Freddie Ponton
21st Century Wire
Most people outside France still have no idea what BlackCore is. They do not know that in March 2026 a company no one had ever heard of walked into French municipal elections, ran a professional smear operation against left‑wing, pro‑Palestinian candidates, then tried to erase its own existence as soon as investigators got close.
They do not know that BlackCore is not a troll farm or a couple of rogue consultants, but the marketing name on an industrial influence machine built out of Israeli military intelligence alumni, a Tel Aviv law office, UK shell companies, a London server and AI tools designed to manufacture social media personas and flood elections with synthetic narratives. They also do not know that the same ecosystem, on its defensive side, sells disinformation detection to Western governments and now has a former CIA director in the boardroom.
The following story is about BlackCore’s (alleged) transnational influence operations using avatar networks and disinformation, which extend beyond France to places like New York, Scotland, Angola, and Togo.”. It starts with what happened in France. It follows the trail through French state reporting, a joint inquiry by Haaretz and Libération that broke open new details, corporate records in Israel and the UK, US securities filings and the digital debris that BlackCore and its partners failed to fully clean up. It shows how a smear campaign aimed at three municipal candidates now points to a global Israeli information warfare ecosystem that touches many nations and cities around the world, the US State Department and the office of Benjamin Netanyahu.
This investigation does not just repeat what Haaretz, Libération, Reuters or Viginum have already put on the table. It adds the Sadaqah Palestine phase BlackCore used to infiltrate pro‑Palestinian circles before turning its guns on them, the Benguy escrow structure and SEC paperwork that show how real ownership can be hidden behind Afik’s law office, the Unit 8200 and Shin Bet careers that sit behind Galacticos’ avatar factory, and the mirror on the other side of the membrane where Cyabra, Cygun, Ram Ben Barak and Mike Pompeo sell detection tools that operate on the same signals as the attacks.
The first wave of coverage stayed at the surface. BlackCore was named as the firm behind anonymous websites and fake accounts targeting candidates from La France Insoumise, and Viginum, the French state service created in 2021 to monitor foreign digital interference against French interests, confirmed it was looking at a foreign operation. Then the story slid into the background. The Haaretz‑Libération work dragged it back out and into international territory, tying the operation to a technical stack in London and a cluster of companies at 103 HaHashmonaim Street in Tel Aviv.
Our investigation goes several steps further. It shows that the London server hosting BlackCore’s tools was anchored in a UK shell, SNI Ltd, that had been dissolved by compulsory strike‑off two years before the French operation yet kept serving as live infrastructure for foreign election interference. It shows that the Israeli company behind the avatar system, Galacticos Ltd, shares an address and a trustee with Benguy Escrow Company Ltd, a trust vehicle used to hold shares for others and run by the same lawyer who fronts Galacticos in the registry. It establishes that one of Galacticos’ key technical figures, Nir Benita, an expert in cyber-espionage who spent around a decade as an officer in Unit 8200, Israel’s central signals intelligence and cyber unit, and that his post‑military CV runs straight through AI and intelligence tech before landing inside this influence factory.
IMAGE: Nir Benita, former Israeli UNIT 8200 of the Israel Defense Forces (IDF), and listed as an option holder/shareholder of Galacticos in May 2026 (Source: Checkid Israel)
It then maps the mirror image on the other side of the membrane. Cyabra, a Tel Aviv‑based social threat intelligence company now listed on Nasdaq under the ticker CYAB, sells AI tools to detect fake profiles and disinformation campaigns for governments and corporations. It was founded by Unit 8200 and IDF information warfare veterans who, by their own account and by the account of people who know the sector, built fake persona networks before they built the tools to spot them. Its senior advisors include former Mossad deputy chief Ram Ben Barak, who ran the Ministry of Strategic Affairs, the Israeli government unit that coordinates campaigns against international pro‑Palestinian activism and BDS, and its board now includes Mike Pompeo, former director of the CIA. Yigal Unna, the former head of the Israel National Cyber Directorate inside the Prime Minister’s Office and before that the man running Shin Bet’s cyber and signals intelligence operations, was approached to advise Galacticos. He stepped down and now sits on Cyabra’s advisory board while running Cygun, his private consultancy, in many of the same regions where BlackCore has been accused of operating.
