11
Angolan Journalist Targeted by Intellexa’s Predator Spyware, Amnesty International Reveals
A prominent Angolan journalist and press freedom activist, Teixeira Cândido, has had his iPhone compromised by Predator spyware, a sophisticated phone hacking tool developed by the sanctioned company Intellexa. The revelation comes from a new report published by Amnesty International on Tuesday, which details how a government customer of the controversial spyware maker exploited Cândido’s device following a series of malicious links sent via WhatsApp during 2024. This incident marks the latest in a troubling global trend of powerful phone hacking software being deployed against individuals in civil society, particularly journalists and critics.
Amnesty International, a renowned human rights organization, meticulously analyzed multiple hacking attempts directed at Cândido throughout 2024. Their investigation uncovered that Cândido eventually clicked on one of the deceptive links, leading to his iPhone being infected with Intellexa’s Predator spyware. The human rights group’s forensic analysis identified clear traces linking the intrusions directly to Intellexa’s spyware infrastructure, utilizing infection servers previously associated with the company.
The report highlights the escalating misuse of commercial surveillance technologies by government entities to target not only journalists but also politicians and ordinary citizens who express dissenting views. Researchers have previously documented widespread abuse of Predator spyware in various countries, including Egypt, Greece, and Vietnam. Notably, in Vietnam, the government was reportedly involved in targeting U.S. officials by distributing the spyware through links on X (formerly Twitter).
Intellexa has emerged as one of the most contentious spyware manufacturers in recent years. The company is known for operating across multiple jurisdictions, a tactic often employed to circumvent stringent export control laws. It maintains what a U.S. government official described as an "opaque web of corporate entities" to obscure its operations and clients, making it challenging to trace its activities and hold it accountable.
The targeting of Cândido with Predator spyware in 2024 coincided with significant developments concerning Intellexa in the United States. In the same year, the outgoing Biden administration imposed sanctions on Intellexa, its founder Tal Dilian, and his business partner Sara Aleksandra Fayssal Hamou. These sanctions were a direct response to the company’s involvement in targeting Americans and its role in proliferating dangerous surveillance technology. However, earlier this year, the Treasury Department controversially lifted sanctions against three other executives tied to Intellexa. This decision sparked considerable concern among Senate Democrats, who subsequently demanded answers from the Trump administration regarding the sudden reversal. Tal Dilian, when contacted for comment on the recent findings, did not respond.
Amnesty researchers were able to link the cyberattacks on Cândido to Intellexa through the examination of specific forensic traces found on his iPhone. These traces pointed to the use of infection servers that had been previously identified as part of Intellexa’s established spyware infrastructure. Fortunately, several hours after the initial compromise, Cândido rebooted his phone, an action that inadvertently wiped the Predator spyware from his device. While the phone was running an outdated version of iOS at the time of the attack, the exact method Predator utilized to breach the device remained unclear. The researchers did discover that Predator employed sophisticated techniques to remain hidden, impersonating legitimate iOS system processes to evade detection.
Amnesty International suspects that Teixeira Cândido may represent just one of many potential targets within Angola. Their findings indicate the presence of multiple domains linked to Intellexa’s spyware operations being actively used in the country. "The first domains linked to Angola were deployed as early as March 2023, indicating the start of Predator testing or deployment in the country," stated the Amnesty researchers in their report. Despite these findings, the report acknowledges the difficulty in definitively identifying the specific customer of the Predator spyware in Angola, stating, "It is not currently possible to conclusively identify the customer of the Predator spyware in the country." This highlights the challenge in holding state actors accountable due to the clandestine nature of commercial spyware sales and deployment.
Last year, revelations from leaked internal documents, brought to light by Amnesty International and other media organizations, exposed the extent of Intellexa’s involvement in its customers’ operations. These leaks showed that Intellexa employees had direct remote access to customers’ systems, potentially granting the spyware maker visibility into various government surveillance operations globally. Such revelations, coupled with the latest report on Angola, underscore that despite numerous controversies and international sanctions, Intellexa has managed to remain active and continues to sell its potent surveillance tools in recent years.
Donncha Ó Cearbhaill, the head of the security lab at Amnesty International, emphasized the widespread nature of this threat. "We’ve now seen confirmed abuses in Angola, Egypt, Pakistan, Greece, and beyond – and for every case we uncover, many more abuses surely remain hidden," Ó Cearbhaill stated. His comments underscore the significant challenge posed by the largely unregulated commercial spyware industry and the urgent need for greater transparency and accountability to protect journalists, activists, and ordinary citizens from invasive state-sponsored surveillance. The ongoing lack of transparency surrounding companies like Intellexa makes it exceedingly difficult to fully grasp the scale of their operations and the impact on human rights worldwide.
