Leaked licences show Bulgaria greenlit surveillance exports to governments accused of repression

TL;DR

Leaked export licences show Bulgaria approved Circles BG, an NSO Group affiliate, to sell phone-tracking tools and interception systems to intelligence agencies in Azerbaijan, Serbia, the UAE, and at least a dozen other countries between 2018 and 2023. The findings, published by Human Rights Watch, raise questions about the effectiveness of EU dual-use export controls.

Bulgaria’s export control authority licensed a Sofia-based surveillance firm to sell phone-tracking tools, interception systems, and monitoring infrastructure to intelligence agencies in countries with documented records of suppressing dissent. The licences, published by Human Rights Watch on Wednesday, cover exports by Circles BG to government buyers in Azerbaijan, Serbia, Malaysia, Mexico, the UAE, and at least ten other countries between 2018 and 2023.

Circles is an affiliate of NSO Group, the Israeli company behind the Pegasus spyware that has been used to target journalists, politicians, and human rights defenders worldwide. The leaked licences offer the clearest picture yet of how the company used its Bulgarian base as a gateway for exporting surveillance technology to governments that international watchdogs have accused of deploying such tools against their own citizens.

The Circles-NSO connection

Circles was acquired in 2014 by a company that also owns NSO Group, bringing both firms under the Q Cyber Technologies umbrella. In 2020, the University of Toronto’s Citizen Lab identified Circles as operating surveillance systems that exploited weaknesses in global telecom networks across at least 25 countries.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

One of Circles’ co-founders, Tal Dilian, a former Israeli military intelligence commander, was sanctioned by the United States in March 2024 for his role at Intellexa, a separate surveillance consortium he founded. Intellexa developed the Predator spyware that triggered Greece’s 2022 “Predatorgate” scandal, and a Greek court convicted Dilian and three others in February 2026, sentencing each to eight years in prison.

The licences also reveal direct commercial ties between Circles and NSO Group itself. NSO purchased equipment worth $119,941 from Circles in October 2021, technology that was ultimately transferred to the Israeli Ministry of Defence’s Home Front Command.

NSO Group was placed on the US Commerce Department’s Entity List the following month over allegations that its spyware had been used to target civil society. Circles BG, despite its corporate affiliation with NSO, does not appear on any US sanctions or export-control blacklist.

Who bought what

The export documents name specific government agencies and the equipment they acquired. Azerbaijan’s Foreign Intelligence Service purchased Dell server and storage infrastructure worth more than $42,000 in a licence issued in June 2022, and separately obtained a mobile-phone tracking system that uses cellphone towers to pinpoint device locations.

That tracking licence was valid until December 2023, spanning the period in which Azerbaijan launched its military offensive to retake Nagorno-Karabakh. A joint investigation by Amnesty International and Citizen Lab had already found in May 2023 that Pegasus spyware was being used to target Armenian public figures amid the conflict.

Serbia’s interior ministry purchased a portable mobile-phone surveillance and location-tracking device for $18,254, a few months before the country’s December 2023 elections. Amnesty International subsequently reported in December 2024 that Serbian authorities had used spyware and forensic extraction tools against journalists and civil society activists, allegations the Serbian government has disputed.

The UAE’s Signals Intelligence Agency purchased a voice interception system known as VOLE for $10,000 through a local intermediary in 2018. Malaysia’s military intelligence obtained the same system through Telekom Malaysia Berhad in a package valued at more than $52,000 that included installation and training.

The documents also list government authorities in Bahrain, Brazil, the Dominican Republic, Ghana, Guatemala, El Salvador, Jordan, Morocco, and Panama as end users. One Mexican export involved a tactical signals intelligence system designed to locate and monitor mobile devices, with the end user listed as the government of Michoacán, a state long plagued by cartel violence.

The EU’s export control gap

The findings land as Brussels prepares a fresh review of the EU’s dual-use export control regime, with the European Commission expected to present a proposal by early 2027. Under the current rules, national authorities must assess whether cyber-surveillance tools could be used for internal repression or serious human rights violations before approving exports.

“These licences are clear evidence that Bulgaria is licensing exports of surveillance tech worldwide to police, military and intelligence agencies in countries with long histories of using that same technology to crack down on rights,” said Zach Campbell, senior surveillance researcher at Human Rights Watch. Campbell added that the European Commission has done nothing to stop the exports despite having visibility on them, a claim this article could not independently verify.

Bulgaria’s Ministry of Foreign Affairs told Politico that Circles’ documentation showed the technologies were intended for crime prevention, counter-terrorism, and humanitarian search-and-rescue operations. The ministry said it assesses “all relevant circumstances” when examining applications.

The broader problem is structural. Many surveillance systems combine software, mobile-tracking tools, and largely commercial hardware, making it difficult to determine where ordinary telecommunications equipment ends and cyber intrusion tools begin.

Circles did not respond to multiple requests for comment. The findings do not indicate that the exports were illegal or that the technologies were used unlawfully, but alongside cases such as Italian spyware distributed through fake WhatsApp updates, they underscore how far Europe’s surveillance industry has outpaced the regulatory framework designed to constrain it.