Intellixa’s Predator spyware routinely hacks the iPhones of journalists in Angola, study says

A government client of reputable spyware maker Intellixa has hacked the phone of a prominent journalist in Angola, according to Amnesty International, the latest case of targeting a public figure with powerful phone-hacking software.

The human rights organization published a new report on Tuesday analyzing several attempts to hack local journalist and press freedom activist Teixeira Cândido, where he was sent a series of malicious links via WhatsApp in 2024.

Cândido finally clicked one and his iPhone was hacked with Intelxa’s spyware, called Predator, Amnesty found.

New research also shows that government clients of commercial surveillance vendors are increasingly using spyware to target journalists, politicians, and other ordinary citizens, including critics. Researchers previously found evidence of Predator abuse in Egypt, Greece, and Vietnam, where it was reported that the government targeted US officials by sending a spy with links to X.

Intellexa is one of the most controversial spyware makers of the past few years, operating from different locations to export laws and using a “mysterious web of corporate entities” – as a US government official put it at the time – to hide its activities.

In 2024, at the same time one of Intelxa’s clients was targeting Cândido for its spyware, the outgoing Biden administration approved the company, along with its founder Tal Dilian and his business partner Sara Aleksandra Fayssal Hamou.

Earlier this year, the Treasury Department lifted sanctions on three other executives tied to Intellexa, a decision that left Senate Democrats demanding answers from the Trump administration.

Dilian did not respond to a request for comment.

Amnesty researchers wrote in the report that they linked these incidents to Intellexa by examining fingerprints found on Cândido’s phone. Amnesty said Intellixa used infection servers that were previously linked to the company’s spyware infrastructure.

A few hours after clicking on the link that led to the hacking of his phone, Cândido restarted his phone, which deleted the spy from his phone. Amnesty said it was unclear how the spyware was able to hack Cândido’s phone, as his phone was running an old version of iOS at the time.

Researchers discovered that Predator remained hidden by masquerading as legitimate iOS system processes to avoid detection.

Amnesty believes that Cândido may be one of the many targets in the country, based on their findings that they were able to find many domains linked to a spyware manufacturer operating in Angola.

“The first sites linked to Angola were used in early March 2023, indicating the start of Predator testing or deployment in the country,” wrote Amnesty researchers, who added that they have no evidence to determine who hacked Cândido.

“It is currently not possible to fully identify the Predator spyware client in the country,” the report read.

Last year, based on leaked internal documents, Amnesty and media organizations revealed that Intellixa employees had the ability to remotely access customer systems, which could have made the spyware maker visible to government surveillance operations.

Those leaks, like this report, show that despite controversy and sanctions, Intellixa has remained active in recent years.

“We have now seen confirmed abuses in Angola, Egypt, Pakistan, Greece, and beyond – and for all the cases we expose, many abuses remain hidden,” said Donncha Ó Cearbhaill, head of the security lab at Amnesty International.