NextFin News - A new forensic investigation has revealed that Intellexa’s notorious Predator spyware was used to compromise the iPhone of a prominent journalist in Angola, marking the first documented instance of this mercenary surveillance tool being deployed in the southern African nation. According to Amnesty International, the target, Teixeira Cândido, a well-known press freedom activist and journalist, was subjected to multiple hacking attempts throughout 2024. The successful breach occurred in May 2024 after Cândido clicked on a malicious link delivered via WhatsApp, which triggered the installation of the Predator implant.
The technical analysis conducted by Amnesty’s Security Lab linked the intrusion to Intellexa’s infrastructure by identifying infection servers previously associated with the company’s operations. Researchers noted that the spyware was designed to be highly stealthy, masquerading as legitimate iOS system processes to evade detection. The specific exploit chain remains unconfirmed because the device was running an outdated version of iOS at the time. The implant appeared to lack persistence: Cândido unknowingly neutralized the threat by rebooting his phone several hours after the infection, which wiped the memory-resident malware. Despite the technical success of the forensic audit, researchers stated it is currently impossible to definitively identify the specific government client within Angola responsible for the attack.
This incident in Angola is not an isolated case but rather a symptom of a resilient and evolving global mercenary spyware market. Intellexa, a consortium of surveillance firms, has remained operational despite significant regulatory pressure. In 2024, the U.S. government imposed sanctions on Intellexa, its founder Tal Dilian, and associate Sara Alexandra Faisal Hamou. However, the recent lifting of sanctions against three other company executives by the U.S. Treasury earlier this year has sparked intense debate. According to Bloomberg.com, Senate Democrats have recently demanded answers from the administration of U.S. President Trump regarding the rationale behind easing these restrictions, suggesting a potential shift in the U.S. stance on commercial spyware enforcement.
The persistence of Predator in the global market, with confirmed abuses now spanning Angola, Egypt, Greece, Pakistan, and Vietnam, demonstrates the limitations of unilateral sanctions. Intellexa has historically utilized an "opaque web of corporate structures" across multiple jurisdictions to circumvent export controls and hide its activities. The Angolan case specifically highlights a strategic shift by spyware vendors toward emerging markets where legal frameworks for digital privacy are often underdeveloped. Amnesty’s discovery of multiple Angola-linked domains dating back to March 2023 suggests that the surveillance infrastructure was being tested and deployed long before the attack on Cândido was detected.
From a technical perspective, the use of "one-click" lures—themed links sent via social messaging apps—remains a highly effective vector for targeting civil society actors. Unlike the more expensive "zero-click" exploits that require no user interaction, one-click attacks leverage social engineering. For journalists like Cândido, who must remain accessible to unknown sources, this creates a permanent vulnerability. The fact that the spyware was wiped upon reboot is a double-edged sword: while it limits the duration of surveillance, it also serves as a sophisticated anti-forensic measure, making it significantly harder for researchers to recover the payload for analysis once a device has been power-cycled.
The economic and political implications of this breach are profound. The commercial spyware industry continues to thrive because there is a high-margin demand from state actors seeking to suppress domestic dissent. As long as the cost of developing and deploying these tools remains lower than the geopolitical or economic cost of the resulting sanctions, the market will persist. The Angolan incident suggests that the "Predatorgate" model seen in Greece—where surveillance tools were used against journalists and political rivals—is being exported to nations with even fewer institutional checks and balances.
Looking forward, the international community faces a critical juncture in the regulation of mercenary surveillance. The effectiveness of the U.S. President’s administration in maintaining a unified front against these vendors will be a decisive factor. If sanctions are inconsistently applied or prematurely lifted, it signals to the market that the risks of non-compliance are temporary. Furthermore, the Angolan case will likely accelerate calls for a global moratorium on the sale and transfer of such technology until a human rights-compliant regulatory framework is established. For high-risk individuals, the reliance on hardware-level security features, such as Apple’s Lockdown Mode, and frequent device reboots will remain the primary, albeit imperfect, line of defense against an industry that continues to operate with near-impunity.