IMAGE: Yigal Unna, Former Director General of the Israel National Cyber Directorate (INCD), Israel (Source: Cygun)
Taken together, these elements let us say plainly what earlier coverage only circled. BlackCore is not a freelance smear shop operating in a vacuum. It is a product of a structured Israeli information warfare ecosystem that runs on a single talent pool, a single doctrinal pipeline out of Unit 8200 and related units and a corporate and trust architecture built to keep ultimate sponsorship hidden behind lawyers and escrow accounts. On one side of the membrane sit AI tools and avatar factories used to stalk and disrupt elections in countries whose politicians criticise Israeli policy. On the other side sit AI detectors sold to governments as democracy protection, run by the same alumni and overseen by the same security elite.
GRAPHIC 1: The BlackCore Ecosystem
Description: A network diagram showing four bands: (1) Israeli state/intelligence (Unit 8200, Shin Bet, INCD, Ministry of Strategic Affairs, CIA/US State Dept, Viginum); (2) Offensive stack (Galacticos, SNI (IL), SNI Ltd (UK), BlackCore, Sadaqah Palestine front, London server); (3) Defensive stack (Cyabra, Cygun); (4) Targets/clients (France – LFI candidates; New York – Zohran Mamdani; Scotland – John Swinney/SNP; Angola; Togo; “19 governments”). Arrows connect individuals (Benita, Afik, Geyor, Unna, Ben Barak, Brahmy, Daar, Shraga, Pompeo) to their companies, and companies to operations. (Source: Created by Author)
The hit in the French municipal elections
The story starts in cities that rarely make international headlines. Marseille. Toulouse. Roubaix. In the 2026 French municipals, three La France Insoumise candidates were running in districts that had become front lines in the country’s social war over Gaza, Palestine and what it still means to call yourself a left‑wing politician in France.
The three targets were Sébastien Delogu in Marseille, François Piquemal in Toulouse and David Guiraud in Roubaix. All three were vocal on Palestine. All three had positions that sat badly in parts of Paris, Brussels and Tel Aviv. And all three found themselves, in the middle of an election they had every right to contest on the merits, buried under a smear avalanche that no local rival had the resources or technical depth to produce.
What hit them was not organic backlash. It was a packaged operation. Anonymous sites appeared with names that sounded like local watchdog projects or citizen leaks. They carried detailed allegations of sexual assault, corruption, tax fraud, hidden accounts, and unnamed criminal associates. Pornographic deepfake images were slipped into the stream. Passwords and supposed tax data were dumped. The material was then pumped into social media through clusters of accounts that looked human at a glance but moved like a disciplined unit.
Ads and boosted posts kept running after the official campaign silence period began. Under French law that window is supposed to give voters a few days away from fresh propaganda. Whoever ran this operation either did not care or knew the penalty was trivial next to the damage it could do. TikTok confirmed one linked account and removed it for deceptive behaviour. Meta took down related networks for what it described as coordinated inauthentic behaviour. The platforms themselves ended up confirming what reporters and investigators were seeing.
Viginum, created in 2021 after earlier scares over foreign interference, started pulling at the threads. Its job is to watch for digital operations aimed at French interests and call out the ones that carry foreign fingerprints. Its analysts documented a foreign campaign whose technical and behavioural signatures did not match the usual mix of far‑right trolls, local smear merchants or chaotic online activism.
