It was 3.22pm on June 7th 2021 when a taxi came to fetch Olivier Bohbot as he left his meeting. The number two at the French group Nexa, which specialises in spying and surveillance equipment, had given his pick up address as Boulevard Mortier in Paris's 20th arrondissement or district. This is just in front of the headquarters of the DGSE.
Enlargement : Illustration 1
That France's prestigious external intelligence agency should receive a visit from one of its suppliers, a firm that makes sensitive technology, is on the face of it perfectly normal. But the fact that it is still doing business with this company is, to say the least, surprising.
Since 2011 the company, which was previously called Amesys, has been the object of a judicial investigation for selling an internet surveillance system to Muammar Gaddafi's Libya that enabled the dictator to spy on and hunt down regime opponents. A second investigation was begun in 2017 for similar reasons in relation to the sale of the same system to Egypt, just a few months after the coup d'État staged there by Abdel Fattah al-Sisi.
On June 15th 2021, a week after his meeting at the DGSE's headquarters, Olivier Bohbot and several other Nexa executives were arrested by gendarmes from the crimes against humanity and hate crime unit the Office Central de Lutte contre les Crimes contre l’Humanité et les Crimes de Haine (OCLCH). Following this, a judge placed several of them under investigation for “complicity in torture”. The Nexa executives deny the accusations against them and they benefit from a presumption of innocence.
One of the most striking aspects of this affair is this: that despite the deep suspicions over human rights violations, the DGSE and the French state in general never abandoned Nexa. Indeed, between 2014 and 2021 the company won contracts worth at least 11 million euros with the intelligence services and the ministries of the interior, justice and defence. This is revealed by our 'Predator Files' investigation, based on confidential documents obtained by Mediapart and Der Spiegel, and shared by the European Investigative Collaborations (EIC) media network.
The DGSE refused to respond to our questions. “It was normal as part of our commercial activity to have contact with the authorities,” responded Stéphane Salies and Olivier Bohbot, the directors and major shareholders at Nexa. They declined to make any other comment on the issue.
These good relations go back some way. In one marketing brochure the two Nexa bosses introduce themselves as having “more than 20 years experience in selling solutions … to DGSE”. Several employees told the gendarmes just how close Stéphane Salies was to the intelligence service, as well as to Bernard Barbier, the DGSE's technical director from 2006 to 2013. Contacted by Mediapart, the latter did not respond.
Nexa, which then went under its old name, had contact “all the time” with the DGSE in those days “because Amesys was one of the DGSE's big suppliers”, said the company's former chair, Philippe Vannier.
Enlargement : Illustration 2
From 2006, at the request of the Libyan dictator Muammar Gaddafi, and with the blessing of Nicolas Sarkozy (who was France's interior minister in 2006 then president from 2007), Amesys developed the Eagle software. This was the first system able to monitor the internet at the scale of a whole country. According to our information the DGSE kept a close eye both on this technological achievement and the Libyan deal itself.
Several witnesses say that it was the DGSE, through its technical director Bernard Barbier, who asked another French company, Qosmos, to work with Amesys in order to provide it with a sensor to intercept internet traffic, something that was needed to make Eagle work effectively.
A backdoor
One DGSE agent told the investigating judge that when a commercial dispute broke out between Amesys and Qosmos, his agency tasked him “on an unofficial basis” to conduct “mediation” to reconcile the two companies.
Meanwhile, two former Amesys employees told gendarmes that the Eagle software was equipped with a 'backdoor', a hidden gateway allowing Amesys to get into the software without the knowledge of its Libyan client. As the website Intelligence Online revealed, one of the group's executives, Renaud Roques, went even further, telling the investigating judge that this backdoor was “designed by the DGSE's services” so that the agency could “connect in a discreet and untraceable way to the Libyan system” and “have access to the list of targets”.
Renaud Roques called for and succeeded in getting three former DGSE engineers who had been working at the agency at that time to give evidence to the judge anonymously, in a bid to confirm his version of events. These technical experts refused to comment on the possible existence of any such 'backdoor' on the grounds that this was “in the realm of official secrets”. But one of the agents did talk about the “constant and quality” dialogue they had with Amesys about Libya. “The company responded to all our questions and kept us informed about the progress of the deal,” he said.
Mediapart has been able to identify the former DGSE agents questioned by the judge. Two of them later worked at the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), which is in charge of protecting the state's administration and companies against cyber attacks. In the 2010s the pair had high-level jobs there.
Leaving no trace
One document seized during a judge-authorised search confirms the role that these two DGSE agents played in the Libyan contract. It is a handwritten report of a meeting that took place on January 15th 2007 at the “MinDef” - Ministry of Defence – between them and Amesys executives. According to the document this meeting discussed “the Eagle product” as well as security instructions about how to avoid leaks. The aim was to “limit to the maximum the number of people in the loop” and to pay “attention to sources and to access to sources”.
