Black Cube and Intellexa Operated Across Greece and Cyprus as the EU Failed to Respond
By Bosphorus News Geopolitics Desk
The Conviction That Did Not Stop the Industry
On 26 February 2026, an Athens court convicted four individuals linked to spyware firm Intellexa for the illegal surveillance of at least 87 people in Greece. The defendants, Intellexa founder Tal Dilian, his business partner Sara Hamou, shareholder Felix Bitzios, and Krikel owner Yiannis Lavranos, each received combined sentences of 126 years and eight months, capped at eight years under Greek misdemeanor law. All four remain free pending appeal.
The conviction was the first of its kind in the European Union. It did not close the wider market that made the case possible.
Days earlier, a separate Israeli private intelligence firm had been running an active operation fewer than 500 kilometres away.
Black Cube, founded by veterans of Israeli elite intelligence units, had deployed operatives in Cyprus. Posing as representatives of a private investment fund interested in committing 150 million euros to the island's energy sector, they secured meetings with senior figures around the government of President Nikos Christodoulides and recorded the conversations covertly. Their targets were the director of the President's Office, a former energy minister and the chief executive of one of the island's biggest construction firms. Their recordings are now in the hands of Cypriot investigators. Their client remains unknown.
The Athens verdict punished four defendants. It did not reach the wider ecosystem in which the operation sat.
Cyprus: Base and Target
The relationship between Greece's Predatorgate and Cyprus's Videogate is not incidental. It runs through the island itself.
Cyprus Confidential documents, published by the International Consortium of Investigative Journalists in November 2023, showed how Intellexa founder Tal Dilian used Cyprus as the operational hub for his surveillance empire. The island's lax regulatory framework, offshore corporate architecture and repeated failure to enforce European Union rules gave Dilian and Sara Hamou room to build one of the world's most controversial spyware operations from Limassol and Larnaca. PEGA Committee rapporteur Sophie in 't Veld described that structure as "a smokescreen, a method they apply to stay under the radar."
Dilian was eventually sanctioned by the United States. Intellexa was placed on a US export blacklist. The EU took no equivalent step.
Then, on 8 January 2026, the day after Cyprus assumed the rotating presidency of the Council of the European Union, an eight minute video appeared on X under the account "Emily Thompson." It featured covertly recorded conversations with Charalambos Charalambous, then director of the President's Office, former Energy Minister Giorgos Lakkotrypis and Cyfield chief executive Giorgos Chrysochou. The footage, assembled in documentary style, alleged corruption, illegal campaign financing and a system of privileged access in which proximity to the presidency could be converted into commercial advantage.
The Christodoulides government moved quickly to frame the video as a foreign hybrid operation, calling it "a product of fabrication, distortions and hybrid interference." In the early phase of the scandal, Bosphorus News reported that the affair was already being framed not only as a corruption controversy but also as a possible foreign interference case, with claims in public circulation pointing to Russian disinformation methods and digital dissemination links traced to Türkiye, without formal attribution by investigators, in "Cyprus Probes Leaked Video Amid Claims of Russian Disinformation and Digital Links to Türkiye". The opposition rejected that line. Several opposition figures argued that even if the operation carried the hallmarks of hybrid interference, the authenticity of what was said on camera had not been answered and the corruption allegations required a political response, not only a security one.
Charalambous resigned four days after the video appeared. The presidency of the First Lady's social support fund was transferred to another body. The political damage was immediate and institutional.
Cypriot media and the investigative outlet Politis have since reported that Black Cube is the firm behind the operation. The company has not denied involvement and has acknowledged limited cooperation with investigators, including the handover of unedited recordings to the team led by former Supreme Court judge Andreas Paschalides. Black Cube has said publicly that it acted on behalf of a private client rather than a state actor and that its work exposed corruption. It has not disclosed who commissioned the operation. Paschalides has been granted a two month extension and is now due to submit his report in June.
Cyprus first gave Intellexa corporate shelter. It later became the stage for a Black Cube sting.
Greece: The State Question Reopens
Predatorgate did not begin as a corporate scandal. It began as a political one.
The surveillance of at least 87 individuals, including opposition leader Nikos Androulakis, journalists, senior military officials and members of the prime minister's own circle, was carried out using Predator spyware, a tool developed by the Intellexa consortium that can access a target's messages, calls, camera and microphone. Trial evidence showed that the Ministry of Citizen Protection signed six classified contracts with Krikel, the company convicted of procuring Predator. Classified spending at that ministry totalled approximately 160.9 million euros between 2020 and 2024, the highest of any Greek ministry in that period, overlapping with the years in which Predator was reported to have been active.
Intellexa's position throughout the trial was consistent. The company says it sells only to governments and law enforcement agencies. The Greek government's line was equally consistent. It says private actors operated Predator without state involvement. The distance between those two positions remains the central unresolved fault line of the case. As Bosphorus News noted in its earlier analysis, "Greece's Predator Scandal Returns to the State Question", that contradiction sharpened after the February conviction, when prosecutors opened an espionage track and the state question moved back to the centre of the scandal.
That fault line deepened after the verdict. Trial testimony showed that the Greek National Intelligence Service, EYP, which operates under the Prime Minister's Office, had compiled surveillance files on confirmed Predator targets. Those files were later destroyed. No official explanation has been made public for that destruction and no individual has been held accountable. Greek media reports also indicate that ADAE, the privacy authority, has not complied with a ruling by Greece's highest administrative court requiring disclosure to targets. What began as a surveillance scandal now also carries the shape of a rule of law problem.