When Viginum’s director, Marc‑Antoine Brillant, stood next to Prime Minister Sébastien Lecornu on 11 June, he did not just talk about the smear against France Insoumise. He told the country that
the same modus operandi had been deployed against a municipal race in New York, against Scottish politics and in campaigns in Angola and Togo. In New York, the target was the 2025 municipal race, eventually won by Zohran Mamdani, a left‑wing, pro‑Palestinian candidate whose victory thrilled younger progressive Jews and alarmed more traditionally pro‑Israel parts of the city’s political establishment. In Scotland, the campaign locked on to First Minister John Swinney, who had described the Gaza campaign as a man‑made humanitarian catastrophe and refused to dress it up as self‑defence. In every theatre the target profile stayed the same. Elected or credible candidates who turned hard against the Gaza war or defended Palestinian rights found themselves under attack from an invisible army of avatars.
The name Viginum put on the operation was BlackCore.
The fake solidarity operation that came first
Before BlackCore ran its smear machine against Delogu, Piquemal and Guiraud, it ran something else. Something that makes the whole thing worse. The same infrastructure that later flooded French social media with deepfakes and fabricated criminal allegations first operated a website called Sadaqah Palestine. It presented itself as a non‑political humanitarian organisation providing aid to Palestinians displaced by poverty, war and occupation. The site was live. It had an online donation form. Social media accounts on X, Instagram and Facebook promoted it, with engagement patterns and follower lists that investigators recognised as fake. Same avatars. Same patterns. Same operators.
IMAGE: Sadeqah Palestine Fake NGO (X | Former Twitter)
A joint investigation by Libération and Haaretz traced the technical records of that website straight back to the BlackCore‑linked servers and domains that later hosted the avatar generator and the anti‑LFI smear tools. In parallel, Turkish and Arab press reported that the same site had been used to solicit donations under the “support for Palestine” brand while being controlled by the same Israeli entity already under investigation for interference in the French elections.
Nobody has yet established whether it pulled in real donations, harvested personal data from people who believed it, or mainly served as a cover to give BlackCore a pro‑Palestinian identity inside French Muslim and left‑wing digital spaces before turning on the politicians who shared those values.
What is already on record is enough. BlackCore did not just run an attack operation. It first posed as Palestinian solidarity, built a presence inside communities that trusted that frame, then turned the same infrastructure on the people those communities were most likely to vote for. If you want a word for that, the word is infiltration.
The company that tried to erase itself
Before it panicked and scrubbed its presence, BlackCore pitched itself as an elite influence and a cyber and technology firm for the age of information warfare. Its website, caught for a moment in archives and screen grabs, promised governments, corporations and campaigns cutting‑edge strategies, advanced tools and robust security to shape narratives online.
It did not list directors or clients. It did not carry an address that matched anything in Israel’s corporate registry. The blackcore.online domain sat behind an Icelandic registrar known for anonymous ownership and was registered in August 2025, just months before the municipal campaigns ramped up for the 2026 vote.
As soon as investigations by French media began naming it, the site went down. The LinkedIn page vanished. The brand disappeared. The only reason it can still be named at all is that the infrastructure underneath it did not go dark fast enough.
The London machine and the four‑country server network
The joint Haaretz‑Libération work and Viginum’s technical report traced the operation to a deliberately distributed cluster of servers across four European jurisdictions: the United Kingdom, Germany, Finland and Lithuania. That spread is not an accident. It routes different pieces of the operation into different legal systems, fragments jurisdiction, slows down takedown requests and makes attribution painful for any one government that tries to act alone.
IMAGE:Viginum, the French public body created in 2021 to detect cyberattacks by foreign powers (Source: French Govt)
Investigators identified at least eight subdomains tied to BlackCore’s primary domain. Different parts of the operation sat on different subdomains. Avatar generation on one. Content distribution on another. The fake NGO front and the smear websites on others.
The key node was a London server renting capacity from a Finnish cloud provider. That machine held the working guts of the influence factory. None of it was meant for public view. Every system on it sat behind login.
