Tal Dilian: How Mr Predator attempted to save his image
His name is linked to wiretapping scandals in Cyprus & Greece – the former Israeli intelligence officer is one of Europe’s most controversial figures. Solomon’s OSINT investigation reveals how a months-long campaign attempted to create a positive online narrative about Tal Dilian and his business activities.
“From creating equal opportunities for disadvantaged youths to providing innovative solutions in the intelligence field, Tal Dilian’s search for a new challenge never ends.”
This is the first thing you read on the official website of Tal Dilian − the former commander of Israel’s elite military cybersecurity Unit 81 and current entrepreneur. A quick internet search of his name brings up his website: taldilian.com.
However, in recent years the Israeli businessman’s name has been in the limelight for less flattering reasons. Linked to surveillance scandals in Cyprus and Greece, Tal Dilian is one of Europe’s most controversial figures. His name is mentioned dozens of times in a report by the European Parliament’s PEGA Committee on the use of spyware surveillance software.
Using OSINT tools (Open Source Intelligence), Solomon reveals how the mastermind behind the Predator malware and a legal representative of the Intellexa corporation that markets it, attempted to reconstruct his online image by manipulating search engine results (such as Google), in order to bury negative reports and to strengthen the positive narrative about him and his business activity.
As part of a months-long online campaign, hundreds of automated links were allegedly utilized and posted to various addresses that were hosted on at least 18 platforms.
Solomon’s investigation and data analysis of the campaign in question, and examination of the efforts of the “Israeli cyber tsar,” (as he was recently called in an article by Intelligence Online), to alter content about him, revealed the following:
Hundreds of automatically-generated articles link to specific websites that present Tal Dilian as a business genius and outline Intellexa in a positive light.
Search engines find that many articles refer to the websites in question (and therefore consider them “reliable”), so then they place “higher” in the preferences.
So when a user searches for keywords such as “Tal Dilian” and “Intellexa” the first results that appear are those which are promoted by the campaign.
At the same time, however, the campaign also serves a possibly more vital purpose: articles related to the same keywords, but which present incriminating evidence or negative publicity, get “pushed” to the bottom of the list of results.
A website that raises questions
Let’s start from the beginning.
While browsing the internet, we came across a website that initially caught our attention. The address is: taldilianintellexajbkx529.weebly.com and the title of the website is: Tal Dilian Intellexa best blog 1073.
The question naturally arises: Who uses the term best blog or a number like 1073 in the title of a website?
This site in question is hosted on weebly.com, a platform recommended as “the easiest way to create a website, a blog, or an online store” for free.
Browsing the website, we soon found that its content (as its title) appears not to have been written by an actual person. But is, instead, automated.
A simple search for similar websites bearing the name Tal Dilian which are also hosted on weebly.com brings up dozens of matching results.
Taking a closer look at the results, we see that all the web pages have the same characteristics: similar titles and addresses, and common word-for-word texts that appear to be machine-generated.
This is an indication that it’s probably not due toseveralcoincidences, but a targeted campaign. But why should a campaign of this kind be limited to one platform?
So we started looking for addresses with related titles or content on other platforms as well.
At least 463 links on 18 platforms
We found at least 463 links. Besides weebly.com, these links are hosted on at least 17 similar platforms where one can also easily post content for free.
The titles of the websites we found on the other platforms also follow the same pattern: the words “Tal Dilian” and “Intellexa” then a phrase like “nice” or “excellent blog” followed by a number.
The random series of letters and numbers in the title of the site and at the beginning of each address (subdomain), as well as the content of the texts which is repeated verbatim, suggest that the websites have been generated automatically, and are therefore part of a campaign.
In the field of technology and SEO (Search Engine Optimization), i.e. the techniques by which an address can be found to rank higher in search engines, campaigns like this are known as “Black Hat SEO campaigns” (corresponding to Black Hat Hacking).
They refer to methods for the creation of “non-organic” content (not produced by humans), through automated publications, which attempt to prioritize specific results in the search engines we use.
The campaign lasted for at least 7 months
To find the period when the campaign ran, we selected a list of sites. Using a programming language (script), we compiled a list of the dates when the articles (posts) were posted, in the context of the campaign.
From this list, the first article appears to have been posted on November 16, 2021, and the last on June 12, 2022.
This means that, although there are probably other sites hosted on more platforms, we can safely conclude that the campaign lasted for at least seven months.
During that time, the surveillance scandal had already been revealed in Cyprus – where Tal Dilian had based his business activity since 2013.
As reported by inside story, overestimating “the ability of the Cypriot authorities to withstand the pressure of a big news story”, in a 2019 Forbes video, Dilian demonstrated the capabilities of the infamous black surveillance van, which, as he claimed, could hack every mobile phone that was within its range.
After the ensuing uproar, Dilian ‘s company in Cyprus was found guilty of 42 charges (including illegal processing of personal data and illegal intervention in private communications) and fined.
By the end of the campaign, early indications of the wiretapping scandal had emerged in Greece as well, when it was revealed that journalist Thanasis Koukakis’ mobile phone had been infected by Predator malware. Koukakis was the first victim of many that were to follow.
The aim of the campaign
A campaign of this kind aims to manipulate search engine results, bringing positive mentions high among the list of results and “burying” unwanted content at the end of search result lists.
Specifically, Black Hat SEO campaigns use the repetition of keywords and backlinks, which lead to the websites they want to promote.
So, since we knew, as noted above, that the keywords (Tal Dilian, Intellexa) were included in titles and addresses, it remained to be seen which links the campaign promoted.
With the help of a script, we visited every website available to us, extracting the links it contained. As we expected, the links are repeated — so we recorded exactly how many times each link appeared.
We confirmed that the two main links which appear the most, refer to Tal Dilian’s website (at least 172 times) and Intellexa (at least 149 times).
Following this, are articles praising the work of Dilian and Intellexa. One such article is from the Cypriot newspaper Phileleftheros – its headline reads “Tal Dilian breaks his silence on the surveillance van” and presents his statements on the matter.
From the links mentioned above, it is particularly interesting to note that besides Tal Dilian, some links point to Nigerian Pastor Chris Oyakhilome — a controversial figure who was accused of financial fraud in 2019. Other links refer to Bimbo Success, a popular Nigerian actress on social media.
At this point, we may not be able to find out who was responsible for running the campaign. However, we do understand that whoever was responsible, also ran other campaigns for clients who wanted to alter their online image.
To understand how the campaign worked, we need to follow the timeline of the various stages that followed the creation of Tal Dilian’s personal website.
The address taldilian.com was purchased on August 25, 2021. That was two and a half months before the start of the campaign.
Soon after, positive articles about Tal Dilian and his business activity appeared in newspapers and online magazines.
Keeping in mind the dates of the original publication of the articles and their posting on his personal website, we noticed that they began to be reposted from the same day, and up to six days later. The articles that are reposted on the website are the same articles that the campaign is trying to promote.
Also, on the whole, and with only one exception, the articles appear to have been published 1-2 months before the start of the campaign. Once it starts, both the articles and Tal Dilian’s personal website are widely distributed and prioritized on search engines, through multiple links to them.
Before publication, Solomon contacted Tal Dilian regarding questions about the campaign. We also asked for a comment on the criticism he and Intellexa have received for their alleged involvement in the wiretapping scandal, which the international press is calling Greek “Watergate”.
At the time of publication, we have not received a reply.