Julian-Ferdinand Vögele

Principal Threat Researcher at Recorded Future's Insikt Group

Julian-Ferdinand Vögele is a principal threat researcher at Recorded Future’s Insikt Group, specialising in malware analysis and infrastructure detection. He investigates cybercriminal, state-sponsored, and mercenary spyware operations. He previously worked in offensive security, studied computer science, and is a Virtual Routes fellow.

Talk: The Blueprint for a Modern Commercial Spyware-Maker? (with Paul May) [TLP:RED]

In 2026, commercial spyware makers are not only providers of a single surveillance product but intentionally fragmented global enterprises: a network of export brokers in one jurisdiction, shell companies in another, and boutique exploit developers elsewhere. These deliberately disparate networks, connected through layers of legal, technical and logistical intermediaries, form a structure designed to create jurisdictional arbitrage and reduce liability across borders.

This talk unpacks that machinery through the notorious yet still not understood case of the Intellexa network, a complex web of entities behind the Predator spyware. Despite the prosecutions of Intellexa-linked actors in Greece, elements of the network continue to operate, highlighting the resilience of this distributed structure.

Following years of investigations drawing on non-public data, we demonstrate the network’s architecture, identifying overlooked and previously unreported entities associated with an initial access technique and clarifying their roles. We show how blurred boundaries between contractors, employees, and service providers complicate attribution and accountability.

Does Intellexa represent a blueprint of the modern commercial spyware vendor? We demonstrate whether the network, as a case study, can help us better understand the growing commercial surveillance industry.