Research says Intellexa’s Predator spyware was used to hack journalist’s iPhone in Angola

A government agent of sanctioned spyware maker Intellexa has hacked into the phone of a prominent journalist in Angola, according to Amnesty International, in the latest case of someone in civil society being targeted with powerful phone-hacking software.

The human rights organization published a new report on Tuesday analyzing several hacking attempts against local journalist and press freedom activist Teixeira Candido, in which a series of malicious links were sent via WhatsApp during 2024.

Amnesty International found that Candido eventually clicked on one of these programs, and his iPhone was hacked using spyware from Intellexa, dubbed Predator.

New research shows once again that government agents of commercial surveillance vendors are increasingly using spyware to target journalists, politicians and other ordinary citizens, including critics. Researchers have previously found evidence of Predator abuse in Egypt, Greece and Vietnam, where the government reportedly targeted US officials by sending the spyware via links on X.

Intellexa, one of the most controversial spyware manufacturers of the past few years, operates from various jurisdictions to circumvent export laws and uses an “opaque network of corporate entities” – in the words of a US government official at the time – to hide its activities.

In 2024, around the same time that an Intellexa customer was targeting Cândido with its own spyware, the outgoing Biden administration imposed sanctions on the company, as well as its founder Tal Dilian and his business partner Sarah Alexandra Faisal Hammou.

Earlier this year, the Treasury Department lifted sanctions on three more executives linked to Intellexa, a decision that left Senate Democrats demanding answers from the Trump administration.

Dillian did not respond to a request for comment.

Amnesty International researchers wrote in the report that they linked the intrusions to Intellexa by examining forensic traces found on Candido’s phone. Intellexa used infection servers that were previously linked to the company’s spyware infrastructure, AI said.

Several hours after clicking on the link that led to his phone being hacked, Candido rebooted his phone, which erased the spyware from his device. Amnesty International said it was not clear how the spyware was able to hack into Candido’s phone, as his phone was running an old version of the iOS operating system at the time.

The researchers found that the Predator remained hidden by impersonating legitimate iOS processes to avoid detection.

Amnesty International believes Candido may be just one of many targets in the country, based on its findings that they were able to find multiple domains linked to the maker of spyware used in Angola.

“The first domains associated with Angola were deployed as early as March 2023, suggesting Predator testing or deployment had begun in the country,” Amnesty International researchers wrote, adding that they had no evidence to determine who exactly hacked Candido.

“It is not currently possible to conclusively determine the identity of the Predator spyware agent in the country,” the report said.

Last year, based on leaks of internal documents, Amnesty International and media organizations revealed that Intellexa employees had the ability to access customer systems remotely, potentially giving the spyware maker a clear view into government surveillance operations.

These leaks, like this report, show that despite the controversy and sanctions, Intellexa has remained active in recent years.

“We have now seen confirmed abuses in Angola, Egypt, Pakistan, Greece and other countries – and for every case we uncover, many more abuses are sure to remain hidden,” said Donncha O Kerbhill, head of Amnesty International’s Security Lab.