A government customer of sanctioned spyware maker Intellexa hacked the phone of a prominent journalist in Angola, according to Amnesty International, the latest case of targeting someone in civil society with powerful phone hacking software.

The human rights organization published a new report Tuesday analyzing several hacking attempts against local journalist and press freedom activist Teixeira Cândido, in which he was sent a series of malicious links via WhatsApp during 2024. 

Cândido eventually clicked on one and his iPhone was hacked with Intellexa’s spyware, dubbed Predator, Amnesty found.

The new research shows again that government customers of commercial surveillance vendors are increasingly using spyware used to target journalists, politicians, and other ordinary citizens, including critics. Researchers have previously found evidence of Predator abuse in Egypt, Greece, and Vietnam, where the government reportedly targeted U.S. officials by sending the spyware via links on X.  

Intellexa is one of the most controversial spyware makers of the last few years, operating from different jurisdictions to skirt export laws, and using an “opaque web of corporate entities” — as a U.S government official put it at the time — to hide its activities.

In 2024, around the same time one of Intellexa’s customers was targeting Cândido with its spyware, the outgoing Biden administration sanctioned the company, as well as its founder Tal Dilian and his business partner Sara Aleksandra Fayssal Hamou. 

Earlier this year, the Treasury lifted sanctions against three other executives tied to Intellexa, a decision that left Senate Democrats demanding answers from the Trump administration. 

Dilian did not respond to a request for comment.

Amnesty researchers wrote in the report that they linked the intrusions to Intellexa by examining forensic traces found on Cândido’s phone. Amnesty said that Intellexa used infection servers that had been previously linked to the company’s spyware infrastructure. 

Several hours after clicking on the link that led to his phone hack, Cândido rebooted his phone, which wiped the spyware from his device. Amnesty said it wasn’t clear how the spyware was capable of hacking Cândido’s phone, as his phone was running an outdated version of iOS at the time.

The researchers found that Predator stayed hidden by impersonating legitimate iOS system processes to avoid detection. 

Amnesty believes Cândido may be just one of many targets in the country, based on their findings that they were able to find multiple domains linked to the spyware maker used in Angola. 

“The first domains linked to Angola were deployed as early as March 2023, indicating the start of Predator testing or deployment in the country,” wrote the Amnesty researchers, who added that they had no evidence to determine exactly who hacked Cândido. 

“It is not currently possible to conclusively identify the customer of the Predator spyware in the country,” read the report. 

Last year, based on leaks of internal documents, Amnesty and media organizations revealed that Intellexa employees had the ability to access customers’ systems remotely, potentially giving the spyware maker visibility into government surveillance operations. 

Those leaks, like this report, shows that despite its controversies and sanctions, Intellexa has remained active in recent years.

“We’ve now seen confirmed abuses in Angola, Egypt, Pakistan, Greece, and beyond — and for every case we uncover, many more abuses surely remain hidden,” said Donncha Ó Cearbhaill, the head of the security lab at Amnesty International.