{
	"id": "4422568c-2dcc-4460-9fc2-85d91acabdcd",
	"created_at": "2026-04-06T00:09:07.067824Z",
	"updated_at": "2026-04-10T13:12:23.477508Z",
	"deleted_at": null,
	"sha1_hash": "4065cf7567cf517447e9a83598f038be4ae68ff4",
	"title": "Revealing Europe's NSO",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 627077,
	"plain_text": "Revealing Europe's NSO\r\nArchived: 2026-04-05 13:47:33 UTC\r\nAn Italian surveillance company is tracking people all over the world on a grand scale on behalf of its clients –\r\nincluding in countries with a recent history of corruption and human rights abuses. Its powerful spyware was\r\nrecently found in Kazakhstan and Romania. Europe’s parliamentarians voice growing concern about an out-of-control surveillance industry and call for it to be regulated.\r\nConfidential data seen by Lighthouse Reports shows that a little-known company based in Rome, Tykelab, has\r\nbeen using dozens of phone networks, often on remote Pacific islands, to send tens of thousands of secret\r\n“tracking packets” around the world, targeting people in countries including Libya, Nicaragua, Malaysia, Costa\r\nRica, Iraq, Mali, Greece and Portugal – as well as in Italy itself.\r\nIt’s doing this by exploiting longstanding but frequently unfixed vulnerabilities in global phone networks which\r\nmake it possible for third parties to see phone users’ locations, and potentially intercept their calls, without any\r\nrecord of compromise being left on their devices.\r\nAt the same time, Tykelab’s parent company, RCS Lab, has developed a powerful phone hacking tool, Hermit,\r\nwhich once installed on a victim’s device can be used to remotely activate the phone’s microphone, as well as\r\nrecord calls, access messages, call logs, contacts, photos and other sensitive data.\r\nBehind the scenes, security professionals have raised the alarm about Tykelab’s activities. Analysts with access to\r\nconfidential telecom data described how the company was “persistently and systematically” attempting to bypass\r\nnetwork protections as well as carrying out “blatant and targeted tracking of individuals”.\r\n“They are becoming more and more active,” one told us. “Since the start of this year, they’ve been increasing the\r\nnumber of attacks, and now it’s constant.”\r\nAs the European Union wakes up to the threat posed by an out-of-control surveillance industry, with Israel’s\r\nnotorious NSO Group and its Pegasus software in its crosshairs, we reveal the scope and scale of a previously\r\nunknown surveillance vendor in the heart of the EU.\r\nMETHODS\r\nOur findings originated with two confidential sources in the telecom industry. They had both independently been\r\ntracking significant volumes of suspicious traffic sent through a group of phone networks – much of it ostensibly\r\nfrom islands in the South Pacific. Through technical and other data they determined, independently from each\r\nother, that this traffic originated in Italy with a company called Tykelab. The company’s website says it’s an\r\ninnocuous telecom services provider. Our sources said that its traffic had no legitimate purpose other than\r\nsurveillance.\r\nWe sent samples of the data our sources provided to two independent security experts: Karsten Nohl, from\r\nSecurity Research Labs in Germany, and Jean Gottschalk, from Telecom Defense Ltd in the USA. Both agreed\r\nhttps://www.lighthousereports.nl/investigation/revealing-europes-nso\r\nPage 1 of 4\n\nwith our sources’ analysis. “Someone is spying on a large scale via the phone network,” said Nohl.\r\nThrough corporate disclosures and financial data, we established that Tykelab is a part of RCS Lab, an Italian\r\ncompany with a long history of interception activities both in Italy and abroad. This fact was undisclosed until a\r\ntakeover by a third company, Cy4Gate, made it known to shareholders last December. We also established that\r\nRCS Lab has another concealed subsidiary, Azienda Informatica Italiana, which builds interception software for\r\nAndroid and iPhone devices.\r\nTykelab’s office in a suburb of Rome with the company logo clearly visible inside\r\nWe obtained unpublished brochures of RCS Lab’s products and services from an invite-only trade fair. These\r\nincluded details of Ubiqo, a tool which can “track the movements of almost anybody who carries a mobile phone,\r\nwhether they are blocks away or on another continent”, as well as offering more sophisticated behaviour analysis.\r\nWe used IoT search engines Censys and Shodan to scan RCS Lab’s Italian infrastructure and found a login for a\r\nwebpage with the slogan “powered by Tykelab”.