A government customer of the sanctioned spyware maker Intellexa hacked the phone of a prominent journalist in Angola, according to Amnesty International. This is the latest case of targeting a member of civil society with powerful phone-hacking software.
The human rights organization published a new report Tuesday analyzing several hacking attempts against local journalist and press freedom activist Teixeira Cândido. He was sent a series of malicious links via WhatsApp during 2024. Cândido eventually clicked on one, and his iPhone was hacked with Intellexa’s spyware, dubbed Predator, Amnesty found.
The new research shows again that government customers of commercial surveillance vendors are increasingly using spyware to target journalists, politicians, and other ordinary citizens, including critics. Researchers have previously found evidence of Predator abuse in Egypt, Greece, and Vietnam, where the government reportedly targeted U.S. officials by sending the spyware via links on X.
Intellexa is one of the most controversial spyware makers of the last few years. It operates from different jurisdictions to skirt export laws and uses an opaque web of corporate entities, as a U.S government official put it, to hide its activities.
In 2024, around the same time one of Intellexa’s customers was targeting Cândido with its spyware, the outgoing Biden administration sanctioned the company, as well as its founder Tal Dilian and his business partner Sara Aleksandra Fayssal Hamou. Earlier this year, the Treasury lifted sanctions against three other executives tied to Intellexa, a decision that left Senate Democrats demanding answers from the Trump administration. Dilian did not respond to a request for comment.
Amnesty researchers wrote in the report that they linked the intrusions to Intellexa by examining forensic traces found on Cândido’s phone. Amnesty said that Intellexa used infection servers that had been previously linked to the company’s spyware infrastructure.
Several hours after clicking on the link that led to his phone hack, Cândido rebooted his phone, which wiped the spyware from his device. Amnesty said it wasn’t clear how the spyware was capable of hacking Cândido’s phone, as his phone was running an outdated version of iOS at the time. The researchers found that Predator stayed hidden by impersonating legitimate iOS system processes to avoid detection.
Amnesty believes Cândido may be just one of many targets in the country, based on their findings that they were able to find multiple domains linked to the spyware maker used in Angola. The first domains linked to Angola were deployed as early as March 2023, indicating the start of Predator testing or deployment in the country. The Amnesty researchers added that they had no evidence to determine exactly who hacked Cândido. The report states it is not currently possible to conclusively identify the customer of the Predator spyware in the country.
Last year, based on leaks of internal documents, Amnesty and media organizations revealed that Intellexa employees had the ability to access customers’ systems remotely, potentially giving the spyware maker visibility into government surveillance operations. Those leaks, like this report, show that despite its controversies and sanctions, Intellexa has remained active in recent years.
Donncha Ó Cearbhaill, the head of the security lab at Amnesty International, said, “We’ve now seen confirmed abuses in Angola, Egypt, Pakistan, Greece, and beyond — and for every case we uncover, many more abuses surely remain hidden.”