The Companies: Intellexa and Cytrox
Confirmed - Corporate Records Confirmed - International Reporting
The commercial surveillance ecosystem at the center of this investigation involves two interlinked entities:
| Entity | Jurisdiction | Role | Status |
|---|---|---|---|
| Intellexa S.A. | Athens, Greece | Commercial front for Predator spyware sales | Registered company |
| Cytrox | North Macedonia | Parent company / development arm | Linked to Intellexa |
Intellexa marketed Predator as a "lawful intercept" tool for government clients. The spyware can remotely access a target's smartphone -- messages, calls, camera, microphone, location, and encrypted communications -- with zero-click or one-click delivery. Cytrox, the North Macedonian parent, developed the core technology. Intellexa S.A., registered in Athens, handled the sales and client relationships.
These are not theoretical capabilities. Citizen Lab, Amnesty International, and the European Parliament have all documented Predator deployments against journalists, opposition figures, and government officials across multiple countries.
The Timeline: Summer-Fall 2021
Confirmed - Multiple Sources Critical Finding
The documented events cluster within a narrow window:
| Date | Event | Source |
|---|---|---|
| July-August 2021 | NSS Deputy Director co-authors paper on surveillance expansion | Published academic/policy paper |
| September 2021 | Hrachya Hakobyan (MP), Alen Simonyan (Speaker), and Vigen Badalyan (businessman) travel to Mykonos, Greece on VistaJet Challenger 850 private jet | Flight records, media reporting |
| October 2021 | Surveillance infrastructure identified in Armenia | Technical analysis, international researchers |
| August 2022 | Greek surveillance scandal breaks: 92 politicians and journalists monitored | European Parliament investigation, Greek media |
The sequence is: an NSS official writes about expanding surveillance capabilities (July-August 2021), senior Armenian officials fly to Greece on a private jet (September 2021), and surveillance infrastructure appears in Armenia (October 2021). Greece -- the destination of the trip -- is where Intellexa S.A. was headquartered.
The Greece Connection
Confirmed - Flight Records Pattern Analysis
The September 2021 trip to Mykonos, Greece raises specific questions:
| Detail | Fact | Significance |
|---|---|---|
| Travelers | Hrachya Hakobyan (MP), Alen Simonyan (Speaker), Vigen Badalyan (businessman) | Senior political figures + private sector |
| Aircraft | VistaJet Challenger 850 (private charter) | Not commercial aviation -- private, unscheduled |
| Destination | Mykonos, Greece | Same country as Intellexa S.A. headquarters (Athens) |
| Timing | September 2021 | One month before surveillance infrastructure identified in Armenia |
| Context | Intellexa S.A. registered in Athens | Greece was the operational hub for Predator sales |
We are not claiming this trip was for spyware procurement. We are documenting that senior Armenian officials traveled on a private jet to the country where Predator's commercial entity was headquartered, one month before surveillance infrastructure was detected in Armenia. The coincidence of timing, destination, and subsequent events warrants scrutiny.
The NSS Paper on Surveillance Expansion
Confirmed - Published Paper Pattern Analysis
In July-August 2021 -- the exact period when the timeline begins -- the NSS Deputy Director co-authored a paper discussing the expansion of surveillance capabilities. This document was produced during the same window that leads to the detection of Predator infrastructure in Armenia two months later.
| Element | Detail |
|---|---|
| Author | NSS Deputy Director (co-author) |
| Date | July-August 2021 |
| Subject | Surveillance capability expansion |
| Context | Two months before infrastructure detected in Armenia |
| Significance | Shows institutional interest in expanding surveillance during the exact procurement window |
A policy paper advocating surveillance expansion, authored by the deputy head of the security service, during the same period that surveillance technology appears in the country -- this is not a coincidence that can be dismissed without investigation.
