Rand Hammoud, global surveillance lead at Access Now.
While participating companies ostensibly focus on identifying vulnerabilities in IT systems and mobile devices, experts describe this as a “euphemism” for selling spyware to governments and security forces. As this newsroom previously uncovered, the event is organized by Epsilon, a Barcelona-based spyware company founded by an Israeli researcher. Epsilon specializes in identifying “zero-day” vulnerabilities in mobile phones and boasts “zero-click” products, meaning they can be installed without any user interaction.
Barcelona’s Growing Role in Cyber-Espionage
The choice of Barcelona as an operational base for these companies, a trend that began after the pandemic, is a significant concern for human rights organizations. Dozens of cyber-spies, many of them Israeli, have established and registered their companies in the Catalan capital.
Some sources suggest this relocation to Europe aims to facilitate the export of their products to other EU member states with fewer restrictions than if they operated from Israel. Others point out that European governments and their security agencies are often the primary clients for these companies, lacking their own sophisticated surveillance tools.
“Barcelona has become a prominent center for security researchers in recent years,” notes Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab. “As is common in the sector, little is known about the end customers – governmental or otherwise – of these companies.”
Amnesty International urges EU member states and Spanish authorities to be transparent about any export licenses granted for high-risk cyber-surveillance products like spyware. They emphasize that these products are subject to arms export regulations.
“Weak enforcement of export controls creates a permissive environment where companies can operate from Europe while exporting surveillance tools to governments with serious human rights violations,” Hammoud of Access Now reiterates.
Companies with a Dubious Past
The company organizing the event is led by Frenchman Jeremy Fetiveau, an industry veteran who previously worked at Trenchant, a cybersecurity division of the US defense giant L3Harris. Neither Fetiveau nor Epsilon responded to elDiario.es’s request for comment. The Barcelona City Council also declined to comment on the meeting.
Another participant is the Israeli firm Radiant Research, with offices in Tel Aviv and Barcelona. Its staff includes veterans of Israel’s elite military cyber-intelligence Unit 8200 and former employees of NSO, the company behind the Pegasus spyware. Radiant Research sells its products to state actors in the West or through defense contractors, stating on its website: “We develop advanced cyber capabilities for a select group of military, intelligence, and law enforcement agencies,” and “We take on challenges others might shy away from.”
Paradigm Shift, a company registered in 2024 by three Italian partners, also participates, offering services to security agencies and law enforcement. All its founders are former employees of Variston, a company identified by Google in 2023 for providing spyware from Barcelona to a group of hackers targeting citizens in the United Arab Emirates.
This ongoing trend raises critical questions about the ethical implications of Barcelona becoming a hub for an industry with such a controversial track record, and the potential impact on privacy and human rights globally.
