The text message that dragged Thanasis Koukakis into what’s being called Europe’s Watergate scandal was so innocuous, he can barely remember receiving it. The Athens-based financial journalist received the note on his black iPhone 12 Pro on July 12 last year from a Greek number he didn’t have saved. That wasn’t unusual for Koukakis, who has spent the past three years investigating the changes the government has been making to financial crime regulation. He gets a lot of messages—both from numbers he’s saved and those he hasn’t. This one addressed him directly. “Thanasis,” it read, “Do you know about this issue?” Koukakis clicked on the link that followed, which took him to a news story about a Greek banking scandal. He replied with a terse: “No.”

Koukakis, 44, did not think about the message until months later. In the days that followed, he was oblivious to the fact that the website that hosted the story he was sent had disappeared. He also did not know that by clicking on that link, he had opened an invisible door inside his phone, allowing spyware called Predator to creep in to silently watch the messages and calls he was sending and receiving.

His phone kept working as if everything was normal, he says. Then, in December, Koukakis read a report about how Facebook parent company Meta had detected commercial spyware being used by customers in 10 different countries, including Greece. One of the links used to trick people into downloading the spyware was designed to look like CNN Greece—where he worked as an editor.

Suddenly suspicious, he contacted Meta, which connected him with researchers at Citizen Lab, a research facility at the University of Toronto that specializes in spyware. In March, they told him that he was being spied on. He went public with that information the following month, prompting uproar and an investigation by a Greek prosecutor. But the scandal was only getting started. On July 26, another person revealed he had also received a link infected with Predator spyware: Nikos Androulakis, leader of PASOK, Greece’s third largest political party.

Androulakis did not click on the infected link. But the fact that someone had attempted to hack the phone of a serving opposition leader tipped the Greek government into crisis. Two officials have resigned so far and pressure is mounting on Prime Minister Kyriakos Mitsotakis to explain who’s behind the spyware.

The ripple effects of the scandal are reaching the heart of the European Union. Over the past 13 months, it has been revealed that spyware had targeted opposition leaders, journalists, lawyers and activists in France, Spain, Hungary, Poland and even staff within the European Commission, the EU’s cabinet-style government, between 2019 and 2021. The bloc has already set up an inquiry into its own use of spyware, but even as the 38-person committee works toward producing a report for early 2023, the number of new scandals is quickly mounting up.

What sets the scandal in Greece apart is the company behind the spyware that was used. Until then the surveillance software in every EU scandal could be traced back to one company, the notorious NSO Group. Yet the spyware stalking Koukakis’ phone was made by Cytrox, a company founded in the small European nation of North Macedonia and acquired in 2017 by Tal Dilian—an entrepreneur who achieved notoriety for driving a high-tech surveillance van around the island of Cyprus and showing a Forbes journalist how it could hack into passing people’s phones. In that interview, Dilian said he had acquired Cytrox and absorbed the company into his intelligence company Intellexa, which is now thought to be based in Greece. The arrival of Cytrox into Europe’s ongoing scandal shows the problem is bigger than just the NSO Group. The bloc has a thriving spyware industry of its own.

As the NSO Group struggles with intense scrutiny and being blacklisted by the US, its less well-known European rivals are jostling to take its clients, researchers say. Over the past two months, Cytrox has not been the only local company to generate headlines for hacking devices within the bloc.

In June, Google discovered the Italian spyware vendor RCS Lab was targeting smartphones in Italy and Kazakhstan. Alberto Nobili, RCS’ managing director, told WIRED that the company condemns the misuse of its products but declined to comment on whether the cases cited by Google were examples of misuse. “RCS personnel are not exposed, nor participate in any activities conducted by the relevant customers,” he says.

More recently, in July, spyware made by Austria’s DSIRF was detected by Microsoft hacking into law firms, banks, and consultancies in Austria, the UK, and Panama. DSIRF did not reply to WIRED’s request for comment.

