A few weeks ago, Meir (not the real name) received an envelope from the American embassy containing distressing news. "Inside were personal letters for me, my wife, and each of my children," he recounted. "The letters notified us that all our visas had been revoked and warned us against attempting to enter the US. The letter also 'strongly recommended' we bring our passports to the American embassy for physical removal of the visas. My son had plans to study for a semester at an American university, and my wife works for an American company. How is she supposed to explain to her superiors that she's barred from entering the US?"
While Meir wasn't provided an official justification for his family's visa revocations, he understands the real reason. As a senior executive at an Israeli offensive cyber company, Meir represents just one case in a growing pattern. Dozens of employees from Israeli offensive cyber firms have received similar notifications in recent months, with their visas and their family members' visas being canceled without explanation. This has created what one industry worker described as "hysteria" among remaining employees who fear they'll be targeted next.
This visa revocation campaign remained largely unreported until this week because affected individuals have avoided publicizing their situations, fearing employment repercussions. "Nobody discusses it – it's completely taboo," one senior industry executive explained. "Do you understand what losing a US visa means for someone in high-tech? It's grounds for immediate termination," Meir added. "Anyone in cyber or the broader tech sector who cannot enter the US becomes essentially unemployable by any company."
Beyond settlers
The American decision to revoke visas from Israel's offensive cyber workforce originated during the Biden administration. The Biden administration generally employed visa revocation against Israelis quite broadly. While sanctions against settlers allegedly involved in violence against Palestinians received public attention, Israel Hayom can exclusively reveal that during Biden's term, several IDF officers were also prohibited from entering US territory. "Not all Israeli military personnel requesting work-related travel to the US received authorization," a senior defense official, who worked directly with American counterparts during Biden's presidency, confirmed.
While the IDF can manage without a few officer work visits, for the offensive cyber sector, US entry restrictions represent a potentially fatal blow to the entire industry. This latest measure compounds a series of American actions implemented in recent years, apparently aimed at constraining Israel's cyber industry, which until recently maintained global leadership in this specialized field.
Industry sources maintain that these American measures, predominantly enacted during Biden's term, have caused leading Israeli companies in the sector – NSO and Candiru – to start "hemorrhaging both clients and personnel," while other firms like Quadream have completely ceased operations. "The industry has been struggling for several years but now faces imminent collapse," a senior industry executive warned. "If they continue revoking employee visas, we'll lose our entire workforce. The industry is facing extinction."
Currently, the Ministry of Defense is reviewing a potential acquisition of offensive cyber firm Candiru by an American company. This development, sending shockwaves through the cyber sector, follows Paragon's acquisition by American interests just months ago. Should this deal proceed, three of Israel's principal offensive cyber companies will be under American ownership, after NSO was also acquired in 2014 by an American fund – effectively depleting Israel of nearly all its civilian offensive cyber capabilities.
The Trump administration has thus far maintained this policy approach. But what motivates American targeting of Israeli offensive cyber enterprises? Identifying a single definitive factor proves challenging. According to numerous conversations with industry insiders and former Israeli political officials, this situation involves a complex mix of superpower interests related to trade and security and, according to multiple sources, anti-Israeli sentiments among senior White House officials. This combines with the business interests of tech giants like Facebook and Apple alongside international organizations that have identified offensive cyber operations as a global human rights threat.
This volatile situation has been further complicated by internal conflicts that have weakened Israel's cyber industry from within, including strained relationships between the Israeli intelligence community and certain local offensive cyber companies, business rivalries that occasionally descended into leadership ego clashes, and inevitably, substantial financial interests.
What remains undeniable is Israel's failure to safeguard its offensive cyber industry, which faces extinction. Media reports indicate that while 18 offensive cyber companies operated in Israel during 2021, by 2023, this number had contracted to merely six. The industry's displaced workforce has largely relocated overseas, where they now employ their expertise – often developed during IDF service with Unit 8200 and other intelligence units – for foreign enterprises.
