TL;DR: On December 30, 2025, the Treasury Department quietly removed three Intellexa executives from its sanctions list. These are the people behind Predator spyware, the tool that targeted over 50 US government staffers and countless journalists and activists worldwide. Treasury says they "demonstrated measures to separate themselves" from Intellexa. No evidence provided. No details given. Predator remains actively deployed in Saudi Arabia, Kazakhstan, Angola, Mongolia, Iraq, and Pakistan.

The Silent Reversal

On the second-to-last day of 2025, the Treasury Department updated its sanctions list. Three names came off:

  • Merom Harpaz: Top executive at Intellexa's holding company
  • Andrea Nicola Constantino Hermes Gambazzi: Owner of companies that processed payments and held distribution rights to Predator
  • Sara Aleksandra Fayssal Hamou: Corporate off-shoring specialist who set up Intellexa's Greek operations

The timing wasn't subtle. December 30. A Monday. Between Christmas and New Year's. When nobody's paying attention.

Treasury's explanation: They petitioned for reconsideration and "demonstrated measures to separate themselves from the Intellexa Consortium."

What measures? Treasury didn't say. How did they demonstrate separation? Treasury didn't say. Is Intellexa still selling Predator? Yes. Does it matter? Apparently not.

Why They Were Sanctioned in the First Place

The Biden administration put these people on the list for a reason. Hamou was sanctioned in March 2024. Harpaz and Gambazzi followed in September 2024.

The charges weren't vague. Predator spyware, Intellexa's flagship product, was used to target:

  • Over 50 US government employees stationed around the world
  • Journalists investigating corruption and human rights abuses
  • Opposition politicians in multiple countries
  • Human rights activists from Pakistan to Greece

Treasury accused Intellexa of using "an opaque web of corporate entities designed to avoid accountability." The sanctions were supposed to make it harder for these people to operate: freeze their US assets, cut them off from the global financial system.

Nine months later: lifted. No accountability. Back to business.

Predator Didn't Stop Running

Here's the part that makes the delisting absurd: Predator never stopped.

According to Recorded Future's Insikt Group, Intellexa customers are currently operating in:

  • Saudi Arabia
  • Kazakhstan
  • Angola
  • Mongolia
  • Iraq
  • Pakistan

A Mozambique-linked cluster was still running as of late June 2025. Some customers in Egypt, Botswana, and Trinidad & Tobago may have stopped, or they just changed their infrastructure to avoid detection.

In December 2025 (the same month these sanctions got lifted) Amnesty International published leaked documents showing Intellexa staff had direct access to victims' stolen data. They used TeamViewer to remote into government customers' surveillance systems. They could see the photos, messages, and location data stolen from hacked phones.

The company also developed "Aladdin," a zero-click attack that infects phones through malicious ads. You don't click anything. You see an ad, you're compromised.

This is the company that just got its executives off the sanctions list.

What "Demonstrated Measures" Actually Means

Treasury said the three executives "demonstrated measures to separate themselves from the Intellexa Consortium."

Natalia Krapiva at Access Now wants to know what that means: "The public deserves to know what evidence exists to clearly demonstrate that these individuals have ceased their involvement with the Intellexa-affiliated entities."

She warned that lifting sanctions "risks signaling to malicious actors that this behavior may come with little consequences."

That's exactly what happened. You can help build a spyware empire that targets US government employees. You can get sanctioned. Then you can petition for removal, claim you've "separated" yourself, and walk free.

What's the evidence? Classified, presumably. Or maybe just missing.

Part of a Pattern

This fits a broader shift. The same week NSO Group's CEO stepped down, US investors bought the company, and former Trump official David Friedman became executive chairman. NSO (also sanctioned, also implicated in journalist surveillance) is trying to get off the blacklist too.

Meanwhile, Spain just closed its investigation into Pegasus hacking of Prime Minister Sanchez. Why? Israel refused to cooperate for three years.

The commercial spyware industry is consolidating. The accountability mechanisms are failing. And the people who built these tools are getting off scot-free.

What This Means

Sanctions were supposed to be the consequence. When you build spyware that targets American government employees, when you enable authoritarian regimes to hunt journalists, when you run a deliberately opaque corporate structure to avoid accountability, sanctions were the price.

Now we know that price is negotiable. Petition for reconsideration. Claim you've distanced yourself. Wait for a convenient news cycle. Walk away.

Predator is still running. Intellexa's infrastructure is still active. The only thing that changed is that three executives no longer have frozen assets.

That's the message: Build surveillance tools. Target dissidents. Target US officials. You might get sanctioned. You'll probably get un-sanctioned.

Sources

  1. The Hacker News - U.S. Treasury Lifts Sanctions on Three Individuals Linked to Intellexa and Predator Spyware (December 2025)
  2. The Record - Treasury removes sanctions for three executives tied to spyware maker Intellexa (December 2025)
  3. Bloomberg - US Lifts Sanctions on Trio Accused of Work on 'Predator' Spyware (December 2025)
  4. Risky Biz - US lifts sanctions on three Intellexa execs (December 2025)
  5. Recorded Future - Predator Spyware Resurgence: New Global Infrastructure (2025)
  6. The Record - Predator spyware is being used in several countries, including Iraq (2025)