The Rayzone Group’s secret cyber intelligence activities revealed

In April 2015, 24 Israeli business people crowded together for a PR photo op. The reason was an announcement by Hadassah International, the fundraising arm of the Jerusalem-based Medical Center, about the launch of an international board of trustees. So far the organization has raised $100 million in donations.

Among the trustees were successful business owners and former government officials. It is doubtful any of them knew then, and maybe still don’t, about the activities of one of the younger members of the board - Matan Caspi.

 

Caspi is one of five co-founders of the Israeli cyber and intelligence group Rayzone, whose products enable, among other things, the gathering of secret personal data and location tracking of individuals or groups through the internet or cellular networks both in real-time and in retrospect. Over the past few weeks, the group has been in the spotlight following reports on its activities in leading news publications including Forbes and The Guardian.

 

As Calcalist has previously exposed, Caspi is no stranger to the world of intelligence gathering and espionage. Caspi, together with another Rayzone founder, Eran Reshef, helped intermediate a 2011 deal in which surveillance company NSO sold its Pegasus spyware technology to the military of a foreign nation with the help of a foreign businessman convicted of corruption charges whose name is protected under a court-issued gag order.

 

Ever since the NSO deal, Rayzone’s business activities have been conducted in complete secrecy. Reshef, who according to company filings, serves as its CEO and Caspi, who recently relocated to the Netherlands, along with their three partners: Ron Zilka, Yohai Bar Zakay Hasidoff, and Yaron Elrom, managed to operate under the radar.

Rayzone tax filings obtained by Calcalist along with documents submitted to the court as part of a shareholder dispute in one of Rayzone’s service providers, Israeli cyberintelligence company Senpai, helped shed light on its activities, its clients, and the turnover of three of the group’s companies, which as of 2019, stood at NIS 107 million ($33.25 million)

The Rayzone Group employs 180 people in Tel Aviv and has seven subsidiary companies. According to the group’s website, it has eight different products, however, most of its activities are concentrated in three companies that merged in September.

The list of intelligence agencies, clandestine services, and internal security bodies that Rayzone works with is one of its best-kept secrets, but legal documents reveal a few of the countries in which it acted or negotiated with in the past and they include Mexico, Singapore, the Philippines, Vietnam, and Greece.

 

The information appears in documents submitted to the court in 2019 due to a dispute between Senpai shareholders. As previously published by Calcalist, in May 2018— a month prior to heavily contested elections in Malaysia, during which Prime Minister Najib Razak, who was recently convicted of corruption charges, was under threat of being voted out of office— the Malaysian Special Branch internal security agency purchased a system used to track opposition activists from Senpai for $1.5 million.

 

The court documents mentioned that Rayzone had considered acquiring Senpai’s activities. The court was handed a transcription of a call between Ron Zlika, a Rayzone shareholder (20%), and Senpai’s VP of sales Roy Shloman, discussing the company’s shared clients.

A list of Senpai’s clients and contracts reveals that it sold various services to Rayzone in several countries. One of those countries is Mexico. According to the documents, Rayzone paid Senpai $50,000 in March 2018 in exchange for services it provided in the Central American country. The documents don’t spell out which Mexican agency was the recipient of the service on Rayzone’s behalf or what that service was.

Singapore, Vietnam, and the Philippines are three additional countries that the documents reveal Senpai provided services to, negotiated with, or was entitled to a commission on behalf of Rayzone. In Singapore, for example, Senpai operated opposite the Internal Security Department, while in the Philippines, it liaised with the National Intelligence Coordinating Agency and the Philippines National Police. Senpai also operated opposite the Greek police on Rayzone’s behalf.

The most well known among the Rayzone group’s companies is Rayzone itself, which was founded in October 2010 and deals with the planning, manufacturing, and sales of technology solutions for secretly gathering online data for security and intelligence agencies. Those solutions are sold to national governments and internal security services mainly in Asia and Central America, but also in Europe.

The second, and perhaps most interesting company in the group, is Echo-On Technologies, which was founded in February 2018. It develops a strategic SIGINT system that enables intelligence and law enforcement agencies to conduct security and criminal investigations. The platform enables clients to analyze digital and computerized data and construct a time and location-based intelligence framework.

The company’s flagship product is called Echo, and is a signal intelligence system that provides state law enforcement agencies with diverse information about internet users. It is described as “a fully stealth method of collection on any internet user, without the need for cooperation from either the target or from any tech or commercial entity.” According to the company’s website, “Echo is agnostic to the device type, operating system or version, and does not require pre-installation of any physical equipment.” It is further described as “providing the benefits of both a target-centric approach (collecting information on a particular point of interest) and data-centric approach (mass collection of all internet users in a country).”

