We reveal the list of Predator providers

Based on the original article by Konstantinos Venakis, published in the ‘Documento’ newspaper on November 27th 2022 – Available HERE

Documento sheds light on the unseen aspects of the technical traces behind the Predator spyware, revealing a list of 498 URLs linked to the spyware from 2021 to the present day. The data that we are publishing will make life easier for the public prosecution authorities, who complain about the technical difficulties they face in fully clarifying the case and identifying the perpetrators of the serious criminal offences that have been committed.

Two hundred and eighty-five (285) domain names and 213 URLs which the administrators left behind have one thing in common: they share the same IP address (72.34.38.64). In addition, all 498 links (URLs) on the list end in the “.gr.com” extension. By geolocating the IP we saw that the servers are located in Chatsworth, California, where the provider, IHNetworks LLC (trading as Insider Hosting), is based. Furthermore, the 285 links we found have exactly the same IP as “domain.gr.com” (a page in Greek), which is also the platform that granted the “.gr.com” suffix. Opening that website, one sees the name Lexi Lavranos. Despite the devil’s coincidence, however, Documento’s evidence so far has not established a family or other relationship with Yannis Lavranos, the businessman allegedly involved in the Predator case.

Of particular importance, especially for the prosecuting authorities, who now know that there are more options than any of us imagined, is the fact that the providers have been identified. All that remains is for IHNetworks LLC, Amazon and “domain.gr.com” to be formally asked by the judiciary whom they were dealing with when their servers hosted the trapped links, who managed them, and who paid for the registration of the hundreds of names that have been found. Because, in addition to renting the server, someone paid to create 285 domain names on “domain.gr.com”.

On top of this, it is noted that for legal reasons providers often (although often informally) keep back-end log files of administrator activity for up to twelve months. In addition, the invoices have probably not disappeared, since many of the URLs are still active. The investigation also revealed that the administrators, through serious errors, left behind hundreds of traces (namely 213 administrative URLs). Several of these websites are still ‘on air’, which reinforces the suspicion that Predator is still ‘alive’, raising further concerns about national security and the integrity of the election campaign, which is in full swing at the moment. Finally, Documento reveals the digital history of “blogspot.edolio5.com”, the malicious link responsible for the infection of the mobile phones of journalist Thanasis Koukakis and well-established businessman Theodoros Karipidis, and also for the attempted hack of the smartphone of MEP and PASOK leader Nikos Androulakis.

Traces are all over the place

The list of URLs revealed by Documento enriches and cross-references the list first published by Meta (Facebook) in collaboration with the Canadian Citizen Lab in December 2021. That publication had, among other things, focused on the North Macedonian company Cytrox, which first developed Predator and was subsequently acquired by Tal Dilian’s Intellexa. It contained hundreds of domain names, while an investigation by Inside Story (16.5.2022) revealed a further six domains.

Documento’s research identified the 498 URLs through reverse IP lookup. In other words, we took the infected addresses in the published lists and noticed that some of them shared a common IP (72.34.38.64). This intrigued us, and with the help of open-access sources such as “dnsdumpster.com” and “who.is” we tracked down the 498 domains with only a handful of clicks. And there was the list! We immediately created a file and realized that it contained more than 100 links (URLs) with the same IP (72.34.38.64) as in Meta’s published lists; they coincided with the list we had in our hands. Comparing this with Inside Story’s research, we found that three of the six domains also had the same IP (72.34.38.64) and also appeared in the list we were looking at.

Overall, the list of domains is divided into six sections, namely: 285 malicious links (URLs), 13 with the “autodiscover” property, 31 with the “cpanel” property, 17 with the “cpcalendars” property, 15 with the “cpcontracts” property, 74 with the “hostmaster” property, and 63 with the “mail” property. These obscure attributes are traces left behind by the administrator and, judging by the numbers, a great many of them. Consequently, the names of the links in the list are not at all random. They concern various kinds of sites: news, pornography, social media, banks, the government labour agency SEPE, advertising, sports, betting, etc.
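The pivot the two paragraphs above describe (start from indicators in an already published list, group them by the IP they resolve to, then sort the hits into lure names and the leftover hosting-panel subdomains such as “cpanel” or “hostmaster”) can be reproduced offline once the resolution data is in hand. The following Python script is an added example and not Documento’s tooling: the (hostname, IP) records and the “published list” in it are constructed samples modelled on names from the article, the treatment of “gr.com” as a registry suffix under which the registrable name sits one label deeper is an assumption, and in real use the records would come from the dnsdumpster.com and who.is lookups the article mentions.

```python
"""Pivot hostnames on the IP they resolve to, split the hits into apex (lure)
names and auto-created hosting-panel service subdomains, and cross-reference
them with an earlier published indicator list.

Added example, not Documento's own tooling. All records below are constructed;
in practice they would come from reverse-IP lookups (dnsdumpster.com, who.is).
"""
from collections import Counter, defaultdict

# Service labels that hosting control panels create automatically. The article
# counts "cpcontracts"; cPanel's standard label is "cpcontacts", so both are
# accepted here.
SERVICE_LABELS = {"autodiscover", "cpanel", "cpcalendars", "cpcontacts",
                  "cpcontracts", "hostmaster", "mail", "webmail", "webdisk"}

# Registry-operated second-level suffixes: the registrable (apex) name sits one
# label deeper than under a plain TLD. Treating "gr.com" this way is an
# assumption based on the article's description of how the suffix is sold.
REGISTRY_SUFFIXES = {"gr.com"}


def normalize(host):
    """Lower-case a hostname and strip whitespace and a trailing dot."""
    return host.strip().rstrip(".").lower()


def registrable_name(host):
    """Apex name a host belongs to, e.g. 'sepenet.gr.com' for
    'hostmaster.www.sepenet.gr.com' and 'example.org' for 'www.example.org'."""
    labels = normalize(host).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in REGISTRY_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def service_label(host):
    """Leading service label ('cpanel', 'hostmaster', ...) if the host is an
    auto-created panel subdomain of its apex, otherwise None."""
    host = normalize(host)
    apex = registrable_name(host)
    if host == apex or not host.endswith("." + apex):
        return None
    first = host[: -len(apex) - 1].split(".")[0]
    return first if first in SERVICE_LABELS else None


def pivot_on_ip(records):
    """Group (hostname, ip) pairs by IP: {ip: sorted list of hostnames}."""
    by_ip = defaultdict(set)
    for host, ip in records:
        by_ip[ip.strip()].add(normalize(host))
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


def classify(hosts):
    """Split hosts into (sorted lure/apex names, Counter of service labels)."""
    lures, services = [], Counter()
    for host in hosts:
        label = service_label(host)
        if label is None:
            lures.append(normalize(host))
        else:
            services[label] += 1
    return sorted(lures), services


def cross_reference(found, published):
    """Hostnames present both in our pivot and in an earlier published list."""
    return sorted(set(map(normalize, found)) & set(map(normalize, published)))


def analyse(records, published, ip):
    """Run the whole pivot for one IP and return a summary dict."""
    hosts = pivot_on_ip(records).get(ip, [])
    lures, services = classify(hosts)
    return {"hosts": len(hosts), "lures": lures, "services": services,
            "overlap": cross_reference(hosts, published)}


# Constructed sample modelled on the article's findings (not the real list).
SAMPLE_RECORDS = [
    ("estia.gr.com", "72.34.38.64"),
    ("inews.gr.com", "72.34.38.64"),
    ("sepenet.gr.com", "72.34.38.64"),
    ("apps.sepenet.gr.com", "72.34.38.64"),
    ("hostmaster.sepenet.gr.com", "72.34.38.64"),
    ("hostmaster.www.sepenet.gr.com", "72.34.38.64"),
    ("cpanel.inews.gr.com", "72.34.38.64"),
    ("mail.estia.gr.com", "72.34.38.64"),
    ("autodiscover.estia.gr.com", "72.34.38.64"),
    ("example.org", "198.51.100.7"),      # unrelated host on a documentation IP
    ("www.example.org", "198.51.100.7"),
]
# Constructed stand-in for an earlier published indicator list.
PUBLISHED_LIST = ["Estia.gr.com", "inews.gr.com", "unrelated.example"]

if __name__ == "__main__":
    summary = analyse(SAMPLE_RECORDS, PUBLISHED_LIST, "72.34.38.64")
    print(f"{summary['hosts']} hosts share 72.34.38.64")
    print("lure/apex names:", ", ".join(summary["lures"]))
    for label, n in sorted(summary["services"].items()):
        print(f"  {label:<13}{n}")
    print("also in published list:", ", ".join(summary["overlap"]))
```

Run as-is, the script reports nine hosts on the sample IP, four lure names (including apps.sepenet.gr.com, which carries no panel label and so is counted with the lures), two “hostmaster” hits and one each of “cpanel”, “mail” and “autodiscover”, and two names overlapping the stand-in published list. Swapping the constructed records for a real export of reverse-IP results reproduces the grouping the article arrives at by hand.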

Indicatively, some of them are: estia.gr.com, exoplismoi.gr.com, inews.gr.com, instagram.gr.com, piraeus.bamk.gr.com, porno.gr.com, sirina.gr.com, myalpha.gr.com, protothema.gr.com, stoiximan.gr.com, mobile.piareus.gr.com, opap.gr.com, pireaus.gr.com, unfollow.gr.com and thestival.gr.com. It should be underlined that there was particular interest in the Labour Inspectorate (SEPE) and the Ministry of Labour, since there are five entries with the following links: apps.sepenet.gr.com, hostmaster.apps.sepenet.gr.com, hostmaster.sepenet.gr.com, hostmaster.www.sepenet.gr.com and sepenet.gr.com.

From the above we can easily distinguish the case of “SEPE”, because it is clear that the link refers to the Labour Inspectorate and may have been aimed at officials of the Ministry of Labour. It should be noted that Documento, in its publication on the second Predator spy list, had revealed that both the Minister of Labour Kostis Hatzidakis and his trusted associate Nikos Sigalas had been trapped. The existence of imitation pornography sites confirms that some might also exploit a person’s sexual orientation in order to blackmail them. The list also includes the domain name “exoplismoi.gr.com” (“equipment”), which may have been used to intercept a person whose profession involves defence or national security matters. Documento, ‘Vima’ and ‘Kathimerini’ have revealed that those targeted include, among others, the former PM’s National Security Advisor Alexandros Diacopoulos, Vice Admiral Aris Alexopoulos, Director of the General Directorate of Defence Equipment and Investments, the former Minister of Citizen Protection Michalis Chrysochoidis, the former chief of the Greek police Michael Karamalakis and, above all, Foreign Minister Nikos Dendias.

Furthermore, as revealed by Documento, the businessman Theod. Karpidis had been “attacked” by Predator, and four links were responsible for his infection: “blogspot.edolio5.com”, “cnn.gr.com”, “thestival.gr.com” and “yout.ube.gr.com”. The last three are not on the Predator provider list, but after searching for these three URLs on “dnsdumpster.com” we confirmed that they have the same IP (72.34.38.64), so either someone deleted them or this is another devil’s coincidence.

And the questions that reasonably arise are: should the messages sent and recorded on third-country providers not be checked? The IP address is exactly the same in all 498 cases (!), the “.gr.com” extension is again the same in all 498 cases (!), while Meta (Facebook) together with the Canadian Citizen Lab, as external parties, have certified that the above extension coincides in many cases with the list explored by Documento.

The “domain.gr.com”

It is worth mentioning “domain.gr.com”, the website that first registered the “.gr.com” extension. Entering the site, one sees that it is from another era. The graphics and software are from a previous decade, and on exploring the site we discover that the entry listing the companies using the above extension is completely empty. On Facebook, it appears that the page operated normally from 2009 to 2015. However, the site in its pinned text refers to the CentralNic website, where the user checks the availability of a “.gr.com” domain name. On entering the latter site, we see that it is more sophisticated. CentralNic Group PLC is a London-based company (4th Floor, Saddlers House, 44 Gutter Lane) and has been listed on the London Stock Exchange since 2013. Currently it appears to be managed by Ben Crawford. At the same time, the CentralNic website offers the option to purchase a domain name in the top left-hand corner. From there the browser takes the user to onlydomains.com, which has the Greek flag in its logo.

That site is based in New Zealand and is owned by CentralNic NZ Limited, which also has Ben Crawford as a director, and Donald Baladasan is an executive of both companies. A further search on the “opencorporates.com” platform revealed that there was a company in New Zealand called “Only Domains Limited”, which was incorporated on 10.6.2009 and dissolved on 31.12.2021. Again, the director of this company was Ben Crawford. Next, by clicking on the main image of “domain.gr.com”, which is a link, you reach the platform of the “instra.com” website, which is a registrar. Instra Corporation, which owns that website, was created “in 1997 in Australia”, as stated in its company profile. In any case, in the UK there is another company called Instra Holdings (UK) Limited, based in London and incorporated on 18.11.2015, with Ben Crawford again as a director and Donald Baladasan as an executive.

Crawford, originally from Australia, has the profile of a typical businessman. He is listed in many companies, mostly subsidiaries, but CentralNic Group Plc, of which he is a board member and CEO, is his flagship company. The latter, founded in 1996, prima facie manages portfolios of Internet services (registrar, web hosting, domain parking, etc.). Lastly, Documento obtained via open sources an internal corporate manual of CentralNic which proves beyond any doubt that Lexi Lavranos (that is, Alexandra-Lexi Lavranos), in addition to being responsible for media at “domain.gr.com”, is also marketing director at the company where Crawford and Baladasan (CFO) sit.

The birth of edolio5.com

“Blogspot.edolio5.com”, the link responsible for the infection of Th. Koukakis and Theod. Karpidis and for the attempted wiretapping of N. Androulakis, may be one of the most recognized spyware links in modern history. But little is known about its real history. Documento has in its possession a recent technical audit proving that it was “born” on March 9, 2021, just as the first Intellexa employees were arriving in Athens. The “birth certificate” is located on the servers of Namecheap, where the price for a name is very low. It should be pointed out that “blogspot.edolio5.com” is no different from “edolio5.com”: the former is cut from the same “flesh” as the latter. In IT terms it is a subdomain, nested inside the parent name like a Russian matryoshka doll.

It was then hosted on the servers of Amazon.com Inc. for nine months, from 10.3.2021 until the discovery of the Koukakis surveillance. Six days after the Inside Story disclosure, the spyware domain suddenly went offline (20.4.2022). However, the monitoring of Koukakis belongs to the first life cycle of this domain, because on 10.3.2022 the subscriptions for the server, and possibly for the name, were renewed. From March to 20 April 2022 is the second life cycle, which ended abruptly. However, on the same day “edolio5.com” was registered on the platform of Above.Com Pty Ltd and is served from the servers of Trellian Pty (Australia) Limited. The original contract was for four months, i.e. until 24.8.2022. At the expiry of the term, the subscription was renewed and is still valid today.

At the time of the technical report “edolio5.com” was pending deletion, according to the standard status message. Namecheap is located in Reykjavik, Iceland, namely at Kalkofnsvegur 2 (P.O. Box 101). This address is considered by the US authorities to be particularly dangerous because, according to a report by the Cybersecurity and Infrastructure Security Agency (CISA) (8.7.2021), six more domains have been recorded as being trapped by malware. In particular, this is ransomware, considered so dangerous that the State Department on 21.10.2021 set a $10 million reward for those who provide relevant information about “the transnational organized criminal organization” Darkside.

It should be stressed that registering a name is a very simple process: all that is required is to type in the name, a few clicks and a payment of €9.45 per year. Payment is made exclusively by debit card and not by cryptocurrency, so there is no anonymity. Therefore, the competent prosecuting authorities can easily find out who bought the domain, the bank through which the transaction was made, when it was made and how much it cost. Moreover, Amazon (a company that has developed excellent relations with Kyriakos Mitsotakis) claims to be an institutional player and, apart from the overexploitation of its employees, has never been an obstacle to state investigations, especially when it is not itself involved. It is likely that the same applies to the Australian company that now hosts the website in question.