"We're witnessing the collapse of an entire industry, experiencing brain drain to foreign countries, while the government takes virtually no preventive action," one industry source explained with evident frustration. "Yes, we operate as businesses, but ultimately we're not just losing revenue – Israel is surrendering a critical security capability. Most companies have either dissolved or been sold, with communities of Israeli cyber specialists relocating to Barcelona, Singapore, Cyprus, Malta, and Dubai, where they develop comparable products sold indiscriminately without regulatory oversight. Israel has failed to protect this essential industry and its workforce, and the resulting damage to our national security will have long-term consequences for everyone."
Some of that cost, as we'll soon discover, manifested during the Oct. 7 attacks.
NSO in the crosshairs
The offensive cyber (cyberwarfare) market, which emerged with the internet's integration into daily life and accelerated following smartphone proliferation, generates tens of billions of dollars annually. The cyber tools produced within this market can penetrate phones and computers, extracting invaluable information. Israeli company NSO, founded in 2010, established itself as an industry pioneer – literally breaking new ground – becoming one of the global market's leading companies. Subsequently, additional companies developed in Israel, primarily drawing personnel from IDF technological units, especially Unit 8200.
This ecosystem, connecting private enterprise with the intelligence community, transformed the local industry into a driving force within the high-tech sector and positioned Israel as a global offensive cyber power alongside the US, China, Russia, and Iran. However, what began in Israel to advance legitimate objectives – intelligence monitoring of terrorists, criminals, and pedophiles – quickly revealed itself as operating in an ethically ambiguous space, where countries purchasing services from Israeli companies also deployed cyber tools to infiltrate the phones and computers of journalists, political dissidents, and human rights advocates.
The 2018 murder of Saudi journalist Jamal Khashoggi, a case that implicated NSO, marked a turning point in American policy toward offensive cyber generally and Israeli companies specifically. Subsequently, multiple investigations by international organizations presented evidence of various governments – from Uganda to Spain – illegally employing cyber tools acquired from Israeli companies.
During its initial years, the Israeli cyber industry successfully deflected criticism while maintaining impressive growth. Notably, cyber companies' operations were and continue to be regulated by the Defense Export Controls Agency at the Ministry of Defense (DECA), providing legal and ethical protection for these activities.
Everything changed in November 2021, however, when the US Department of Commerce announced that two leading Israeli cyber companies – NSO and Candiru – had been added to the "Entity List" of organizations whose activities conflict with American national security interests. The announcement stated that tools marketed by these companies "enabled foreign governments to conduct transnational repression" and "to target dissidents, journalists, and activists outside their borders to silence dissent."
The administration's announcement caught both the companies themselves and the Israeli Ministry of Defense unprepared. "The American decision arrived without warning and seemed disconnected from any precipitating event," acknowledges a former Ministry of Defense official. According to this source, despite the official American announcement's wording, the Commerce Department's sanctions stemmed not merely from ethical considerations but also commercial interests. "The Americans recognized offensive cyber as an emerging transformative technology, comparable to artificial intelligence or quantum computing, and decided to suppress competition," he explained. "Human rights might serve as the justification, but American officials explicitly informed us that these companies were undermining direct US interests."
"There are certainly voices within the American administration opposed to this industry generally and the Israeli industry specifically," another former senior defense official added. "This opposition stems from commercial, political, and ideological factors, not exclusively values-based concerns. Various countries allegedly employed tools from Israeli companies illegally to monitor American government personnel. I presume that, as usual, all these considerations played a role."
An industry executive offered this analysis: "During this period, tech giants faced congressional hearings regarding privacy intrusions and user data exploitation. Remember that cyber companies breaching computers and phones effectively compete against device manufacturers and data controllers – Google, Apple, Facebook, and others. Once these corporations found themselves under government scrutiny, they redirected pressure toward their 'adversaries' like NSO and similar companies. This aligned with undercurrents that emerged in Europe and America during the Obama administration, focused on human rights violations and privacy rights while disregarding our effectively lawless digital environment. Furthermore, American industry advocated for 'keeping the advantage on our side,' while US leadership recognized these as superpower tools requiring American dominance. By 2021, these factors will have converged.
