Spyware maker Intellexa remotely accessed some of its government customers’ monitoring systems, allowing company executives to see the personal data of people whose phones were hacked with Predator spyware, according to new evidence released by Amnesty International.
On Thursday, Amnesty and a coalition of media partners, including the Israeli newspaper Haaretz, Greek news website Inside Story, and Swiss outlet Inside IT, published a series of reports based on leaked material from Intellexa, including internal company documents, sales and marketing materials, and training videos.
Perhaps the most startling revelation is that people working at Intellexa were reportedly able to remotely access the monitoring systems of at least some of its customers through TeamViewer, a tool that allows users to connect to other computers over the Internet.
The remote access is shown in a leaked training video that reveals privileged parts of the Predator spyware system, including its dashboard, as well as “the storage system containing photos, messages and all other surveillance data collected from victims of the Predator spyware,” Amnesty wrote in its report. (Amnesty published screenshots taken from the video, but not the entire video.)
The nonprofit researchers wrote that the leaked video shows apparent “live” infection attempts by Predator “against real targets,” based on detailed information “from at least one infection attempt against a target in Kazakhstan.” The video contained the infection URL, the target’s IP address, and the software versions of the target’s phone.
Companies that sell spyware to government agencies, such as NSO Group and the now-defunct Hacking Team, have long maintained that they never have access to their customers’ targets’ data, nor to their customers’ systems. There are several reasons.
From the spyware makers’ point of view, they don’t want the potential legal liability if their customers use the spyware illegally. And spyware makers would prefer to say that once they sell their spyware, customers are fully responsible for its use. From the perspective of government clients, they do not want to expose details of their sensitive investigations, such as target names, locations and personal data, to a private company that may be based overseas.
In other words, this type of remote access isn’t entirely “normal,” as Paolo Lezzi, the CEO of spyware maker Memento Labs, told TechCrunch when contacted for this story for a spyware maker’s perspective. “No [government] service would accept it,” he said.
That’s why Lezzi was skeptical that the leaked tutorial video showed access to a real customer’s live monitoring system. Perhaps, he surmised, this was training material showing a demonstration environment. The CEO also said that some customers have asked Memento Labs to access their systems, but the company accepts the offer only if necessary to resolve technical issues. In any case, he said, “they allow us access to TeamViewer for the necessary time and under their supervision we carry out the intervention and leave.”
Amnesty, however, is convinced that the leaked video shows access to live Predator surveillance systems.
“One of the staff on the training call asked if it was a demo environment and the trainer confirmed it was a live client system,” said Donncha Ó Cearbhaill, head of Amnesty’s security lab, which did the technical analysis of the leaked material and has investigated several cases of Predator infections.
The allegation that Intellexa executives had visibility into who their clients were spying on heightened Amnesty’s security and privacy concerns.
“These findings can only add to the concerns of potential surveillance victims. Not only is their most sensitive data exposed to a government or other spyware client, but their data is at risk of being exposed to a foreign surveillance company, which has proven problems keeping their confidential data secure,” the NGO wrote in the report.
Intellexa could not be reached for comment. A lawyer speaking on behalf of Intellexa founder Tal Dilian told Haaretz that Dilian “has not committed any crime or operated any cyber system in Greece or anywhere else.”
Dilian is one of the most controversial people in the world of government spyware. A veteran of the spyware industry told TechCrunch that Dilian “moves like an elephant in a crystal shop,” implying that he made little effort to hide his activities.
“In this particular space of spyware vendors you have to be extremely balanced and careful … but he didn’t care,” the person said.
In 2024, the US government announced sanctions against Tal Dilian and one of his business partners, Sarah Alexandra Faisal Hamou. In that case, the US Treasury Department imposed sanctions based on allegations that Intellexa’s spyware was used against Americans, including US government officials, journalists and policy experts. The sanctions make it illegal for US companies and nationals to have any commercial relationship with Dilian and Hamou.
This was the first time the US government, which took action against spyware developer NSO Group, targeted a specific individual involved in the industry.
In his response to Haaretz, Dilian accused reporters of being “useful idiots” in an “orchestrated campaign” to harm him and his company, which was “fueled by the Biden administration.”
