Spyware startup Variston is losing staff – some say it’s shutting down

In July 2021, someone sent Google a batch of malicious code that can be used to hack PCs running Chrome, Firefox, and Microsoft Defender. That code was part of an exploit framework called Heliconia. And at the time, according to Google, the exploits used to target those applications were zero-day, meaning software makers were unaware of the bug.

More than a year later, in November 2022, Google’s Threat Analysis Group, the company’s team that investigates government-backed threats, published a blog post analyzing those exploits and the Heliconia framework. Google researchers concluded that the code belonged to Barcelona-based startup Variston, which was unknown to the public.

“It was a huge crisis at the time, mainly because we had been under the radar for so long,” a former Variston employee told TechCrunch. “Everyone believed that by finally getting caught we would be exposed [in the wild]. But instead it was a leaker.”

Another former Variston employee said that the code was sent to Google by a disgruntled company employee and that after it happened, Variston’s name and privacy were “burned”.

Google continued to search for Variston’s malware. In March 2023, researchers at the tech giant found that spyware created by Variston was used in Kazakhstan, Malaysia and the United Arab Emirates. Last week, Google revealed it found Variston hacking tools used against iPhone owners in Indonesia.

In the past year, more than half a dozen Variston employees have left the company, they told TechCrunch on condition of anonymity because they were not authorized to speak to the press due to nondisclosure agreements.

Now, according to four former employees and two people with knowledge of the spyware market, Variston is shutting down.

In the early 2010s, the public began to realize that there was a thriving market where Western-based companies such as Hacking Team, Finfisher, and NSO Group were providing surveillance and hacking tools to countries and regimes around the world with questionable or poor human rights records, such as Ethiopia, Mexico, Saudi Arabia, UAE and many others.

Since then, digital and human rights organizations such as Citizen Lab and Amnesty International have documented dozens of cases where government customers of these spyware makers were using those tools to hack and spy on journalists, dissidents and human rights defenders.

Over the past few years, the offensive security industry has become more public and normalized. Some of these spyware makers and exploit developers openly advertise their services online, their employees disclose on social media where they work, and there are some popular security conferences that openly promote this industry, such as OffensiveCon and HexaCon.

However, Variston has always tried to fly under the radar.

The only public-facing information about the company is a barebones website where it vaguely describes what it does.

“Our toolset is built on the vast cumulative experience of our advisors. It supports searching of digital information [law enforcement agencies],” is written on Variston’s website, the only brief mention of its work as a spyware and exploit creator for government agencies.

According to former employees who spoke to TechCrunch, Variston has prohibited employees from disclosing where they work, not only on LinkedIn, but also at cybersecurity conferences.

Screenshot of Variston's website, which reads, "Your Trusted Partner At Variston we strive to provide specialized information security solutions to our customers.  Our team includes some of the most experienced experts in the industry.  We are a young but fast growing company." Featuring an iPhone photo.

Variston website. Image Credit: TechCrunch (screenshot)

Variston was founded in Barcelona in 2018, according to Spanish business records seen by TechCrunch, with Ralf Wegener and Ramanan Jayaraman listed as founders and directors.

While its website lists another address in the city, Variston most recently worked out of an office in the Barcelona neighborhood of Poblenou, inside a co-working space located a block from the beach. In October, a representative for the co-working space told TechCrunch that Variston was based there and had been for a few years.

When TechCrunch visited Variston’s office this week, a co-working space representative claimed that Variston was still working there. The representative offered to take a message for Variston, stating that they were not there that day but that they had been in the building that week. Neither Wegener nor Jayaraman responded to multiple emails from TechCrunch requesting comment about Variston. An email sent to Variston’s public email address was not returned.

Variston’s first move in 2018 was to acquire Truel IT, a small zero-day research startup in Italy, according to Italian business records seen by TechCrunch. Since then, Variston has grown to a company with approximately a hundred employees. In addition to Heliconia, the company’s exploit framework for targeting Windows devices, Variston also developed exploits and hacking tools targeting iOS and Android. According to former employees, Variston’s Android product was called Violet Paper.

Even Truel IT’s founder, who went to work at Variston, does not disclose Variston as an employer on his LinkedIn profile.

According to former Variston employees, this level of confidentiality also applies to the identities of the company’s customers – except for its special relationship with Protect, a company based in the United Arab Emirates city of Abu Dhabi.

“Variston was a supplier to Protect,” said a person with knowledge of Protect’s operations, who asked to remain anonymous because they were not authorized to speak to the press. “It was an important relationship for both of them for some time.”

Former Variston employees said that the company’s work was “going to the UAE” and that Protect was “really the only customer”.

Former employees told TechCrunch that Protect was funding all of Variston’s operations, including the research and development side. A former Variston employee said that once Protect withdrew its funding from the development side in early 2023, Protect tried to force Variston employees to relocate. Then, when research funding stopped at the end of the year, Variston “closed up shop,” the person said.

Contact

Do you know more about Variston or Protect? From a non-work device, you can securely contact Lorenzo Franceschi-Bicchierai on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email. You can also contact TechCrunch via SecureDrop.

In early 2023, Protect asked all Variston employees to move to Abu Dhabi. This is where Variston’s mystery began to unravel, as most of Variston’s employees did not accept the offer. Former employees said management gave them two options: “Move to Abu Dhabi or be fired,” and there would be no exceptions.

Protect bills itself as “a cutting-edge cybersecurity and forensics company.” Like Variston, Protect doesn’t say anything else on its website about what the company does.

But Google’s security researchers believe that Protect, also known as Protect Electronic Systems, “combines spyware developed with the Heliconia framework and infrastructure into a complete package, which is then offered for sale to a local broker or directly to a government customer.”

This would explain how Variston tools reportedly came to be used in Indonesia, Kazakhstan and Malaysia.

According to Intelligence Online, a trade publication that covers the surveillance and intelligence industry, Protect was launched after Darkmatter, a controversial hacking company based in the United Arab Emirates, was revealed to be employing Americans who then helped the UAE government spy on dissidents, political rivals and journalists.

As of 2019, Protect was led by Awad Al Shamsi, and was “providing UAE government users discreet access to foreign cyber technology,” Intelligence Online reported. It is not known whether Al Shamsi is still at Protect, and Al Shamsi did not respond to an email requesting comment. Protect did not respond to multiple further emails from TechCrunch.

Variston founders Wegener and Jayaraman also appear to have worked at Protect until at least 2016, according to public online records of encryption keys associated with their Protect email addresses seen by TechCrunch.

Wegener is a veteran of the spyware industry. According to Intelligence Online, Wegener runs several other companies, some of which are based in Cyprus and also co-owned by Jayaraman. Wegener worked at AGT, or Advanced German Technology, a surveillance provider founded in Berlin in 2001 with an office in Dubai. In 2007, along with Italian spyware maker RCS Lab, AGT worked with the Syrian government to develop a centralized real-time nationwide Internet surveillance system. According to news reports based on leaked documents and research by the nonprofit Privacy International, AGT ultimately did not provide the system to the Syrian government.

Five years after its founding, Variston is no longer a secret startup.

Three former employees said Google’s report in 2022 exposed Variston’s secrecy. One of the employees said the Google report exposing Variston “could be the beginning of the end” for the spyware maker.

But another former Variston employee said the company – like other spyware makers – would eventually have been exposed. “It was bound to happen sooner or later,” the man said. “It’s quite normal.”

Natasha Lomas contributed reporting.

Google’s search for Variston’s tool was incorrectly attributed to Italy due to an editor’s error in an earlier version of this report. ZW.