Double-edged sword
Following the Commerce Department's November 2021 designation of NSO and Candiru to the "Entity List," Israel's Ministry of Defense and National Security Council initiated a series of discussions and meetings with American officials to mitigate the impact. "The dialogue wasn't aimed at defending the specific affected companies, but rather at understanding how to preserve Israel's offensive cyber industry," a source directly involved in these negotiations explained. "The goal was identifying workable solutions with the Americans that would allow progress to continue."
When American officials provided few concrete answers to Israeli inquiries, the Ministry of Defense implemented its own preventive measures – intensifying oversight of Israeli companies in hopes of alleviating American concerns. During this period, the ministry drastically reduced the number of countries to which Israeli cyber companies could export hacking tools from approximately 100 to just 37. This decision ultimately functioned as a double-edged sword, failing to satisfy American concerns while simultaneously crippling Israeli cyber companies' business opportunities.
"The defense establishment fundamentally mishandled this crisis," an industry source stated. "While the Americans ignited the situation, the Ministry of Defense's ineffective response caused the explosion. They prioritized security relations with the US over the survival of cyber companies. The ministry even suspended licenses for previously approved contracts, inflicting devastating financial damage. Their additional restrictions effectively suffocated these companies."
A source from another industry company reported, "Appeals to both the prime minister and defense minister over several years yielded no results. While Bennett attempted intervention during his premiership, Netanyahu and Dermer took virtually no action. They focused on addressing settler sanctions rather than the offensive cyber industry crisis."
According to a political system insider from the Bennett administration, "We conducted complex negotiations with the Americans and established productive relationships with key officials. Rather than expecting a complete policy reversal, we sought practical pathways for companies to navigate restrictions safely. We developed internal protocols that would likely have resolved most American concerns, but to my knowledge, this framework was abandoned after the elections and never implemented."
This week, responding to a Haaretz report about Prime Minister's adviser Caroline Glick's activities, officials noted her engagement with the White House included "exploring options for lifting sanctions on Israeli technology companies." Israel Hayom's investigation confirms Glick maintains active contact with Israel's offensive cyber industry representatives and is working on this issue.
Internal Israeli struggle
At a practical level, the "Entity List" designation for NSO and Candiru had limited direct consequences. While it restricted their ability to freely trade with American companies, this alone wasn't fatal. "The real damage," an industry source explained, "came from the symbolic implications."
Multiple sources consistently report that the "Entity List" designation drove away both clients and, more critically, employees from these and other Israeli companies. "This creates a devastating reputational stain that tarnishes all Israeli companies," one source explained. "Customers abandon your technology platforms, employees resign and deliberately omit their company tenures from their resumes. The impact is extraordinary. Employees fear escalation to arrest warrants, asset freezes, and visa revocations."
Israel Hayom can exclusively reveal that during Bennett's administration, officials considered a state rescue of NSO. Given the company's deteriorating situation alongside its critical importance to Israeli national security, during 2022 the government evaluated purchasing NSO and incorporating it as a division within a government entity like Rafael, or alternatively within the Shin Bet or Military Intelligence. This initiative aimed to prevent NSO's collapse and the loss of its valuable cyber capabilities. "The National Security Council and defense minister held discussions about NSO's future, seeking to prevent its closure under American pressure," a source directly involved in these deliberations revealed. "The Mossad and Shin Bet showed greater flexibility, while Military Intelligence opposed acquisition." Ultimately, officials decided against purchasing NSO.
Military Intelligence's opposition must be understood within the context of existing tensions between the agency and civilian cyber companies. These private entities primarily recruit from Military Intelligence veterans, particularly Unit 8200 alumni. As civilian companies expanded, competition intensified between them and Military Intelligence for the limited pool of elite talent, especially "vulnerability researchers" – exceptionally gifted specialists capable of breaching sophisticated communication systems.
"Unit 8200 serves as the primary source of vulnerability researchers," a field expert explained. "Military Intelligence acknowledges they can produce very few qualified vulnerability researchers annually – it's an extremely scarce resource. In recent years, as competition for this talent intensified, Unit 8200 began treating the civilian market as adversarial. Realizing they couldn't match the astronomical salaries offered by private companies, they promoted a narrative portraying the industry negatively."