The Greek Surveillance Scandal
Confirmed - European Parliament Confirmed - International Media
In August 2022, Greece became the epicenter of Europe's largest surveillance scandal:
| Fact | Detail | Source |
|---|---|---|
| Targets monitored | 92 Greek politicians and journalists | European Parliament investigation |
| Tool used | Predator spyware (Intellexa/Cytrox) | Citizen Lab, Amnesty International |
| Government response | Greek intelligence chief resigned | Greek government statements |
| EU response | European Parliament established PEGA Committee | EP records |
| US response | Intellexa consortium sanctioned by US Treasury (March 2024) | OFAC designation |
The same company, in the same country, that Armenian officials visited on a private jet -- was subsequently confirmed to have deployed surveillance tools against 92 targets in Greece alone. The Greek scandal confirmed that Predator was being actively marketed and deployed from Athens during the exact period of the Armenian events.
The Athens Digital Footprint: April 2018
Confirmed - Breach Data Pattern Analysis
A separate data point connects Armenian political figures to Athens through compromised credentials:
| Element | Detail |
|---|---|
| Date | April 2018 |
| Target | Credentials belonging to Anna Hakobyan |
| Computer username | "kingc" |
| Location | Athens, Greece (IP range 2.84.x.x) |
| Malware | Azorult stealer v3.2 |
| Significance | Armenian political figure's credentials compromised from Athens-based computer |
In April 2018, credentials belonging to Anna Hakobyan were compromised by Azorult stealer v3.2 from a computer with username "kingc" located in Athens, Greece (IP address in the 2.84.x.x range). This predates the 2021 events by three years, but establishes that Athens was already a node in the digital exposure of Armenian political figures.
The "kingc" computer in Athens harvested credentials from Armenian political circles in 2018 -- the year of the Velvet Revolution. Whether this was criminal, commercial, or state-sponsored remains unknown.
Breach Data: Intellexa and Cytrox Email Addresses
Confirmed - Public Breach Databases
Public breach databases contain email addresses directly referencing the surveillance companies:
| Email Address | Found In | Significance |
|---|---|---|
intellexa@rambler.ru | Public breach databases | Intellexa-branded address on Russian email provider Rambler |
cytrox@gmx.net | Public breach databases | Cytrox-branded address on GMX email provider |
The presence of intellexa@rambler.ru -- an Intellexa-branded address on the Russian email service Rambler -- raises questions about the company's connections to Russian-language markets. Similarly, cytrox@gmx.net on the German provider GMX represents a digital footprint of the parent company. These addresses appear in publicly available breach databases and may represent operational accounts, test accounts, or registration artifacts.
The Oversight Question
Pattern Analysis Critical Finding
Armenia's legal framework for surveillance procurement and deployment raises fundamental oversight questions:
| Question | Why It Matters |
|---|---|
| Was surveillance technology procured through official channels? | Public procurement records should document the purchase |
| Was parliamentary oversight informed? | The Speaker of Parliament was on the Greece trip |
| Who authorized the infrastructure deployment? | Infrastructure detected in October 2021 requires institutional authorization |
| Who are the targets? | Without disclosure, journalists, opposition, and civil society are at risk |
| What legal authority governs deployment? | Armenian law requires judicial authorization for surveillance |
| Has there been any judicial review? | No Armenian court has publicly addressed Predator deployment |
The presence of the Speaker of Parliament on the Greece trip is particularly significant for oversight. If Alen Simonyan -- whose role includes legislative oversight of security services -- was aware of or involved in surveillance procurement, the separation between the monitored and the monitors collapses.
International Context: Who Else Uses Predator
Confirmed - International Research
Predator has been documented in multiple countries, establishing a pattern of authoritarian and semi-authoritarian deployment:
| Country | Documented Use | Source |
|---|---|---|
| Greece | 92 politicians and journalists monitored | European Parliament PEGA Committee |
| Egypt | Opposition figure Ayman Nour targeted | Citizen Lab |
| Libya | Deployed amid civil conflict | UN Panel of Experts |
| Madagascar | Political surveillance | Citizen Lab |
| Cote d'Ivoire | Journalist targeted | Amnesty International |
| Serbia | Civil society targeted | Amnesty International |
Every confirmed Predator deployment has targeted opposition figures, journalists, or civil society. No government has used Predator exclusively against external threats. The pattern is domestic political surveillance.