\r\nDuring our investigation, cybersecurity specialists at Lookout and Google published details of a previously\r\nunknown but sophisticated hacking package called Hermit. They both independently attributed this package to\r\nRCS Lab and provided lists of fake internet domains which the company had set up to lure targets to download the\r\nsoftware. They included domains masquerading as Apple and Facebook, as well various telecom providers. We\r\nanalysed this list using the domain database WhoisXML API and found that RCS Lab purchased some of these\r\nfake domains as early as 2015, while others were bought in March this year – indicating years of potential hacking\r\noperations by the company.\r\nhttps://www.lighthousereports.nl/investigation/revealing-europes-nso\r\nPage 2 of 4\n\nWe interviewed Lookout’s Justin Albrecht and Paul Shunk, who confirmed further details of the Hermit spyware,\r\nincluding that they had recently observed it in action in another country, Romania.\r\nSTORYLINES\r\nSince 2021 a wave of hacking scandals has engulfed EU countries, with tools supposedly meant for the most\r\nserious criminals being turned against politicians and journalists. The European Parliament is holding hearings,\r\nfocusing particularly on Israel’s NSO Group and its flagship Pegasus spyware. But our investigation has thrown\r\nthe spotlight on the EU itself and Europe’s role in the high-risk proliferation of commercial surveillance\r\ntechnology.\r\nOur findings show Tykelab’s surveillance traffic reaching all over the world – the Italian company’s systems have\r\nbeen targeting people in Libya, Costa Rica, Nicaragua, Pakistan, Malaysia, Iraq and Mali, to give only a few\r\nspecific examples, as well as in Greece, Macedonia, Portugal and Italy.\r\nMEPs, security specialists and privacy experts, looking at our findings, expressed deep concern at the risks\r\nassociated with the untransparent trade in powerful spy tech and questioned whether EU member states were\r\ndoing enough to regulate it.\r\nAs Markéta Gregorová, the European Parliament’s rapporteur for surveillance technology export controls, told us:\r\n“Commercial cyber-surveillance secretly sold to anyone willing to pay is a global security risk for all of us inside\r\nand outside the European Union. This service gets human right activists and journalists tortured and killed.”\r\nWhile highlighting problems in Europe’s export policies, the investigation also exposes the little-known practice\r\nin the telecom industry which enables these types of abuses to flourish – the leasing of phone network access\r\npoints or “global titles”. We spoke to the mobile phone trade association, GSMA, who confirmed to us that\r\n“organisations improperly using leased global titles must be stopped”. But the association pointed out that phone\r\noperators cannot always identify the source and purpose of the traffic that flows through their networks, making it\r\ndifficult to curtail the surveillance industry.\r\nSecurity expert Karsten Nohl emphasised that it is now eight years since critical vulnerabilities in how mobile\r\nphone networks function were disclosed – the same vulnerabilities which Tykelab and others have weaponised for\r\nsurveillance purposes. Nohl said: “Firewalls have long been in place so that phone operators can protect their\r\ncustomers — but this research proves that not all worldwide phone providers have set up these basic protections.\r\nIt is very unfortunate that these vulnerabilities have still not been closed.”\r\nTo keep up to date with Lighthouse investigations sign up for our monthly newsletter\r\nCO-PUBLICATIONS\r\nDomani: European surveillance starts with an Italian company\r\nMediapart: An Italian company's spying software raises concern\r\nEUobserver: Investigation: NSO surveillance rival operating in EU\r\nDer Spiegel: \"This the easiest way to monitor a specific person\"\r\nhttps://www.lighthousereports.nl/investigation/revealing-europes-nso\r\nPage 3 of 4\n\nIRPI: The Italian company that can track a person in every corner of the world\r\nSource: https://www.lighthousereports.nl/investigation/revealing-europes-nso\r\nhttps://www.lighthousereports.nl/investigation/revealing-europes-nso\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.lighthousereports.nl/investigation/revealing-europes-nso"
	],
	"report_names": [
		"revealing-europes-nso"
	],
	"threat_actors": [],
	"ts_created_at": 1775434147,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4065cf7567cf517447e9a83598f038be4ae68ff4.pdf",
		"text": "https://archive.orkl.eu/4065cf7567cf517447e9a83598f038be4ae68ff4.txt",
		"img": "https://archive.orkl.eu/4065cf7567cf517447e9a83598f038be4ae68ff4.jpg"
	}
}