The Covert Reach of NSO Group

April 29, 2020 2:06 pm By

At face value, Circles Bulgaria, a hacking/surveillance firm under the control of the infamous Israeli spyware company NSO Group, and FloLive, a cloud-based internet connectivity and cybersecurity company in London look to be two entirely different operations. However, under a dizzying web of shell companies spanning numerous countries as well as multiple common principals between the two firms, the companies appear to be intimately connected, an arrangement that has severe privacy, counterintelligence, and cybersecurity concerns.


Though relatively little is known about Circles, Forensic News has been able to exclusively acquire documents from Bulgaria, Cyprus, the British Virgin Islands, Luxembourg, the UK, and Delaware, over a period of months that paint a full picture of the secretive company known for covertly intercepting phone calls, text messages, and tracking locations of unaware citizens. Additionally, our team has spoken with a network of sources who declined to be identified, based on a fear for their safety, to expand on the documents.

Circles was launched in 2008 by former Israeli intelligence official Tal Dillian and his co-founders Boaz Goldman and Nadia Ropleva, the latter acting as their CEO. The company, which is based in Cyprus, but operates in Bulgaria and other countries, has the ability for “real-time interception of data from 3G networks” as well as the ability to track the location of certain mobile phone users. The eavesdropping of data includes the ability to read messages, internet searches, emails, and listen into phone calls as they occur via a vulnerability in Signalling System No. 7 (SS7 – “a set of protocols allowing phone networks to exchange the information needed for passing calls and text messages between each other”)

The company claims that these highly sophisticated tools are only sold to governments to monitor terrorists, drug dealers, and other malign actors, though at least two independent investigations indicate that the company’s tools may have been used to spy on citizens, including journalists and political opponents.

In a legal complaint obtained by the Israeli newspaper Haaretz, Circles intercepted messages of a Qatari journalist on behalf of a member of the UAE’s Supreme Council for National Security, a government agency tasked with implementing the national security of the state.

According to the suit, filed in August 2014 in Israel and Cyprus…a senior executive at Circles, received an email from Ahmad Ali al-Habsi, an official of the UAE’s Supreme Council for National Security. The message noted that the council’s directorate would soon make a decision, apparently referring to the purchase of the company’s products. In the meantime, he asked [the executive] to demonstrate the company’s capabilities, “even though I know that this is not included in our license,” and is also prohibited under the rules of the [Israeli] Defense Ministry. In this connection, Circles was asked to intercept the conversations of the editor of the Al Arab newspaper, of Qatar, over a 48-hour period. And indeed, within two days al-Habsi received an email with recordings of the editor’s conversations.

Haaretz

Al-Araby Al-Jadeed, a London-based pan-Arab newspaper, acquired documents outlining the transactions between the UAE and Circles. Notably, the Circles surveillance tools were sold to a private company in the UAE apparently acting as an intermediary for the UAE Supreme Council for National Security.

Furthermore, a 2016 report by the Premium Times in Nigeria (a subsequent co-winner of the Pulitzer Prize for their reporting on the Panama Papers) found that Nigerian state officials purchased surveillance tools from Circles using state funds. Multiple public officials paid millions of dollars for the highly advanced equipment which was used, in part, to spy and eavesdrop on the family of political opponents and dissidents who made negative posts about the government.


Circles’ ties to NSO Group are undeniable after NSO purchased the secretive company in 2014 for a sum of just under $130 million. NSO Group is currently locked in a contentious legal battle in California where the popular messaging app WhatsApp (owned by Facebook) sued NSO, alleging that “NSO was sending malware to take control of phones via WhatsApp and was using Facebook infrastructure as part of its hacking campaign.”

NSO’s prominent software called Pegasus was designed to track criminals but, like Circles, has been used by bad actors to spy on journalists and human rights defenders, allegedly including the late Jamal Khashoggi and the world’s richest man, Jeff Bezos. A report by Citizen Lab, a watchdog group at the University of Toronto that studies surveillance and spyware, concluded with high confidence that Khashoggi’s associate Omar Abdulaziz had his phone infected by NSO Group’s Pegasus software shortly before Khashoggi was murdered and dismembered by Saudi government agents.

NSO denies that it had anything to do with the hacks of civilians and journalists after it sold Pegasus to governments around the world. They claim that the company simply makes the software and that it is up to the individual countries to use it properly.

Pegasus has been used by Saudi Arabia, Mexico, United Arab Emirates, and other countries with questionable and poor records on human rights to hack activists, dissidents, and journalists, according to internet watchdog Citizen Lab.

