This page supports four open-source developers targeted by illegal surveillance for building privacy tools.
In 2019-2021, open-source developers building privacy-centric voting protocols were targeted by an EU state with military-grade Pegasus and Candiru spyware. They were criminalised as alleged terrorists, not for any crime committed, but for the potential future use of the tools they were building.
Sentinel's Developer Defense Fund has been created to fund the legal fight these developers are leading to seek accountability, prevent new state-sponsored abuses and defend the right to build open-source software.
Last updated: March 2026
In 2025, Sentinel Alliance filed the first criminal complaint in Europe against intelligence agencies and spyware vendors for the illegal surveillance of open-source developers. The Barcelona court accepted the case and placed former intelligence directors and spyware company executives under formal investigation in January 2026.
Between 2019 and 2020, Spanish intelligence agencies targeted open-source software developers and blockchain advocates: Joan Arús, Jordi Baylina, Elies Campo, Pau Escrich, Joan Matamala and Xavier Vives. They were attacked with military-grade Pegasus and Candiru spyware for their work on privacy-centric protocols.
The state's pretext: "national security," supported by alleged terrorism charges that carried a potential 12+ years in prison.
The surveillance was total. They were physically followed for months. Their phones and laptops were hacked; their communications, intercepted. Their families were targeted.
Every professional and personal file was exfiltrated without consent. The operation was also transnational: Jordi Baylina was illegally targeted while residing in Switzerland.
The exfiltrated data was used to build a secret case against them. It was then illegally leaked to mainstream press in a coordinated campaign to frame them as terrorists.
Their alleged crime? Building neutral, privacy-centric, open-source protocols for decentralized identity and voting.
For two years, they were denied access to the case, learning of their status as "terrorist suspects" only through the press.
The investigation was eventually archived. No charges were ever filed.
To this day, Spanish authorities have never acknowledged the illegal surveillance nor provided restitution to the victims.
On April 30, 2025, the developers went on the offensive. They filed a landmark criminal complaint against Spain's CNI, Guardia Civil, NSO Group, Candiru Ltd., and their executives to seek accountability.
On September 15, 2025, a Barcelona court accepted the case for prosecution.
This is a battle against a state-sponsored playbook designed to criminalize the very right to build open-source software.
This fight is for the future of open-source development. Help us win it.
Decades of combined experience in building primitives for privacy-centric and censorship-resistant governance.
Jordi Baylina is a co-founder of Polygon and a leading engineer behind modern zero-knowledge tooling and decentralized governance systems. His open-source work has helped millions access scalable, privacy-centric and censorship-resistant infrastructure.
From pioneering the Circom circuit language and launching identity protocols like Iden3, to enabling verifiable voting with Vocdoni and personal node infrastructure with DappNode, Jordi's contributions span research, solidity security auditing of top tier projects (Status, Maker, Aragon among others), ERC-20 standards like the MiniMe token, and real-world products. He also co-led the White Hat Group, helping secure user funds during the 2016 DAO crisis, and continues advancing zk technology with initiatives like Zisk.
building the primitives and privacy infrastructure for a more sovereign and free society
A chronological overview of the state-sponsored surveillance against open-source developers and advocates, their families and their professional network.
Amidst a widespread internet shutdown by the Spanish state during the Catalan independence vote, decentralized technologies like IPFS prove critical for communication. 2.1M people vote in spite of the physical violence committed against voters.
Triggered by the technological and physical repression lived in 2017 in Catalonia, Jordi Baylina, Pau Escrich, Xavier Vives and Joan Arús start creating foundational primitives for privacy-centric and censhorship-resistant protocols: Creation of Iden3/Circom, Vocdoni, DappNode, Hermez (acquired by Polygon) and more
The Spanish state initiates attacks against the developers, with documented infections on Jordi Baylina's devices with Pegasus military-grade spyware. Physical monitoring and surveillance of the developers and their families begins.
The attacks intensify. Over 78 infection attacks are documented against Jordi, his wife, Xavier, Pau, Joan and Elies Campo and his family. Digital surveillance is paired with physical surveillance.
