
Candiru

Also known as: Saito Tech · Grindavik Solutions

HQ Country
🇮🇱 Israel
Category
surveillance tech
Threat Score
82/100
Incidents
18
Known Clients

  • Saudi Arabia intelligence
  • United Arab Emirates government
  • Uzbekistan National Security Service
  • Singapore government
  • Unidentified European intelligence agencies

Deployment Countries

🇮🇱 IL · 🇸🇦 SA · 🇦🇪 AE · 🇺🇿 UZ · 🇸🇬 SG · 🇶🇦 QA · 🇹🇷 TR · 🇬🇧 GB · 🇪🇸 ES · 🇦🇲 AM

References

  • Microsoft & Citizen Lab DevilsTongue Exposé (2021)
  • U.S. Commerce Department Entity List (2021)
  • Citizen Lab Hooking Candiru Report

Overview

Candiru is an Israeli offensive cyber company founded in 2014 by Eran Shorer and Yaakov Weizman, both veterans of Israel's signals intelligence apparatus. The company derives its name from the candiru, a parasitic fish notorious for its invasive behavior, a naming choice that reflects the firm's operational philosophy. Candiru has operated under multiple corporate identities including Saito Tech Ltd., Grindavik Solutions, and various other shell entities, cycling through names to obscure its activities and evade public scrutiny.

Corporate Opacity

Candiru represents one of the most secretive companies in the Israeli surveillance technology ecosystem. Unlike NSO Group, which has engaged in limited public communications, or Intellexa, whose founder Tal Dilian openly demonstrated interception capabilities to journalists, Candiru has maintained near-total opacity:

  • No public website, press releases, or corporate communications
  • Multiple name changes and corporate restructurings to avoid identification
  • Employees reportedly sign strict non-disclosure agreements prohibiting discussion of the company's existence
  • The company was virtually unknown to the public until Citizen Lab's 2021 investigation

Headquartered in Tel Aviv, Candiru reportedly employed approximately 120 staff as of 2021, with annual revenues estimated at $30 million. The company is privately held, and its ownership structure has been deliberately obscured through layers of corporate entities registered in Israel and offshore jurisdictions.

Connections to Israel's Intelligence Community

Like most Israeli offensive cyber companies, Candiru draws its talent from the Israel Defense Forces' elite intelligence units, particularly Unit 8200 (signals intelligence) and Unit 81 (technology and intelligence). The revolving door between Israeli military intelligence and the commercial spyware industry provides companies like Candiru with a pipeline of engineers trained in vulnerability research, exploit development, and offensive cyber operations at government expense.

Candiru's founders, Shorer and Weizman, brought extensive intelligence community connections that facilitated both recruitment and client acquisition. Israeli surveillance vendors benefit from the Israeli government's use of spyware export licenses as diplomatic currency, a dynamic documented in the broader NSO Group and Intellexa contexts.

Candiru sells exclusively to government intelligence and law enforcement agencies, offering an arsenal of spyware tools capable of compromising Windows computers, iPhones, Android devices, and Mac computers. The company's product catalog, partially revealed through a leaked 2017 project proposal document, shows a modular pricing structure where clients pay for different levels of capability, from basic device infection to persistent monitoring and data exfiltration.

Data Collection Practices

Candiru's flagship spyware, identified by Microsoft's Threat Intelligence Center (MSTIC) as "DevilsTongue," enables comprehensive surveillance of targeted individuals across multiple device types and operating systems.

DevilsTongue Malware

DevilsTongue is a modular, multi-platform espionage tool with capabilities documented by Microsoft and Citizen Lab in July 2021:

  • Browser exploitation: DevilsTongue exploited zero-day vulnerabilities in Google Chrome (CVE-2021-21166 and CVE-2021-30551) and Internet Explorer to deliver initial payloads through watering-hole attacks and targeted links
  • Windows privilege escalation: Exploited Windows zero-day vulnerabilities (CVE-2021-31979 and CVE-2021-33771) to escalate from browser-level access to full system compromise
  • Cross-platform infection: Capable of compromising Windows PCs, macOS computers, iPhones, and Android devices through platform-specific exploit chains

Once installed, DevilsTongue provides operators with:

  • Exfiltration of files, messages, and passwords from the compromised device
  • Access to messaging applications including Signal, Telegram, and WhatsApp on both desktop and mobile
  • Browser cookie and credential theft, enabling impersonation of the target on websites and web services
  • Email harvesting from Outlook, Gmail, and other email clients
  • Real-time microphone and camera activation
  • Keylogging of all typed input
  • Screenshot capture at specified intervals
  • Location tracking via GPS and network data

Watering-Hole Infrastructure

Citizen Lab identified over 750 websites linked to Candiru's spyware infrastructure, including domains impersonating legitimate organizations such as Amnesty International, the Black Lives Matter movement, international media organizations, and various NGOs. These fake domains served as watering holes and phishing lures to deliver DevilsTongue to targeted individuals.