On that server, investigators found a login page for an Avatar Data Generator by Galacticos AI, password‑protected dashboards labelled with the SNI name for Strategic Network Intelligence, an internal agent‑maker, aggressive Facebook search and group infiltration tools and systems named Omri Systems and Electric Marinade. BlackCore’s own marketing boasted of an army of 1,600 avatars. Set against those panels, that number sounds less like bragging and more like inventory. Each avatar came with an AI‑generated face that beat reverse image search, a backdated posting history and a behavioural script tuned to the rhythms of real users across Facebook, Instagram, TikTok and X.
The London server was not isolated. Its domain data and internal references tied it back to SNI and to Galacticos, the Israeli company behind the avatar system. That path led straight to one building in Tel Aviv.
From Pagecorn to Galacticos: BlackCore’s Hidden Tooling Layer
A joint investigation by Libération and Haaretz has traced BlackCore back into a deeper, shell‑like corporate stack in Tel Aviv. According to Israeli corporate records cited in that reporting, the company now marketed as Galacticos began life as Pagecorn Ltd., was then renamed Mycelium Intelligence Networks, and only later took on the Galacticos brand, a sequence of rebrands that mirrors the obfuscation patterns seen in earlier Israeli influence‑for‑hire outfits. Galacticos and its sister company SNI (Strategic Network Intelligence) share the same Tel Aviv address and are jointly owned by lawyer Doron Afik and reality‑TV‑star‑turned‑tech‑entrepreneur Guy Geyor, with both men denying any connection to BlackCore or political work in France, even as their infrastructure overlaps.
On the technical side, Libération and Haaretz mapped BlackCore’s infrastructure to a London‑based server operated by a Finnish cloud provider that, since mid‑2025, hosted only four “network domains”: two belonging to BlackCore, plus Omri Systems and a fourth called Electric Marinade. Behind login pages on these domains sat a suite of internal tools with names such as “avatar‑generator,” “agent‑maker”, and “fb‑search,” including a “Galacticos AI Avatar Generator” interface that sources described as a dashboard for manufacturing and managing large numbers of sock‑puppet personas used in both influence operations and social‑media monitoring. The same infrastructure also exposed a Portuguese‑language “Government of Angola Campaign, Training Program, February 2026” on the subdomain angola-plan. blackcore online, advertising Meta and TikTok ad campaigns and a three‑month editorial calendar, evidence that this toolkit was being pitched beyond France to at least one African government client.
The personnel and money trails around Galacticos further blur the line between commercial “OSINT” and political interference. Former Israel National Cyber Directorate chief Yigal Unna has said he was approached by Afik around two years ago to help find clients for what was pitched as a social‑network and open‑source‑intelligence startup focused on protecting brands, but describes what he saw as more of an improvised shell than a normal operating company, with no visible executive team or staff. In parallel, Geyor’s wedding‑payments startup Easy2Give / Going Dutch was acquired in a share‑swap merger by the Tel Aviv‑listed shell Axilion Smart Mobility Ltd., a transaction proudly publicised by Afik’s own law firm as its deal counsel, illustrating how the same small circle of actors straddles both fintech and covert influence tooling.
Crucially, the infrastructure’s reaction to scrutiny points back to a common operational centre. Libération and Haaretz report that less than two hours after they first contacted Afik and Geyor with detailed questions about BlackCore, the remaining online infrastructure linked to both BlackCore and Galacticos, including several London‑hosted systems, was abruptly pulled offline. That near‑real‑time purge does not by itself prove who ordered the campaigns, but it strongly suggests that the avatar‑generation stack, the BlackCore brand and the Tel Aviv corporate entities are responsive parts of a single nervous system rather than disconnected, innocent bystanders
103 HaHashmonaim Street
Galacticos Ltd appears in Israel’s company registry as number 516599818. It was incorporated in April 2022 as Pagecorn, renamed Mycelium Intelligence Networks and finally rebranded as Galacticos in 2024. Its registered address is 103 HaHashmonaim Street in Tel Aviv. The same address houses Strategic Network Intelligence Ltd and
IMAGE: Commercial building at 103 HaHashmonaim Street, Tel Aviv, Israel, right across from the TLV Fashion Mall. The ground floor houses Lehamim Bakery (with outdoor seating), while upper floors include Sarona Space coworking offices (Source: Secret Tel Aviv)
Afik & Co. is a commercial law firm that works on international deals and is admitted to practice in both Israel and New York. That New York admission is valuable as it confirms that Doron Afik is a lawyer whose firm runs out of that address, holds the majority stake in Galacticos and is also the trustee of the escrow company in the same building. He has active standing in the jurisdiction where BlackCore is accused of running an influence operation against a municipal election.