A live infection with Candiru, another mercenary spyware, is discovered on the laptop of Joan Matamala, one of the targeted developers. The finding, verified by CitizenLab, triggers Microsoft to issue a global security patch protecting over 1.3 billion devices from the state-level exploit used against the developers. Joan Matamala becomes patient zero of Candiru, worldwide. Pau Escrich, Xavier Vives and Elies Campo are also targeted with Candiru.
The "CatalanGate" report by CitizenLab publicly exposes the vast surveillance campaign, uncovering more than 65 forensically verified targets. In retaliation, the state shifts tactics: a massive coordinated misinformation campaign is launched, leaking manipulated details of a secret "terrorism" investigation to the media. Developers are branded as terrorists on national television, in a clear attempt to provoke their civil death.
After the secret investigation is archived on a technicality with no accusations brought forward, the developers form the Sentinel Alliance in Zug, Switzerland, creating a legal shield -not just for them, but for all victims- to fight back. They onboard top legal experts in state overreach cases.
Criminal charges filed by Jordi Baylina and targeted blockchain developers are accepted by Barcelona courts against Spanish intelligence officials, NSO Group, and Candiru. This landmark case marks the beginning of legal accountability for state-sponsored surveillance crimes against developers. The prosecution will set global precedent for holding surveillance actors accountable for their illegal activities.
Xavier Muñoz
Legal Representative
Amidst a widespread internet shutdown by the Spanish state during the Catalan independence vote, decentralized technologies like IPFS prove critical for communication. 2.1M people vote in spite of the physical violence committed against voters.
Triggered by the technological and physical repression lived in 2017 in Catalonia, Jordi Baylina, Pau Escrich, Xavier Vives and Joan Arús start creating foundational primitives for privacy-centric and censhorship-resistant protocols: Creation of Iden3/Circom, Vocdoni, DappNode, Hermez (acquired by Polygon) and more
The Spanish state initiates attacks against the developers, with documented infections on Jordi Baylina's devices with Pegasus military-grade spyware. Physical monitoring and surveillance of the developers and their families begins.
The attacks intensify. Over 78 infection attacks are documented against Jordi, his wife, Xavier, Pau, Joan and Elies Campo and his family. Digital surveillance is paired with physical surveillance.
A live infection with Candiru, another mercenary spyware, is discovered on the laptop of Joan Matamala, one of the targeted developers. The finding, verified by CitizenLab, triggers Microsoft to issue a global security patch protecting over 1.3 billion devices from the state-level exploit used against the developers. Joan Matamala becomes patient zero of Candiru, worldwide. Pau Escrich, Xavier Vives and Elies Campo are also targeted with Candiru.
The "CatalanGate" report by CitizenLab publicly exposes the vast surveillance campaign, uncovering more than 65 forensically verified targets. In retaliation, the state shifts tactics: a massive coordinated misinformation campaign is launched, leaking manipulated details of a secret "terrorism" investigation to the media. Developers are branded as terrorists on national television, in a clear attempt to provoke their civil death.
Jordi Baylina Interview
"He assumit que visc amb un mòbil espiat"
3Cat • 39 min
After the secret investigation is archived on a technicality with no accusations brought forward, the developers form the Sentinel Alliance in Zug, Switzerland, creating a legal shield -not just for them, but for all victims- to fight back. They onboard top legal experts in state overreach cases.
Criminal charges filed by Jordi Baylina and targeted blockchain developers are accepted by Barcelona courts against Spanish intelligence officials, NSO Group, and Candiru. This landmark case marks the beginning of legal accountability for state-sponsored surveillance crimes against developers. The prosecution will set global precedent for holding surveillance actors accountable for their illegal activities.
Xavier Muñoz
Legal Representative
Sentinel vs CNI | Guardia Civil | NSO Group | Saito Tech
More than 3 years after the initial findings and the overwhelming international response against mercenary spyware abuse, no restitution for victims had happened, and the worst part is that we still don't know how many agencies are using mercenary spyware against civil society and who is ordering transnational illegal targeting.