There was panic in March 2011 after the Western military intervention that led to the toppling and then the death of Gaddafi. Nicolas Deckmyn, who at the time was a young engineer at Amesys, described how he was “summoned” urgently by the DGSE so that he could deliver the coordinates for the locations where the Eagle system had been installed. “I think that this so they could intervene, to bomb the three sites,” he told gendarmes. The apparent aim was to leave behind no trace of the help given by France to the Libyan dictator.
It turned out that one of the buildings was completely destroyed and that a clean-up took place at the other two sites, though who did this is not known. In August 2011, when two Wall Street Journal journalists visited one of the centres and revealed the existence of the Eagle system, they found paper documents but the servers themselves had disappeared.
Following the scandal of that revelation and the opening of an initial judicial investigation into the Libyan deal, Stéphane Salies, one of the senior executives at Amesys, bought the Eagle technology, which was renamed Cerebro. He lodged it with a new company called Nexa, which also took on most of the existing staff. The aim was to ensure that Amesys's name was forgotten.
At the same time he set up a discreet sister company to Nexa in Dubai. This was named Advanced Middle East Systems (AMES), and had the major advantage of being able to export without the need to ask France for an export licence.
When he was questioned in custody Stéphane Salies insisted that “the French authorities and the French [secret] services had been notified [editor's note, of the creation of AMES] and had not made any objection … I'm speaking mainly of the DGSE.” The gendarmes asked him: “Did the DGSE have any demands?” Salies replied: “Yes, but I can't disclose them. Because it involves official secrets.”
Hello, does one of you have access to the Nexa account to see if we have received a payment of 200k from the DGSE?
We do not know if the DGSE did indeed unofficially approve Nexa circumventing the French authorities by exporting from Dubai. But one document found during a search shows that the Ministry of the Economy, which is in charge of authorising export licences, was indeed alerted to the creation of AMES and was not opposed to it.
Enlargement : Illustration 3
When questioned as a witness Rachida H., who was in charge of administration at Nexa, said that after the Libyan affair “it was difficult to rebuild trust with the French state's services”.
Yet the judicial investigation has shown that relations between the company and the intelligence services recovered very quickly. An internal document from 2014 indicates that at the time Nexa had a contract for “ten million euros a year” to supply the DGSE with IMSI-catchers, devices that can intercept mobile phone communications within a range of a few hundred metres. However, the deal seems to have ended because we have not been able to find any payments corresponding to such a sum.
During an internal group discussion in December 2020 a worried Renaud Roques asked: “Hello, does one of you have access to the Nexa account to see if we have received a payment of 200k from the DGSE? I'd like to be sure before chasing them up … during the day.”
The number two at Nexa, Olivier Bohbot, referred him to another member of staff to check if the 200,000 euros had been paid or not. To our knowledge, the judicial investigation has not been able to determine to what product or service this sum related.
French secret service agents also helped Nexa to export. A 2014 Nexa document lists commercial campaigns by the company in India, Mali, Mauritania and Senegal, carried out with the “support of the French [secret] services”.
And when the DGSE seemed to give a negative “opinion” on the sale of the large-scale internet interception system Cerebro to the Pakistani secret services, Renaud Roques, number three at Nexa, wrote a reminder in his notebook that he must “dig to find out the reason”. This book of notes, written in 2015 and 2016, also mentions a meeting with a DGSE agent who had the codename 'Clovis' in order to recommend to him a radio system made by the German group Plath, who had a 30% stake in Nexa.
By coincidence Nexa again had dealings with one of the ex-DGSE agents who had overseen the contract with Libya and who was now working at the ANSSI. One of this agency's jobs is to give authorisation to companies for the importation and sale of surveillance equipment in France.
Gendarmes found a list of 29 Nexa products that received authorisation from ANSSI at this time. In addition to the Cerebro software this list included a powerful Israeli system to infect mobile phones with malware, another to intercept data in cloud computing, and a third that intercepted “satellite traffic”, plus various types of IMSI-catchers.
'Authorised services'
In a summary report the gendarmes took the view that Nexa had minimised the real capabilities of its products in the requests for licences made to several supervisory organisations. “The description is different to that which appears on the contracts, in the marketing brochures,” write the gendarmes. They give as an example a request for authorisation sent to ANSSI in 2017 about a sensor, connected to Cerebro, which gathers and collects internet traffic data. “At no point is the maximum capability and the unlimited functions of this technology mentioned,” they write.
Yet the senior official at ANSSI who approved and signed this off was fully aware of the capabilities of this product that had been deployed in Libya. For he had been one of the three DGSE engineers in contact with the company over the issue and who ended up being questioned as part of the investigation.
