Spyware maker Intellexa had remote access to some of its government customers’ surveillance systems. This allowed company staff to see the personal data of people whose phones had been hacked with its Predator spyware, according to new evidence published by Amnesty International.
On Thursday, Amnesty and a coalition of media partners published a series of reports based on leaked material from Intellexa. The leaks included internal company documents, sales and marketing material, and training videos.
Perhaps the most striking revelation is that people working at Intellexa could allegedly remotely access the surveillance systems of at least some of its customers via TeamViewer. This is an off-the-shelf tool that allows users to connect to other computers over the internet.
The remote access is shown in a leaked training video revealing privileged parts of the Predator spyware system, including its dashboard. The video also shows the storage system containing photos, messages, and all other surveillance data gathered from victims of the Predator spyware. Amnesty published screenshots taken from the video, but not the full video.
The nonprofit researchers wrote that the leaked video shows apparent live Predator infection attempts against real targets. This assessment is based on detailed information from at least one infection attempt against a target in Kazakhstan. The video contained the infection URL, the target’s IP address, and the software versions of the target’s phone.
Companies that sell spyware to government agencies have long maintained that they never have access to the data of their customers’ targets, nor their customers’ systems. There are several reasons for this. Spyware makers want to avoid potential legal liability if their customers use the spyware unlawfully. They also prefer to say that once they sell their spyware, the customers are fully responsible for using it. From the government customers’ standpoint, they do not want to expose details of their sensitive investigations to a private company that may be based overseas.
In other words, this type of remote access is absolutely not normal. One spyware industry executive stated that no government agency would accept it. That executive was skeptical that the leaked training video was showing access to an actual customer’s live surveillance system, positing it could be a demo environment.
Amnesty, however, is convinced that the leaked video does show access to live Predator surveillance systems. In the training call, a staff member asked if it was a demo environment, and the instructor confirmed it was a live customer system.
The claim that Intellexa staffers had visibility into who their customers were spying on raised Amnesty’s concerns about security and privacy. The nonprofit stated that these findings add to the concerns of potential surveillance victims, as their sensitive data risks exposure not only to a government but also to a foreign surveillance company with demonstrable security issues.
Intellexa could not be reached for comment. A lawyer speaking on behalf of Intellexa’s founder, Tal Dilian, told media that Dilian has not committed any crime nor operated any cyber system in Greece or anywhere else.
Dilian is a controversial figure in the world of government spyware. A veteran of the industry previously said Dilian moves like an elephant in a crystal shop, implying he made little effort to conceal his activities.
In 2024, the U.S. government announced sanctions against Tal Dilian and one of his business partners. The U.S. Treasury imposed sanctions based on allegations that Intellexa’s spyware was used against Americans, including U.S. government officials, journalists, and policy experts. That was the first time the U.S. government targeted a specific person involved in the spyware industry.
In his response to media, Dilian accused journalists of being useful idiots in an orchestrated campaign to hurt him and his company.