Barcelona Spyware Hub: How Catalonia Became a Startup Center

Barcelona's Emergence as a Spyware Hub

Late in 2023, a security researcher based in Tel Aviv reported being contacted via LinkedIn regarding a potential employment opportunity offering attractive compensation. The company’s human resources department indicated it was a new offensive security firm establishing operations in Barcelona, Spain.

Recruitment Concerns

Throughout the recruitment process, the researcher experienced a sense of unease, as detailed to TechCrunch. A notable degree of secrecy surrounded the organization, with some interviewers withholding their full names and delaying disclosure of the company’s location.

The researcher questioned this lack of transparency, wondering why a legitimate enterprise would operate with such concealment. He voiced concerns that the company might face future sanctions and engage in questionable activities.

Assurances and Revelations

During a conversation with the company’s chief technology officer, the researcher received assurances that they would only serve legitimate clients and avoid selling to nations with dubious reputations.

Alexey Levin, the CTO and a former researcher from the sanctioned spyware manufacturer NSO Group, identified the company as Palm Beach Networks. He explained that they develop a full spectrum of tools, from zero-day exploits for device compromise to the spyware implant itself.

The researcher was also informed that Palm Beach Networks had secured at least one customer within the U.S. government. (Mr. Levin did not respond to requests for comment.)

The Appeal of Barcelona

The choice of Barcelona as a base of operations raised questions, given the city’s recent involvement in a political scandal involving the use of spyware against Catalan politicians advocating for independence.

Company personnel reportedly justified the location by citing its similarities to Israel, favorable tax benefits, and pleasant climate.

A Growing Trend

Multiple sources within the offensive cybersecurity industry, along with business records reviewed by TechCrunch, indicate that Barcelona has become an unexpected center for spyware companies in recent years.

This development places the spyware issue directly within Europe, a region already grappling with a complex relationship with surveillance technology due to prior incidents in Cyprus, Greece, Hungary, and Poland – all involving Israeli spyware developers.

Legal and Ethical Concerns

Natalia Krapiva, legal counsel at Access Now, a nonprofit focused on spyware research, expressed concern over Barcelona becoming a hub for these companies. She emphasized the inherent link between the spyware business and corruption, as well as abuses of power.

Krapiva urged Spanish citizens, media outlets, and policymakers to rigorously examine these businesses to ensure compliance with national and EU laws. She also highlighted the need to investigate potential misuse of surveillance tools by the Spanish government, considering Spain’s history with Pegasus spyware.

Potential for Abuse

John Scott-Railton, a senior researcher at the Citizen Lab, echoed these concerns, drawing on over a decade of experience investigating spyware-related abuses.

He noted past instances of spyware misuse not only against activists and dissidents in countries like Ethiopia and Saudi Arabia, but also against U.S. diplomats and individuals within Europe.

Escalating the Crisis

“This will add fuel to the fire of Europe’s spyware crisis,” Scott-Railton stated. He predicted that the technology would inevitably be used against Spain’s allies and EU partners, based on past experiences.

Scott-Railton cautioned that governments enabling this industry risk compromising their own security capabilities and losing valuable human capital, as mercenary spyware developers attract talent and potentially share expertise with adversaries.

Barcelona: A Hub for Surveillance Technology

Beyond its reputation for pleasant weather, seafood, and a welcoming expatriate population, Barcelona has emerged as a significant location for companies specializing in exploit and spyware development. This is in addition to Palm Beach Networks, formerly known as such.

Among these firms is Paradigm Shift, established by ex-employees of Variston following the latter’s dissolution last year. Additionally, Epsilon is led by Jeremy Fetiveau, a seasoned professional with a background at a U.S.-based L3Harris division, which was formed through the acquisition of the Australian firm Azimuth. Attempts to reach Mr. Fetiveau for comment were unsuccessful.

Emerging Groups and Initial Reports

Reports indicate the presence of an unidentified team of Israeli researchers who relocated to Barcelona from Singapore to concentrate on the creation of zero-day exploits. The initial reports concerning this team, as well as Epsilon’s Barcelona presence, originated in the Israeli newspaper Haaretz, subsequently gaining traction in local media outlets.

Several other cybersecurity organizations maintain a presence in Barcelona, even without being headquartered there. Andrijana Šekularac, CEO of Austrian cybersecurity company SAFA, is a resident of the city, as evidenced by her LinkedIn profile. SAFA has provided sponsorship for offensive cybersecurity conferences like OffensiveCon and Hexacon, and employs security researchers with prior experience in vulnerability exploitation.

Ms. Šekularac initially did not respond to a request for comment. However, in a subsequent communication, she stated, “SAFA firmly denies any involvement with spyware. Our core focus is delivering research and threat intelligence services to clients, which is entirely separate from the creation or deployment of spyware.” She further emphasized, “SAFA does not employ individuals with prior ties to spyware companies, and this assertion misrepresents the professional backgrounds and integrity of our team.”

A Growing Cybersecurity Ecosystem

These companies focused on zero-day exploits and spyware are integral to Barcelona’s expanding cybersecurity and startup landscape. Data from the Catalan regional government reveals that over 500 cybersecurity companies employ more than 10,000 individuals in Barcelona, representing a 50% increase over the past five years.