VICE News

Business records from Cyprus confirm that NSO Group, via its subsidiary in Luxembourg called OSY Technologies, acquired Circles in 2014:

A recent Forbes article found that Circles charges approximately $150,000 to $3,000,000 for its phone tracking tools, and financial records from Bulgaria and Cyprus show that the company has been wildly successful in their sales. In Bulgaria, the company has seen large increases in revenue year-over-year for the past 4 years, reaching almost $12,000,000 in revenue in 2018.

In Cyprus, the numbers are astronomical. Documents for the Circles parent company Iota Holdings Limited show that the web of various Circles companies has resulted in over $184,000,000 in total assets at the end of the fiscal year 2016.

Further corroborating the reporting that suggests that Latin America is a main customer of the Circles hacking and surveillance abilities are shipping records reviewed by Forensic News that detail shipments of “dispositivo de almacenamiento de datos” or data storage devices from Circles Bulgaria to a Mexican company – Eyetech Solutions – that provides surveillance and other security measures for local governments in the region. Eyetech Solutions is run by a former Israeli military officer and advisor to the Prime Minister of Israel.

Shipping details from Circles Bulgaria to EyeTech Solutions in Mexico

Shipping details from Circles Bulgaria to EyeTech Solutions in Mexico

The owner of EyeTech Solutions is allegedly close to the President of El Salvador, Nayib Bukele, where Eyetech Solutions recently scored an $85,000,000 contract for “the prevention of violence, crime and local development in the municipality of the El Salvadorian capital,” though the company “not only implements tools for public safety such as video surveillance, it is also known for selling applications to interfere with phone calls and messaging and to identify and locate cell phone users.


In Ecuador, where Circles Bulgaria has been rumored to be active, Forensic News reviewed a separate shipping record from the global import/export data website Import Genius detailing a shipment of “aparatos de telecomunicación” or telecommunication devices to Ecuador’s National Intelligence Secretariat (Secretaría Nacional de Inteligencia, SENAIN).

Shipping details from Circles Bulgaria to Ecuador's Intelligence Service

Shipping details from Circles Bulgaria to Ecuador’s Intelligence Service

SENAIN made headlines in 2018 after it was revealed that the intelligence agency spied on many who entered Ecuador’s embassy in London, where WikiLeaks founder Julian Assange had sought refuge after officials became concerned about Assange’s visitors. SENAIN spent millions to spy on not only Assange himself but Assange’s visitors, including British police embassy staff. A report by BuzzFeed News in 2013 proved that SENAIN used equipment from Israeli spyware companies to bolster their domestic spying abilities, used in part to keep “close tabs on the Facebook and Twitter accounts of journalists, opposition politicians, and other individuals.”

FloLive

FloLive is a relatively new company operating out of London, offering network connectivity and cybersecurity solutions for businesses and enterprises. The firm specializes in the IoT (Internet of Things) space (think: anything that can be connected to the internet, from Amazon’s Alexa to smart refrigerators and lightbulbs) and the management of these devices on a centralized cloud-based platform.

In essence, according to one news article, “floLIVE offers a…connectivity service that enables companies in the IoT industry to deploy, manage, and operate their IoT devices from anywhere in the world, comply with roaming and privacy laws, and protect the devices from external threats.”

If that sounds confusing… It’s because it is. Even those in the industry find FloLive’s claims odd and unclear.

Journalist Stacey Higginbotham, who has been writing about technology and the IoT industry for nearly 20 years, found FloLive’s claims confounding. I’m dealing with a release so filled with jargon it’s making me angry,” she wrote on Twitter in February. “Nothing about what @floLIVE7 does is clear in this thing. What kind of connectivity does it provide? No clue. The PR says it’s distributed, centrally controlled AND in the cloud. This is NOT helpful.”

Most importantly, the company says they offer a robust set of solutions to deal with ever-evolving cybersecurity threats.

Over the years we have developed unique solutions to protect subscribers on our core networks from external attacks, whether impersonation, identity theft, hacking and more; today we are proud to say that our core network is one of the most secure networks in the market, as a fact!

-FloLive

On their website, FloLive asserts that it guards the data of businesses from SS7 attacks – the precise type of attack that Circles has exploited for its customers.

FloLive.net

An archived version of the company website from late 2019 states,

Our unique security solution spans across the entire chain, from the device, through the network, and up to the application and analytics layers – our home-grown technology scans your network elements and protects your assets from attempts to compromise their security. With a powerful big-data analytics engine, we will monitor your usage and alert upon any abnormal usage or deviation, to help you prevent fraud and hacking attempts on your business.

An exhaustive investigation into FloLive, however, reveals that the company shows every sign of acting as a front for the hackers and private spies behind Circles. Forensic News has documented the multiple data points to support this assertation.

Shared Ownership, Principals, and Employees

The center of the Venn diagram between FloLive and Circles runs through the offshore haven of Cyprus. The country is frequented by business people, largely from Eastern Europe, wanting to keep their taxes to a minimum, sometimes in violation of their home country’s law.