Tech entrepreneur and former reality‑TV figure Guy Geyor holds around 28 percent of Galacticos. He personally registered the domain galacticos.ai and listed SNI as the registrant owner. That is not a distant corporate act. It is one person linking the two companies in his own name. When Haaretz and Libération called, both Afik and Geyor denied any link to BlackCore or to political operations in France. Within hours, the Galacticos and BlackCore infrastructure vanished.
Unit 8200 veteran Nir Benita holds a minority stake and appears as a co‑founder‑level figure, with technical director Daniel David Levy holding a further minority position.
Strategic Network Intelligence in Israel operates out of the same law office, with Afik and Geyor in control, and shows up in domains and internal references as the infrastructure and tooling arm of the Galacticos stack. The UK vehicle, SNI Ltd, company 14458636, was incorporated in November 2022 at a residential address in Swanley in Kent, registered under the generic retail‑by‑mail‑order category that shell companies use when they want a quiet Companies House entry. It never filed proper accounts. Companies House initiated compulsory strike‑off, before finally dissolving SNI Ltd in April 2024.
Despite that dissolution, the London server using its name and hosting Galacticos’ AI tools stayed live into early May 2026, when press inquiries to the Tel Aviv principals finally prompted a shutdown. Under UK law a dissolved company cannot trade or contract; its remaining assets technically become bona vacantia, property of the Crown. In practice, this looked like cloud hosting paid for from somewhere else and left running long after the shell died on paper. A dead UK company anchoring live infrastructure used in foreign election interference. That is what sits behind BlackCore’s London node.
The trust company in the same building
At the same Tel Aviv address, another company keeps popping up in US federal records. Benguy Escrow Company Ltd, Israeli registration 513905034, is a trust and escrow outfit registered at 103 HaHashmonaim Street and controlled by Doron Afik.
SEC filings for SMX, Security Matters Public Limited Company, describe Benguy as a testamentary trust where SMX founder Haggai Alon is the beneficiary and Afik is the trustee. A lock‑up agreement filed with the SEC bears Afik’s signature as trustee for Benguy Escrow, giving the address as c/o Afik & Co., 103 HaHashmonaim Street, Tel Aviv. In another SEC exhibit, Benguy appears as the escrow agent in a share purchase agreement, again under the same registration number, again with Afik signing.
The mechanism is simple. Instead of a registry entry that says Mr X owns 20 percent of a sensitive company, the registry says Benguy Escrow Company Ltd owns 20 percent. The trust deed, which is not public in Israel, lists the real beneficiary. The structure is legal. It is also made for situations where you do not want the public to know who actually controls what.
No open record has yet shown Benguy as a shareholder of Galacticos. What is already documented is enough to frame the question for investigators. The same lawyer who fronts Galacticos and SNI, signs SEC paperwork as trustee for Benguy and runs his law firm from the same address has already used Benguy to hold equity in other tech deals out of public view. If someone wanted to park a political or state sponsor inside Galacticos without their name ever touching the Israeli registry, this is the exact kind of structure they would use. French prosecutors and the DGSI have both been pointed at this thread.