Sources indicate Unit 8200 also alleged that discharged researchers transferred classified methodologies to civilian employers. "They perceived Israeli companies as appropriating Unit 8200 capabilities and deploying them indiscriminately," a former military intelligence official explained. "It's well known there aren't thousands of vulnerability researchers in Israel – we're discussing perhaps a few dozen individuals. Recruiting someone with these skills from Unit 8200 directly undermines Israel's security infrastructure."
This same source noted that ethical considerations reinforced practical concerns. "Yossi Sariel [former Unit 8200 commander] firmly refused to utilize tools from civilian companies," he stated. "He believed employing tools used for surveilling journalists and human rights activists would compromise their integrity. The principle was clear – associate with questionable practices and suffer the consequences. Military Intelligence personnel, especially within Unit 8200, maintain strong ethical standards. Learning that Israeli companies' tools were being deployed illegally troubled them deeply."
Another industry source offers an alternative explanation for the antagonism between military intelligence and civilian companies. According to this source, by 2020, Unit 8200 suspected several leading companies had obtained proprietary unit developments. Consequently, then-commander Assaf Cohen terminated reserve service for employees from these companies. Reservists working at Sentinel One were subsequently barred from Unit 8200 reserve duty after the company erected a billboard near the unit's facility attempting to recruit personnel. The sign read, "Usually we chase the enemy, this time we're chasing talent." A former unit source noted, "From the Unit 8200 commander's perspective, this crossed a line, prompting aggressive countermeasures."
Regardless of underlying causes, the consequence was that over the past five years, exceptional Unit 8200 reservists employed by several Israeli cyber companies were simply not activated for reserve duty. "Remember, these individuals represent the field's most brilliant minds," an industry source emphasized.
Ehud Barak also involved
Paragon maintained notably strong ties with Unit 8200, distinguishing itself from other cyber firms. Founded by Ehud Barak and former Unit 8200 commander Ehud Schneurson, the company was strategically positioned as the industry's "clean" alternative. Following the Oct. 7 attacks, approximately 50 Paragon employees were mobilized for reserve duty with Unit 8200.
Information obtained by Israel Hayom reveals that following Oct. 7, the Shin Bet approached at least two offensive cyber companies requesting urgent assistance with war efforts – notably after having previously severed relationships with one such firm in the pre-war period.
The Shin Bet's urgent need to rapidly acquire offensive cyber capabilities emerged within a specific context. According to industry sources, after NSO and Candiru were added to the "Entity List," the Shin Bet deliberately "distanced itself from civilian companies to avoid complications with American authorities." This policy shift manifested concretely, as cooperation between the Shin Bet and one of Israel's leading cyber companies – whose breaching tools had previously been instrumental in gathering Hamas intelligence in Gaza and the West Bank – progressively diminished from late 2021 until completely ceasing. "Consequently, by October 7, the Shin Bet lacked any operational breaching tools from this company in Gaza," explains a source with direct knowledge. "This clearly demonstrates that the erosion of Israel's offensive cyber industry directly weakens capabilities within national intelligence organizations."
Another industry insider notes, "Israeli companies were willing – and remain willing – to work with security agencies at minimal cost. They generate revenue through international contracts while supporting Israeli intelligence services virtually without compensation. Unit 8200 failed to recognize how the industry strengthens Israeli security, instead choosing to position itself against the private sector."
Hostile administration
The 2021 American sanctions against cyber companies triggered a cascading effect that not only devastated the industry but also generated significant tension between private firms and intelligence agencies. Concurrently, numerous employees – including critical "vulnerability researchers" who represent the cutting edge of offensive cyber capabilities – relocated abroad, fearing personal American sanctions, subsequently joining foreign companies. "This constitutes a dangerous brain drain and poses a genuine threat to Israeli security," warns an industry representative.
According to multiple sources, this exodus may accelerate following the latest American measure – widespread visa revocations. Industry insiders assert that this action extends beyond merely political or commercial considerations, involving individuals with anti-Israeli inclinations who occupied pivotal positions within the Biden administration.
