Intellexa Predator spyware used to hack journalists’ iPhones in Angola, research claims | TechCrunch

A government customer of sanctioned spyware maker Intellexa has hacked the phone of a prominent journalist in Angola, in what Amnesty International says is the latest case of targeting someone in civil society using powerful phone-hacking software.

The human rights organization published a new report on Tuesday analyzing several attempted hacking attacks against local journalist and press freedom activist Teixeira Cândido, in which a series of malicious WhatsApp links were sent to him in 2024.

Cândido eventually clicked on one and his iPhone was hacked by Intellexa’s spyware, dubbed Predator, Amnesty found.

The new research shows again that government customers of commercial surveillance vendors are increasingly using spyware to target journalists, politicians and other ordinary citizens, including critics. Researchers have previously found evidence of Predator exploits in Egypt, Greece and Vietnam, where they allegedly targeted US officials by sending spyware through links on X.

Contact us

Do you have more information about Intellexa? Or other spyware manufacturers? From a non-work device, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram and Keybase @lorenzofb or email.

Intellexa is one of the most controversial spyware makers in recent years, operating in multiple jurisdictions to avoid export laws and using an “opaque network of corporate entities” to hide its activities – as a US government official put it at the time.

In 2024, around the same time that one of Intellexa’s customers targeted Cândido with its spyware, the outgoing Biden administration sanctioned the company, as well as its founder Tal Dilian and his business partner Sara Aleksandra Fayssal Hamou.

Earlier this year, the Treasury Department lifted sanctions against three other executives tied to Intellexa, a decision that left Senate Democrats demanding answers from the Trump administration.

Dilian did not respond to a request for comment.

An example of a malicious link sent by Cândido’s hackers on WhatsApp. Image credits: Amnesty International

Amnesty researchers wrote in the report that they linked the hacks to Intellexa by examining forensic clues found on Cândido’s phone. Amnesty said Intellexa used infection servers that were previously connected to the company’s spyware infrastructure.

A few hours after clicking on the link that led to his phone being hacked, Cândido rebooted his phone, which wiped the spyware off his device. Amnesty said it was unclear how the spyware was able to hack Cândido’s phone, as his phone was running an outdated version of iOS at the time.

Researchers discovered that Predator remained hidden by masquerading as legitimate iOS processes to avoid detection.

Amnesty believes that Cândido may be just one of many targets in the country, because its researchers found multiple domains linked to the spyware maker that were used in Angola.

“The first domains linked to Angola were deployed as early as March 2023, suggesting the start of testing or deployment of Predator in the country,” Amnesty researchers wrote, adding that they had no evidence to pinpoint who hacked Cândido.

“Currently, it is not possible to uniquely identify the Predator spyware customer in the country,” the report said.

Last year, based on leaked internal documents, Amnesty and media organizations revealed that Intellexa employees were able to access customer systems remotely, potentially giving the spyware maker insight into government surveillance operations.

Those leaks, like this report, show that despite its controversies and sanctions, Intellexa has remained active in recent years.

“We have now seen confirmed cases of abuse in Angola, Egypt, Pakistan, Greece and beyond – and for every case we uncover, many more abuses are sure to remain hidden,” said Donncha Ó Cearbhaill, head of Amnesty International’s security lab.