When contacted, the former DGSE engineer said that he could not comment on matters which were covered by official secrets. He nonetheless said that ANSSI was not responsible for export licences and that it always set out the “limitations” that applied to any sales in France. “The interception solutions that you talk about are systematically limited to the 'authorised services',” he said, meaning the secret services.
The DGSE is not the only state service to have made use of Nexa. An internal company document from 2014 shows that Nexa had three other sensitive contracts at the time, the nature of which were not detailed. One was a “small” deal with the Ministry of the Interior, another a “medium” deal with the military intelligence directorate the Direction du Renseignement Militaire (DRM), while the third contract, for two million euros, was with the defence procurement agency the Direction Générale de l’Armement (DGA).
In Renaud Roques's notebook there is mention of a meeting with the commissioner at the head of the technical directorate at the domestic secret service the DGSI, a visit by France's minister of the interior to Nexa premises and a presentation of products to a delegation from the elite gendarme tactical group the GIGN.
The honeymoon with the secret services continued well after the company's legal problems emerged. In June 2021, during a search of Nexa's premises, it was found that nine employees still had 'official secrets' clearance, until either 2025 or 2027, including Renaud Roques and boss Stéphane Salies.
Even in its archive Nexa maintained secrecy over its contracts which were referred to by codes, most of them named after types of confectionery or pastries. The French contracts were called 'Cachou' (a type of lozenge), 'ParisBrest' (a French pastry) and 'Calisson' (a speciality candy). We have been able to compile an inventory of contracts with a total value of at least 11 million euros, concluded between 2014 and 2020, between the French state and the company. It is worth recalling that at the time the latter was the object of two legal proceedings for alleged complicity in torture.
In 2016 Nexa received 180,000 euros to deliver a decoder and software to the Groupement Interministériel de Contrôle (GIC), the body which manages the eavesdropping and 'administrative' surveillance that is carried out by the country's secret services outside the usual judicial procedures.
Nexa then concluded a contract for 219,000 euros with the DRM in 2018, and in 2020 agreed another, codenamed 'MilleFeuille', for two million euros with the Ministry of Defence for IMSI-catcher style mobile communication interception systems. One aspect of the project, called “backpack study”, was clearly aimed at designing a device small enough to be carried in a backpack.
The nature of some deals was not specified, such as project 'Papillon' with the Ministry of Justice which had a price tag of 2.8 million euros.
Thanks to its subsidiary Elecktron (sold in December 2021), the Nexa group was also active in the domain of judicial eavesdropping systems, despite the introduction of a single system, the PNIJ, that was awarded to the defence, security and aerospace company Thales in 2017. As a result of technical issues several regional police forces continued to use the Elektron system. In June 2021 the boss of Nexa spoke on the phone of a recent payment of 500,000 euros from the “ministry” in relation to this.
One is fully aware that it can't all be angelic.
In July 2018 Nexa won a new contract with the Ministry of the Interior, called 'Pimousse' (a brand of sweets), for a product to be used in conjunction with normal phone-tapping and eavesdropping. This system allowed the user to glean not just conversations and SMS messages from targeted phones but also “internet data and the geolocation”, a Nexa engineer told gendarmes.
Nexa also sold a software component codenamed 'Jasmine' which enables the user to identify with whom an individual is in contact and the dates of their conversations (though not their content) even when the target is using encrypted apps such as Signal, WhatsApp or Telegram. “This unit … is used for judicially [approved] interceptions in France,” Nexa boss Stéphane Salies told gendarmes.
One document dated January 2021, which lists the commercial campaigns in progress, shows that France was a priority market: Nexa was competing to win 18 different contracts with ministries or intelligence services, with a combined value of 10 million euros.
Among the biggest potential deals was an extension of the 'MilleFeuille' project with the Ministry of Defence for three millions euros and a mobile phone eavesdropping system with the DGSE for 400,000 euros.
When contacted by Mediapart about these contracts the DGSE and the Ministry of the Armed Forces declined to respond. The Ministry of the Interior did not respond. The Ministry of Justice confirmed to us that they had made use of Elektron for judge-approved eavesdropping. But the ministry said it had “never awarded a contract to Nexa and had never maintained links with this company”.
All the while it was supplying French ministries and intelligence services Nexa continued to export its very intrusive surveillance systems, including mobile phone hacking software, to authoritarian regimes, just as it had done in the days of Colonel Gaddafi.
Questioned about this by the investigating judge, one of the former DGSDE agents ended up noting: “This is the customary problem with arms sales, one is fully aware that it can't all be angelic.”
--------------------------------------------------------------------------
- The original French version of this article can be found here.
English version by Michael Streeter