Intellexa’s Predator Spyware Used To Hack iPhone Of Journalist In Angola, Research Says

What Happened to the Angolan Journalist's iPhone?

A prominent Angolan journalist's iPhone was compromised using Intellexa's Predator spyware after he clicked a malicious link sent via WhatsApp, according to a new report from Amnesty International. The incident, which occurred in 2024, marks another alarming case of commercial surveillance tools being deployed against press freedom advocates. Researchers confirmed the hack through forensic analysis of the device, linking the intrusion directly to the sanctioned spyware vendor. This breach raises urgent questions about digital safety for journalists operating in high-risk environments. Here's what we know about the attack, the technology behind it, and its broader implications for global press freedom.

Credit: Matthias Balk/picture alliance / Getty Images

How the WhatsApp Attack Unfolded in Angola

Teixeira Cândido, a respected Angolan journalist and press freedom activist, received a series of suspicious messages on WhatsApp throughout 2024. These messages contained links that appeared legitimate but were designed to deliver malicious code. After clicking one of these links, Cândido's iPhone was silently infected with Predator spyware, granting attackers extensive access to his device. Once installed, the spyware could harvest messages, photos, location data, and even activate the microphone and camera without the user's knowledge. This type of one-click attack remains highly effective because it exploits human curiosity rather than complex technical vulnerabilities. The incident underscores how everyday communication apps can become vectors for sophisticated surveillance.

Amnesty's Forensic Analysis Links Hack to Intellexa

Amnesty International's Security Lab conducted a detailed forensic examination of Cândido's iPhone to determine the source of the intrusion. Researchers identified unique digital fingerprints and code signatures that matched known samples of Intellexa's Predator spyware. These technical indicators, combined with the timing and method of the attack, allowed investigators to confidently attribute the hack to Intellexa's infrastructure. The report emphasizes that such forensic attribution is critical for holding surveillance vendors accountable. By publishing these findings, Amnesty aims to empower other at-risk individuals and organizations to recognize similar threats. This level of technical transparency helps build a stronger case for regulatory action against commercial spyware operators.

Intellexa's Controversial Operations and U.S. Sanctions

Intellexa has long operated in legal gray areas, using a complex network of corporate entities across multiple jurisdictions to obscure its activities. This opaque structure has allowed the company to circumvent export controls and continue selling powerful surveillance tools to governments with poor human rights records. In late 2024, the Biden administration imposed sanctions on Intellexa, its founder Tal Dilian, and business partner Sara Aleksandra Fayssal Hamou in response to documented abuses. However, earlier this year, the U.S. Treasury lifted sanctions on three other executives linked to the company, sparking criticism from Senate Democrats. These shifting policy decisions highlight the challenges of regulating a global surveillance industry that adapts quickly to enforcement efforts. Dilian did not respond to requests for comment regarding the Angola incident.

Journalists Globally Face Escalating Spyware Threats

The targeting of Teixeira Cândido is not an isolated event but part of a growing pattern of spyware abuse against civil society. Researchers have previously documented Predator deployments in Egypt, Greece, and Vietnam, where government actors used the tool to monitor journalists, activists, and even foreign officials. Journalists are particularly vulnerable because their work often involves handling sensitive information and communicating with confidential sources. When spyware compromises their devices, it not only endangers the individual but also undermines the integrity of their reporting and the safety of their contacts. This chilling effect can lead to self-censorship and a decline in investigative journalism, especially in regions with weak press protections. The Angola case reinforces the urgent need for stronger international norms around the sale and use of commercial surveillance technology.

What This Case Means for Digital Security and Press Freedom

The compromise of an Angolan journalist's iPhone using Predator spyware sends a stark warning to media professionals worldwide. It demonstrates that even cautious users can fall victim to well-crafted social engineering attacks delivered through trusted platforms like WhatsApp. For press freedom organizations, this incident underscores the importance of providing digital security training and resources to at-risk journalists. It also highlights the responsibility of technology companies to detect and block spyware distribution on their platforms. While no solution is foolproof against state-sponsored attacks, a layered approach to security can significantly reduce risk. Ultimately, protecting journalists requires both technical safeguards and robust legal frameworks that deter the misuse of surveillance tools.

Practical Steps to Reduce Spyware Risk on Your Device

While sophisticated spyware like Predator is difficult to detect and remove, there are practical measures individuals can take to lower their risk. First, exercise extreme caution with unsolicited links, even if they appear to come from known contacts. Keep your device's operating system and apps updated to patch known vulnerabilities that spyware might exploit. Enable two-factor authentication on all accounts to add an extra layer of security. Consider using security-focused messaging apps that offer end-to-end encryption and link-scanning features. If you suspect your device has been compromised, seek assistance from digital security experts who can perform a forensic analysis. Remember that staying informed about emerging threats is one of the most powerful defenses against surveillance.

Upholding Press Freedom in the Digital Age

The hacking of Teixeira Cândido's iPhone with Predator spyware is more than a technical breach—it's an attack on the fundamental right to report freely and safely. As commercial surveillance tools become more accessible to governments worldwide, the risks for journalists, activists, and ordinary citizens continue to grow. This case, documented by Amnesty International, adds to the mounting evidence that stronger oversight is needed for the global spyware industry. Supporting press freedom now means advocating for both digital security resources and policy reforms that hold surveillance vendors accountable. By learning from incidents like this, the global community can work toward a future where technology empowers journalism rather than endangers it. The resilience of journalists like Cândido reminds us that protecting truth-tellers is essential for healthy democracies everywhere.