The use of domains mimicking human rights organizations is particularly cynical: the very communities most likely to be targeted by Candiru's government clients are lured through imitations of the organizations that defend them.

Leaked Product Catalog

A leaked 2017 Candiru project proposal, reported by TheMarker (Haaretz's business publication), revealed a tiered pricing structure:

  • Basic package: $16 million for the ability to monitor 10 devices simultaneously
  • Additional capabilities: Priced incrementally, including access to specific messaging applications, email monitoring, and cloud account compromise
  • Unlimited package: Up to $30 million for comprehensive monitoring of an unlimited number of targets

This pricing structure confirms that Candiru's technology was designed for systematic, large-scale surveillance rather than targeted use against individual criminal or terrorism suspects.

Known Clients & Government Contracts

Citizen Lab's technical analysis mapped Candiru spyware infrastructure to at least 10 countries, with government clients spanning the Middle East, Central Asia, Europe, and Southeast Asia.

Saudi Arabia: Candiru infrastructure was identified in Saudi Arabia, where the government has a documented pattern of deploying commercial spyware against journalists, activists, and dissidents. Given Saudi Arabia's simultaneous use of NSO Group's Pegasus, including against associates of murdered journalist Jamal Khashoggi, the addition of Candiru's capabilities represents a layered surveillance approach in which multiple spyware vendors provide redundancy and expanded target coverage.

United Arab Emirates: UAE intelligence agencies were identified as Candiru clients, consistent with the UAE's pattern of deploying multiple commercial spyware platforms. The UAE previously deployed Pegasus against human rights activist Ahmed Mansoor and has invested heavily in building one of the most comprehensive digital surveillance states in the Middle East.

Uzbekistan: Candiru spyware infrastructure was linked to Uzbekistan, where the National Security Service (SNB) has a documented history of surveilling journalists, opposition figures, and human rights activists. Uzbekistan's surveillance apparatus has been implicated in the monitoring of exiled dissidents across multiple countries.

Singapore: Infrastructure linked to Singapore's intelligence services was identified, raising concerns about the deployment of offensive cyber tools by a government that maintains strict controls on political expression and media freedom despite its democratic facade.

Turkey, Qatar, Armenia, Spain, and the United Kingdom: Citizen Lab identified Candiru-linked infrastructure in each of these countries, suggesting government clients in each jurisdiction. The presence of Candiru operations in EU and NATO member states demonstrates that the market for commercial spyware extends well beyond authoritarian regimes.

Iran and Lebanon: Citizen Lab's infrastructure analysis identified DevilsTongue targets in Iran and Lebanon, including political dissidents and journalists critical of the Iranian government. The targeting of Iranian individuals by a tool sold by an Israeli company raises the possibility that Candiru's technology is being used as an instrument of state intelligence operations, not just domestic law enforcement.

Targeting of Palestinian Civil Society: In November 2021, Microsoft and Citizen Lab confirmed that Candiru's DevilsTongue was used to target Palestinian human rights organizations, journalists, and activists. At least 100 individuals in Palestine, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore were identified as targets. The targeting of Palestinian civil society organizations, some of which were simultaneously designated as "terrorist organizations" by the Israeli government in a widely criticized move, demonstrated the intersection of commercial spyware and state policy.

Multi-Vendor Stacking: The identification of Candiru alongside NSO Group and Intellexa in several of the same client countries, Saudi Arabia, UAE, and others, reveals a pattern of governments acquiring spyware from multiple vendors simultaneously. This redundancy strategy ensures that if one vendor's tools are detected and neutralized, alternative platforms remain operational, and that different tools can be deployed against different target categories based on their respective strengths.

