BSidesVienna 0x7e8

Julian-Ferdinand Vögele

Julian-Ferdinand Vögele is a senior threat researcher at Recorded Future’s Insikt Group. With extensive experience in malware research, he specializes in tracking infrastructure linked to both cyberespionage and cybercriminal operations. Prior to joining Recorded Future, Julian-Ferdinand worked in offensive security and studied computer science at UCL in London. He is a fellow of the European Cyber Conflict Research Initiative (ECCRI).


Sessions

11-23
13:35
30min
Exposing Predator's Infrastructure: The Impact of Public Exposure and Heightened Sanctions
Julian-Ferdinand Vögele

The ongoing use of mercenary spyware, such as Predator, for purposes beyond legitimate law enforcement raises concerns regarding privacy, legal implications, and the physical safety of targeted individuals, their employers, and those involved in these activities. Although marketed ostensibly for counterterrorism and law enforcement, there is a well-documented pattern of Predator being used to target civil society, including journalists, politicians, and activists. This presentation aims to demonstrate how Predator has been exposed and how that exposure, combined with political re-evaluations such as sanctions, has affected its operations.

In the first part, we examine the multi-tiered Predator delivery infrastructure network identified and exposed by Recorded Future. This includes delivery servers, upstream servers, and infrastructure that is highly likely linked to Predator customers. We illustrate how, among other things, spyware operators initially responded to public reporting in September 2023 and continued their operations with minimal changes to their modus operandi. Our investigation uncovered ongoing Predator usage in at least 11 countries, including two previously unidentified: the Philippines and Botswana.

In the second part, we aim to evaluate the operational status of Intellexa’s Predator after more than a year of major publications. These include Citizen Lab’s report on the hacking of Ahmed Eltantawy, Amnesty’s Predator Files detailing leaked documents about capabilities and an in-depth investigation into Indonesia, and infrastructure exposure by private security companies like Recorded Future. We illustrate how public reporting, alongside unprecedented sanctions and political efforts to combat spyware proliferation—including the US adding Intellexa to the Entity List, an EU resolution, a US visa ban for various individuals involved with Intellexa, and the initiation of the Pall Mall Process—has significantly impacted Predator’s operations.

In the end, we will zoom out, offering insights into the future direction of Predator and providing an outlook on the future of the entire landscape of the mercenary spyware ecosystem.

Main Track
Track 1 (Dachssal)