“Europe is definitely a nexus,” says Justin Albrecht, security intelligence researcher at cybersecurity company Lookout. This jostling in the spyware industry echoes what happened in 2015, when the well-known Italian spyware maker Hacking Team was itself hacked and the company’s emails were leaked online, says Albrecht. “After that, we started to see different players take away some of the business that was going to Hacking Team.”

Commercial spyware companies are the hit men of their industry. They enable hacking to take place, but they don’t choose the target. Instead, who orders these infections remains a mystery. When researchers detect spyware on a person’s phone, they can tell which company created the product but not who paid for it, meaning it’s difficult to decipher who’s really to blame.

In Greece, for example, the conservative government continues to deny using Predator spyware against Koukakis and Androulakis, although the head of Greek intelligence reportedly admitted to legally wiretapping Koukakis’ phone using local telecoms companies while the prime minister said Androulakis had been put under the same type of surveillance. “What took place was not illegal but it was a mistake,” he said. Resignations there started with those admissions. First the head of Greek intelligence, Panagiotis Kontoleon, stepped down. He was shortly followed by Grigoris Dimitriadis, the prime minister’s chief of staff (and nephew), after local outlet Reporters United alleged Dimitriadis ran in the same circles as people selling Cytrox spyware. Neither the Prime Minister’s office nor the Greek intelligence agency replied to WIRED’s request for comment.

Last year in Hungary, six people discovered their phones had been hacked by NSO Group’s Pegasus, after they were tipped off by the Pegasus Project, an investigation by 17 media outlets in different countries. There is no direct evidence the Hungarian government deployed this spyware against local journalists and activists, says Ádám Remport, legal officer for the Hungarian Civil Liberties Union, which is representing hacking victims in a legal case against the state. Instead it’s a case of connecting the dots. “We know that Hungary bought Pegasus. We know these people were in fields that are uncomfortable for the government,” he says, adding the people targeted were journalists and activists who uncovered corruption and Hungary’s connections with Russia. “I think there are no other possible suspects who could have carried out these acts.”

Following revelations about the use of NSO spyware in Hungary and Poland, members of the European Parliament launched a rare inquiry in April, whose focus on Pegasus was so marked that it was called the PEGA committee.

Some in Israel believe the focus on the NSO Group is disproportionate. “There’s a feeling in Israel that a fair part of this is just Israel-bashing, and if it were any other country, there wouldn’t have been nearly as much noise about it,” says Chuck Freilich, a former deputy national security adviser in Israel. “There are companies and other countries that do the exact same or almost exact same thing. They just don’t do it as well.”

The NSO Group doesn’t deserve less scrutiny, but other spyware companies do deserve more, says Lookout’s Albrecht. Although victims of other spyware firms are not as well known as Jamal Khashoggi, the Washington Post columnist who was murdered after his phone was hacked with Pegasus, there are signs that other companies enable hacking that would be considered controversial. “We’ve seen indications that RCS Lab spyware is being used within Syria, specifically in what’s known as the Rojava region, the area where the Kurdish minority population primarily is,” he says.

For some, the situation in Greece reinforces the argument that there needs to be industry-wide regulation. “Even if NSO Group closes tomorrow because of all the problems they face today, the situation will be the same if there is no change in the regulation,” says Etienne Maynier, a technologist at Amnesty International’s Security Lab. “The problem is not one bad company. It’s really the legal structure that makes these companies take these decisions.”

Sophie in’t Veld, a Dutch MEP who is the rapporteur in charge of the PEGA committee, is hoping to change that once the EU inquiry is complete next year. “This whole sector should be heavily regulated,” she says, adding she wants to force the sector to be more transparent. “If you try to find out who these companies are, who the people are behind them, and where they are based, it’s impossible.”

What annoys her the most is that Intellexa—the company that sells Cytrox—says on its website that it’s EU regulated. “What the hell does that mean that you are EU regulated?” she says. “Regulated by whom and by what rules?”