A new investigation from Amnesty International has uncovered evidence that a government client of spyware firm Intellexa infiltrated the iPhone of a well-known journalist in Angola, underscoring ongoing concerns about the misuse of commercial surveillance tools.
The target, Teixeira Cândido — a journalist and advocate for press freedom — was reportedly subjected to multiple hacking attempts throughout 2024. According to Amnesty’s findings, he received a series of malicious links via WhatsApp. After eventually clicking one of them, his iPhone was compromised with Predator, a surveillance tool developed and sold by Intellexa.
Forensic experts from Amnesty’s Security Lab analyzed traces left on Cândido’s device and linked the intrusion to Predator infrastructure. The organization said the spyware relied on infection servers previously associated with Intellexa’s operations. Although Cândido’s phone was running an outdated version of iOS at the time, investigators could not determine the exact technical vulnerability exploited in the attack.
Predator is designed to operate covertly. Researchers found that once installed, the spyware disguised itself as legitimate iOS system processes, helping it evade detection. In this instance, Cândido rebooted his phone several hours after clicking the malicious link, which appears to have removed the spyware from the device.
This case adds to a growing list of documented abuses involving Predator. Previous investigations have connected the spyware to surveillance activities in Egypt, Greece, Vietnam, and Pakistan, among other countries. In some instances, journalists, opposition figures, and even foreign officials were reportedly targeted.
Intellexa has drawn scrutiny in recent years for operating through a complex network of corporate entities across multiple jurisdictions, a structure critics say allows it to sidestep export controls and obscure accountability. In 2024, the U.S. government imposed sanctions on the company, as well as on its founder, Tal Dilian, and associate Sara Aleksandra Fayssal Hamou. More recently, sanctions on several other executives linked to the firm were lifted, prompting questions from lawmakers.
Amnesty believes Cândido’s case may not be isolated. Investigators identified multiple domains tied to Predator activity in Angola, with some dating back to early 2023 — suggesting earlier testing or deployment in the country. However, the organization said it could not definitively identify which government entity was responsible for the attack.
Despite sanctions and public controversy, Amnesty’s report indicates that Intellexa’s spyware operations remain active. Researchers warn that documented cases likely represent only a fraction of the broader, largely hidden use of such surveillance technology worldwide.
