Greek intelligence allegedly uses Predator spyware to wiretap Facebook security staffer

An eye overlaid with sharp-angled graphics and different colours like pink white and blue, all denoting a cyber element of surveillance such as spyware
(Image credit: Getty Images)

A former Facebook employee in Greece, a US national, was allegedly placed under a wiretap by the country’s national intelligence service through Predator spyware.

Artemis Seaford worked for Facebook between 2020 and 2022 as a trust and safety manager in Greece. She became suspicious of a potential hack after spotting her name on a leaked list of spyware targets in the Greek news media, according to the New York Times which first reported the story.

She worked on cyber security policy and was in contact with Greek and European officials during her role.

After realising her details were leaked, Seaford submitted her mobile phone to the University of Toronto's Citizen Lab, which investigated the device.

Citizen Lab, known for spearheading research into international spyware such as Pegasus and Predator, found that the phone had been hacked with Predator spyware in September 2021 for at least two months.

However, the organisation said that the device could have also been infected at a different time, as well as longer than two months.

Seaford booked an appointment for a COVID-19 booster shot in September 2021 using the Greek government’s vaccination portal. The Facebook employee then received an SMS confirming the appointment, and then another SMS message asking her to confirm her details by clicking on a link.

The second text message with the link was reportedly the method used to install the Predator spyware onto her phone.

The vaccination appointment details in the message were correct, and there is a suggestion that someone reviewed the earlier message before manually composing the second, infected message using that correct information.

“Anyone, anywhere can fall prey to spyware hacking. I should know - I was a Predator target,” Seaford said on Twitter. “This does not make it normal. We need our governments and international bodies to protect us.”

This hack would make Seaford the first known case of a US citizen being targeted by spyware in an EU country.

“This Predator case is further evidence that the mercenary spyware problem in the EU is out of control,” said John Scott-Railton, senior researcher at Citizen Lab, on Twitter. “And it's directly impacting US nationals working on sensitive topics.”

Seaford has filed a lawsuit in Greece, which forces prosecutors to open an investigation into the incident. She also filed a request with the independent constitutional watchdog to determine if the national intelligence service wiretapped her phone.

Two NYT sources stated that Seaford had been wiretapped since August 2021 by the intelligence service, and for several months in 2022.

The Citizen Lab investigation found that the information taken from the wiretap might have helped to provide intelligence to organise the attack to implant the spyware.

What is Predator spyware and who makes it?

Predator spyware is a surreptitious program that’s able to offer surveillance capabilities. It's installed on devices through links sent via messages that when clicked, lead to the download of the spyware.

It’s similar to the NSO Group’s Pegasus which was used in the past to target Saudi critic Jamal Khashoggi.

Predator is built and sold by Cytrox, a company founded in North Macedonia with a corporate presence in Israel and Hungary, according to a report from Citizen Lab.


Achieving zero trust for corporate networks

Zero trust is a new way of thinking about information security


The organisation found that customers for the spyware are likely to be based in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

Cytrox has been reported to be part of Intellexa, a 'star alliance of spyware', which aims to compete with the NSO Group, said Citizen Lab. This is a group of surveillance vendors that appeared in 2019, consisting of companies like Nexa Technologies, Cytrox, and Senpai.

Citizen Lab’s report stated that Intellexa operates from Greece, with the alliance having a corporate presence there as well as in Ireland.

In December 2021, the spyware was reported to have targeted the iPhones belonging to two exiled Egyptians, a politician and a journalist. Both individuals received links through WhatsApp which were believed to be used to launch the spyware's installation.

At the time, Citizen Lab said it had medium-to-high confidence that the spyware attacks were carried out by the Egyptian government.

How is Greece connected to wiretapping?

In January 2023, the Greek parliament’s chamber of deputies voted 156 to 143 to defeat a no-confidence vote in Kyriakos Mitsotakis, the Greek prime minister, according to the Guardian.

The vote had been called due to an alleged phone-tapping scandal which saw politicians, military officials, and journalists targeted.

This includes Nikos Androulakis, the head of Greece’s third-largest political party, who claimed that he had been wiretapped by the national intelligence service, as well as being targeted by Predator spyware.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.