Toward the end of 2023, an Israeli security researcher from Tel Aviv said that he was approached on LinkedIn with an opportunity to work abroad with “good pay.” He said that the company’s HR department told him that it was a “legitimate” offensive security company that was starting from scratch in Barcelona, Spain.
But during the whole recruiting process, the researcher recounted to TechCrunch, things felt a bit off.
“The whole secrecy was very weird. Some employees that interviewed me didn’t use their full names, they took super long to reveal where the company even is, let alone its name. Why is it such a secret if everything’s legit?” the researcher told TechCrunch. “It seems like a company that might get sanctioned in the future, and things might get dirty.”
When he spoke to the company’s chief technology officer, the researcher said that he was told something along the lines of, “we will only have legit customers and unlike other companies won’t sell to shady nations.”
Alexey Levin, the hiring CTO and a former researcher at the sanctioned spyware maker NSO Group, told the researcher that the company trying to hire him was called Palm Beach Networks, and that it develops everything from the zero-day exploits used for compromising devices to the spyware implant itself, referring to the surveillance software that gets installed on a target’s device, according to the researcher.
The researcher said that Levin also told him that Palm Beach Networks had at least one U.S. government customer. (Levin did not respond to a request for comment.)
But why found a spyware startup in Barcelona, which just years earlier was at the center of a wide-reaching political scandal where Spanish government officials used spyware to target local politicians who pushed for independence? Just like many other startups in the city; the researcher said that company employees told him that it was because living in the city is similar to living in Israel, that there are good tax benefits, and good weather.
Those are some of the reasons why in the last couple of years, Barcelona has become an unlikely hub for spyware companies, according to multiple people who work in the offensive cybersecurity industry who spoke with TechCrunch, as well as business records we have seen.
Having Barcelona become a crucial regional outpost for offensive cybersecurity companies puts the spyware problem squarely on the doorstep of Europe, which has a fractious relationship with surveillance tech, due to scandals in Cyprus, Greece, Hungary, and Poland — all involving Israeli spyware makers.
“It is a concerning development if a major city in Europe becomes a hub for spyware makers,” Natalia Krapiva, the legal counsel at nonprofit Access Now, which specializes in investigating and researching spyware, told TechCrunch. Krapiva said that the spyware business “goes hand in hand with corruption and abuse of power.”
“Spanish citizens, media, and policymakers should be carefully scrutinizing these businesses in terms of whether their operations are consistent with national and EU laws and whether the Spanish government may be involved in abusing their surveillance tools, especially given Spain’s history with Pegasus,” said Krapiva.
John Scott-Railton, a senior researcher at the Citizen Lab, where he and his colleagues have for more than a decade investigated abuses carried out with spyware tools, also expressed concern. Scott-Railton noted that in the past there have been cases of spyware abuse not only against human rights activists and dissidents in non-democratic countries like Ethiopia and Saudi Arabia, but also against U.S. diplomats and targeted individuals, including politicians and citizens within Europe’s borders.
“This will add fuel to the fire of Europe’s spyware crisis. If experience is a guide, it’s only a matter of time before this tech winds up used by customers against Spain’s allies and EU partners,” Scott-Railton told TechCrunch. “Governments that allow this industry to flourish take a gamble with their own secret capabilities and human capital. These capabilities tend to drain outwards, including to potential future adversaries, once mercenary spyware and exploit developers come to town and start hiring.”
Sun, seafood, and spyware
Apart from Palm Beach Networks, as it was known at the time, Barcelona is home to several other exploit and spyware makers that too are making the most of the city’s sunny, temperate weather, fresh seafood, and vibrant expat community.
Among them are Paradigm Shift, a spin off of the embattled startup Variston, which lost staff and was struggling to survive in 2024; and Epsilon, which is led by Jeremy Fetiveau, an industry veteran who used to work for a division within U.S. defense giant L3Harris that was created after the company acquired the Australian startup Azimuth.” Fetiveau did not return a request for comment.
The city is said to be also home to an unnamed group of Israeli researchers who moved to Barcelona from Singapore to work on developing zero-day exploits. The existence of this unnamed team as well as Epsilon’s presence in Barcelona was first reported by Israeli newspaper Haaretz, whose article sparked coverage in local newspapers and news websites.
Other cybersecurity companies have a presence in Barcelona, even if they are not headquartered there. Andrijana Šekularac, the chief executive of Austrian cybersecurity company SAFA lives in the city, according to her public LinkedIn profile. SAFA has sponsored offensive cybersecurity conferences, including OffensiveCon and Hexacon, and employs at least two security researchers with past experience at spyware companies, according to their public LinkedIn profiles. Šekularac also did not respond to a request for comment.