What We Know vs. What We Don't
| Confirmed | Unknown |
|---|---|
| Intellexa S.A. was registered in Athens, Greece | Whether Armenian officials met with Intellexa during or around the Greece trip |
| Cytrox was based in North Macedonia as parent company | The exact procurement channel and contract terms |
| Surveillance infrastructure was identified in Armenia (October 2021) | Who specifically authorized the procurement |
| Armenian officials flew to Greece on private jet (September 2021) | The full list of surveillance targets in Armenia |
| NSS Deputy Director co-authored surveillance expansion paper (Jul-Aug 2021) | Whether judicial authorization was obtained |
| Greek surveillance scandal confirmed Predator deployment from Athens (Aug 2022) | Total financial cost of the procurement |
| Anna Hakobyan credentials compromised from Athens "kingc" computer (Apr 2018) | Whether the "kingc" computer is connected to surveillance vendors |
| intellexa@rambler.ru and cytrox@gmx.net exist in breach databases | What these email addresses were used for operationally |
The Timeline -- Complete
Confirmed - All Dates Documented
| Date | Event | Evidence Level |
|---|---|---|
| April 2018 | Anna Hakobyan credentials stolen from "kingc" computer in Athens (IP 2.84.x.x, Azorult v3.2) | Confirmed - Breach data |
| July-August 2021 | NSS Deputy Director co-authors paper on surveillance expansion | Confirmed - Published paper |
| September 2021 | Hrachya Hakobyan, Alen Simonyan, and Vigen Badalyan fly to Mykonos, Greece (VistaJet Challenger 850) | Confirmed - Flight records |
| October 2021 | Surveillance infrastructure identified in Armenia | Confirmed - Technical analysis |
| August 2022 | Greek surveillance scandal: 92 politicians and journalists monitored with Predator | Confirmed - European Parliament |
| March 2024 | US Treasury sanctions Intellexa consortium | Confirmed - OFAC |
Evidence Summary
| Claim | Evidence Level | Source |
|---|---|---|
| Intellexa S.A. registered in Athens | Confirmed | Greek corporate registry |
| Cytrox based in North Macedonia | Confirmed | Corporate records, Citizen Lab |
| Surveillance infrastructure in Armenia (Oct 2021) | Confirmed | Technical analysis |
| Hakobyan-Simonyan-Badalyan trip to Greece (Sep 2021) | Confirmed | Flight records, media |
| VistaJet Challenger 850 private jet | Confirmed | Flight records |
| NSS Deputy Director surveillance paper (Jul-Aug 2021) | Confirmed | Published paper |
| Greek scandal: 92 targets (Aug 2022) | Confirmed | European Parliament PEGA Committee |
| Anna Hakobyan credentials from Athens "kingc" (Apr 2018) | Confirmed | Breach database |
| IP 2.84.x.x Athens, Azorult v3.2 | Confirmed | Breach database |
| intellexa@rambler.ru in breach data | Confirmed | Public breach database |
| cytrox@gmx.net in breach data | Confirmed | Public breach database |
| US Treasury sanctioned Intellexa (Mar 2024) | Confirmed | OFAC designation |
Surveillance infrastructure appeared in Armenia in October 2021. One month earlier, the Speaker of Parliament flew to Greece on a private jet. During the same period, the NSS Deputy Director wrote about expanding surveillance. Greece was the home of Predator. No Armenian institution has ever acknowledged, investigated, or explained any of this. The question is not whether Armenia acquired surveillance technology. The question is who is being watched -- and who decided.
Sources
This investigation draws on: Greek corporate registry records, flight records, published academic/policy papers, Citizen Lab technical reports, Amnesty International research, European Parliament PEGA Committee findings, OFAC sanctions designations, publicly available breach databases, Armenian media reporting, and open-source digital forensics. No systems were accessed or penetrated.