Executive summary: a new liability frontier for spyware vendors

The Feb. 26, 2026 Greek court verdict shifts vendor liability for commercial spyware from sanctions and civil risk into criminal punishment and national-security scrutiny.

Details of the Greek ruling

In Athens, a criminal court on February 26, 2026, handed eight-year prison sentences—stayed pending appeal—to Intellexa founder Tal Dilian and three associates: Sara Hamou, Felix Bitzios and Yiannis Lavranos. The convictions for breaching telephone confidentiality and illegal data access relate to Predator spyware implicated in the so-called “Greek Watergate” scandal, which targeted opposition politicians, journalists and other public figures. Alongside the custodial sentences, judges ordered a probe of roughly a dozen individuals for potential espionage and foreign-state collaboration, signaling an elevated view of commercial spyware as a vector for state-linked intelligence operations.

Based on publicly available records, this appears to be the first publicly reported custodial sentence for a commercial spyware vendor executive following state-linked misuse. That designation reflects the limits of accessible legal archives rather than a definitive global claim.

Sanctions-era precursors and civil enforcement

Long before the Athens verdict, U.S. authorities imposed sanctions on Intellexa entities and senior individuals in March and September 2024, citing Predator’s deployment against journalists, government officials and U.S. persons. Those sanctions aimed to constrain the commercial reach of Predator but left vendor executives beyond direct criminal exposure. In July 2024, the Greek Supreme Court cleared the National Intelligence Service (EYP) and certain state officials of wrongdoing, effectively isolating vendor conduct for separate scrutiny while limiting official-actor liability.

The Greek verdict thus translates diplomatic and export-control pressure into domestic criminal consequences, marking a structural departure from reliance on economic measures and civil suits. Whereas previous enforcement treated intrusive surveillance tools primarily as export-control and sanctions concerns, the Athens court treated their sale and misuse as violations of criminal wiretapping statutes and potential espionage conduits.

Structural shift: from civil and sanctions risk to criminal and national-security exposure

The core insight of this ruling is that commercial spyware vendors can no longer rely solely on corporate liability shields or economic deterrents. Instead, judicial systems may hold executives personally accountable under criminal statutes when invasive tools are tied to state-linked abuses. This shift recalibrates the risk calculus: vendor malfeasance or neglect in vetting end-users can trigger not only sanctions or civil litigation, but also long-term prison exposure and national-security investigations.

Industry observers identify the decision as a turning point. Previously, the bar for criminal liability had centered on state-actor misconduct or export-compliance breaches. The Athens court’s decision to extend probes into alleged espionage networks indicates that commercial transactions in surveillance technology can fall squarely within criminal intelligence statutes.

Predator’s role in the “Greek Watergate” scandal

Predator spyware, marketed by Intellexa and resold via affiliates, enabled deep phone infiltration: message and file exfiltration, geolocation tracking and remote activation of microphones and cameras. Beginning in 2022, the tool was tied to the interception of communications belonging to opposition leader Nikos Androulakis, investigative reporter Thanasis Koukakis and at least 87–90 other figures. The ensuing uproar triggered resignations at the highest levels of Greek intelligence, parliamentary inquiries and international scrutiny.

The Athens court recounted evidence that Lavranos’s firm supplied Predator to the Greek National Intelligence Service (EYP), which then allegedly repurposed the tool for undisclosed domestic targets. That sequence underpinned both the wiretapping convictions and the expanded espionage probe. In the court’s view, the commercial sale of Predator intersected with state operations in ways that merited criminal charges beyond mere breaches of export-control laws.

Implications for industry participants

This ruling carries diagnostic implications for vendors, resellers and end-users of surveillance technology. Vendors may face increased scrutiny by criminal prosecutors when their products appear in state-linked abuses, even if contracts and due-diligence processes were formally observed. Resellers and integration partners might encounter renewed investigations into procurement histories, licensing agreements and end-user certificates.

Similarly, governments and contractors that procure commercial spyware can expect criminal-law angles to complement existing export-control and civil-liability regimes. The Athens decision suggests that buyers operating in jurisdictions with robust privacy or espionage statutes could become subject to judicial inquiries if the tools they acquire are misused. Rather than seeking guidance only from compliance manuals, industry actors will likely observe prosecutors tracking transactional chains and technical logs for evidence of complicity.