Exclusively obtained business documents from the small island show that, in 2014, Circles and FloLive’s Cyprus branch were owned by the same entity in another nation known for its corporate secrecy – the British Virgin Islands. The documents confirm that Flo Live Cy and CS – Circles Solutions were both owned by Global Seven Group LP. The strict laws in the British Virgin Islands make it next-to-impossible to determine who holds the shares of Global Seven Group, though the Limited Partnership appears in 2014 and 2015 shareholder meetings in Luxembourg alongside NSO Group officials and entities.

When asked about Global Seven Group, a spokesman for Circles said, “There is no current affiliation or business connection between Circles and Global Seven Group that
we are aware of.”

In addition to the secretive chain of ownership that connects FloLive and Circles is open-source information on the principals and employees working for the two companies. The CEO and co-founder of Circles, Nadia Ropleva (more on her later), was appointed as a Director for FloLive in mid-2018, according to her LinkedIn profile. Boaz Goldman, who has been documented in multiple reports as another co-founder of Circles, alongside Ropleva, is currently a major shareholder and Director of FloLive, according to documents filed with the UK government and reviewed by Forensic News.

Ropleva also joined the Board of Directors in February 2020 for another company in the UK in which Goldman is a shareholder – Fourmula (sic) Partners Limited. Ropleva’s listed address is in the same address in Sofia, Bulgaria where FloLive’s Service & Support staff are located. It is unclear what Fourmula Partners Limited does or if it is related to Circles or FloLive.

Further cementing the intertwined nature of FloLive and Circles (the NSO Group affiliate) is a simple photo on FloLive’s Facebook page depicting their employees competing in a friendly game of soccer against workers from Circles.

On LinkedIn, numerous people list work for both Circles and FloLive. In one case, the former COO of Circles made the transition to FloLive in 2018 to hold the same high-level position. Other software developers and engineers in Cyprus and Bulgaria either left Circles for FloLive or vice-versa.

In addition to the employees, at least one prominent lawyer in Israel lists FloLive and the Global Seven Group LP (which she notes is just another name for Circles) amongst her clients.

Finally, the Cyprus branches of both FloLive and Circles are currently managed by the same man, Andreas Koutsos, and his corporate services firm Comform Global Services. Koutsos has been involved in numerous business transactions for Circles through at least 2019.

Flo Live Cyprus managed by Andreas Koutsos

Flo Live Cyprus managed by Andreas Koutsos

Circles Solutions managed by Andreas Koutsos

Circles Solutions managed by Andreas Koutsos

FloLive did not reply to a detailed list of questions regarding these connections.

Despite the evidence linking the two firms, the Circles spokesperson told Forensic News, There is no affiliation or connection between Circles and FloLive that we know of.” The spokesperson further stated, “We do not see any conflict since neither Goldman or Ropleva have any current relationship with Circles.” 

The leaked documents from the UAE, however, prove that Goldman was involved in business transactions for Circles in mid-2016, well after FloLive was founded.

Ropleva, in a message to Forensic News, said that she has not been the CEO of Circles for “many years,” while also claiming that “FloLIVE is a totally different company and has nothing to do with Circles.” When asked about the connections between FloLive and Circles and why she updated her LinkedIn profile in 2018 but did not remove her position at Circles, Ropleva said, “no sensation here and hope you will not fall into the trap of chasing something that is not true. As for the LinkedIn, as you probably see I am not very active in the social media.”


The numerous connections between FloLive and Circles are concerning. One company openly sells hacking and surveillance tools that far too often get used for malign purposes and the other states that it protects your data from the precise type of attack that the tools sold by Circles unleash.

Nexus to the US

FloLive and the NSO Group subsidiary Circles’ connections to the United States are voluminous and concerning. FloLive, the purported connectivity and data-security company, and Circles, the hacking and surveillance company have established firm roots in the United States, incorporating companies, buying server space, forming partnerships, applying for FCC approval on routers, receiving trademarks, and hiring senior-level employees in the contiguous US.

In the Cyprus documents for the previously-mentioned Circles parent company Iota Holdings, a US-incorporated subsidiary is listed:

Iota Holdings Limited (Circles' parent company) listing a US subsidiary (NAC 2013) (NSO)

Iota Holdings Limited (Circles’ parent company) listing a US subsidiary (NAC 2013)

A search on the company database website OpenCorporates led Forensic News to Delaware where a source provided us with the incorporation documents for the subsidiary, signed by an accountant of Comform Services, the secretary of Iota Holdings, confirming the link to Circles. As of mid-2019, the Delaware LLC remained in good standing with the state, indicating that it remains active and eligible to conduct business in the country, though Iota Holdings said in 2016 that the company was dormant.

