Candiru (Saito Tech Ltd)
Israeli mercenary spyware vendor behind DevilsTongue malware used to target journalists, activists, and dissidents worldwide, with approximately half of known victims in Palestine
Take Action
Apply pressure where it matters. Use these tools and personalise your message with evidence from this page.
- Contact Corporate LeadershipPre-filled letter templates for email or post
- Report New IntelligenceSubmit evidence of contracts, partnerships, or complicity
- Share This ProfileShare on LinkedIn to reach cybersecurity and policy professionals
- Strategic AnalysisIn-depth analysis and engagement strategy
Before taking action, review our Code of Conduct for professional standards and ethical guidelines.
Help Us Hold Candiru (Saito Tech Ltd) Accountable
Your skills and knowledge can strengthen this campaign. Join our volunteer research team or share insider information securely.
Leverage Your Expertise
Do you work in this sector? We need professionals who understand procurement cycles, regulatory compliance, and corporate governance. Don't just boycott - lead!
Decision-Maker Directory
Key individuals with influence over corporate partnerships and procurement decisions. Direct your correspondence to the most relevant role.
Material Risk Framing
Frame your message around business risks. These talking points resonate with corporate stakeholders and institutional investors.
On US Commerce Department Entity List since November 2021; subject to export restrictions; zero-day exploits patched by Microsoft and Google; potential exposure under EU human rights regulations
Entity List designation restricts access to US technology and investors; spyware licensing model creates reputational liability for government clients exposed
Directly implicated in targeting human rights defenders, journalists, and politicians across multiple countries; infrastructure designed to impersonate Amnesty International and Black Lives Matter
Dependent on discovering and exploiting software vulnerabilities that get patched once discovered; multiple zero-days burned in 2021-2022 investigations
Strategic Analysis
In-depth assessment of the company's position, vulnerabilities, and recommended approaches for effective engagement.
High severity, high vulnerability — campaigns with the best chance of making an impact
Learn about our methodology — companies are categorised based on severity (harm potential) vs strategic vulnerability (campaign leverage).
Why do these scores change?
Unlike static boycott lists, our targeting model is dynamic. This company's position on the matrix is re-evaluated continually as we verify new contracts, divestments, or policy changes. Your reporting directly impacts this score.
Candiru represents the second major Israeli mercenary spyware vendor alongside NSO Group, with significant management and investor overlap between the companies. The company operates under multiple corporate identities (DF Associates, Grindavik Solutions, Taveta, Saito Tech, Integrity Partners, Integrity Labs) to obscure its activities. What makes Candiru particularly significant for Palestinian advocacy is that approximately half of the 100+ confirmed victims identified by Microsoft and Citizen Lab were located in Palestine - the highest concentration of any country targeted.
Key Leverage Points
- US Entity List Status: November 2021 blacklisting alongside NSO Group creates identical compliance and technology access restrictions
- Government Client Exposure: Saudi Arabia, UAE, Hungary, Indonesia, and Spain identified as having Candiru systems - diplomatic and public pressure opportunities
- Zero-Day Dependency: Business model requires constant discovery of software vulnerabilities; each exposure burns operational capabilities
- Disinformation Infrastructure: 764+ domains impersonating Amnesty International, Black Lives Matter creates litigation and regulatory exposure
Evidence Summary
The Citizen Lab investigation provides comprehensive technical evidence of Candiru's capabilities and targeting patterns. The spyware can exfiltrate data from encrypted messaging apps including Signal, capture browsing history and passwords, and activate device cameras and microphones. Victims include human rights defenders, journalists, activists, and elected politicians. The company's infrastructure deliberately impersonates legitimate human rights organisations to deceive targets into clicking malicious links. Microsoft's parallel investigation confirmed the findings and led to patches for two zero-day vulnerabilities being actively exploited.
Engagement Strategy
Focus on maintaining US Entity List designation by documenting ongoing abuses and engaging congressional representatives on export control enforcement. Target governments known to operate Candiru systems (Saudi Arabia, UAE, Spain, Hungary) through diplomatic pressure and human rights reporting. Support civil society litigation against spyware vendors and their government clients. Document and publicise each new case of journalist or activist targeting to build case for comprehensive spyware regulation. Coordinate with technology companies to accelerate vulnerability patching when new Candiru exploits are discovered.
Evidence & Sources
Verified sources including NGO reports, regulatory filings, and primary documents. Use these to substantiate your correspondence.
Candiru spyware used in Spanish government surveillance of Catalan independence movement members including elected officials
Open sourceCandiru added to US export blacklist alongside NSO Group for engaging in activities contrary to US national security or foreign policy interests
Open sourceTechnical investigation identifying 764+ domains, confirming victims across Palestine, Israel, Iran, and other countries, with capabilities to exfiltrate from Signal, Gmail, Telegram
Open sourceMicrosoft identifies DevilsTongue malware and patches CVE-2021-31979 and CVE-2021-33771 zero-day vulnerabilities exploited by Candiru
Open sourceReporting on Citizen Lab findings that Israeli spyware company Candiru targeted human rights activists globally
Open sourceUpdates & Milestones
- Saito Tech Ltd. / Integrity Partners Purchase
Company operates as Saito Tech Ltd., also as Integrity Partners or Labs - latest known corporate identities
- CatalanGate Exposed
Citizen Lab reveals Candiru spyware used by Spanish government against Catalan independence movement
- US Commerce Department Blacklist
Added to Entity List alongside NSO Group for engaging in activities contrary to US national security
- Microsoft Patches Zero-Days
Microsoft patches CVE-2021-31979 and CVE-2021-33771 vulnerabilities exploited by Candiru
- Citizen Lab Investigation Published
Joint Microsoft-Citizen Lab report reveals DevilsTongue spyware targeting 100+ victims including approximately half in Palestine
- Taveta Ltd.
Company operates as Taveta Ltd.; Eitan Achlow serving as CEO
- Grindavik Solutions
Company operates as Grindavik Solutions Ltd.
- Corporate Name Change
Operates as DF Associates Ltd., beginning pattern of corporate name changes
- Company Founded
Candiru Ltd. established in Tel Aviv by Ya'acov Weitzman and Eran Shorer