Following the February conviction, prosecutor Dimitris Pavlidis opened three new lines of inquiry: espionage, software trafficking and the role of unnamed senior Intellexa managers. A retrial hearing has been scheduled for 11 December 2026. The European Parliament revisited the case in March 2026, reaffirming that the surveillance formed an illegal targeting chain directed at journalists, politicians and civil society. No court has established that the Greek state purchased or operated Predator.
Slovenia: The Playbook Travels
Between December 2025 and March 2026, Black Cube ran a third operation, this time in Slovenia.
Co founder Dan Zorella, retired Israeli Major General Giora Eiland, a former head of Israel's National Security Council, and a third operative flew to Ljubljana on a private jet and visited the headquarters of opposition leader Janez Janša's Slovenian Democratic Party. Flight records confirmed three further visits between November 2025 and February 2026. Black Cube operatives then approached figures linked to government circles while posing as representatives of a fictitious British investment fund called "Stockard Capital," luring them into staged meetings in Vienna and recording them covertly.
The recordings surfaced online in the weeks before Slovenia's 22 March parliamentary election through an anonymous Facebook profile. The material alleged corruption among figures tied to Prime Minister Robert Golob's coalition and quickly became part of the campaign's final stretch.
Slovenia's Intelligence and Security Agency, SOVA, confirmed Black Cube's presence and presented material evidence of foreign interference to the National Security Council. Golob wrote to European Commission President Ursula von der Leyen, describing "a grave instance of foreign information manipulation." French President Emmanuel Macron said Golob had been "the victim of clear cut interference by third countries." Golob's coalition narrowly won the election, 28.54 percent to 28.17 percent, with coalition talks still ongoing.
The operational template closely mirrored Cyprus: fictitious investors, staged meetings, covert recordings and timed release ahead of a politically sensitive moment. In Cyprus, the target date was the start of the EU Council presidency. In Slovenia, it was a national election.
Timing was not incidental. It was central to the operation.
The EU's Consistent Absence
Across all three cases, the European Union's institutional response followed a familiar pattern: documentation without consequence.
In Greece, the European Parliament established the PEGA Committee in 2022. It produced a detailed report in May 2023, found violations of EU law and issued ten recommendations to Athens. Greece implemented none of them in full. The Greek Supreme Court cleared state officials in 2024. The European Commission opened no infringement proceedings. No sanctions followed. No binding measure was imposed.
In Cyprus, the Videogate operation was launched the day Cyprus assumed the EU Council presidency. The bloc has not formally addressed that provocation. Black Cube remains operational. Its client remains unidentified.
In Slovenia, Golob's letter to von der Leyen produced no institutional response. Macron's statement remained just that. The EU has opened no formal proceedings related to Black Cube's documented interference in a member state election.
Part of the explanation is legal. The EU has no direct enforcement mechanism over member states' intelligence services, and private intelligence firms operating across borders sit in regulatory gaps that existing frameworks were not designed to close. But legal constraint alone does not explain the silence. The absence of political will has widened the gap. When the US Treasury sanctioned Intellexa in March 2024, Sophie in 't Veld, the former PEGA rapporteur, wrote: "Maybe the US should then also sanction the Member State governments, the EU Commission and EUCO. They are the enablers in chief of the abuse of, and illicit trade in spyware, giving Intellexa tax breaks, government contracts and export licenses."
The United States acted. The European Union watched. That gap has not narrowed.
One Industry, Three Operations, One Open Question
Predatorgate and Videogate are not parallel scandals that happen to share a region. They are connected outputs of the same private intelligence market, built by veterans of the same Israeli intelligence community, operating through methods shaped in the same institutional culture and protected by the same regulatory vacuum.
The geography makes the point clearly. Cyprus served as Intellexa's operational base and corporate shelter. Greece absorbed the legal fallout, producing the continent's first criminal conviction of a spyware executive. Slovenia became the latest case in which the same ecosystem resurfaced, this time through human infiltration rather than digital intrusion.
The method shifted across the cases. Predator is a digital intrusion tool that infects a device through a malicious link. Black Cube's operations in Cyprus and Slovenia relied on human infiltration, grey zone services built around fabricated identities, fictitious funds and staged encounters. The techniques differed, but the underlying architecture did not. Deniability remained built in. So did the refusal to identify the client.
In Greece, the procurement chain was allegedly linked to government contracts. In Cyprus and Slovenia, the client was private and remains undisclosed. In each case, the standard defence sounded familiar: the work was legal, wrongdoing was exposed and the client would not be named.
Intellexa's conviction did not close the state question in Greece, did not identify who commissioned the Cypriot operation and did not trigger a single binding EU measure against the industry that produced all three crises.
The Paschalides report, due in June, may answer the Cypriot question. The Athens retrial, scheduled for December, may answer the Greek one. Brussels has set no deadline for itself.
***Cypriot investigators' identification of Black Cube as the firm behind the Videogate operation has been reported by Politis and other Cypriot outlets but has not been established by judicial proceedings. Black Cube has not denied involvement and stated publicly that it acted on behalf of a private client. Intellexa's conviction was handed down by an Athens court on 26 February 2026. SOVA's confirmation of Black Cube's presence in Slovenia was presented to the National Security Council on 20 March 2026 and published on the Slovenian government's official website. Cyprus Confidential documents were published by the International Consortium of Investigative Journalists in November 2023. Classified spending data cited in the Predatorgate section draws on Finance Ministry records reviewed by Dikastiko Reportaz and reported in Bosphorus News's earlier analysis of the Greek surveillance scandal, published on 22 March 2026. Sophie in 't Veld's statement on EU institutional responsibility was published on X in September 2024.