The Dodgy Framework and the Middlemen: how NSO Sold its First Pegasus License

A legal dispute regarding brokerage fees sheds light on the way the malware was first sold to a foreign country. American businessman Elliott Broidy, currently under investigation by the U.S. Department of Justice for possible violations of lobbying laws, was originally tapped as one of the architects of the deal despite admitting to illegal gifts worth $1 million shortly before

Tomer Ganon and Hagar Ravet 14:1424.02.20
U.S. businessman and venture capitalist Elliott Broidy, currently under federal investigation for suspicions of using his close relationship with President Donald Trump to violate lobbying laws, was one of the original architects of the first deal Israeli surveillance company NSO Group signed to sell its Pegasus spyware to a foreign power, according to court documents. Parts of the relevant documents were recently released for publication following a legal battle Calcalist has been waging for over a year.

 

The information about Broidy, a controversial figure in the U.S., came to light as part of a lawsuit filed in August 2015 to the Tel Aviv district court, concerning a legal dispute about brokerage fees. The emails and documents filed as part of the lawsuit, only part of which have been declassified, reveal how the first sale of NSO’s Pegasus to a foreign country unfolded.

 

Elliott Broidy. Photo: Shutterstock Elliott Broidy. Photo: Shutterstock

 

 

The plaintiff in the case is insurance agent and businessman Udi Oren, who filed the lawsuit against two other people involved in the deal; his childhood friend Eran Reshef and his business partner Matan Caspy. Oren has demanded the two pay him a brokerage fee of NIS 3 million (approximately $872,000 in current exchange rates) for his alleged involvement in the Pegasus deal.

 

Today, NSO employs over 600 people and is considered one of the top companies in the digital spyware industry. In July 2011, however, when the first deal was signed, NSO was still a very young startup, having been founded only a year prior.

 

The legal documents reveal that the deal was executed in two stages using a middleman company. First, Pegasus was sold to a company controlled by a non-Israeli businessman, whose name remains classified following a petition by the Israeli Ministry of Defense. Then, the businessman sold the spyware to a foreign country—its identity also redacted by the court at the request of the ministry—for military use.

 

According to the documents, Broidy, one of the top fund-raisers for Trump during the 2016 U.S. election, came into the picture in October 2010, despite pleading guilty in 2009 to a misdemeanor. Broidy admitted to paying $1 million in illegal gifts to New York State officials in order to secure a $250 million investment for his private equity firm, Markstone Capital Partners.

 

His involvement in the Pegasus deal was confirmed by two other testimonies. One was from a leading Israeli cyber executive, Eric Banoun, who was also involved in brokering the deal. Between 2007 and 2010, Banoun was vice president of sales and business development of the cyber and intelligence business of NICE Systems Ltd. After leaving, he joined Circles Technologies as a partner and used his accumulated contact network to market NSO’s technology. The second testimony was that of NSO co-founder and CEO Shalev Hulio. Following Hulio’s testimony, the court agreed that the case would proceed in chambers.

 

According to the released documents, it was Reshef and Caspy who recruited Broidy to assist in the deal. Each of them owns 20% of Rayzone Group Ltd., a global seller and distributor of intelligence and cyber technologies. In his testimony, Caspy said he spent a few years in California, among other things selling technological products in South America. That was when he had first met and worked with Broidy, whom he described as a wealthy businessman with ample business activity and connections in South and Central America. For a while, he had also been employed at one of Broidy’s companies, Broidy Capital Management, as vice president of business development.

 

Caspy already knew of Banoun’s work when he worked for Broidy, he said, but when he returned to Israel in 2010 Banoun was among the businessmen he met with. It was from Banoun that Caspy first learned of NSO. At the time, the group was still a small startup developing offensive intelligence technology for mobile phones, with no sales. Banoun offered NSO his services to market the group’s technology in a foreign country “known to be a big buyer of defensive and offensive cyber products,” and received distribution rights in return for a commission. His contract with NSO—deemed confidential by the court—was signed in December 2010.

