AI Analytics

SpyLedger dossier · Mercenary spyware

Candiru

Tel Aviv-based mercenary-spyware vendor founded in 2014. Its current registered legal name is Saito Tech Ltd; it has operated under multiple successive registered names. The U.S. BIS Entity List entry lists seven aliases: Candiru Ltd., DF Associates Ltd., Grindavik Solutions Ltd., Taveta Ltd., Saito Tech Ltd., Greenwick Solutions, and Tabatha Ltd. The Entity List entry gives the address as 21 Haarbaa, Tel Aviv-Yafo, Israel 6473921.

Headquarters: Israel

Products

  • DevilsTongue (the persistent spyware implant, named by Microsoft)
  • Sherlock (cross-platform browser/OS zero-day exploitation tooling)

Government designation status

1 active designation from the surveyed authorities. Each is a public government record with a different legal effect — read the type label and scope on each.

US BISExport controlEntity List · 2021-11-04

A license is required to export US-origin items/technology to the entity, typically reviewed under a presumption of denial (e.g. BIS Entity List). It is not an asset freeze.

Added to the Commerce/BIS Entity List effective Nov 4, 2021 (final rule 2021-24123) for developing and supplying spyware. Imposes a license requirement for all items subject to the EAR (per 15 CFR 744.11), with no license exceptions available and a license review policy of presumption of denial. Listed under country Israel with seven aliases including Saito Tech Ltd. This is a U.S. export-control restriction, NOT a financial/asset sanction. Independently verified against the primary govinfo.gov Federal Register text: the entity entry, the seven aliases, the EAR-wide license requirement, the presumption-of-denial review policy, and the Israel listing all match.

Federal Register / BIS Final Rule 2021-24123 — Addition of Certain Entities to the Entity List (FR-2021-11-04)

No US OFAC (SDN/sanctions), US Treasury NS-CMIC investment-restriction, EU consolidated sanctions, or US FCC Covered List designation for Candiru/Saito Tech is on public record as of the research date. The only verified government designation is the US BIS Entity List addition (effective Nov 4, 2021). A 2025 press headline referring to "US sanctions ... including Candiru" was checked and found to be journalistic shorthand for this same November 2021 BIS Entity List action, not a separate or new designation.

This dossier restates public government-designation records; it is not an allegation of wrongdoing by AI Analytics, and it publishes no customer-deployment claims or targeting data. A designation describes a specific legal action by a named authority — read its scope; an export control, an equipment-authorization restriction, and an asset-blocking sanction are not the same thing. To dispute or correct an entry, contact us (see the methodology). Status current as of the 2026-06-23 build — confirm against the linked primary source. Back to all vendors.