GRAPHIC 2: From Hidden Sponsor to BlackCore
Description: A left‑to‑right flowchart showing: Unknown sponsor/client → Benguy Escrow Company Ltd → Galacticos Ltd → Strategic Network Intelligence (IL) → SNI Ltd (UK, dissolved) → London server (Galacticos AI / SNI dashboards) → BlackCore operations (Sadaqah Palestine front, smear campaigns in France/NYC/Scotland/Angola/Togo). (Source: Created by Author)
The human pipeline out of Unit 8200 and Shin Bet
Strip away the shells and trust vehicles and you arrive at a small group of people who learned their trade in Israel’s security apparatus and are now selling it back into the world. Unit 8200 sits at the top of that pipeline. It is the IDF’s signals intelligence and offensive cyber unit, comparable to the US National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ), responsible for intercepting communications, breaking encryption, manipulating networks and backing covert operations abroad. A record there has become the premium line on Tel Aviv tech résumés and many Silicon Valley pitch decks. It tells investors you have handled live operations on real targets.
Nir Benita, the Galacticos option holder and co‑founder‑level figure, is described in French reporting as a former Unit 8200 officer who moved through AI and intelligence‑oriented companies before taking a stake and a technical role in the company that built the avatar generator sitting on the London server.
Yigal Unna‘s path through the same system runs even deeper. He started in Unit 8200, then spent 23 years inside Shin Bet, Israel’s internal security service, where he ran the Cyber and Signals Intelligence Operations Division. For much of that career he was known internally only as “Y”, the letter used to mask the names of senior officials. In 2014 he became head of Shin Bet’s SIGINT‑Cyber Division, reporting directly to the director general and running both offensive and defensive cyber capabilities at the sharpest end of Israel’s domestic security work.
His work there included operations that shaped the conflict directly. One of them was the surveillance campaign that tracked and helped kill Yahya Ayyash, the Hamas bomb‑maker and the leader of the West Bank battalion of the Izz ad-Din al-Qassam Brigades, behind some of the most deadly attacks of the 1990s, who was killed by a booby‑trapped mobile phone on 5 January 1996.
In 2017, Netanyahu appointed Yigla Unna Director General of the Israel National Cyber Directorate, the INCD, the civilian body inside the Prime Minister’s Office that pulled together cyber defence powers previously scattered across Shin Bet and other agencies. He held that post until 2022, reporting into the prime minister’s office and steering Israel’s national cyber posture.
After leaving government, he launched Cygun, a private consultancy selling cyber capacity‑building projects to governments from India to Mexico to West Africa, several of the same regions where BlackCore‑related activity has been reported. Afik then approached him about advising an OSINT and social network startup for brand protection. Unna says he saw improvisation and walked away. In October 2024, he joined Cyabra’s advisory board.
The mirror called Cyabra
Cyabra is marketed as the Israeli company that fights the kind of operation BlackCore ran in France. Its pitch talks about AI that detects fake profiles, coordinated inauthentic behaviour and deepfakes, protecting democracies, brands and public discourse from manipulation and foreign interference.
The company is real and so are its tools. Cyabra is now publicly traded on Nasdaq under the ticker CYAB, after completing a business combination with Trailblazer Merger Corporation I in March 2026. It sits on the US General Services Administration schedule, which means federal agencies can buy its services as an ordinary vendor. It has publicly named the US State Department as a client and claims to have helped 19 governments protect elections in the Middle East and Asia‑Pacific in the past year.
Look at who built it. CEO and co‑founder Dan Brahmy leads the company. Chief product officer Yossef Daar spent close to a decade in Israeli military intelligence, including as Head of Department. CTO Ido Shraga is another intelligence‑unit veteran. All three founders are veterans of elite Israeli intelligence units. Globes reported that the founders had experience in the use of digital identities in military and business intelligence and had realised that in order to distribute disinformation online, it was necessary to use false identities. The same skill set that builds the attack is now packaged as defence.
