Ongoing Global Deployment and Corporate Expansion of Intellexa Predator Spyware
Researchers have uncovered continued deployment of the Predator spyware, developed by Intellexa, in multiple countries despite U.S. sanctions and increased scrutiny. New evidence indicates active use in Iraq, with additional operations linked to entities in Pakistan, Saudi Arabia, Kazakhstan, Angola, and Mongolia. Some countries, such as Egypt, Botswana, and Trinidad and Tobago, appear to have ceased communication with Intellexa, though this may reflect changes in infrastructure rather than a halt in activity. The spyware has been used against civil society members, business executives, and other high-value targets, with its costly licensing model suggesting a focus on strategic individuals. Ongoing legal proceedings against former Intellexa executives in Greece highlight the international concern over the company's activities.
Recorded Future’s Insikt Group has mapped a complex global network of individuals and entities associated with Intellexa, including those involved in backend development, infrastructure setup, and product distribution. Export and import data reveal that Intellexa’s products have been shipped to clients in various regions, with new evidence of product imports in Kazakhstan and the Philippines. The network also includes entities in the advertising sector potentially linked to the "Aladdin" ad-based infection vector. The persistent and likely unlawful use of Predator spyware continues to pose significant privacy, legal, and physical security risks, particularly for political opposition, business leaders, and individuals in sensitive roles worldwide.
Timeline
Dec 8, 2025
Google issues Intellexa-linked spyware warnings to users
Google followed Apple's alerts with warnings affecting several hundred accounts across multiple countries, linking the activity to Intellexa exploit chains. Google said Intellexa continued operating despite sanctions and scrutiny.
Dec 4, 2025
Researchers uncover Intellexa remote access to customer systems
Investigations by Amnesty International, Google, and Recorded Future found Intellexa retained the ability to remotely access some customer Predator deployments. The finding raised concerns that the vendor could directly access surveillance operations run by its clients.
Dec 3, 2025
Recorded Future maps Intellexa's global corporate network
Recorded Future's Insikt Group published research detailing Intellexa's web of front companies and facilitators across multiple jurisdictions. The report said Predator operations continued despite sanctions and identified ongoing or recent activity in countries including Iraq, Saudi Arabia, Kazakhstan, Angola, Mongolia, and Mozambique.
Dec 2, 2025
Apple sends new spyware threat notifications worldwide
Apple sent a new round of threat notifications on December 2 to users it believed may have been targeted by sophisticated spyware operators. The company said it has now notified users in more than 150 countries overall.
Jan 1, 2025
Predator targets a human rights lawyer in Pakistan
A human rights lawyer in Pakistan's Balochistan province was targeted with Predator via a suspicious WhatsApp link. The reporting describes this as the first known Predator infection or civil society targeting documented in Pakistan.
Jan 1, 2025
Google disrupts Intellexa-linked ad ecosystem companies
Google identified companies created by Intellexa that had infiltrated the online advertising ecosystem and helped shut them down. The action targeted infrastructure used to support ad-based Predator delivery such as the 'Aladdin' vector.
Jan 1, 2024
U.S. sanctions Intellexa and related executives
Intellexa and several executives, including founder Tal Jonathan Dilian, were subjected to U.S. sanctions and other legal or regulatory actions. The sanctions were repeatedly cited as a major response to the company's spyware business.
Jan 1, 2023
Google begins tracking Intellexa infrastructure with partners
Google said it has worked with partners since at least 2023 to track Intellexa infrastructure, add related domains to Safe Browsing, and notify affected users. This marks an ongoing defensive effort against Predator-linked operations.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Threat Actors
Organizations
Affected Products
Sources
1 more from sources like recorded future blog
Related Stories
Intellexa Executives Sentenced in Greece Over Predator Spyware Wiretapping Scandal
A Greek court in Athens sentenced **Intellexa** founder **Tal Dilian** and three associates—**Sara Hamou**, **Felix Bitzios**, and **Yiannis Lavranos**—to prison for their roles in the “Greek Watergate” spyware scandal involving illegal wiretapping and privacy violations tied to Intellexa’s *Predator* spyware. Local reporting cited by multiple outlets indicates the court imposed sentences totaling more than **126 years**, which under Greek law translate to **eight years** to be served; the court also ordered further investigation, and the defendants are expected to **appeal** and remain free pending the appeal process. The case stems from allegations that *Predator* was used to surveil Greek targets including **politicians, journalists, businesspeople, military officials, and other public figures**, with reporting citing **more than 90** victims in Greece during **2020–2021**. Lavranos’s company **Krikel** was reported to have links to the procurement of *Predator*. The convictions mark a notable legal milestone against a commercial spyware vendor; Intellexa and associated entities have also faced international scrutiny, including **U.S. sanctions** in 2024 over alleged misuse of the spyware, and experts noted the guilty verdict and custodial sentence could increase cross-border legal exposure even if defendants attempt to avoid Greek jurisdiction.
1 months ago
US Treasury Removes Sanctions on Intellexa Predator Spyware Executives
The US Treasury Department, under the Trump administration, has removed three individuals previously sanctioned for their involvement with the Intellexa consortium, the group behind the Predator commercial spyware platform. These individuals—Sara Hamou, Andrea Gambazzi, and Merom Harpaz—were originally sanctioned by the Biden administration in 2024 for their roles in managing and distributing Predator, which has been linked to surveillance activities targeting dissidents, journalists, and political opponents. The Treasury stated that the delistings were part of a normal administrative process following petitions for reconsideration, with each individual demonstrating steps to separate themselves from Intellexa. Despite the removals, concerns remain among researchers and human rights advocates, as recent investigations indicate that Intellexa continues to operate Predator and has expanded its targeting capabilities, including the use of malicious mobile advertisements for infection. The decision to lift these sanctions signals a shift in US policy toward commercial spyware vendors, with critics warning that it may embolden the use of surveillance tools by authoritarian regimes. The move follows earlier actions by the Trump administration to ease restrictions on other spyware companies, raising questions about the future of US efforts to curb the proliferation of commercial surveillance technology. The Predator spyware remains a significant concern for national security and human rights, as it enables extensive device tracking, data theft, and surveillance operations on infected devices.
1 months ago
Predator Spyware Infection of Angolan Journalist via WhatsApp Links
Amnesty International reported that the iPhone of Angolan journalist and press freedom advocate **Teixeira Cândido** was infected with **Intellexa’s Predator spyware** after he received multiple **malicious links via WhatsApp** in 2024. According to the investigation, Cândido was messaged from an unknown Angolan number over several weeks; he clicked one link on **May 4, 2024**, after which Predator was installed, and the spyware was later removed the same day when the device was restarted. Amnesty described this as the **first documented Predator case in Angola**, and said attribution remains unclear, though the activity is consistent with use by a government customer. The reporting underscores continued alleged abuse of commercial spyware against civil society despite international pressure on Intellexa. Intellexa and associated individuals have faced U.S. actions including placement on the **Entity List** and subsequent **sanctions** (with later changes to some designations noted in coverage), yet Predator has been repeatedly linked to targeting of journalists and officials in multiple countries. Amnesty’s findings add to prior public reporting on Predator’s use in places such as **Greece, Egypt, and Vietnam**, reinforcing the ongoing risk posed by link-based mobile spyware delivery through common messaging platforms like WhatsApp.
1 months ago