Ongoing Global Deployment and Corporate Expansion of Intellexa Predator Spyware
Researchers have uncovered continued deployment of the Predator spyware, developed by Intellexa, in multiple countries despite U.S. sanctions and increased scrutiny. New evidence indicates active use in Iraq, with additional operations linked to entities in Pakistan, Saudi Arabia, Kazakhstan, Angola, and Mongolia. Some countries, such as Egypt, Botswana, and Trinidad and Tobago, appear to have ceased communication with Intellexa, though this may reflect changes in infrastructure rather than a halt in activity. The spyware has been used against civil society members, business executives, and other high-value targets, with its costly licensing model suggesting a focus on strategic individuals. Ongoing legal proceedings against former Intellexa executives in Greece highlight the international concern over the company's activities.
Recorded Future’s Insikt Group has mapped a complex global network of individuals and entities associated with Intellexa, including those involved in backend development, infrastructure setup, and product distribution. Export and import data reveal that Intellexa’s products have been shipped to clients in various regions, with new evidence of product imports in Kazakhstan and the Philippines. The network also includes entities in the advertising sector potentially linked to the "Aladdin" ad-based infection vector. The persistent and likely unlawful use of Predator spyware continues to pose significant privacy, legal, and physical security risks, particularly for political opposition, business leaders, and individuals in sensitive roles worldwide.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Google issues Intellexa-linked spyware warnings to users
Google followed Apple's alerts with warnings affecting several hundred accounts across multiple countries, linking the activity to Intellexa exploit chains. Google said Intellexa continued operating despite sanctions and scrutiny.
Researchers uncover Intellexa remote access to customer systems
Investigations by Amnesty International, Google, and Recorded Future found Intellexa retained the ability to remotely access some customer Predator deployments. The finding raised concerns that the vendor could directly access surveillance operations run by its clients.
Recorded Future maps Intellexa's global corporate network
Recorded Future's Insikt Group published research detailing Intellexa's web of front companies and facilitators across multiple jurisdictions. The report said Predator operations continued despite sanctions and identified ongoing or recent activity in countries including Iraq, Saudi Arabia, Kazakhstan, Angola, Mongolia, and Mozambique.
Apple sends new spyware threat notifications worldwide
Apple sent a new round of threat notifications on December 2 to users it believed may have been targeted by sophisticated spyware operators. The company said it has now notified users in more than 150 countries overall.
Predator targets a human rights lawyer in Pakistan
A human rights lawyer in Pakistan's Balochistan province was targeted with Predator via a suspicious WhatsApp link. The reporting describes this as the first known Predator infection or civil society targeting documented in Pakistan.
Google disrupts Intellexa-linked ad ecosystem companies
Google identified companies created by Intellexa that had infiltrated the online advertising ecosystem and helped shut them down. The action targeted infrastructure used to support ad-based Predator delivery such as the 'Aladdin' vector.
U.S. sanctions Intellexa and related executives
Intellexa and several executives, including founder Tal Jonathan Dilian, were subjected to U.S. sanctions and other legal or regulatory actions. The sanctions were repeatedly cited as a major response to the company's spyware business.
Google begins tracking Intellexa infrastructure with partners
Google said it has worked with partners since at least 2023 to track Intellexa infrastructure, add related domains to Safe Browsing, and notify affected users. This marks an ongoing defensive effort against Predator-linked operations.
Sources
Apple and Google Alert Users Worldwide After New Spyware Activity Surfaces (techrepublic.com)
Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery (thehackernews.com)
Leaks show Intellexa burning zero-days to keep Predator spyware running (malwarebytes.com)
Researchers find Predator spyware is being used in several countries, including Iraq (therecord.media)
Intellexa remotely accessed Predator spyware customer systems, investigation finds (cyberscoop.com)
Intellexa’s Global Corporate Web (recordedfuture.com)


