John Scott-Railton
Apr 18, 2022
🚨MAJOR NEW INVESTIGATION: #CatalanGate state-run hacking operation.

Stunning range of #Pegasus & #Candiru infections in the EU.

Many political & civil society targets got infected. Multiple 🇪🇺 MEPs.

THREAD 1/
catalonia.citizenlab.ca
2/ A jaw dropping list of people were targeted in #CatalanGate

Let's take the 🇪🇺 European Parliament.

*Every pro-independence MEP* was targeted directly or w/relational targeting:

-@toni_comin
-@DianaRibaGiner
-@jordisolef
-@ClaraPonsati
-@KRLS
3/ Catalan civil society was extensively targeted.

From the leadership of major civic organizations like @omnium & @assemblea_int...to open source developers working on digital voting.

Mostly #Pegasus, but #Candiru spyware, too.

Link: citizenlab.ca/2022/04/catala…
4/ So many Catalan politicians were targeted with #Pegasus between 2017-2020.

Like every current/former President of Catalonia since 2010.

Catalan's Parliamentary leadership, legislators, etc. etc. #CatalanGate
5/ The #Pegasus hacking was via a mix of zero-click vulnerabilities & SMS infection attempts.

Texts were *very* well informed.

Like this one: @jbaylina was sent a mobile boarding pass link...for a @FlySWISS flight he'd booked.
6/ WILD: while doing #Pegasus forensics, at the 11th hour on this project, @billmarczak actually discovered another NSO iOS Zero-Click 0day!

We call it #Homage

We think it stopped working by 13.2 so if you are updated, you're likely OK.

We notified @apple.
7/ The #Candiru targeting that we saw was via email. Again, often super personalized.

They impersonated official COVID communications from Spanish gov, notifications from biz registries, etc.

Sometimes Candiru & #Pegasus targeting themes overlapped.
8/ Craziest story? Victim working on a live #Candiru infected computer had to be persuaded to step into the hallway using a ruse so we could explain the situation away from its microphones...

Material was shared w/@MsftSecIntel which led to 1.4 billion devices getting patched.
9/ The folks at @AmnestyTech conducted an independent validation of our forensic methods on a selection of cases.
10/ Which government is behind #CatalanGate? Well, we aren't conclusively attributing to a specific government...

But substantial circumstantial evidence suggests a nexus with the Government of Spain.
11/ Big picture: people think the problem with mercenary spyware is that it gets sold to dictators. Who abuse it. True.

Turns out that when democracies acquire it, risk of abuse is dangerously high.

It's abundantly clear that this is now a major problem in the #EU.
12/ EU MEPs have begun weighing in👇

🇪🇺 EU Parliament's new committee on Pegasus spyware has first meeting tomorrow.

Sure to be interesting.
13/ Investigations like this are a group effort, huge credit to my coauthors @elies @billmarczak @insyria @sienaanstis @gozdebocu @SalSolimano & @RonDeibert

With help from Miles Kenyon @rizhouto @adamsenft
& so many others.
citizenlab.ca/2022/04/catala…
14/ Cases like this cannot come to light without the many victims & organizations that graciously consent to participating in our research, and chose to come forward & be named.

Without them, this report would not have been possible.
15/ Special acknowledgement to the team @domesticstream who helped us do the amazing graphical companion to our report.

They do great work, give them a follow!

catalonia.citizenlab.ca
16/ Nice thread by David Kaye, former UN Special Rapporteur, talking about *solutions* to the mercenary spyware problem.
