A government client of spyware maker Intellexa hacked the phone of a prominent journalist in Angola, according to Amnesty International, the latest case of someone in civil society being targeted with powerful phone-hacking software.
The human rights organization published a new report On Tuesday analyzing several hacking attempts against local journalist and press freedom activist Teixeira Cândido, in which she was sent a series of malicious links via WhatsApp in 2024.
Candido eventually clicked one and his iPhone was hacked with Intellexa’s spyware, dubbed Predator, Amnesty found.
New research again shows that government customers of commercial surveillance vendors are increasingly using spyware to target journalists, politicians and other ordinary citizens, including critics. Researchers have previously found evidence of predator abuse in Egypt, Greeceand Vietnam, where the Govt they reportedly targeted American officials sending the spyware via links to X.
Contact us
Do you have more information about Intellexa? Or other spyware manufacturers? From a non-working device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382 or via Telegram and Keybase @lorenzofb or via email.
Intellexa is one of the most controversial spyware makers of recent years, operating from different jurisdictions to circumvent export laws and using an “opaque web of corporate entities” — as a US government official put it on at that time — to hide her activities.
In 2024, around the same time that one of Intellexa’s customers was targeting Cândido with its spyware, the outgoing Biden administration imposed sanctions on the company, as well as its founder Tal Dilian and his partner Sarah Alexandra Faisal Hamou.
Earlier this year, the Ministry of Finance lift the sanctions against three other executives linked to Intellexa, a decision that left Senate Democrats demanding answers by the Trump administration.
Dillian did not respond to a request for comment.
Amnesty researchers wrote in the report that they linked the hacks to Intellexa by examining forensic traces found on Cândido’s phone. Amnesty said Intellexa used infection servers that were previously connected to the company’s spyware infrastructure.
Several hours after clicking on the link that led to his phone being hacked, Candido rebooted his phone, which deleted the spyware from his device. Amnesty said it was unclear how the spyware was able to hack Cândido’s phone, as his phone was running an old version of iOS at the time.
Researchers found that Predator remained hidden by impersonating legitimate iOS system processes to avoid detection.
Amnesty believes that Cândido may be just one of many targets in the country, based on their findings that they were able to find multiple domains linked to the spyware maker used in Angola.
“The first domains linked to Angola were developed as early as March 2023, indicating the start of Predator testing or development in the country,” the Amnesty researchers wrote, adding that they had no evidence to identify exactly who hacked Cândido.
“It is currently not possible to definitively identify the client of the Predator spyware in the country,” the report said.
Last year, based on leaked internal documents, Amnesty and media organizations revealed that Intellexa employees were able to access customer systems remotely, potentially giving the spyware maker visibility into government surveillance operations.
These leaks, like this report, show that despite its controversy and sanctions, Intellexa has remained active in recent years.
“We have now seen confirmed abuses in Angola, Egypt, Pakistan, Greece and beyond – and for every case we uncover, many more abuses surely remain hidden,” said Donncha Ó Cearbhaill, head of the security lab at Amnesty International.
