TL;DR: Amnesty International found forensic evidence that Predator spyware was installed on the iPhone of Teixeira Cândido, a prominent Angolan journalist and former head of the country's journalist union. The attack happened on May 4, 2024—while US sanctions on Intellexa executives were still in effect. This is the first forensically confirmed Predator deployment in Angola. The attacker posed as a student on WhatsApp, sent malicious links, and gained access to Cândido's phone for several hours before he restarted it.
How the Attack Worked
Someone wanted to read Teixeira Cândido's messages, access his contacts, and listen through his microphone. So they played the long game.
Starting in April 2024, Cândido received WhatsApp messages from an unknown Angolan number. The sender claimed to be part of a student group interested in Angola's social and economic affairs [1][2]. They built rapport. Made conversation. Seemed legitimate.
Then, on May 3 at 4:18 pm local time, the attacker sent the first malicious link—disguised as a news article. Cândido clicked it on May 4. Predator installed silently on his iPhone [2].
He got lucky. He restarted his phone that same evening, which cleared the spyware from memory. But for several hours, whoever deployed Predator had full access to his device [2].
The attacker didn't give up. Eleven more infection attempts followed. Cândido didn't click any of them [2].
Who Is Teixeira Cândido
This wasn't some random target. Cândido is a prominent journalist, jurist, and press freedom activist in Angola. He served as Secretary General of the Syndicate of Angolan Journalists (SJA)—the country's journalist union [1][3].
In a country where press freedom is under pressure, that makes him exactly the kind of person authoritarian governments want to monitor.
"I literally felt naked knowing that I was the target of this invasion of my privacy," Cândido told the Committee to Protect Journalists. "I don't know what they have in my possession about my life" [3].
Amnesty International confirmed this is the first forensically documented use of Predator spyware in Angola [1]. But given how Predator operates—and who buys it—there are almost certainly more victims who don't know they've been compromised.
What Predator Can Do
Predator isn't some low-grade stalkerware. This is top-tier commercial spyware sold exclusively to governments.
Once installed, Predator can:
- Read all messages (WhatsApp, Signal, SMS, email—encryption doesn't help)
- Access the camera and microphone without indicators showing
- Track location in real-time
- Copy contacts, call logs, and files
- Capture passwords and login credentials
Amnesty's 2023 "Predator Files" investigation documented its use against the European Parliament president, Taiwan's president, and US government officials [2]. This is military-grade surveillance hardware being used against journalists.
The Sanctions That Didn't Stop It
Here's the timing that matters: Cândido was hacked in May 2024. US sanctions on Intellexa executives were still in effect. The Biden administration had added Intellexa to the Entity List in July 2023 and sanctioned individual executives in March and September 2024 [4].
None of it stopped Predator from being deployed against an Angolan journalist.
And now? The Trump administration quietly removed those sanctions on December 30, 2025. Three Intellexa executives are off the hook. Treasury says they "demonstrated measures to separate themselves" from the company. No evidence provided [5].
Meanwhile, Amnesty reports Predator remains actively deployed in Saudi Arabia, Kazakhstan, Angola, Mongolia, Iraq, and Pakistan [1].
The Pattern Keeps Repeating
Every few months, another Predator victim gets revealed:
- Greece (2022): Opposition politicians and journalists
- Egypt (2021-2023): Exiled activists and their family members
- Pakistan (2023): Human rights defenders
- Angola (2024): Press freedom advocate Teixeira Cândido
Amnesty's Donncha Ó Cearbhaill put it bluntly: "We've now seen confirmed abuses in Angola, Egypt, Pakistan, Greece, and beyond—and for every case we uncover, many more abuses surely remain hidden" [1].
Governments buy Predator to spy on the people who might challenge them. The spyware industry makes this possible. US sanctions haven't stopped it. And now those sanctions are being rolled back.
Protecting Yourself
If you're a journalist, activist, or dissident who might be targeted:
- Enable Lockdown Mode on iPhone (Settings → Privacy & Security → Lockdown Mode). It blocks many spyware infection vectors.
- Don't click links from unknown contacts. Even if they build rapport first. Especially if they build rapport first.
- Restart your phone daily. Many spyware infections don't survive a reboot—exactly what saved Cândido.
- Keep iOS updated. Spyware exploits known vulnerabilities.
- Use a separate device for sensitive communications. Your main phone is your biggest vulnerability.
If you suspect you've been targeted, contact Amnesty International's Security Lab or the Citizen Lab at the University of Toronto. They can perform forensic analysis.
References
- Amnesty International — Angola: Prominent Journalist Hacked with Predator Spyware (February 17, 2026)
- The Record — Predator spyware used to infect phone belonging to Angolan journalist (February 17, 2026)
- Committee to Protect Journalists — 'I literally felt naked': Angolan journalist Teixeira Cândido targeted with Predator spyware (February 2026)
- TechCrunch — Intellexa's Predator spyware used to hack iPhone of journalist in Angola (February 17, 2026)
- State of Surveillance — Treasury Let Predator Spyware Execs Off the Hook (February 17, 2026)