US Treasury Removes Sanctions on Intellexa Predator Spyware Executives
The US Treasury Department, under the Trump administration, has removed three individuals previously sanctioned for their involvement with the Intellexa consortium, the group behind the Predator commercial spyware platform. These individuals—Sara Hamou, Andrea Gambazzi, and Merom Harpaz—were originally sanctioned by the Biden administration in 2024 for their roles in managing and distributing Predator, which has been linked to surveillance activities targeting dissidents, journalists, and political opponents. The Treasury stated that the delistings were part of a normal administrative process following petitions for reconsideration, with each individual demonstrating steps to separate themselves from Intellexa. Despite the removals, concerns remain among researchers and human rights advocates, as recent investigations indicate that Intellexa continues to operate Predator and has expanded its targeting capabilities, including the use of malicious mobile advertisements for infection.
The decision to lift these sanctions signals a shift in US policy toward commercial spyware vendors, with critics warning that it may embolden the use of surveillance tools by authoritarian regimes. The move follows earlier actions by the Trump administration to ease restrictions on other spyware companies, raising questions about the future of US efforts to curb the proliferation of commercial surveillance technology. The Predator spyware remains a significant concern for national security and human rights, as it enables extensive device tracking, data theft, and surveillance operations on infected devices.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Treasury removes three former Intellexa-linked individuals from sanctions list
The Trump administration removed three Iranians from the U.S. sanctions list after a petition and evidence presented to the Treasury Department indicated they had separated themselves from Intellexa. The delisting reversed sanctions imposed in 2024 over their alleged involvement with the Predator spyware consortium.
Investigations find Predator spyware still operating despite sanctions
By late 2025, investigations reported that Intellexa was still operating the Predator spyware platform despite prior U.S. sanctions. The findings fueled continued human rights concerns and criticism over the effectiveness of the sanctions regime.
Biden administration sanctions three Iranians tied to Intellexa
In 2024, the U.S. government sanctioned three Iranian individuals for their roles in the Intellexa consortium, the commercial spyware operation behind Predator. The sanctions were part of broader U.S. action against spyware actors linked to abuses and surveillance activity.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
U.S. Treasury Removes Sanctions on Intellexa Predator Spyware Executives
The U.S. Department of the Treasury has lifted sanctions on three individuals—Merom Harpaz, Andrea Nicola Constantino Hermes Gambazzi, and Sara Aleksandra Fayssal Hamou—who were previously designated for their roles in the Intellexa Consortium, the company behind the Predator commercial spyware. These individuals had been sanctioned in 2024 for their involvement in developing, operating, and distributing Predator, as well as for facilitating the consortium’s financial and managerial operations. The reasons for their removal from the sanctions list have not been disclosed, and it is unclear whether they continue to hold their previous positions within the organization. The reversal marks a significant shift in the U.S. government’s approach to countering commercial spyware manufacturers, following earlier efforts that included sanctions, blacklisting, and international agreements targeting such companies. Digital rights advocates have expressed concern that lifting these sanctions could undermine accountability for those involved in the proliferation of spyware, which has been used by governments and other actors to conduct invasive surveillance through zero- and one-click attacks. The Treasury Department has not provided further comment on the decision, and the move has prompted calls for greater transparency regarding the evidence supporting the delisting.
Mar 21, 2026
Predator Spyware Campaigns Spur Sanctions and Convictions Tied to Intellexa
Investigations by Amnesty International, media partners, and other researchers linked the **Predator** mercenary spyware ecosystem to campaigns targeting politicians, journalists, civil society figures, and officials across multiple countries. One probe found suspected Vietnamese government-linked operators used malicious X posts and fake news links in an attempt to infect the phones of U.S. lawmakers and journalists, including members of Congress and reporters covering national security and Taiwan. Separate reporting tied Predator to earlier abuses in Greece and elsewhere, while technical analysis showed the malware could exploit multiple zero-days, pair with the **Alien** component for persistence, and steal messages, record calls, and activate device microphones. The widening scandal triggered government action and court cases against the spyware network behind Predator. The United States blacklisted Intellexa and Cytrox and later imposed additional sanctions on Intellexa, citing national security risks from the commercial surveillance trade. In Greece, courts convicted executives in the Predator wiretapping case, including an Israeli spyware maker who received an eight-year sentence, while Amnesty continued to document new alleged targeting, including a journalist in Angola and further evidence from the **"Intellexa Leaks"** that the spyware industry remained active despite mounting scrutiny.
May 26, 2026
Ongoing Global Deployment and Corporate Expansion of Intellexa Predator Spyware
Researchers have uncovered continued deployment of the Predator spyware, developed by Intellexa, in multiple countries despite U.S. sanctions and increased scrutiny. New evidence indicates active use in Iraq, with additional operations linked to entities in Pakistan, Saudi Arabia, Kazakhstan, Angola, and Mongolia. Some countries, such as Egypt, Botswana, and Trinidad and Tobago, appear to have ceased communication with Intellexa, though this may reflect changes in infrastructure rather than a halt in activity. The spyware has been used against civil society members, business executives, and other high-value targets, with its costly licensing model suggesting a focus on strategic individuals. Ongoing legal proceedings against former Intellexa executives in Greece highlight the international concern over the company's activities. Recorded Future’s Insikt Group has mapped a complex global network of individuals and entities associated with Intellexa, including those involved in backend development, infrastructure setup, and product distribution. Export and import data reveal that Intellexa’s products have been shipped to clients in various regions, with new evidence of product imports in Kazakhstan and the Philippines. The network also includes entities in the advertising sector potentially linked to the "Aladdin" ad-based infection vector. The persistent and likely unlawful use of Predator spyware continues to pose significant privacy, legal, and physical security risks, particularly for political opposition, business leaders, and individuals in sensitive roles worldwide.
Mar 21, 2026