Comparative context: vendor accountability under different legal systems

Until now, major spyware vendors—particularly those linked to Pegasus-class tools—have largely faced civil litigation, export restrictions and reputational fallout. Criminal charges against vendor executives have been rare or nonexistent in public records. The Greek case, by isolating vendor liability despite the earlier acquittal of state actors, establishes a precedent that could inform prosecutions in other jurisdictions.

Nevertheless, enforcement will vary widely. Some countries lack concrete statutes addressing commercial-spyware misuse or impose high burdens of proof for proving intent. In contrast, Greece’s wiretapping and national-security laws provided a framework for criminal charges. Appeals courts in Athens may overturn or reduce the convictions, and analogous proceedings would depend on local legal definitions of espionage and data-privacy breaches.

Human stakes: privacy, power and corporate agency

At its core, the Athens ruling raises questions about the agency of private-sector actors in amplifying state surveillance powers. Commercial spyware vendors occupy a liminal space between technology firms and intelligence contractors. When their products facilitate intrusive targeting of journalists, activists or political figures, human stakes extend beyond business risk into fundamental freedoms of expression, privacy and democratic accountability.

Advocacy groups described the verdict as a potential watershed in the fight against digital repression. Some observers noted that the end of a four-year scandal might encourage victims of spyware misuse to pursue remedies, while others warned of ongoing tensions between state security priorities and personal privacy rights. In either scenario, the ruling underscores that vendors can be enablers of state power in ways that attract not just economic sanctions, but criminal prosecution.

Potential evasions and corporate responses

Industry participants are already exploring structural workarounds, such as offshore incorporation, layered ownership models and intermediary resellers. These tactics aim to complicate traceability of transactions and obscure links between engineering teams and end-user deployments. Yet the Greek probes into foreign-state collaboration suggest that prosecutors may pursue broader networks, examining financial flows, corporate filings and cross-border service agreements.

Conversely, some vendors are likely to tighten end-user vetting and contract clauses to document permitted use cases and disclaimers of liability. While such measures do not guarantee immunity from criminal investigation, they create audit trails that can influence prosecutorial discretion or appellate reviews. In that sense, the Athens verdict operates as a diagnostic event: it reveals how existing governance structures may be tested under criminal-law frameworks.

Risks and caveats in extrapolating a global precedent

  • Jurisdictional limits: Athens’s ruling applies under Greek statutes; it does not automatically establish EU-wide or international criminal norms.
  • Appeal dynamics: Sentences remain stayed pending appeal and could be overturned or modified, altering the immediate risk profile for vendor executives.
  • State-vendor separation: Earlier Greek Supreme Court decisions cleared intelligence officials, underscoring that vendor liability can be isolated from state-actor accountability.
  • Proof requirements: Criminal convictions require evidence of intent or knowledge; not all civil or export-control breaches will translate into provable espionage charges.

Potential follow-on developments

The appeal outcome will shape whether this ruling becomes a sustained template for criminal prosecutions of commercial-spyware vendors. Parallel espionage probes into a dozen additional individuals may uncover broader networks of state collaboration. U.S. and EU regulators might respond with new guidelines or enforcement actions, translating the criminal-law focus into supplementary sanctions or export-control updates.

In commercial forums, procurement officers and legal advisors will watch appellate briefs and further investigative findings for signals about judicial thresholds. Prosecutors in other countries may reference the Athens decision when drafting indictments or negotiating plea agreements. Meanwhile, civil-society organizations will monitor case progress as an indicator of whether the era of spyware impunity has truly reached its terminus.

Conclusion

The Greek court’s decision marks a structural inflection in the accountability of commercial spyware vendors. By extending liability from sanctions and civil suits into criminal statutes and national-security scrutiny, the ruling reframes the business of intrusive surveillance tools as a matter of potential imprisonment and espionage investigations. As the case advances on appeal and sparks broader probes, the industry and its counterparts across procurement and regulatory spheres will be compelled to reckon with a more complex liability landscape—one where state-linked misuse carries not only reputational or economic costs, but personal criminal exposure.