 

Caspy told Banoun about his own connections, especially his relationship with Broidy, and the two decided to partner up. “We traveled, Banoun and I, to Los Angeles to meet with Broidy and try to interest him in selling NSO’s products to the foreign country,” Caspy testified, providing flight tickets as proof. “The meeting with Broidy was successful. He was very interested in NSO’s products and the odds of a sale to the foreign country. It was agreed that he would try to use his connection there to advance the deal.”

 

The email exchange The email exchange

 

 

Caspy provided to the court an email exchange between him, Banoun, and Broidy, dated November 2010. NSO’s technology was code-named BBM—short for BlackBerry Messenger. That was because the BlackBerry was the leading device at the time and breaching its messenger system was considered the holy grail of the intelligence industry, according to Caspy.

 

Banoun continued closing loose ends with NSO, while Caspy handled the work with Broidy. With Broidy’s blessing, he made contact with the middleman businessman in the foreign country and from there continued to meet with Broidy in Los Angeles.

 

But then came a twist in the story. On April 11, Caspy arranged a meeting at Broidy’s Los Angeles offices. Present were Broidy and NSO co-founders Hulio and Omri Lavie. Following the meeting, Caspy and Banoun learned that Broidy was trying to cut them out as middlemen and establish direct contact with NSO himself. They decided to bring in Reshef to neutralize Broidy.

 

 

NSO co-founders Omri Lavie (right) and Shalev Hulio. Photo: Bar Cohen NSO co-founders Omri Lavie (right) and Shalev Hulio. Photo: Bar Cohen

 

  

According to Caspy’s testimony, the move was successful. The final deal was signed between NSO and the foreign country, without Broidy. The court filings do not reveal whether Broidy took any legal action against any of the sides following his alleged ousting, but they do reveal NSO has tried to minimize the role Banoun, Caspy, and Reshef filled in the deal to avoid paying them a commission fee. Eventually, the two sides settled on an unspecified compensation sum, 40% of which went to Banoun and the rest went to Caspy and Reshef’s Rayzone Group.

 

Oren’s lawsuit against Caspy and Reshef was rejected three months ago.

 

A spokesperson for NSO told Calcalist that the company is not a side in the aforementioned case. The company will not discuss its operations but wishes to emphasize its technology is sold in accordance with the law “only to countries or state entities,” the spokesperson said.

 

A spokesperson for Broidy stated that he "has no business relationship with NSO. In 2010, he provided an introduction that involved NSO and other parties with respect to a potential contract. He received no compensation of any kind from NSO or anyone else with regard to this contract. He has had no contact with NSO since that time.”

 

In the decade that has passed since NSO’s foundation, it has made many an unflattering headline due to multiple reports of its Pegasus spyware allegedly being used to spy on and target human rights activists, journalists, and members of the political opposition in several countries. Once installed via a pressed link, pegasus can be used to remotely take over a smartphone and gain access to calls, messages, and any other stored data on the device.

 

 

In May 2019, Amnesty International filed a petition with the Tel Aviv district court, asking that NSO’s export license be rescinded after its malware was allegedly used to spy on an Amnesty staff member. More recently, in October 2019, NSO was sued in California by encrypted messaging app WhatsApp and its parent company Facebook, which alleged that NSO and its Luxembourg-based affiliate Q Cyber Technologies Ltd. used WhatsApp servers to deliver malware to approximately 1,400 devices, for the purpose of surveilling certain Whatsapp users. Similar lawsuits were filed in Israel in 2018, one by an associate of Jamal Khashoggi, who claimed NSO played a role in the slain Saudi journalist’s death, and another by five Mexican journalists and human rights activists who alleged they were targeted using Pegasus.

 

NSO has consistently denied any wrongdoing regarding the use of its technology, but the two-stage, middleman-based deal process described in the recently released court documents casts doubt on the company’s ability to control and monitor the use of its spyware.