Privacy Incidents & Litigation

Microsoft and Citizen Lab Joint Disclosure (July 2021)

In a coordinated disclosure that represented one of the most significant commercial spyware exposés since the Pegasus Project, Microsoft's Threat Intelligence Center and the University of Toronto's Citizen Lab jointly published detailed analyses of Candiru's DevilsTongue malware in July 2021.

Microsoft identified at least 100 victims of DevilsTongue across Palestine, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore. Targets included human rights defenders, dissidents, journalists, activists, and politicians.

Microsoft issued security patches for the two Windows zero-day vulnerabilities exploited by DevilsTongue (CVE-2021-31979 and CVE-2021-33771) and added detection for the malware to Microsoft Defender.

U.S. Commerce Department Entity List (November 2021)

The U.S. Commerce Department placed Candiru on its Entity List alongside NSO Group in November 2021, finding that both companies' technologies had been used to "maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers." The designation effectively bars Candiru from purchasing U.S.-origin technology components, including processors, operating systems, and cloud infrastructure.

Google Chrome Zero-Day Exploitation (2021)

Google's Threat Analysis Group (TAG) attributed the exploitation of Chrome zero-day vulnerabilities CVE-2021-21166 and CVE-2021-30551 to Candiru. These vulnerabilities affected Chrome's V8 JavaScript engine and WebAssembly runtime, enabling remote code execution through specially crafted websites. Google patched the vulnerabilities after identifying active exploitation in the wild.

The stockpiling and weaponization of browser zero-days represents a direct threat to the security of all Chrome users, not just Candiru's intended targets. Until the vulnerabilities were patched, any Chrome user visiting a compromised website was potentially at risk.

Apple NSO/Candiru Connection

Apple's November 2021 lawsuit against NSO Group referenced the broader commercial spyware ecosystem including Candiru. Apple issued emergency security updates addressing vulnerabilities exploited by multiple surveillance vendors, and the company's creation of "Lockdown Mode" in iOS 16 was a direct response to the threat posed by companies including Candiru.

Targeting Journalists and Civil Society

Confirmed DevilsTongue victims include journalists working for international media organizations, human rights workers at organizations defending Palestinian rights, political dissidents critical of Gulf state governments, and academics researching Middle Eastern politics. The pattern of targeting mirrors that of NSO Group's Pegasus, confirming that Candiru's government clients use the technology for political surveillance rather than exclusively for counterterrorism or criminal investigation.

Watering-Hole Domain Impersonation

Citizen Lab's investigation revealed that Candiru registered over 750 domains designed to impersonate legitimate organizations and causes, including:

  • Domains mimicking Amnesty International, Black Lives Matter, and refugee support organizations
  • Fake media outlet domains impersonating international news organizations
  • Domains designed to appear as legitimate government and NGO services
  • Typosquatted domains targeting specific linguistic and geographic communities

This infrastructure represents a deliberate strategy to exploit the trust that targeted communities place in human rights organizations and independent media, weaponizing the names of the very institutions that exist to protect potential surveillance targets. The scale of 750+ domains indicates sustained, industrialized targeting operations rather than ad hoc surveillance.

Threat Score Analysis

Candiru receives a composite threat score of 82/100, reflecting its position as one of the most dangerous commercial spyware vendors operating within the Israeli surveillance technology ecosystem:

  • Data Collection (88/100): DevilsTongue provides comprehensive device compromise across Windows, macOS, iOS, and Android, a broader platform range than many competitors. The combination of browser zero-day exploitation, OS-level privilege escalation, and messaging app interception delivers near-total surveillance capability. The watering-hole infrastructure of 750+ fake domains demonstrates sophisticated, large-scale targeting operations. The cross-platform capability, while not yet demonstrated to match Pegasus's zero-click sophistication, enables monitoring of targets across all their devices.

  • Third-Party Sharing (85/100): Candiru sells surveillance capabilities to governments with documented records of human rights abuses, including Saudi Arabia, the UAE, and Uzbekistan. The leaked pricing structure, up to $30 million for unlimited monitoring, confirms that the technology is sold for mass surveillance rather than targeted investigations. Client vetting has failed to prevent deployment against journalists, activists, and civil society organizations across multiple countries. The company's deliberate corporate opacity suggests awareness that its client relationships would not withstand public scrutiny.

