Spyware startup Variston is losing staff, some say it’s closing its doors


In July 2021, someone sent Google a batch of malicious code that could be used to hijack Chrome, Firefox, and PCs running Windows Defender. This code was part of an exploitation framework called Heliconia. At the time, the exploits used to target these apps were zero-days, meaning the software vendors were unaware of the bugs, according to Google.

More than a year later, in November 2022, Google’s Threat Analysis Group, the company’s team that investigates government-sponsored threats, published a blog post analyzing these exploits and the Heliconia framework. Google researchers concluded that the code belonged to Variston, a Barcelona-based startup unknown to the public.

“It was a huge crisis at the time, mainly because we had gone under the radar for a while,” a former Variston employee told TechCrunch. “Everyone believed that in the end we would be exposed by getting caught [in the wild], but it was more of an escape.”

Another former Variston employee said the code was sent to Google by a disgruntled employee of the company and after that Variston’s name and secrets were “burned.”

Google continued to investigate Variston’s tools. In March 2023, researchers from the tech giant discovered that spyware made by Variston was used in Italy, Kazakhstan, Malaysia and the United Arab Emirates. Last week, Google reported that it discovered Variston hacking tools used against iPhone owners in Indonesia.

Over the past year, more than half a dozen Variston employees have left the company, they told TechCrunch on condition of anonymity because they were not authorized to speak to the press due to non-disclosure agreements.

Now, according to four former employees and two people with knowledge of the spyware market, Variston is on the verge of closing its doors.

In the early 2010s, the public began to discover that there was a thriving market in which Western companies, such as Hacking Team, FinFisher, and NSO Group, were providing surveillance and hacking tools to countries and regimes around the world with questionable or poor human rights records, such as Ethiopia, Mexico, Saudi Arabia, the United Arab Emirates and many others.

Since then, digital and human rights organizations like Citizen Lab and Amnesty International have documented dozens of cases where government clients of these spyware makers used these tools to hack and spy on journalists, dissidents and human rights defenders.

In recent years, the offensive security industry has become more public and normalized. Some of these spyware makers and exploit developers openly advertise their services online, their employees disclose where they work on social media, and a few popular security conferences openly cater to this industry, such as OffensiveCon and HexaCon.

Variston, however, has always tried to go unnoticed.

The company’s only public presence is a simple website where it vaguely describes what it does.

“Our toolset draws on the extensive cumulative experience of our consultants. It supports digital information discovery by [law enforcement agencies],” reads Variston’s website, in the only brief mention of its work as a maker of spyware and exploits for government agencies.

Variston has prohibited employees from disclosing where they work, not only on LinkedIn but also at cybersecurity conferences, according to former employees who spoke to TechCrunch.

[Screenshot of the Variston website, which reads: “Your Trusted Partner. At Variston, we strive to offer tailored information security solutions to our customers. Our team is made up of some of the most experienced experts in the industry. We are a young but growing company.” alongside a photo of an iPhone.]

The Variston website. Image credits: TechCrunch (screenshot)

According to Spanish business records seen by TechCrunch, Variston was founded in Barcelona in 2018, citing Ralf Wegener and Ramanan Jayaraman as founders and directors.

While its website lists another address in the city, Variston most recently worked from an office in Barcelona’s Poble Nou neighborhood, in a coworking space a block from the beach. In October, a representative for the coworking space told TechCrunch that Variston had been there for a few years.

When TechCrunch visited Variston’s office this week, a representative for the shared workspace claimed that Variston was still working there. The representative offered to take a message to Variston, saying they weren’t there that day but had been in the building that week. Neither Wegener nor Jayaraman responded to several emails from TechCrunch seeking comment on Variston. An email sent to Variston’s public email address was not returned.

One of Variston’s first moves in 2018 was to acquire Truel IT, a small zero-day research startup in Italy, according to Italian business records seen by TechCrunch. Since then, Variston has grown into a company with around a hundred employees. In addition to Heliconia, the company’s exploit framework for targeting Windows devices, Variston has also developed exploits and hacking tools targeting iOS and Android. Variston’s Android product was called Violet Pepper, according to former employees.

Even the founders of Truel IT, who joined Variston, do not disclose Variston as an employer on their LinkedIn profile.

According to former Variston employees, this level of secrecy also applied to the identities of the company’s customers, with the exception of its special relationship with Protect, a company based in Abu Dhabi, United Arab Emirates.

“Variston was a supplier to Protect,” said a person with knowledge of Protect’s operations, who asked to remain anonymous because they were not authorized to speak to the press. “It was an important relationship for both of them for a while.”

The company’s work “was going to the United Arab Emirates” and Protect was “de facto the only customer,” according to former Variston employees.

Former employees told TechCrunch that Protect funded all of Variston’s operations, including research and development. A former Variston employee said that once Protect withdrew its development funding in early 2023, Protect attempted to force Variston employees to relocate. Then, when research funding stopped later that year, Variston “closed up shop,” the person said.


In early 2023, Protect asked all Variston employees to relocate to Abu Dhabi. This is where Variston began to fall apart, as most of Variston’s employees did not accept the proposal. The former employees said management gave them two choices: “move to Abu Dhabi or get fired,” and that there would be no exceptions.

Protect presents itself as “a leading cybersecurity and forensics company.” Much like Variston, Protect doesn’t say much else on its website about what the company does.

But Google security researchers believe that Protect, also known as Protect Electronic Systems, “combines the spyware it develops with the Heliconia framework and infrastructure, into a complete package that is then offered for sale either to a local broker or directly to a government client.”

This would explain how Variston’s tools ended up being used in Indonesia, Italy, Kazakhstan and Malaysia.

According to Intelligence Online, a specialist publication that covers the surveillance and intelligence sector, Protect was launched after it was revealed that DarkMatter, a controversial hacking company based in the United Arab Emirates, employed Americans who helped the UAE government spy on dissidents, political rivals and journalists.

Since 2019, Protect has been led by Awad Al Shamsi and has provided “UAE government users with discreet access to foreign cybertechnology,” Intelligence Online reported. It is unclear whether Al Shamsi is still at Protect, and Al Shamsi did not respond to an email seeking comment. Protect did not respond to several other emails from TechCrunch.

Variston founders Wegener and Jayaraman also appear to have worked at Protect, at least since 2016, according to public online records of encryption keys linked to their Protect email addresses viewed by TechCrunch.

Wegener is a veteran of the spyware industry. According to Intelligence Online, Wegener runs several other companies, some based in Cyprus and also co-owned by Jayaraman. Wegener worked at AGT, or Advanced German Technology, a surveillance provider founded in Berlin in 2001 with an office in Dubai. In 2007, in collaboration with Italian spyware maker RCS Lab, AGT worked with the Syrian government to develop a centralized, country-wide, real-time Internet surveillance system, according to reports based on leaked documents and research conducted by the non-profit organization Privacy International. Ultimately, AGT did not deliver the system to the Syrian government.

Five years after its creation, Variston is no longer a secret startup.

Three former employees said Google’s 2022 report exposed Variston’s secret. One of the employees said Google’s report revealing Variston “could have been the beginning of the end” for the spyware maker.

But another former Variston employee said the company — like other spyware makers — would have eventually been exposed. “It was bound to happen sooner or later,” the person said. “This is completely normal.”

Natasha Lomas contributed reporting.

