Bulgaria approved the sale of spyware to intelligence and security agencies in countries with records of human rights abuses. Documents show Bulgaria’s export control authority licensed Circles BG, a Sofia-based surveillance technology company, to sell interception systems, mobile-tracking tools and surveillance infrastructure to intelligence agencies in Azerbaijan, Serbia, Malaysia and Mexico.
Circles is an affiliate of the NSO Group, the Israeli firm behind the notorious Pegasus spyware that has been used to target political figures worldwide, including French President Emmanuel Macron and Pakistani politician Imran Khan. One of Circles’ founders, Tal Dilian, was sanctioned by the U.S. in 2024 for his role at another company, in which he allegedly developed spyware used to target journalists, policy experts and government officials.
The exports, which took place between 2018 and 2023, were revealed in a new report by surveillance watchdog Human Rights Watch. In 2020, researchers at the Toronto-based Citizen Lab reported on Circles’ surveillance operations that exploited weaknesses in telecom systems across multiple countries. Co-founder Dilian, a former Israeli military intelligence commander, also founded Intellexa, the spyware consortium behind Predator, the surveillance tool that triggered Greece’s 2022 “Predatorgate” scandal.
The findings do not indicate that the exports were illegal or that the technologies were used unlawfully. Circles did not respond to multiple requests for comment.
Bulgaria’s Ministry of Foreign Affairs told Politico that the documentation provided by Circles showed that the technologies are intended for “activities related to the prevention and investigation of crime and terrorism, as well as for search and rescue operations in humanitarian crises.”
“When examining applications, all relevant circumstances are assessed, including end-use documents and information received through official channels,” it said.
The licenses raise new questions about how individual governments implement EU export controls on tracking technology, particularly to countries that have faced criticism from international watchdogs over surveillance practices, democratic backsliding, and human rights concerns, Human Rights Watch said in its report.
Zach Campbell, senior surveillance researcher at Human Rights Watch, said that “these licenses are clear evidence that Bulgaria is licensing exports of surveillance tech worldwide to police, military and intelligence agencies in countries with long histories of using that same technology to crack down on rights.”
According to the license documents, Azerbaijan’s Foreign Intelligence Service purchased server and storage infrastructure from Circles BG worth more than 40,000 euro in a license issued in June 2022. The equipment included Dell servers, storage arrays and remote-access hardware.
It also purchased a tracking system that uses cellphone towers to pinpoint the location of mobile phones, which was valid until Dec. 2023 — spanning the most consequential months in the Nagorno-Karabakh conflict since the 2020 war. Citizen Lab and Amnesty International published a report in May 2023 finding Pegasus spyware targeted Armenian public figures.
Meanwhile, in Serbia, the interior ministry purchased a portable mobile-phone surveillance and location-tracking device for 17,300 euro, the documents showed, a few months before the December 2023 elections. In 2024, Amnesty International reported that Serbian authorities had used spyware against journalists and civil society activists, allegations the government has disputed.
In the United Arab Emirates, the country’s Signals Intelligence Agency purchased an interception system known as “Voice Over Location Enabler” (Vole) through Abu Dhabi-based Securetech LLC in 2018 for 9,500 euro, according to the documents. A separate license shows the UAE’s Electronic Government Authority purchasing the same system in 2019.
Malaysia’s military intelligence service also obtained a Vole system through Telekom Malaysia Berhad, the country’s largest telecommunications provider, the documents showed. The package, valued at more than 50,000 euro, included installation and training services.
The documents further indicate that government authorities in Bahrain, Brazil, the Dominican Republic, Ghana, Guatemala, El Salvador, Jordan, Mexico, Morocco and Panama were listed as end users of Circles technology.
One export to Mexico involved a tactical signals intelligence system designed to locate and monitor mobile devices. The end user was listed as the government of Michoacán, a state long plagued by cartel violence, kidnappings and organized crime.
The licenses show shipments departing from Sofia Airport. In at least one case involving Brazil, the export transited through Luxembourg-based Q Cyber Technologies, a company previously linked to NSO Group.
The licenses also reveal commercial ties between Circles and NSO Group itself.
NSO Group made purchases from Circles in October 2021 for 119 euro. The technology procured from Circles was eventually transferred to the Home Front Command of the Israeli Ministry of Defense. Circles BG does not appear on any U.S. sanctions or export-control blacklist. NSO Group, however, was placed on the U.S. Commerce Department’s Entity List in November 2021 over allegations that its spyware had been used to target civil society.
The findings come as Brussels prepares a fresh review of the EU’s dual-use export control regime, with the European Commission expected to present a proposal by early 2027.
“The European Commission, despite having visibility on these exports and a mandate to control potentially harmful exports, has done nothing to stop them,” Campbell said about Circles’ exports.
The review is expected to focus on whether existing rules are sufficient to prevent European surveillance technologies from reaching governments accused of human rights abuses. Under the current law, national authorities must assess whether cyber-surveillance tools could be used for internal repression or serious human rights violations before approving exports.
But many surveillance systems are built from a combination of software, mobile-tracking tools and largely commercial hardware, making it difficult to determine where ordinary telecommunications equipment ends and cyber intrusion tools begin.
Discover more from The Balkan Report
Subscribe to get the latest posts sent to your email.