Barcelona is not only a center for surveillance technology but also a thriving hub for startups generally, frequently ranked among Europe’s top startup locations.

The city serves as the original home of Glovo, a food delivery startup valued at €2.3 billion by Delivery Hero in 2021; Impress, an orthodontics startup that secured $125 million in funding in 2022 and $114 million in 2024; and TravelPerk, a business travel management platform that raised $104 million in 2024. These are just a few of the over 2,200 startups operating in the region, according to the Barcelona and Catalonia Startup Hub.

Attractiveness and Cost of Living

The city’s appeal to workers is enhanced by a lower cost of living compared to other European startup hubs like London, Amsterdam, and Berlin. Furthermore, the city boasts attractive beaches, reminiscent of those found in Tel Aviv, Cyprus, and Greece – locations previously or currently associated with spyware companies such as NSO Group, Circles, and Intellexa.

Beyond its inherent attractiveness, other factors have drawn Israeli security researchers to Barcelona. As reported by Haaretz in late December 2024, Israel has implemented stricter regulations regarding the export of spyware following controversies surrounding NSO Group, creating opportunities for companies to relocate internationally.

One source described this shift to Haaretz as not merely “emigration to Spain, but expulsion to Spain.”

Company Structures and Statements

While Paradigm Shift openly promotes itself as an offensive cybersecurity firm, advertising relevant job openings, other companies maintain a lower profile, similar to Variston’s past practices. Paradigm Shift is led by Leone Pontorieri, alongside Filippo Roncari and Simone Ferrini, according to company records and their respective LinkedIn profiles.

These three individuals were previously part of an Italian startup acquired by Variston in 2018, marking one of the first spyware companies to establish operations in Barcelona.

In an email to TechCrunch, Mr. Pontorieri stated that Paradigm Shift is “a newly established and entirely independent entity” comprised of former Variston security researchers, but explicitly denies “any connection, affiliation, or association—direct or indirect—with Variston’s business.”

Regarding Paradigm Shift’s activities, Mr. Pontorieri indicated that the company serves “a diverse client base, ranging from large enterprises to law enforcement agencies, depending on the specific services required,” without elaborating further. He also stated that the decision to establish Paradigm Shift in Barcelona was not driven by export control regulations, but rather by the city’s overall appeal, which “provides a vibrant environment for everyone” and “facilitates recruitment.”

A Discreet Startup Operating Under Multiple Identities

Unlike spyware developers such as NSO Group, Hacking Team, and FinFisher, Palm Beach Networks has, to date, avoided public accusations concerning involvement in human rights violations. However, the company exhibits a noteworthy pattern of name changes, a tactic previously employed by other vendors in the spyware industry to obscure corporate ownership.

Prior to being placed on the U.S. government’s trade ban list in 2021, Israeli spyware firm Candiru underwent several rebrandings, mirroring the complex corporate structure maintained by NSO Group itself.

The designation "Palm Beach Networks" was reportedly used with discretion, revealed only by Levin and colleagues during subsequent discussions, according to an Israeli researcher.

It appears that the name Palm Beach Networks may already be outdated, representing the initial phase of a startup that has since adopted a new identity.

Business filings indicate that Defense Prime Inc. transitioned into Palm Beach Networks on May 11, 2023. Subsequently, on June 16, 2023, a company named Head and Tail commenced operations in Barcelona. Palm Beach Networks was then dissolved on June 28, 2024, as documented in business records from both Florida and Spain.

A connection between Defense Prime, Palm Beach Networks, and Head and Tail is suggested by shared executives and key personnel.

Sai Gopal is identified as Head and Tail’s authorized signatory in Spanish business records, while an individual with the same name served as the treasurer of Defense Prime in Florida records. Attempts to reach Gopal for comment were unsuccessful.

Business records further reveal that Levin, the CTO who extended a job offer to the Israeli security researcher at Palm Beach Networks, currently holds the position of director at Head and Tail. Requests for comment directed to representatives of Head and Tail remained unanswered.

A current executive within the spyware sector, speaking on condition of anonymity, confirmed to TechCrunch that Levin is employed by Palm Beach Networks. Previously, this executive stated, Levin was a foundational developer at NSO Group and also contributed to Candiru.

The official website of Head and Tail does not explicitly state its involvement in the development of surveillance technology. Instead, the company positions itself as a provider of solutions for “a myriad of cybersecurity issues, including threat intelligence, vulnerability assessments, security awareness training, and incident response.” The company is currently advertising job openings in Barcelona, Madrid, and Sevilla.

Ultimately, the Israeli researcher declined the employment opportunity with Palm Beach Networks, despite being informed by acquaintances that the company offers exceptionally high salaries, significantly exceeding the national gross annual average.

The researcher expressed concerns about potentially facing similar repercussions as employees of NSO Group, including the consequences of human rights controversies, account suspensions on platforms like Facebook, and potential visa denials from the U.S. government.

“I am able to secure adequate compensation elsewhere without the apprehension of potential repercussions or uncertainty regarding my employer,” the researcher stated, “particularly given my reservations about the company’s lack of transparency and my inability to ascertain its clientele.”

Updated with comment from Paradigm Shift’s Pontorieri; and added response from SAFA’s Šekularac and clarified the paragraph about the researchers’ work experience at offensive security companies.