Spyware maker Intellexa had remote access to some of its government customers' surveillance systems, allowing its employees to view the personal data of people whose phones had been hacked with its Predator spyware, according to new evidence released by Amnesty International.
On Thursday, Amnesty International and a coalition of media partners, including Israeli newspaper Haaretz, Greek news site Inside Story, and Swiss news agency Inside IT, released a series of reports based on leaked material from Intellexa, including internal documents, sales and marketing materials, and training videos.
Perhaps the most shocking revelation is that people working at Intellexa allegedly had remote access to at least some customers' monitoring systems through TeamViewer, an off-the-shelf tool that allows users to connect to other computers over the Internet.
The remote access is shown in a leaked training video revealing privileged parts of the Predator spyware system, including its dashboard and “storage systems containing photos, messages and all other surveillance data collected from Predator spyware victims,” Amnesty International said in its report. (Amnesty International published screenshots taken from the video, but not the entire video.)
The nonprofit researchers wrote that the leaked video shows an apparent “live” Predator infection attempt on a “real target,” based on details of “at least one infection attempt against a target in Kazakhstan.” The video included the infected URL, the target's IP address, and the software version of the target's phone.
Screenshot of the Intellexa customer monitoring system dashboard. Displays the types of sensitive personal data of hacked targets that customers and Intellexa support staff may have access to. Image credit: Amnesty International
Companies that sell spyware to government agencies, such as NSO Group and the now-defunct Hacking Team, have long maintained that they never have access to the data of their customers' targets or their customers' systems. There are several reasons.
From a spyware manufacturer's perspective, they do not want to expose themselves to potential legal liability if their customers use their spyware illegally. And spyware manufacturers would rather say that once they sell spyware, the customer is solely responsible for using it. From a government customer's perspective, they don't want sensitive investigation details, such as the target's name, location, and personal data, to be exposed to private companies that may be based overseas.
In other words, this type of remote access is not “normal” at all. Paolo Lezzi, CEO of spyware maker Memento Labs, told TechCrunch when contacted to ask about this article from the spyware maker's perspective. “no [government] The agency will accept that,” he said.
That's why Rezzi was skeptical that the leaked training video showed access to an actual customer's live monitoring system. Perhaps this was training material, he surmised, showing a demo environment. The CEO also said that some customers had asked Memento Labs for access to their systems, but the company only accepted offers if it needed to resolve technical issues. In any case, “they will give us access to TeamViewer for as long as we need, we will carry out the intervention under their supervision, and we will leave,” he said.
Contact Us Do you have more information about Intellexa? Or another spyware manufacturer? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382), on Telegram and Keybase @lorenzofb, or by email.
However, Amnesty International believes the leaked video shows access to an actual Predator surveillance system.
“One of the staff members on the training call asked if this was a demo environment, and the instructor confirmed it was a real customer system,” said Donncha Ó Carebail, head of Amnesty International's Security Lab, which has conducted technical analysis of leaked material and investigated several cases of Predator infections.
Claims that Intellexa staff had visibility into who customers were spying on raised concerns from Amnesty International over security and privacy.
“These findings only increase concerns for potential surveillance victims. Not only are their most sensitive data exposed to governments and other spyware customers, but they also risk exposing that data to foreign surveillance companies, which have clear problems keeping sensitive data secure,” the nonprofit group wrote in its report.
Intellexa could not be reached for comment. A lawyer representing Intellexa founder Tal Dilian told Haaretz that Dilian “did not commit any crimes and did not operate any cyber systems in Greece or elsewhere.”
Dillian is one of the most controversial figures in the world of government spyware. A spyware industry veteran previously told TechCrunch that Dillian “operates like an elephant in a crystal shop,” implying that he is making little effort to hide his activities.
“That special space of being a spyware seller requires a lot of balance and care…but he didn't care,” the person said.
In 2024, the US government announced sanctions against Tal Dirian and one of his business partners, Sara Alexandra Faisal Hamou. In this case, the U.S. Treasury Department imposed sanctions based on allegations that Intellexa's spyware was used against U.S. persons, including U.S. government officials, journalists, and policy experts. The sanctions make it illegal for U.S. companies and citizens to have commercial relationships with Dillian and Hamou.
This was the first time the US government, taking action against the spyware NSO group, had targeted specific industry figures.
In his response to Haaretz, Dillian accused the journalists of being “useful idiots” who took part in a “coordinated campaign” to harm him and his company and “fell prey to the Biden administration.”
Catch the latest announcements on everything from agent AI to cloud infrastructure to security and more from Amazon Web Services' flagship event in Las Vegas. This video is provided in partnership with AWS.