TL;DR: Leaked documents reveal Intellexa, the sanctioned spyware company behind Predator, had remote access to its government customers' surveillance systems. Staff could view stolen photos, messages, and data from hacked phones. The company also developed a zero-click attack called "Aladdin" that infects targets through malicious ads. Despite US sanctions in March 2024, Intellexa continues operating in Saudi Arabia, Kazakhstan, Angola, and Mongolia.

They Sold Spyware, Then Watched the Spying

When governments buy surveillance tools, they expect one thing: privacy. The target's data stays with the government. The vendor doesn't get to peek.

Intellexa broke that rule.

On December 4, 2025, Amnesty International published findings from leaked internal documents, sales materials, and training videos. The investigation, conducted with Haaretz, Inside Story, and Inside IT, exposed something the spyware industry claims never happens: vendor access to victim data.

Intellexa staff allegedly used TeamViewer (an off-the-shelf remote access tool) to connect directly to government customers' surveillance systems. Once connected, they could see everything: photos, messages, location data. All the intimate details stolen from hacked phones.

"These findings can only add to the concerns of potential surveillance victims," Amnesty stated. "Not only is their most sensitive data exposed to a government or other spyware customer, but their data risks being exposed to a foreign surveillance company."

The Training Video That Showed Too Much

One leaked video revealed a live demonstration of Predator infections against real targets. Not simulations. Real people.

The video showed detailed information from a Kazakhstan-based target: their IP address, the infection URL used to compromise their phone, and the software versions running on their device. This wasn't a controlled lab environment. Intellexa trainers were showing customers how to hack real humans.

The CEO of Memento Labs, speaking to researchers, confirmed this level of access violates industry norms: "No [government] agency would accept it." Even NSO Group, maker of the infamous Pegasus spyware, claims it never accesses customer data.

Intellexa apparently didn't get that memo.

Aladdin: The Zero-Click Ad Attack

The leaks also revealed a new infection vector called "Aladdin." Here's how it works: Intellexa customers push malicious advertisements through ad networks. When a target views the ad (just views it, no clicking required), their phone gets compromised.

Zero-click. Zero interaction. You see an ad, you're hacked.

Google's Threat Intelligence Group noted that Intellexa has "solidified its position as one of, if not the most, prolific spyware vendors exploiting zero-day vulnerabilities against mobile browsers." The company burns through expensive zero-day exploits to keep Predator running, constantly finding new holes in iOS and Android.

In summer 2025, Amnesty's Security Lab documented an attack against a human rights lawyer in Pakistan's Balochistan province. The attack came through WhatsApp. Google sent spyware threat notifications to "several hundred accounts across various countries, including Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, Saudi Arabia and Tajikistan."

Sanctioned But Still Operating

In March 2024, the US Treasury sanctioned Intellexa founder Tal Dilian and his business partner Sara Aleksandra Fayssal Hamou. It marked the first time the US targeted a specific individual in the commercial spyware industry.

The sanctions cited misuse against Americans, including government officials and journalists.

Didn't matter. Researchers found evidence of Intellexa customers currently operating in Saudi Arabia, Kazakhstan, Angola, and Mongolia. Three former Intellexa executives are on trial in Greece, where dozens of Predator victims are located.

Dilian's lawyer issued a written response denying any crimes. Dilian himself called the journalists behind the investigation "useful idiots" in an orchestrated campaign against him. One source described Dilian as moving "like an elephant in a crystal shop" when it comes to discretion.

The elephant keeps stomping.

What You Can Do

If You're a Potential Target

Journalists, lawyers, activists, and dissidents are primary targets. Use Amnesty's Mobile Verification Toolkit to check your device for spyware indicators. Enable Lockdown Mode on iOS. Keep devices updated: although Intellexa burns zero-days, patches eventually catch up.

Limit Your Attack Surface

The Aladdin attack uses ad networks. Use aggressive ad blockers. Avoid clicking suspicious links, but remember: zero-click attacks don't require interaction. Consider using a separate device for sensitive communications. Don't trust any single device completely.

Support Accountability Efforts

Organizations like Citizen Lab, Amnesty Tech, and EFF investigate spyware abuses. Their research led to these leaks and the US sanctions. Support their work. The more exposure, the harder it gets for these companies to operate.

The Mercenary Spyware Industry Won't Police Itself

Intellexa isn't unique. It's just the one that got caught with its hands in the cookie jar. The commercial spyware industry sells surveillance tools to governments with poor human rights records, then claims ignorance when those tools get used against journalists and activists.

The Intellexa leaks prove something worse: the vendors themselves may be watching. When you buy spyware, you might be sharing your victims with the company that sold it to you.

That's not a bug. That's leverage.
