Cyprus has made strides in positioning itself as an innovation and technology hub. It is also a popular tourist destination, with its stunning beaches and rich cultural heritage attracting visitors from around the world. However, Cyprus is also known for another, more dubious distinction. It has become a popular “hub” for espionage and surveillance activities.

The clandestine global surveillance technology market has seen a significant uptick in recent years, with the industry reaching $130 billion in 2022, and projected to reach a value of $213 billion by 2026. This growth can be attributed to various factors, including the increasing use of technology in everyday life, the growing threat of cyber attacks, and the management of information and big data. While countries such as the United States, China, and Israel dominate the global surveillance market, Cyprus has also emerged as a key player.

More recently, the European Commission has expressed concerns over the misuse of spyware within the EU, noting that the technology has been used to “intimidate political opposition, silence critical media and manipulate elections.” 

Cyprus is included among these concerns, where the Members of the European Parliament (MEPs) have highlighted that, “Cyprus has played a major role as an export hub for spyware and should repeal all export licenses it has issued that are not in line with EU legislation.” 

The island also has a history with questionable espionage activities involving spyware, and unfortunately they are more serious than thrilling, as they highlight a lack of privacy and digital safety.

One of the most notorious cases of spyware in Cyprus is definitely that of whistleblower Makarios Drousiotis, now a journalist and once an aide to former President Nicos Anastasiades. He believed that he was personally targeted by authorities using surveillance and spyware to monitor his communications at a time where he was conducting a research project on corruption across the island. His research included the relationship between the former president of Cyprus and Russian oligarch, Dmitri Rybolovlev.

His suspicions led him to discover that the Cypriot secret services, CIS, operated with spyware from the well-known Italian surveillance technology company, The Hacking Team. The Italian company had leaked emails indicating that former president Anastasiades authorized the monitoring and surveying of Drousiotis.

Another alarming case of espionage in Cyprus encompasses the Israeli “spy van” incident in 2019. The van, including the spyware technology it carried, was estimated to cost between $3.5 million and $9 million, and was commandeered by an Israeli intelligence veteran and spy-tech dealer, Tal Dillian. The van acted as a one-stop shop for spyware dealings and hacking tools that could listen-in on and monitor encrypted communications such as those people regularly carry out through Whatsapp, as Dillian had demonstrated for Forbes in their interview in Larnaca.

While those tools were initially crafted to shadow the movements of terrorists and notorious criminals, there were some occasions in which politicians, journalists, and human rights activists were targeted as well.

Aside from espionage being conducted within the island, companies sought to establish their spyware and surveillance technology licenses from Cyprus as well. Famously, the Israeli firm, NSO group, which has been recently blacklisted by the Biden administration, acquired its exporting licenses from Cyprus and Bulgaria, and had set up subsidiaries in the two EU countries to sell its products. 

The NSO group has concerned human rights activist groups for some time, as its spyware “Pegasus'' had been implicated in the targeting and killing of Saudi Arabian journalist Jamal Khashoggi in 2018.

In being implicit in exporting spyware and surveillance technology licenses, Cyprus has caught the regulatory gaze of the EU, which assembled under the PEGA Committee to revamp EU spyware regulations. The PEGA Committee was initially formed to address the issues and challenges that arose from the Pegasus spyware and its activity within Europe. 

The recent report from PEGA, consisting of 14 months of hearings and studies, indicated that the Committee aims to introduce a more strict regulatory framework. Their conclusion dissatisfied the European Digital Rights initiative, as they had hoped for an outright ban on spyware across the EU.

The Committee also highlighted some noteworthy proposals for future EU legislative plans. These include the establishment of European technology labs focused on supporting individuals by detecting the existence of spyware within their devices, as well as a “call on national parliaments to set up meaningful oversight bodies of intelligence services and better cooperate among them to increase accountability and control.”

To counterbalance the shady espionage activities across the island, Cyprus is also home to several cybersecurity firms, one of which, Malloc was founded in 2020 and acts to provide spyware protection for companies, government bodies, and individuals. The mere existence of companies like Malloc in times of rampant cyberthreats and shady espionage is almost akin to vigilantes protecting people from those with malicious intent.

Another Cyprus-based cybersecurity company is Odyssey. They specialize in supporting organizations globally to establish and manage their cybersecurity strategies with the purpose of mitigating operational risk since 2003. Such services are critical at a time of rampant cyber attacks targeting not only individual’s data, but that of organizations as well.

Such organizations may also provide a backbone for upcoming EU legislation in further advancing and developing the continent’s e-Privacy Directive. While spyware and surveillance technologies are not intended to serve those with malicious intent, it is imperative that nations and regulatory bodies seek to establish stringent laws on the development, sale, and exporting of spyware. 

It is crucial for governments, civil society organizations, and individuals to monitor and hold accountable those who engage in such activities to ensure that they are not violating basic human rights and freedoms.