Every spy probably imagines himself as James Bond, at least sometimes.
But Shalev Hulio, pudgy, indiscreet and a 007 obsessive, was never a spy — just an Israeli tech nerd who has found himself at the intersection of big secrets and big money.
Maybe that’s why, a few years ago, he started selling the cyber weapon Pegasus under the name Q Suite, after the beloved Quartermaster from the Bond films.
But the NSO Group, the shadowy Israeli military spyware manufacturer that Hulio co-founded a decade ago, is nothing like the workshop from which the curmudgeonly Q operates.
Staffed by dizzyingly well-paid veterans of Israel’s elite military intelligence units, NSO is best known for creating Pegasus, a piece of software so powerful that it can hack remotely into any phone, pierce all its encrypted apps and turn on its camera and microphone to listen in to whispered secrets from a world away.
NSO’s clients — real-world spies, mostly — are notoriously secretive. It is policed by the Israeli Ministry of Defence, which approves every export licence for the software and considers Pegasus a weapon, to be sold only to the country’s friends — potential or current.
But every so often, NSO’s own secrets, usually shielded behind layers of shell companies and non-disclosure agreements, spill out into the open.
This week, 17 newspapers banded together in an Amnesty International consortium nicknamed the Pegasus Project. The subsequent investigation drew on a purportedly leaked list of 50,000 people that the human rights watchdog says “is irrefutably linked to potential targets” and included princesses and presidents, kings and their courtiers, journalists and political dissidents, many of them critical of repressive regimes.
Hulio, 39, is garrulous and foul-mouthed, friendly to the point of disarming and evasive to the point of frustration. Like other Israeli start-ups that nurture a Silicon Valley-style origins story, he likes to talk about how NSO started life in a chicken coop on a kibbutz in central Israel.
Guarded by well-trained minders, he is now in charge of cleaning up the most recent mess. In his telling, bad guys — paedophiles, terrorists and drug-lords — use encrypted apps to avoid getting caught. NSO sells Pegasus solely to the good guys after careful vetting, and only so that they can stop the bad guys.
What then of the hundreds of journalists, academics, dissidents and members of civil society around the world to whose phones human rights groups, including the Citizen Lab at the University of Toronto, have traced Pegasus over the years? “NSO will thoroughly investigate any credible proof of misuse of its technologies, as we always had, and will shut down the system where necessary,” his lawyers reply.
(“Enough is enough,” the company said, in response to press queries about the Amnesty consortium’s reports. NSO “will not play along with this vicious and slanderous campaign.”)
Those who have known Hulio for longest describe a man who is somewhat surprised that NSO has survived thus far, if only for technical reasons. The assumption, says one who has known him since high school, was that phonemakers such as Apple would eventually find a way to shut him down.
“He called it a cat-and-mouse game,” says this individual. “But every new operating system adds a new feature, and even if it closes one vulnerability, another is found — it’s painful and it’s slow, but there’s always one.”
The software’s survival has made Hulio rich — the company is valued at about $1.5bn, and he owns a tenth of it, according to people familiar with the valuation.
He remains the company’s public face. One co-founder left years ago; another, Omri Lavie, who once joked to the FT in 2013 that he didn’t want to talk about NSO clients because “I don’t want to be beheaded”, has other ventures.
Hulio’s work for NSO has meant a lot of private jet flights to countries that most Israelis will never visit. People familiar with NSO say the company has done business with Saudi Arabia, Azerbaijan, Morocco and the UAE.
This has meant working in an environment where nearly all negotiations are done in person — a world of middlemen and non-disclosure agreements. One middleman, who says he was never paid after being used to make a sale in Africa, says he’s now relieved he never ended up formally in business with NSO. “How much is it worth to be caught in the middle of this?” he asks. “Maybe this (technology) was used to catch two terrorists or two criminals, but this thing was designed for political ends.”
That, in the end, is Hulio’s dilemma. The narrative of a technology that he says is designed to catch criminals and terrorists has been punctured by various newspapers, an independent UN Rapporteur on freedom of expression and now this recent consortium.
To convince the world that NSO is one of the good guys, Hulio is going to have to lift the veil of secrecy it has thrived behind, while simultaneously fighting off the tech giants — from Apple to Facebook — who want to shut him down. For now, he has already failed in Q’s first directive to Bond (“Never let them see you bleed”). The company’s future might depend on how well he executes the second: “Always have an escape plan.”
mehul.srivastava@ft.com