U.S. Treasury Removes Sanctions on Intellexa Predator Spyware Executives
The U.S. Department of the Treasury has lifted sanctions on three individuals—Merom Harpaz, Andrea Nicola Constantino Hermes Gambazzi, and Sara Aleksandra Fayssal Hamou—who were previously designated for their roles in the Intellexa Consortium, the company behind the Predator commercial spyware. These individuals had been sanctioned in 2024 for their involvement in developing, operating, and distributing Predator, as well as for facilitating the consortium’s financial and managerial operations. The reasons for their removal from the sanctions list have not been disclosed, and it is unclear whether they continue to hold their previous positions within the organization.
The reversal marks a significant shift in the U.S. government’s approach to countering commercial spyware manufacturers, following earlier efforts that included sanctions, blacklisting, and international agreements targeting such companies. Digital rights advocates have expressed concern that lifting these sanctions could undermine accountability for those involved in the proliferation of spyware, which has been used by governments and other actors to conduct invasive surveillance through zero- and one-click attacks. The Treasury Department has not provided further comment on the decision, and the move has prompted calls for greater transparency regarding the evidence supporting the delisting.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Recent Predator attempt targets Pakistani human rights lawyer
A recent reported attack attempt used Predator against a human rights lawyer in Pakistan, showing the spyware was still being deployed against civil society targets.
Treasury removes sanctions on three Intellexa-linked individuals
The U.S. Treasury Department's OFAC delisted Merom Harpaz, Andrea Gambazzi, and Sara Hamou from its sanctions list in late December 2025. The government did not publicly explain the basis for the reversal, prompting concern from researchers and rights advocates.
Researchers report Predator remains active in multiple countries
By 2025, researchers and digital rights advocates reported continued Predator deployments in countries including Iraq, Pakistan, and Mozambique, indicating the spyware ecosystem persisted despite earlier sanctions.
Predator spyware linked to targeting of more than 50 U.S. officials
U.S. authorities said Predator had been used to target over 50 U.S. government staffers, underscoring the national security impact of the spyware and helping drive enforcement actions against Intellexa-linked actors.
Commerce Department places Intellexa on the Entity List
The U.S. Commerce Department added Intellexa to its Entity List, restricting the company's ability to conduct business involving U.S. goods and services. The move was part of wider U.S. action against the spyware maker and its affiliates.
U.S. sanctions three Intellexa-linked executives over Predator spyware
In 2024, the Biden administration imposed sanctions on Merom Harpaz, Andrea Gambazzi, and Sara Hamou for their roles in developing, operating, and distributing Predator spyware as part of a broader crackdown on commercial spyware abuse.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
US Treasury Removes Sanctions on Intellexa Predator Spyware Executives
The US Treasury Department, under the Trump administration, has removed three individuals previously sanctioned for their involvement with the Intellexa consortium, the group behind the Predator commercial spyware platform. These individuals—Sara Hamou, Andrea Gambazzi, and Merom Harpaz—were originally sanctioned by the Biden administration in 2024 for their roles in managing and distributing Predator, which has been linked to surveillance activities targeting dissidents, journalists, and political opponents. The Treasury stated that the delistings were part of a normal administrative process following petitions for reconsideration, with each individual demonstrating steps to separate themselves from Intellexa. Despite the removals, concerns remain among researchers and human rights advocates, as recent investigations indicate that Intellexa continues to operate Predator and has expanded its targeting capabilities, including the use of malicious mobile advertisements for infection. The decision to lift these sanctions signals a shift in US policy toward commercial spyware vendors, with critics warning that it may embolden the use of surveillance tools by authoritarian regimes. The move follows earlier actions by the Trump administration to ease restrictions on other spyware companies, raising questions about the future of US efforts to curb the proliferation of commercial surveillance technology. The Predator spyware remains a significant concern for national security and human rights, as it enables extensive device tracking, data theft, and surveillance operations on infected devices.
Mar 21, 2026
Predator Spyware Campaigns Spur Sanctions and Convictions Tied to Intellexa
Investigations by Amnesty International, media partners, and other researchers linked the **Predator** mercenary spyware ecosystem to campaigns targeting politicians, journalists, civil society figures, and officials across multiple countries. One probe found suspected Vietnamese government-linked operators used malicious X posts and fake news links in an attempt to infect the phones of U.S. lawmakers and journalists, including members of Congress and reporters covering national security and Taiwan. Separate reporting tied Predator to earlier abuses in Greece and elsewhere, while technical analysis showed the malware could exploit multiple zero-days, pair with the **Alien** component for persistence, and steal messages, record calls, and activate device microphones. The widening scandal triggered government action and court cases against the spyware network behind Predator. The United States blacklisted Intellexa and Cytrox and later imposed additional sanctions on Intellexa, citing national security risks from the commercial surveillance trade. In Greece, courts convicted executives in the Predator wiretapping case, including an Israeli spyware maker who received an eight-year sentence, while Amnesty continued to document new alleged targeting, including a journalist in Angola and further evidence from the **"Intellexa Leaks"** that the spyware industry remained active despite mounting scrutiny.
May 26, 2026
Intellexa Executives Sentenced in Greece Over Predator Spyware Wiretapping Scandal
A Greek court in Athens sentenced **Intellexa** founder **Tal Dilian** and three associates—**Sara Hamou**, **Felix Bitzios**, and **Yiannis Lavranos**—to prison for their roles in the “Greek Watergate” spyware scandal involving illegal wiretapping and privacy violations tied to Intellexa’s *Predator* spyware. Local reporting cited by multiple outlets indicates the court imposed sentences totaling more than **126 years**, which under Greek law translate to **eight years** to be served; the court also ordered further investigation, and the defendants are expected to **appeal** and remain free pending the appeal process. The case stems from allegations that *Predator* was used to surveil Greek targets including **politicians, journalists, businesspeople, military officials, and other public figures**, with reporting citing **more than 90** victims in Greece during **2020–2021**. Lavranos’s company **Krikel** was reported to have links to the procurement of *Predator*. The convictions mark a notable legal milestone against a commercial spyware vendor; Intellexa and associated entities have also faced international scrutiny, including **U.S. sanctions** in 2024 over alleged misuse of the spyware, and experts noted the guilty verdict and custodial sentence could increase cross-border legal exposure even if defendants attempt to avoid Greek jurisdiction.
Mar 25, 2026