Understanding these assertions requires examining events starting in March 2023, when President Biden issued "Presidential Directive 14093," intensifying oversight of America's offensive cyber sector. While not explicitly targeting Israel, this directive effectively continued the restrictive approach toward Israeli companies established in 2021.
This directive signaled a pronounced shift in American policy toward the global offensive cyber industry. Subsequently, in February 2024, the American administration announced visa cancellations for 13 offensive cyber industry employees, predominantly Israelis. In September 2024, just before Trump's eventual electoral victory, the Biden administration implemented another round of visa cancellations. Sources confirm Israel was again disproportionately affected, with hundreds of employees from local companies – including junior staff – receiving instructions to surrender their passports at the American embassy in Tel Aviv for visa removal.
According to official American statements, Maher Bitar, Deputy National Security Advisor for Intelligence, was responsible for the visa cancellation decision. Bitar, an American of Palestinian descent, previously worked at UNRWA and served on the board of Students for Justice in Palestine (SJP) – a pro-Palestinian campus organization whose activities were banned in several states after expressing support for Hamas's Oct. 7 attack.
Bitar, who has previously made explicit anti-Israel statements, began his career at the State Department and served on the US National Security Council during the Obama administration. After Biden's inauguration, he was appointed "Special Assistant to the President" – a nomination supported by Robert Malley, a senior US National Security Council official currently under investigation for allegedly serving as an Iranian agent in Washington. In January 2024, Bitar was promoted to Deputy National Security Advisor and coordinator of presidential intelligence and defense activities, effectively becoming the highest-ranking administration official responsible for policy in these domains. "Maher Bitar's decision to revoke US entry visas from Israeli cyber experts, made in his capacity as a Biden advisor, aims to eliminate this industry and nullify Israel's competitive advantage," a senior Israeli industry figure asserted.
It's important to note that Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, worked closely with Bitar. Neuberger, an Orthodox Jewish woman whose parents were rescued during Operation Entebbe, isn't considered anti-Israel. However, according to senior industry officials, the Bitar-Neuberger collaboration represented a convergence of two distinct agendas within the Biden administration. "On one hand, Bitar with his anti-Israeli predispositions, and on the other, Neuberger, whose cyber advisory role prioritized establishing American dominance in offensive cyber capabilities," one source explained. "Ultimately, both aimed to eliminate competition and consolidate control over Israeli cyber companies."
Evidence supporting this assessment emerged when an American investment fund acquired Israeli firm Paragon several months ago, further eroding Israel's offensive cyber advantage. Notably, Secretary of State Anthony Blinken was involved in Paragon's sale process. Blinken founded the lobbying firm WestExec, which Paragon retained while attempting to enter the American market. Shortly after Blinken's appointment as Secretary of State under Biden, Paragon's acquisition by American capital fund Euro-Equity was finalized. Paragon maintains that once Blinken became Secretary of State, he recused himself from the acquisition process due to the inherent conflict of interest.
While the Biden administration supported Paragon's acquisition, it strongly opposed similar arrangements involving NSO, Paragon's primary competitor. Concurrent with Paragon's sale, negotiations were underway between American defense contractor L3Harris and NSO regarding the potential acquisition of the Israeli company. These discussions had progressed substantially, including regulatory conversations between senior Israeli Defense Ministry officials and American counterparts. However, upon the White House's discovery of these negotiations, a senior administration official was quoted in the Washington Post expressing "concern" about potential American connections to NSO. The American company promptly interpreted this signal and abandoned acquisition plans.
NSO executives remain convinced that Maher Bitar was the unnamed "senior official" quoted in American media reports.
The Shin Bet responded: "By law, Shin Bet capabilities and operational methods are classified, and their disclosure is prohibited. Nevertheless, we emphasize that the article's claims regarding tools operated by the Shin Bet in Gaza before the October 7 attack are completely unfounded and have no basis in reality."
The US Embassy responded by saying, "Visa records are confidential under American law. Therefore, we cannot discuss details of individual visa cases." The Ministry of Defense and IDF Spokesperson provided no response.
