A government customer of licensed spyware maker Intellexa hacked the phone of a prominent Angolan journalist, the latest incident in which powerful phone hacking software was used to target someone in civil society, according to Amnesty International.
A human rights group on Tuesday released a new report analyzing multiple hacking attempts against local journalist and press freedom activist Teixeira Candido, in which it says he was sent a series of malicious links via WhatsApp during 2024.
Candido eventually clicked on one, and Amnesty International found that his iPhone was hacked by Intellexa's spyware called Predator.
A new study once again shows that government customers of commercial surveillance vendors are increasingly using spyware to target journalists, politicians, and other members of the public, including commentators. Researchers have previously found evidence of Predator exploits in Egypt, Greece, and Vietnam, where governments reportedly targeted U.S. officials by sending spyware via links on X.
Contact Us Do you have more information about Intellexa? Or another spyware manufacturer? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382), on Telegram and Keybase @lorenzofb, or by email.
Intellexa has been one of the most controversial spyware makers in recent years, operating in a variety of jurisdictions to circumvent export laws and using (as U.S. government officials said at the time) an “opaque web of corporate entities” to hide its activities.
In 2024, around the same time that one of Intellexa's customers targeted Cândido with spyware, the outgoing Biden administration sanctioned the company, its founder Tal Dirian, and his business partner Sara Alexandra Faisal Hamou.
Earlier this year, the Treasury Department lifted sanctions on three other executives connected to Interexa, a decision that prompted Senate Democrats to demand answers from the Trump administration.
Dillian did not respond to requests for comment.
An example of a malicious link sent by a hacker to Cândido on WhatsApp. (Image: Amnesty International)
Amnesty International researchers said in their report that they linked the break-in to Intellexa by examining forensic traces found on Candido's phone. Amnesty International said Intellexa previously used infected servers that were linked to the company's spyware infrastructure.
A few hours after clicking on the link that led to his phone being hacked, Candido restarted his phone and cleared the spyware from his device. Amnesty International said it was unclear how the spyware was able to hack Candido's phone because it was running an older version of iOS at the time.
Researchers discovered that Predator remained hidden by impersonating legitimate iOS system processes to avoid detection.
Amnesty International believes Candido may be just one of many targets in the country, based on its findings that it was able to discover multiple domains associated with spyware authors used in Angola.
“The first domain associated with Angola was deployed as early as March 2023, indicating the beginning of Predator testing and deployment in this country,” Amnesty researchers wrote, adding that there is no evidence to pinpoint who exactly hacked Candido.
“At this time, it is not possible to conclusively identify the domestic customers of Predator spyware,” the report said.
Last year, based on leaked internal documents, Amnesty International and news outlets revealed that Intellexa employees had the ability to access customers' systems remotely, potentially giving the spyware maker visibility into government surveillance activities.
These leaks, like this report, indicate that Intellexa has continued to operate in recent years despite controversy and sanctions.
“We are now seeing confirmed abuses in countries such as Angola, Egypt, Pakistan and Greece, and every time we bring an incident to light, more abuses are ensured to remain hidden,” said Donncha Ó Carebail, head of Amnesty International's Security Lab.