In July 2021, someone sent Google a batch of malicious code that could be used to hack Chrome, Firefox, and PCs running Windows Defender. That code was part of an exploitation framework called Heliconia. And at the time, the exploits used to target those applications were zero-days, meaning the software makers were unaware of the bugs, according to Google.
More than a year later in November 2022, Google’s Threat Analysis Group, the company’s team that investigates government-backed threats, published a blog post analyzing those exploits and the Heliconia framework. Google’s researchers concluded that the code belonged to Variston, a Barcelona-based startup that was unknown to the public.
“It was a huge crisis at the time, mainly because we had stayed under the radar for quite a while,” a former Variston employee told TechCrunch. “Everyone believed that in the end we’d be exposed by being caught [in the wild], but it was a leaker instead.”
Another former Variston employee said that the code was sent to Google by a disgruntled company employee and that after it happened Variston’s name and secrecy were “burned.”
Google kept digging into Variston’s malware. In March 2023, the tech giant’s researchers found that spyware made by Variston was used in Kazakhstan, Malaysia, and the United Arab Emirates. Last week, Google reported that it found Variston hacking tools used against iPhone owners in Indonesia.
In the past year, more than half a dozen Variston employees have left the company, they told TechCrunch on the condition of anonymity as they were not authorized to speak to the press because of non-disclosure agreements.
Now, according to four former employees and two people with knowledge of the spyware market, Variston is shutting down.
At the beginning of the 2010s, the public began to learn that there was a flourishing market where Western-based companies, such as Hacking Team, FinFisher, and NSO Group, were providing surveillance and hacking tools to countries and regimes all over the world with questionable or poor records of human rights, such as Ethiopia, Mexico, Saudi Arabia, the United Arab Emirates, and many others.
Since then, digital and human rights organizations like the Citizen Lab and Amnesty International have documented dozens of cases where government customers of these spyware makers were using those tools to hack and spy on journalists, dissidents, and human rights defenders.
In the last few years the offensive security industry has become more public and normalized. Some of these spyware makers and exploit developers openly advertise their services online, their employees disclose where they work on social media, and there are a few popular security conferences that openly cater to this industry, such as OffensiveCon and HexaCon.
Variston, however, has always tried to fly under the radar.
The company’s only public-facing information is a barebones website where it vaguely describes what it does.
“Our toolset is built upon the vast cumulative experience of our consultants. It supports the discovery of digital information by [law enforcement agencies],” reads Variston’s website, in what is the only short mention of its work as a spyware and exploit maker for government agencies.
Variston forbade employees from disclosing where they work, not only on LinkedIn, but also at cybersecurity conferences, according to the former employees who spoke to TechCrunch.
According to Spanish business records seen by TechCrunch, Variston was founded in Barcelona in 2018, listing Ralf Wegener and Ramanan Jayaraman as the founders and directors.
While its website lists another address in the city, Variston most recently worked out of an office in the Barcelona neighborhood of Poblenou, inside a co-working space located one block from the beach. In October, a representative for the co-working space told TechCrunch that Variston was located there and had been for a couple of years.
When TechCrunch visited Variston’s office this week, a co-working space representative claimed Variston is still working there. The representative offered to take a message for Variston, saying they were not there that day but that they had been in the building that week. Neither Wegener nor Jayaraman responded to multiple emails from TechCrunch requesting comment about Variston. An email to Variston’s public email address went unreturned.
One of Variston’s first moves in 2018 was to acquire Truel IT, a small zero-day research startup in Italy, according to Italian business records seen by TechCrunch. Since then, Variston grew to a company of around a hundred staff. Other than Heliconia, the company’s exploitation framework for targeting Windows devices, Variston also developed exploits and hacking tools targeting iOS and Android. Variston’s Android product was called Violet Pepper, according to the former employees.
Even Truel IT’s founders, who moved to work at Variston, do not disclose Variston as an employer on their LinkedIn profiles.
According to the former Variston employees, this level of secrecy also applied to the identity of the company’s customers — except for its special relationship with Protect, a company based in the United Arab Emirates city of Abu Dhabi.
“Variston was a supplier of Protect,” said a person with knowledge of Protect’s operations, who asked to remain anonymous because they were not authorized to speak to the press. “It was an important relationship for both for a while.”
The company’s work “was going to the UAE,” and that Protect was “de-facto the only customer,” according to former Variston employees.
The former employees told TechCrunch that Protect was funding all the operations at Variston, including the research and development side. One former Variston employee said once Protect pulled its funding from the development side in early 2023, Protect tried to force Variston employees to relocate. Then, when the funding for research stopped later in the year, Variston “closed shop,” the person said.
Contact Us
Do you know more about Variston or Protect? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
At the beginning of 2023, Protect asked all Variston employees to move to Abu Dhabi. This is where Variston began to unravel, as most of Variston’s staff did not accept the proposal. The former employees said management gave them two choices: “move to Abu Dhabi or get fired,” and that there would be no exceptions.
Protect bills itself as “a cutting edge cyber security and forensic company.” Much like Variston, Protect says little else on its website about what the company does.
But Google’s security researchers believe that Protect, also known as Protect Electronic Systems, “combines spyware it develops with the Heliconia framework and infrastructure, into a full package which is then offered for sale to either a local broker or directly to a government customer.”
That would explain how Variston’s tools allegedly ended up being used in Indonesia, Kazakhstan, and Malaysia.
According to Intelligence Online, a trade publication that covers the surveillance and intelligence industry, Protect was launched after DarkMatter, a controversial UAE-based hacking company, was revealed to have employed Americans who then helped the UAE government spy on dissidents, political rivals, and journalists.
As of 2019, Protect was headed by Awad Al Shamsi, and was providing “UAE government users with discreet access to foreign cyber technology,” reported Intelligence Online. It’s not known if Al Shamsi is still at Protect, and Al Shamsi did not respond to an email requesting comment. Protect did not respond to several other emails from TechCrunch.
Variston’s founders Wegener and Jayaraman also appear to have worked at Protect, at least as of 2016, according to public online records of encryption keys linked to their Protect email addresses seen by TechCrunch.
Wegener is a veteran of the spyware industry. According to Intelligence Online, Wegener runs several other companies, some based in Cyprus and also co-owned by Jayaraman. Wegener used to work at AGT, or Advanced German Technology, a surveillance provider founded in Berlin in 2001 with an office in Dubai. In 2007, along with Italian spyware maker RCS Lab, AGT worked with the Syrian government to develop a centralized real-time country-wide internet monitoring system, according to news reports based on leaked documents and research by non-profit Privacy International. Eventually, AGT did not provide the system to the Syrian government.
Five years after it was founded, Variston is not a secret startup anymore.
Three former employees said Google’s report in 2022 blew the lid on Variston’s secrecy. One of the employees said the Google report exposing Variston “might have been the beginning of the end” for the spyware maker.
But another former Variston employee said the company — like other spyware makers — would have been exposed eventually. “It was bound to happen sooner or later,” the person said. “It’s quite normal.”
Natasha Lomas contributed reporting.
An earlier version of this report misattributed Google’s discovery of Variston’s tools to Italy, due to an editor’s error. ZW.