From the start Cyabra had Ram Ben Barak in its corner as a senior advisor. Ben Barak spent 27 years in Mossad, rising to deputy director, then ran the Ministry of Intelligence Services and the Ministry of Strategic Affairs, the department charged with countering BDS and other campaigns against Israel’s policy toward Palestinians.
In January 2024 Mike Pompeo, former CIA director and Secretary of State, joined Cyabra’s board. He ran US foreign intelligence and diplomacy in a period of tight US‑Israeli security cooperation. He now sits on the board of an Israeli company staffed by 8200 and IDF information warfare alumni, advised by a former Mossad deputy and a former national cyber director, and selling services to the US State Department and those 19 governments.
IMAGE: Mike Pompeo (left) and Dan Brahmy. (Source: Cyabra)
In October 2024, around the time Unna says he was distancing himself from Galacticos, he joined Cyabra as an adviser. The man who was too classified to be named inside Shin Bet, who ran Israel’s cyber apparatus under Netanyahu and whose name appears in materials connected to Afik’s office is now helping steer the flagship Israeli detection platform that operates on the same technical signals as Galacticos’ offensive tools.
Cyabra’s detection system hunts for clusters of accounts that move in coordinated lockstep, runs image forensics on profile pictures to catch AI generation, maps network structure to expose which accounts amplify which narratives and flags linguistic patterns that betray large language model output. Galacticos’ avatar generator and BlackCore’s campaigns were engineered to survive those tests. Same signals. Different side of the trade.
Technically it looks like a generative adversarial setup. One model generates fakes. One tries to catch them. Each gets better by fighting the other. Here the same schools, the same doctrine and some of the same people sit behind both ends of that game. The line between offence and defence is not a wall. It is a membrane.
GRAPHIC 3: Two Sides of the Same AI Machine
Description: A split diagram. Left: “Offensive Stack” with Galacticos → SNI → BlackCore→ Sadaqah Palestine / smear campaigns, annotated “AI avatars, deepfakes, coordinated inauthentic behaviour.” Right: “Defensive Stack” with Cyabra (and Cygun as consulting layer), annotated “bot detection, narrative mapping, GenAI forensics.” Between them, a central band labelled “Shared signals” listing: behaviour patterns, network graphs, image artefacts, linguistic fingerprints. Arrows show knowledge/talent flow in both directions (Unit 8200 pipeline feeding both sides). (Source: Created by Author)
Cyabra has not been accused of running BlackCore’s operations. There is no sign in the French file that Cyabra infrastructure powered the offensive work. What the overlap shows is something any government client should sit with. The same small circle of Israeli intelligence veterans, former ministers and American political figures sits behind both the attack tools and the detection tools, and the revolving door between the two sides is not a metaphor. It is the way this ecosystem works.
The Israeli private influence industry before BlackCore
BlackCore did not appear in a vacuum. For years, a small cluster of Israeli private firms staffed by former intelligence officers have been selling political interference as a service in Western democracies. Psy‑Group was the first to really surface. It pitched the Trump campaign in 2016 on a smear operation against Hillary Clinton, built on fake personas, fake news websites and targeted psychological operations against Republican delegates and undecided US voters. It also ran covert influence work in at least one local US election, using elaborately crafted social media identities and online manipulation as a product.
Black Cube took a different tack but operated in the same market. Branded as a private Mossad, it used undercover operatives, hidden cameras and entrapment to gather compromising material on NGOs and political targets, then fed those recordings into friendly media before elections. Its agents have been accused of meddling in votes in Hungary and elsewhere.
In 2022, LinkedIn confirmed that Black Cube used fake job postings to target Hungarian activists and journalists before the parliamentary election. The names change. The pattern does not. An Israeli private intelligence shop appears around an election, runs dirty work for a client, denies everything when caught, then quietly retools for the next campaign.