  • Breach History (60/100): Candiru's own systems have not suffered a publicly documented data breach. However, the comprehensive exposure of DevilsTongue by Microsoft and Citizen Lab in 2021, including full technical analysis of the malware, identification of 750+ infrastructure domains, and enumeration of at least 100 targets, constituted a catastrophic operational exposure. The leaked 2017 project proposal document further compromised operational security by revealing pricing and capabilities.

  • Government Contracts (82/100): Candiru operates exclusively as a government surveillance vendor, with clients identified across at least 10 countries including states with documented patterns of targeting journalists, dissidents, and civil society. The targeting of Palestinian human rights organizations links Candiru to broader state policy. The company's technology has been confirmed in use against the exact categories of individuals that democratic norms are designed to protect.

  • Transparency (8/100): Candiru operates with effectively zero transparency: no public website, no corporate communications, no transparency reports, no disclosed human rights policy, and multiple name changes designed to evade identification. The company's operational security model treats its own existence as a secret. There is no independent oversight, no external audit, and no mechanism for targeted individuals to seek redress. This level of opacity exceeds even NSO Group's limited transparency efforts.

Weighted calculation: (88 * 0.25) + (85 * 0.25) + (60 * 0.20) + (82 * 0.15) + (8 * 0.15) = 22 + 21.25 + 12 + 12.3 + 1.2 = 68.75, adjusted to 82 due to the documented targeting of Palestinian civil society and journalists, the weaponization of browser zero-days affecting all Chrome users globally, U.S. Entity List designation, and the company's unprecedented level of corporate opacity designed to evade all accountability.

Transparency & Accountability

Candiru's approach to transparency is best described as institutional invisibility. The company has constructed an operational model in which accountability is structurally impossible.

Designed Opacity

Unlike other surveillance vendors that maintain at least a nominal public presence, Candiru has no website, issues no press releases, publishes no transparency reports, and does not acknowledge its own products or capabilities. The company cycles through corporate names (Candiru, Saito Tech, Grindavik Solutions) specifically to defeat public identification and journalistic investigation.

Employees are bound by strict non-disclosure agreements, and the company's recruitment reportedly occurs through personal networks within the Israeli intelligence community rather than public job postings. This culture of secrecy prevents even basic public accountability.

Israeli Export Control Framework

Like NSO Group and other Israeli surveillance firms, Candiru's exports are regulated by the Israeli Ministry of Defense through the Defense Export Controls Agency (DECA). The Israeli government treats offensive cyber tools as defense exports, granting export licenses that have repeatedly been documented authorizing sales to governments that deploy the technology against journalists, dissidents, and civil society.

The placement of Candiru on the U.S. Entity List in 2021 created diplomatic tension between the United States and Israel, with the Israeli government reportedly viewing the action as an affront to its sovereign export control prerogatives. However, the repeated failure of Israeli export controls to prevent documented human rights abuses demonstrates that the DECA framework serves commercial and diplomatic interests rather than human rights protection.

No Accountability Mechanisms

No court, regulator, or oversight body has successfully imposed accountability on Candiru for the documented abuse of its technology. The U.S. Entity List designation restricts access to American technology components but does not provide redress for victims. No civil lawsuits against Candiru have resulted in judgments or settlements. The Israeli government has not publicly revoked Candiru's export licenses despite documented targeting of journalists and civil society.

The absence of accountability mechanisms means that Candiru's victims (journalists whose sources were compromised, activists whose networks were mapped, politicians whose private communications were intercepted) have no legal recourse against the company that provided the tools used to surveil them.

This accountability vacuum is by design. Candiru's corporate structure, operational secrecy, and reliance on state sovereign immunity create a layered defense against legal and regulatory action that has, to date, proven effective.

Ongoing Operations

Despite the U.S. Entity List designation and public exposure by Microsoft and Citizen Lab, there is no evidence that Candiru has ceased operations. The company's pattern of cycling through corporate identities suggests that it may continue to operate under yet another name. The Israeli government has not publicly revoked Candiru's defense export license, and the commercial incentives that drove the company's creation (government demand for offensive cyber tools and Israel's permissive export control regime) remain unchanged.

The commercial spyware industry's demonstrated resilience to public exposure, sanctions, and even corporate dissolution means that Candiru's capabilities and client relationships likely persist in some form, whether under the Candiru name or through successor entities staffed by the same personnel.
