New evidence presented to a court in Athens has added fresh detail to the financial trail behind infrastructure used to distribute Predator spyware-infected text messages, in a case that has drawn sustained international attention. The material was submitted during the 31st hearing of Greece’s wiretapping trial by lawyers representing the civil party and is based on an analysis of a prepaid bank card issued in the name of Aemilios Kosmidis, a figure referred to in the proceedings by the nickname “the butcher.”
The case has attracted scrutiny well beyond Greece because it concerns the use of Predator, a powerful form of commercial spyware capable of covertly accessing mobile phones, against politicians, journalists, and business figures. On trial are Greek nationals Giannis Lavranos and Felix Bitzios, alongside Intellexa executives Tal Dillian and Sara Hamou.
The proceedings are being held at the Single-Member Misdemeanor Court of Athens. On Monday, January 26, lawyers for the civil party completed the submission of documents that were formally entered into the court record.
According to civil party lawyer Zacharias Kesses, a review of the transaction history of a prepaid card issued by the National Bank of Greece in Kosmidis’s name revealed two previously undisclosed payments to AMD Telecom, a telecommunications firm based in northern Greece. Kesses told the court that these transactions were not included in the conclusions of either the national communications watchdog or the data protection authority, despite lengthy investigations by both bodies.
AMD Telecom is already known to Greek authorities, as its infrastructure is alleged to have been used to send more than 330 SMS messages containing links infected with Predator spyware. The two transactions highlighted in court date back to December 10, 2020, and involved payments of 10 euros each for services provided by the company.
Kesses questioned why AMD Telecom had failed to disclose the transactions despite having been formally asked about them. When the presiding judge remarked that the information would not significantly alter the case, the lawyer countered that the timing was critical. He argued that these payments were the earliest known transactions linked to the spyware affair, predating any confirmed identification of individuals, which only emerged from 2021 onward. He also noted that as the wiretapping scandal became public, the company’s ownership structure changed, with a new legal representative replacing the previous owner. In that context, he said, clarification about what services were purchased in 2020 would be of particular importance.
The court also heard that the prepaid card had been used repeatedly to pay for hosting, cloud computing, and domain registration services. Kesses argued that such expenses align closely with the technical requirements for operating digital infrastructure designed to distribute malicious links. He presented what he described as clear temporal links between payments made with the card and the first appearance of related infrastructure in official findings by the data protection authority. Specific reference was made to multiple payments to the hosting provider Contabo and to a separate transaction involving the domain registrar Namecheap.
One payment received particular attention: a transaction dated October 21–22, 2021, to the SMS provider SMS77.IO, now known as seven.io, for SMS services worth 23.80 euros. Kesses told the court that this provider is explicitly recommended in an internal training manual produced by Intellexa, a document that has also been submitted as evidence.
Drawing on that manual, Kesses outlined a range of products allegedly marketed by Intellexa. Among them was a system referred to as “Aladdin,” described as a method for infecting targets via malicious links without requiring any action by the recipient. He also referred to tools known as Nebula, Helios, Mars, and Jupiter. According to previous findings by the data protection authority, Intellexa appears to have drawn inspiration from Greek mythology and astronomy when naming its products.
The hearing also addressed the involvement of individuals connected to the defendants. Reference was made to Ben Muscal, whose name appears in the data protection authority’s report and who is alleged to have had close personal and business ties to Dillian and Hamou. The court heard that Muscal and his wife, Michal Yanai, relocated to Athens in 2021, and that there were contractual relationships and financial transactions between a company owned by Yanai and Censura, a firm linked to Dillian.
Separately, civil party lawyers Artemisia Papadaki and Flora Tampaki submitted journalistic material concerning what they described as “scripted” questions posed by members of Greece’s ruling party to Stamatios Trimpalis, a former executive of the security firm Krikel, during a parliamentary inquiry. They pointed to questions suggesting a link between Trimpalis and a former minister responsible for public order, a link that Trimpalis himself had mentioned during testimony but which, according to the journalistic investigation, never existed. They also referred to lines of questioning related to a controversial police telecommunications contract, arguing that the approach appeared designed to divert attention from the core issues of the case.
The trial is scheduled to continue on Wednesday, January 28, when lawyers for the defendants are expected to submit documents contesting the claims made by the civil party. During Monday’s hearing, the court also discussed whether the defendants would appear in person to testify. The presiding judge made clear that the prosecutor expects advance notice and that the court wishes the defendants to be present.
