Intellexa’s Predator spyware was used to hack the iPhone of an Angolan journalist, a study has found.

A government customer of sanctioned spyware manufacturer Intellexa hacked the phone of a prominent Angolan journalist, Amnesty International said. This is the latest incident in which civil society members have been targeted with powerful phone hacking software.

The human rights group released a new report on Tuesday analyzing several hacking attempts against local journalist and press freedom activist Teixeira Cândido. According to the report, he was sent a series of malicious links via WhatsApp in 2024.

Cândido eventually clicked on one and his iPhone was hacked with Intellexa’s spyware, Predator, Amnesty International said.

A new study shows that government customers of commercial surveillance vendors are increasingly using spyware to target journalists, politicians and other ordinary citizens, including critics. Researchers previously found evidence of Predator abuse in Egypt, Greece, and Vietnam, where governments in those regions targeted U.S. officials by sending spyware through links on X.

Intellexa is one of the most controversial spyware manufacturers of the past few years, operating in a variety of jurisdictions to evade export laws and using an “opaque web of corporations” to hide its activities, as a U.S. government official put it at the time.

In 2024, when one of Intellexa’s customers targeted Cândido with spyware, the outgoing Biden administration sanctioned the company, its founder Tal Dilian, and his business partner Sara Aleksandra Fayssal Hamou.

Earlier this year, the Treasury Department lifted sanctions on three other executives linked to Intellexa, leading Senate Democrats to demand answers from the Trump administration.

Dilian did not respond to a request for comment.

An example of a malicious link sent by hackers to Cândido on WhatsApp. (Image: Amnesty International)

Amnesty researchers wrote in their report that they examined forensic traces found on Cândido’s phone and linked the break-in to Intellexa. Amnesty said Intellexa had previously used infected servers connected to the company’s spyware infrastructure.

A few hours after clicking the link that led to the hack, Cândido rebooted his phone, which removed the spyware from his device. Amnesty said it was unclear how the spyware was able to hack Cândido’s phone because it was running an outdated version of iOS at the time.

Researchers discovered that Predator hides itself by impersonating legitimate iOS system processes to avoid detection.

Amnesty believes Cândido may be just one of many targets in the country, after its investigation uncovered several domains, linked to the spyware’s creators, that were used in Angola.

“The first domain linked to Angola was deployed in March 2023, meaning that Predator testing or deployment began in Angola,” Amnesty investigators said, adding that there was no evidence to confirm exactly who hacked Cândido.

“It is currently impossible to definitively identify the customers of Predator spyware in Korea,” the report said.

Last year, based on leaked internal documents, Amnesty and media organizations revealed that Intellexa employees had the ability to remotely access customers’ systems, giving the spyware maker visibility into government surveillance activities.

Those leaks, like this report, show that despite controversy and sanctions, Intellexa has remained active in recent years.

“We have seen confirmed cases of abuse in places such as Angola, Egypt, Pakistan and Greece,” said Donncha Ó Cearbhaill, head of security research at Amnesty International. “It is clear that in each case we uncover, there is much more hidden.”