Candiru is a privately held Israeli cyber-surveillance firm founded in 2014 and headquartered in Tel Aviv. The company, which has also operated under names such as Saito Tech and Grindavik Solutions, develops and licenses offensive intrusion tools to government and intelligence customers. Unlike its better-known compatriot NSO Group, Candiru maintains an unusually low public profile, has no website, and reportedly forbids sales to the United States, Russia, China, Israel, and Iran while marketing to clients elsewhere.
Candiru drew sustained international scrutiny in July 2021, when Citizen Lab (University of Toronto) and Microsoft jointly published research identifying the company as the operator behind a Windows spyware framework Microsoft tracked as DevilsTongue. The investigation tied Candiru tooling to the exploitation of two Windows zero-days (CVE-2021-31979 and CVE-2021-33771) and documented victims including human-rights defenders, political dissidents, journalists, and an employee of a Saudi opposition outlet across countries such as Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore.
On 5 November 2021, the U.S. Department of Commerce's Bureau of Industry and Security added Candiru to its Entity List, alongside NSO Group, Positive Technologies, and COSEINC, citing the supply of spyware used to target government officials, journalists, and activists in a manner contrary to U.S. foreign-policy and national-security interests. This designation imposes export-licensing requirements on U.S. technology transfers to the firm.
For IR researchers and Model UN delegates, Candiru is a frequently cited example in debates over:
- regulation of the commercial spyware industry under export-control regimes such as the Wassenaar Arrangement;
- the application of the UN Guiding Principles on Business and Human Rights to surveillance vendors;
- and proposals advanced by UN Special Rapporteurs (notably the 2019 report of David Kaye) for a moratorium on the sale and transfer of private surveillance technology pending a human-rights compliance framework.
Example
In July 2021, Citizen Lab and Microsoft attributed the DevilsTongue spyware to Candiru after identifying at least 100 victims, including journalists and dissidents, across multiple continents.
Frequently asked questions
Both are Israeli commercial spyware vendors, but Candiru historically focuses on PC and cloud-account intrusion tools (such as DevilsTongue for Windows), while NSO Group is best known for its mobile-focused Pegasus product. Candiru is also far more secretive, with no public website.
Keep learning