EU commercial spyware accountability

Greece's €7.6 Million Predator Lawsuit Shows Courts, Not Brussels, Are Driving Spyware Accountability

Eight Predatorgate victims sue Intellexa for €7.6M as EU export-control reform stalls three years after the PEGA report.

Predator Accountability, By the Numbers People of Internet Research · EU €7.6M Damages sought Total compensation claimed by eigh… 8 years Actual prison term Suspended sentence for Dilian and … 3 years Since PEGA recommendation Time since Parliament's June 2023 … 7 of 27 States disclosed export data Member states that fully answered … peopleofinternet.com
Predator Accountability, By the Number… People of Internet Research · EU €7.6M Damages sought 8 years Actual prison term 3 years Since PEGA recommendation 7 of 27 States disclosed export data peopleofinternet.com

Key Takeaways

Eight Greeks targeted by Predator spyware filed a civil suit against Intellexa and 13 associated individuals in an Athens court on July 8, 2026, seeking roughly €7.6 million ($8.7 million) in damages, according to their lawyer Zacharias Kesses, as reported by The Record. The plaintiffs include financial journalist Thanassis Koukakis, journalist Spyridon Sideris, a former Meta security manager, a former director of the Hellenic Police's Forensic Laboratories, a former Greek intelligence chief, two lawyers and a former law enforcement official. Trial is set for April 2027.

This is a civil follow-on, not a fresh discovery. It builds directly on the criminal case: on February 26, 2026, an Athens court convicted Intellexa founder Tal Dilian, business partner Sara Hamou, former deputy administrator Felix Bitzios and Yiannis Lavranos of illegally accessing communications systems, sentencing each to more than 126 years — collapsed under Greek law to 8 years, and currently suspended pending appeal (The Record). The underlying scandal, dubbed Predatorgate, surfaced in 2022 when Predator was found on the phones of more than 90 prominent Greeks, triggering the resignations of the national intelligence chief and the prime minister's chief of staff.

Why courts are moving faster than regulators

The civil suit matters because it is the first attempt to convert a criminal finding of guilt into direct financial redress for named victims — "the next institutional step towards full accountability," in Kesses's words. That is worth taking seriously on its own terms. Spyware victims are typically journalists, lawyers and civil servants who cannot out-litigate a well-funded surveillance vendor, and a court-ordered damages award, even a modest one relative to Intellexa's global client base, creates a real financial disincentive that regulatory fines rarely have matched in this sector.

But it's worth being honest about what this lawsuit is not: it is not evidence that the EU's own oversight machinery is working. The European Parliament's Committee of Inquiry on Pegasus and equivalent spyware (PEGA) adopted a formal recommendation on June 15, 2023, calling for spyware use to be restricted to exceptional, judicially authorized cases, for protected categories (lawyers, journalists, doctors, elected officials) to be shielded absent evidence of wrongdoing, for stronger enforcement of existing export-control rules, and for a standing "EU Tech Lab" to investigate abuse (European Parliament recommendation, TA-9-2023-0244; European Parliament press release). Three years on, none of that has become binding law. A new informal cross-party spyware group formed in Parliament this year has no inquiry powers, and in July 2026 Citizen Lab found that a former MEP who sat on PEGA, Stelios Kouloglou, had himself been infected with Pegasus in 2022 and 2023 — while the committee investigating spyware abuse was itself a target of it.

The export-control gap is the real failure

The steelman for tighter EU rules is straightforward: the 2021 recast Dual-Use Regulation already gives member states the legal basis to block cyber-surveillance exports likely to be used for human rights violations, but a Human Rights Watch investigation published May 12, 2026 found the Commission's own January 2024 implementation guidance strips the regulation of its teeth. HRW's freedom-of-information requests to all 27 member states — only 7 responded fully, 12 refused outright — turned up licensed exports of intrusion and interception tools from Bulgaria to Azerbaijan and from Poland to Rwanda, both destinations with documented records of surveilling journalists and dissidents (HRW, "Looking the Other Way," May 12, 2026). If a regulation exists but its reporting rules are designed so exports can't be traced to harms, that is not restraint, it's a paper shield — and the case for fixing implementation, rather than writing new statute, is strong.

Where we part ways with advocates like EDRi and the PEGA rapporteurs is on the remedy. The instinct in Brussels has been to layer new institutions — an EU Tech Lab, a fresh spyware working group — onto a system that already has adequate legal authority and simply isn't enforcing it at the member-state level, where licensing decisions actually happen. Intellexa is a Greek- and Cypriot-linked vendor; its principal accountability to date has come from a Greek criminal court and now a Greek civil court, not from Brussels. That is the system working roughly as designed under subsidiarity, and it is faster than waiting for a Commission evaluation of the Dual-Use Regulation that isn't scheduled to conclude until 2028.

The innovation-policy risk of overcorrection is real: broad, vaguely worded EU-level spyware bans tend to sweep in legitimate lawful-intercept and forensic tooling that police forces and cybersecurity researchers rely on, without addressing the actual failure mode here, which was Greek intelligence services deploying Predator against journalists and political rivals with no judicial oversight. The fix for that is enforcement of the authorization and oversight requirements already on the books, backed by the kind of criminal and civil liability Athens is now applying — not a new pan-European licensing bureaucracy that primarily burdens compliant vendors while doing little to touch actors willing to route through weaker member states.

What to watch

Sources & Citations

  1. The Record: Greek victims file lawsuit against Intellexa
  2. The Record: Intellexa founder sentenced
  3. European Parliament PEGA recommendation (TA-9-2023-0244)
  4. European Parliament press release on spyware reforms
  5. Human Rights Watch: Looking the Other Way