In an email, the Circles spokesperson claimed, “this registered subsidiary has no business activities.”

FloLive has also raised over $26,000,000 from multiple Venture Capital firms, some located in the US, including three California-based VC’s – Qualcomm Ventures, Saban Ventures, and Dell Technologies Capital. Requests for comment to all three VC’s were not answered.

In 2017, a trademark in the United States was approved for Circles Solutions for a product called “PiXcell,” described as, “electronic and radio devices, namely, apparatus comprised of electronic wireless communications receivers and transmitters for gathering intelligence and tapping into or intercepting targets’ wireless, telephone, computer, and internet communications for use in the field of the prevention of crime and terrorism.”

The active trademark may severely undercut a key claim made by NSO Group in their defense against WhatsApp, wherein the company states that their activities do not touch the US. The trademark, approved in 2017 and active as of this article, comes well after Circles merged with NSO Group in 2014. An email to Jason Greenberg, the attorney on file for the trademark, went unanswered.

Andreas Koutsos, the manager for the Cyprus branches for FloLive and Circles, applied for FCC approval regarding a Wi-Fi router on behalf of one of the Iota Holdings subsidiaries, MS Magnet Solutions in 2017. The FCC approved the request and it appears that the company is able to operate the router using the PiXcell name within the US, though a document filed with the FCC by MS Magnet Solutions states that the router is not intended for commercial use but rather “government public service agents.”

“This product is deployed by operators for indoor wireless coverage or carried by government public safety agents for network security operations. When used in premise indoor coverage, this product can be installed by set on desktop, mount on wall, or attach to ceiling. It is designed to provide coverage and will not interfere cellular or other wireless networks. This product is not available for commercial or general consumers and it is prohibited from any illegal use.”

Forensic News could not find any concrete evidence that the router has been operated in the US. In the documents and emails (page 13) acquired by the Arab newspaper Al-Araby Al-Jadeed however, PiXcell is mentioned in a 2016 email from Circles to David Meidan, a former top Mossad official who mediated the sale of Circles hacking and surveillance equipment to the UAE. Boaz Goldman, the FloLive Chairman and shareholder, is CC’d.

Back in the US in 2018, it was announced that FloLive was partnering with a company in Texas, Telestax, to join their marketplace for service providers wanting to add real-time voice and messaging applications for their customer needs. This partnership potentially gave FloLive access to US customer data and information.

In an email to Forensic News, the Vice President of Marketing for Telestax said, “FloLive used to be a marketplace partner for Telestax…However, in the past few years, we have moved to a cloud-based…platform. Our business model has evolved and we do not actively work with FloLive anymore.”

Former Trump adviser Michael Flynn, who pled guilty to lying to the FBI about his conversations with the Russian Ambassador before withdrawing his guilty plea in January by claiming entrapment, advised Circles’ parent company OSY Technologies in 2016 and 2017, receiving just over $40,000. Business records accessed in Luxembourg via Dun and Bradstreet show that the managers of OSY Technologies are the NSO Group Board of Directors, including Omri Lavie and Shalev Hulio, former members of the Israeli military’s elite Unit 8200 involved in the collection of signals intelligence.

It’s unclear exactly what type of work Flynn did for OSY Technologies. There is no suggestion of any criminal wrongdoing on the part of Flynn. Sidney Powell, an attorney for Flynn, did not respond to a request for comment on Flynn’s work for OSY Technologies.

Though based in the UK, FloLive website itself is hosted on Google servers in California, according to the cyber-intelligence website SecurityTrails. One active subdomain for the FloLive website located on servers in Turkey ominously appeared to be involved in the tracking of vehicles, with the web address “vehicletracking.flolive.net”


Ongoing Investigations

Apart from the ongoing civil lawsuit that WhatsApp and Facebook brought against NSO Group, the FBI has reportedly opened a criminal investigation into NSO Group’s spyware usage in the United States. “The FBI conducted more interviews with technology industry experts after Facebook filed a lawsuit in October accusing NSO itself of exploiting a flaw in Facebook’s WhatsApp messaging service to hack 1,400 users,” according to the Reuters report.

A federal investigator confirmed to Forensic News on background that the investigation into NSO Group is continuing and that witnesses have been contacted in recent weeks.

“Circles is not aware of any ongoing investigations and has not been contacted by any law enforcement,” a spokesperson for the company said.



Forensic News is funded entirely by our readers. We don’t hide content behind paywalls or take money from corporate entities. Consider pledging your support so we can continue producing impactful investigative journalism.

Tags



Related Posts

Related post image
NSO Group Affiliate Circles Sold Equipment to Uzbekistan ‘Secret Police’

Forensic News

Paywalls are old news. That's why every Forensic News article is free. Help us keep it that way by making a donation today.

Choose an amount