According to a Forbes article on Rayzone published this month, “the GPS location data is accurate, as close as within one meter of the target, but will be a little behind in real time, due to the nature of the surveillance.” Echo, according to the report, makes use of location data gathered by mobile advertising platforms. Sources refused to tell Forbes how the company accesses the data but noted that it has become a common practice among those in the industry. Use of such platforms is concerning to human rights activists who fear a dearth of oversight over the data that advertisers collect about unknowing consumers.

The third interesting company in the group is Root Networks, which was founded in October 2016. Root researches and develops defensive solutions to protect cellular network users’ anonymity and personal data. According to a report in The Guardian two weeks ago, Rayzone “received access to the global telecommunications network via a mobile operator in the Channel Islands in the first half of 2018, potentially enabling its clients at that time to track the locations of mobile phones across the world.“

Another product produced by the Rayzone group is called Vegas: it is an interception system that according to the company, “provides intimate and meaningful information of any connected device within targeted networks at designated locations.”

Yet another Rayzone product is called Piranha and is described as an IMSI (International Mobile Subscriber Identity) catcher. IMSI is a unique number given to every cellular network user that is used by telecom companies. Products such as these are in use by police and intelligence bodies that seek to intercept and monitor cellular communications, including eavesdropping on calls. That is one of the reasons human rights organizations have criticized its use.

Rayzone’s website says the system delivers “advanced tools to utilize the gathered information and to manipulate the phones.” Piranha can also be integrated into other systems, such as surveillance cameras, face recognition, biometric systems, and others. It was surprising to find that Rayzone also offers a product called ArrowCell that provides protection from IMSI catchers, meaning it produces both the technology and its countermeasure.

An additional product called Sprinter is a system that enables the interception of cellular networks in order to gain access and record calls, voice messages, text messages, and device location. According to the company, “Sprinter system intercepts and records target’s incoming and outgoing voice calls, text messages (SMS), and to manipulate target’s communication. The system is totally transparent and undetectable neither by the mobile operator nor by the target.”

According to information in the company’s 2018 financial reports and the tax reports of three of the Rayzone Group’s central companies, the merged company’s annual revenue was NIS 107 million (Rayzone NIS 98.8 million, Echo-On NIS 6.4 million, and Root Networks NIS 1.6 million).

The three companies' equity stands at NIS 33.2 million, according to 2019 reports (Rayzone NIS 28.4 million, Echo-On NIS 1.45 million, and Root NIS 3.38 million). Rayzone's taxable revenue for that year was NIS 12.7 million, while Echo posted a loss of NIS 2.1 million and Root a loss of NIS 5.04 million). The filings reveal that in December 2019 Rayzone, Echo-On, and two other subsidiaries in the group (Impulse Programmatics and Oxillon) submitted a request for a significant tax benefit. The meaning of the request, which as far as is known has not been approved yet, is that the company’s earnings from the cyber activities it carried out abroad will be taxed 12%-16% instead of 23% and shareholders dividend taxes will be 20% instead of 30%.

“The company does not address its activities on behalf of its clients,” Rayzone said following a request for comment.

 

************************

Behind the scenes of the establishment of Rayzone

Depositions that Caspi and Reshef submitted to the court in May 2017 as part of a financial dispute over mediation payments for an NSO-linked deal, expose the story of Rayzone’s founding and the founders’ entrance to the cybersecurity sector. A walk with the dog that ended with a random encounter at a Ramat Hasharon cafe and later gave birth to the cyberintelligence and espionage group.

 

Caspi, who at the time served as a bodyguard abroad, testified that he had lived for several years in California, during which he had worked selling technological products in Central America. “During those years,” he said, “I worked with Eliott Broidy who was living in Los Angeles. He has broad business activities and ties in South and Central America. I served as Vice President of Business Development in one of his companies, Broidy Capital Management.” Broidy was one of the U.S. President Donald Trump’s major fundraisers and was recently charged with violating lobbying laws after trying to convince the president to halt an investigation into massive embezzlement of a Malaysian investment fund.

 

When he returned to Israel in 2010, Caspi met with several business people, including Eric Banoun, a central figure in the Israeli cyber industry, which opened the door for him to enter the local cyber community. Both Banoun and Broidy were involved in mediating a 2011 deal in which NSO sold its Pegasus system to the military of a foreign government. Caspi and Banoun later had a falling out with Broidy and he was cut out of the deal. Eventually, in a secretive settlement agreement, Banoun was granted 40% of the commission, and Rayzone and Rayspot took home 60%.

 

Caspi and Reshef met entirely by accident. In 2010, Caspi met a childhood friend of Reshef’s who lived nearby in Ramat Hasharon. While Caspi was sitting in a cafe with the friend, he called Reshef up and suggested he meet Caspi. “I was close by walking my dog and arrived, barefoot to the cafe a few minutes later,” Reshef said. “It was a social meeting, but later on we became closer, both personally and professionally and we became partners in Rayzone.”