As of today, the developers have been denied the legal grounds on which they were spied upon, and most of the infiltration attempts for them and their surroundings remain unaccounted for. Those responsible for these forensically verified attacks remain without having to face accountability.
On April 30th, 2025, blockchain developers and entrepreneurs Jordi Baylina Melé, Joan Matamala i Alzina, Xavier Vives, Pau Escrich Garcia, and Joan Arús San Segundo filed a criminal complaint in Barcelona's courts against Spain's Centro Nacional de Inteligencia ( CNI), Guardia Civil officials, and spyware firms NSO Group and Candiru, among others.
They allege illegal surveillance via mercenary spyware, targeting devices over 78 times between 2019-2021, extracting private data, communications, and business documents without proper warrants.
The criminal complaint filed in Barcelona courts outlines specific charges against Spanish intelligence agencies and spyware firms, based on documented evidence of illegal surveillance activities.
Unauthorized interception and access to personal data through the deployment of military-grade spyware on personal devices without proper judicial oversight.
Breaching device security systems and accessing private information stored on personal computers and mobile devices without authorization.
Enhanced penalties apply when surveillance crimes are committed by public officials or under their direction, reflecting abuse of state power.
Prosecute intelligence officials and spyware executives for unauthorized surveillance and privacy violations under Article 197.2
Force public disclosure of all surveillance contracts and targeting criteria. Intelligence agencies must justify their actions.
Court-ordered damages from NSO Group, Candiru, and the Spanish government for privacy violations and professional harm
Making abuse costly through economic, civil, and criminal liabilities. When surveillance becomes financially painful, it becomes selective and accountable.
Forcing transparency through declassification. Agencies must publicly explain what distinguishes legitimate threats from technology builders.
Coordinated by Sentinel Alliance, the lawsuit seeks accountability and reforms to prevent government overreach. The full legal complaint can be found here (in spanish)
The accountability gap is stark: victims face severe challenges in seeking justice due to surveillance laws that lack precise boundaries, oversight by courts that falls short, and governments that paradoxically deny wrongdoing while refusing transparency. This creates a complex legal proceeding with limited protection for those targeted.
This is a battle for the fundamental rights of every developer, user, and citizen in the digital age.
Protecting the right to BUIDL
A ruling against Jordi Baylina and his peers would establish a chilling precedent, dangerously escalating the playbook used against developers like Roman Storm of Tornado Cash. While the U.S. prosecution targeted the use of a neutral tool, the Spanish state attacked the act of creation itself, meaning anyone who writes neutral, open-source code could be held liable for its potential use by third-parties. A victory will help strenghen "Code as Speech" as a fundamental right, setting a precedent for safe innovation across the EU and beyond.
Increasing accountability of public institutions
The misuse of mercenary spyware is deeply entrenched under archaic secrecy laws which makes abuse almost impossible to prosecute.
This is a fight to hold state agencies accountable for deploying military-grade spyware against citizens, most times without legal oversight.
A victory will empower civil society—developers, journalists, activists, and ordinary citizens—by pushing for stricter judicial oversight on digital intrusions and safeguarding privacy, free expression, the right to a fair trial and private family life.
Increasing the Cost of State-Sponsored Abuse
A successful lawsuit against state agencies and the firms that supply them increases the legal and financial risk of their predatory business model. It has the potential to accelerate global regulatory crackdowns and shrink the market for surveillance tools that are weaponized against civil society worldwide.