What changed with Galacticos and BlackCore is not the intent but the tooling. Psy‑Group needed teams of humans to role‑play fake personas and keep their stories straight. Black Cube needed field operatives on the ground to bait, record and leak its targets. Galacticos hands that work to AI. One avatar factory. One spread of servers. Sixteen hundred synthetic people that never sleep. The client buys reach and deniability at a fraction of the old cost, with a smaller human footprint and a larger technical one. The industry evolved. The core business did not.
Psy‑Group shut down in early 2018 after coming under scrutiny from special counsel Robert Mueller’s investigation into election interference. Galacticos and BlackCore are the next version. AI‑automated, cheaper to run, easier to scale and built to vanish the moment anyone starts asking questions. The firms change their names. The tools get sharper. The talent pool stays the same.
France’s response and what we still do not know
France has not treated this as a curiosity. Viginum’s report is on the Prime Minister’s desk. Paris prosecutors have opened an investigation. The foreign intelligence service, the DGSE (Direction Générale de la Sécurité Extérieure), and the domestic counter‑intelligence agency, the DGSI (Direction Générale de la Sécurité Intérieure), have both been told to follow the most sensitive leads, including the Unna thread and the links between Galacticos, SNI and Benguy. Lecornu has publicly pressed Israel for explanations and said that if a French private firm had done to Israeli elections what this network has done in France, Tel Aviv would have summoned the French ambassador in the same way Paris summoned theirs.
Israel’s embassy has replied that Israel has no intention of interfering in French politics at any level. Intent is not the point. What Viginum describes is not a wish. It is an operation, technically documented, tied to specific infrastructure and companies and now under two separate criminal investigations in France. The Israeli sentence is diplomacy. The French file is evidence.
We still do not know who paid for any of this. Viginum has said it has not identified the sponsor or sponsors behind the foreign digital interference. We do not know whether Benguy or another trust vehicle holds any stake in Galacticos for a political client, a state agency or a private donor. We do not know what happened to the data collected through the Sadaqah Palestine fake NGO, whether money was raised under false pretences, or which individuals in France’s Muslim and pro‑Palestinian communities had their personal information harvested by a system that, at the same time, was preparing to attack their political representatives. We do not know which politicians in Angola and Togo were targeted or what those operations looked like from the ground. We do not know the full geography and client list of Cygun and how closely it maps to the countries where BlackCore has been active.
Those questions are not out of reach. They belong to subpoenas, parliamentary hearings and hard disclosure demands. French investigators have started that work. The Israeli side is closing ranks.
What is already visible is enough to close the circle. BlackCore is not a one‑off dirty‑tricks operation that happened to be run from Israel. It sits on an architecture that links Unit 8200 and Shin Bet veterans, a Tel Aviv law firm with New York bar admission, UK shells that outlived their legal existence just long enough to anchor infrastructure, a trust vehicle used to conceal ownership and a Nasdaq‑listed detection platform that monetises the same knowledge and the same relationships from the other side of the game.
BlackCore cannot be understood without Galacticos. Galacticos cannot be understood without the Unit 8200 alumni pipeline. The Unit 8200 alumni pipeline runs straight into Cyabra. Cyabra’s boardroom links to the CIA, the Prime Minister’s Office and former Mossad leadership. These are the concentric circles of Israel’s information warfare private sector. BlackCore sits at the operational centre of all of them.
The French case is the first time that architecture has been forced into the light like this, and it only happened because three candidates in Marseille, Toulouse and Roubaix were hit so hard that French state services had no choice but to pull the thread. Those three candidates were targeted because they stood with Palestinians. The people who built the machine to target them were part of the same Israeli “grey zone” export industry documented by Le Monde’s #StoryKillers investigation. That is not background. That is the story.
READ MORE FRANCE NEWS AT: 21st Century Wire Canada France Files
SUPPORT OUR INDEPENDENT MEDIA PLATFORM – BECOME A MEMBER @21WIRE.TV
VISIT OUR TELEGRAM CHANNEL
