Intellexa’s Predator spyware used to hack iPhone of journalist in Angola, research says

Source: TechCrunch

Intellexa’s Predator spyware used to hack Angolan journalist

Intellexa’s Predator spyware was used to hack the iPhone of Angolan journalist Teixeira Cândido, according to a new Amnesty International report.

Amnesty International report

Amnesty International published a report analyzing several hacking attempts against Cândido, a local journalist and press‑freedom activist. In 2024 he received a series of malicious links via WhatsApp; after clicking one, his iPhone was infected with Intellexa’s Predator spyware.

The report highlights the growing use of commercial surveillance tools by government customers to target journalists, politicians, and ordinary citizens.

Previous instances of Predator abuse

Research has previously documented Predator’s deployment in:

• Egypt – see Citizen Lab investigation.
• Greece – detailed by the Council of Europe.
• Vietnam – where the government reportedly targeted U.S. officials via links on X.

These cases illustrate a pattern of state‑linked abuse of the spyware.

Intellexa and sanctions

Intellexa is a controversial spyware maker that operates through a complex network of corporate entities to evade export controls.

• In March 2024, the outgoing Biden administration sanctioned Intellexa, its founder Tal Dilian, and partner Sara Aleksandra Fayssal Hamou for targeting Americans.
• Earlier in 2025, the Treasury lifted sanctions on three other Intellexa‑linked executives, prompting Senate Democrats to demand answers from the Trump administration.

Dilian did not respond to requests for comment.

Image credit: Amnesty International

Technical findings

Amnesty researchers linked the intrusion to Intellexa by examining forensic traces on Cândido’s phone. The infection servers matched infrastructure previously associated with Predator.

• After clicking the malicious link, Cândido rebooted his device, which removed the spyware.
• The spyware exploited an outdated iOS version and concealed itself by impersonating legitimate iOS system processes.
• Multiple domains tied to Intellexa were identified in Angola, with the earliest observed in March 2023, suggesting early testing or deployment of Predator in the country.

The report states that it is not possible to conclusively identify the specific customer of the Predator spyware in Angola.

Broader implications

Leaks of internal Intellexa documents have shown that the company’s employees could remotely access customers’ systems, giving them visibility into government surveillance operations. Despite sanctions and controversy, Intellexa remains active.

“We’ve now seen confirmed abuses in Angola, Egypt, Pakistan, Greece, and beyond — and for every case we uncover, many more abuses surely remain hidden,” — Donncha Ó Cearbhaill, head of Amnesty International’s security lab.