These zero-day and spyware companies are part of a broader cybersecurity and startup ecosystem in Barcelona. As of last year, according to the Catalan regional government, there were more than 10,000 people working for more than 500 cybersecurity companies in Barcelona, or around 50% more workers than five years earlier.
Contact Us
Do you have more information about Epsilon, Head and Tail, Paradigm Shift, or other government spyware makers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
Barcelona isn’t just a hotbed for surveillance tech makers, but startups in general, with some ranking the city among the top startup hubs in Europe. The city is the founding home for food delivery startup Glovo, which competitor DeliveryHero valued at €2.3 billion in 2021 when it acquired a majority stake in the Catalan company; orthodontics startup Impress, which raised $125 million in 2022 and $114 million in 2024; and business travel management platform TravelPerk, which raised $105 million in 2024; among more than 2,200 other startups, according to the Barcelona and Catalonia Startup Hub, a local government project that tracks the startup ecosystem in the region.
The city is attractive to workers because its cost of living is cheaper than other European startup hubs like London, Amsterdam, and Berlin. Then, there’s the perhaps more obvious reasons, at least for anyone who’s been to Barcelona: The city has nice beaches, similar to Tel Aviv, Cyprus, and Greece, places that are or were home to spyware companies like NSO Group, Circles, and Intellexa.
There are also other reasons, apart from the city’s attractiveness, that have brought Israeli security researchers in particular to Barcelona. As Haaretz reported at the end of December 2024, Israel has become more restrictive in granting licenses to export spyware to other countries in the wake of the scandals involving NSO Group, leaving the door open for companies to move abroad. It is now more difficult for companies to export spyware from Israel to the rest of the world, including the European Union, than from within the bloc itself.
One person told Haaretz that this process is not “emigration to Spain, it’s expulsion to Spain.”
While Paradigm Shift is openly advertising itself as an offensive cybersecurity company, with job listings for roles that fit this type of business, other companies aren’t as transparent, just like Variston used to be. Paradigm Shift is headed by Leone Pontorieri, according to the company’s business records, as well as Filippo Roncari and Simone Ferrini, according to their public LinkedIn profiles. The three were part of an Italian startup that was acquired by Variston in 2018, when the company launched in Barcelona, and one of the first spyware companies to set up its operations in the Catalan city.
Representatives for Paradigm Shift did not respond to a request for comment.
A stealthy startup with many names
Palm Beach Networks has so far avoided any public claims of involvement in human rights abuses, unlike spyware makers NSO Group, and before it Hacking Team and FinFisher, have in the past. But the company does have an intriguing history of changing names, a strategy that other spyware vendors have previously used to mask their corporate ownership. Israeli spyware makers Candiru rebranded several times before the company was added to the U.S. government’s trade ban list in 2021, and NSO itself had a complex corporate structure.
The name Palm Beach Networks “was a bit secretive and only said by Levin and others at later stages,” according to the Israeli researcher.
As it turns out, Palm Beach Networks may already be an obsolete name, and the second iteration of a startup with a different identity.
A company called Defense Prime Inc. became Palm Beach Networks on May 11, 2023. On June 16, 2023 a company called Head and Tail started operations in Barcelona. Then on June 28, 2024, Palm Beach Networks was dissolved, according to business records filed in Florida and Spain.
Defense Prime and Palm Beach Networks appear to be linked to Head and Tail due to overlapping executives and key figures.
A person named Sai Gopal is listed as Head and Tail’s authorized signatory in Spanish business records, and someone with the same name was listed as the treasurer of Defense Prime in Florida business records. Gopal could not be reached for comment.
Business records also show Alexey Levin, the CTO who tried to hire the Israeli security researcher for Palm Beach Networks, is the director of Head and Tail. Representatives from Head and Tail did not return TechCrunch’s request for comment.
A current executive at a spyware maker, who asked to remain anonymous, told TechCrunch that Levin works at Palm Beach Networks. Previously, the executive said, Levin was an early developer at NSO Group, and then also worked at Candiru.
On its official website, Head and Tail makes no explicit mention of the fact that it develops surveillance technology, but instead says it addresses “a myriad of cybersecurity issues, including threat intelligence, vulnerability assessments, security awareness training, and incident response.” The company has job listings for Barcelona, Madrid, and Sevilla.
In the end, the Israeli researcher turned down the chance to work at Palm Beach Networks, even though people he knows told him the company pays some of its employees eye-watering salaries that vastly exceed the country’s gross annual average.
The researcher said he was worried he may end up like some NSO Group’s employees, who have had to deal with the fallout from human rights scandals, Facebook blocking and deleting their personal accounts, and the U.S. government threatening to deny their visas.
“I could get good enough money elsewhere and not have to worry about what will happen or who I’m working for,” said the researcher, “especially when I felt they aren’t a transparent company and I wouldn’t know who the customers are.”