| Developer | Spyware | Attacks | Year | Confirmed By |
|---|---|---|---|---|
| Jordi Baylina | Pegasus | 34 | 2019-2020 | Citizen Lab |
| Joan Matamala | Pegasus + Candiru | 18 | 2019-2020 | Citizen Lab / Microsoft |
| Xavier Vives | Pegasus + Candiru | 23 | 2019-2020 | Citizen Lab |
| Pau Escrich | Pegasus + Candiru | 5 | 2019-2020 | Citizen Lab |
| Joan Arus | Phone tapping + Physical surveillance | Ongoing | 2020 | Court documents |
| Elies Campo | Candiru + Physical surveillance | 14 (incl. family) | 2019-2020 | Citizen Lab |
| Date | Event | Court/Entity | Significance |
|---|---|---|---|
| April 2022 | CatalanGate Report Published | Citizen Lab | 65+ targets identified |
| April 30, 2025 | Criminal Complaint Filed | Barcelona Courts | First criminal prosecution of spyware vendors in Europe |
| September 15, 2025 | Complaint Accepted | Barcelona Court of Instruction No. 2 | Case moves to prosecution phase |
| January 27, 2026 | 8 Persons Placed Under Investigation | Barcelona Court of Instruction No. 2 | Former intelligence directors and spyware executives formally investigated |
Major media outlets worldwide are covering the fight against surveillance overreach
"Another new case comes from Sentinel Alliance, a non-profit representing five Catalan software engineers who were targeted with spyware. The group filed a new legal case in Barcelona against the country's National Intelligence Center (CNI) and its Civil Guard law enforcement agency as well as spyware makers Pegasus and Candiru."
Already, the worst offenders of civil liberties such as China and Russia are selling their own spyware around the world. Democracies shouldn’t surrender to a future of limitless surveillance; they should fight for a better one.
Get quick answers to the most common questions about the case and the developers involved
Jordi Baylina Melé is a cryptographic engineer and blockchain developer, best known for co-founding the White Hat Group and rescuing €4 million during the 2016 DAO hack. He has led major projects like Polygon zkEVM, CIRCOM, DAppNode, and Iden3—pioneering zero-knowledge technologies and decentralized infrastructure used by millions. In 2025, he launched ZisK to advance zkEVM development independently. A vocal advocate for digital sovereignty and privacy, Baylina was a confirmed target in the CatalanGate spyware scandal, which reinforced his commitment to censorship-resistant, open-source tools. His contributions have shaped the Ethereum ecosystem and continue to drive innovation in secure, privacy-preserving technologies.
Pau Escrich García is a seasoned technology developer with over 15 years of experience in decentralized systems, mesh networking, and blockchain-based governance. As co-founder and CTO of Vocdoni, he has led the development of one of the world's most advanced digital voting platforms, enabling secure, anonymous, and verifiable elections for over 300 organizations globally, including FC Barcelona. His earlier work includes co-developing LibreMesh and WiBed, empowering communities to deploy autonomous networks independent of centralized providers. A vocal proponent of technology sovereignty, Escrich has made substantial contributions to open-source infrastructure and privacy-preserving cryptographic systems. Targeted in the CatalanGate surveillance scandal, his experience with spyware attacks directly informed the creation of censorship-resistant democratic tools.
With over 17 years of international entrepreneurial experience, Joan Arús has built and scaled companies from the ground up across the retail, food, and technology sectors. After witnessing first-hand the physical and technological repression of the Catalan Independence Referendum, in 2018 Joan co-founded Vocdoni, the world's first universally verifiable voting protocol. Despite facing surveillance and misinformation campaigns in Spain due to this work, he led Vocdoni to a successful acquisition by the Aragon Project in 2020. As Executive Director at Aragon, he continued building governance and privacy tooling for digital organizations communities.
Joan Matamala i Alzina is a Catalan entrepreneur and digital rights advocate known for merging cultural preservation with cutting-edge privacy technologies. As president of Fundació Les Voltes and co-founder of Fundació Nord, he has championed Catalan language, civic education, and blockchain-based democratic tools. Matamala became a global figure in the fight against surveillance after being identified as the first known victim of Candiru spyware, with his case helping Microsoft patch vulnerabilities that protected over 1.4 billion devices. Featured in HBO's Surveilled documentary, his advocacy has influenced EU policy debates on spyware and digital rights.
Xavier Vives Riba is a Catalan technology entrepreneur and digital rights advocate best known for co-founding Vocdoni, the first universally verifiable digital voting protocol. His work on Vocdoni enabled secure, anonymous voting for over 180,000 users across major civic and cultural organizations. A pioneer in privacy-preserving technologies and decentralized governance, Vives has helped lower the cost and technical barriers to digital democratic participation while building open-source infrastructure to resist censorship and protect civil liberties.
