Sanctioned spyware maker Intellexa had direct access to government espionage victims, researchers say

Spyware maker Intellexa had remote access to some of its government customers’ surveillance systems, giving company staffers the ability to see the personal data of people whose phones had been hacked with its Predator spyware, according to new evidence published by Amnesty International. On Thursday, Amnesty and a coalition of media partners, including Israeli newspaper Haaretz, Greek news site Inside Story, and Swiss outlet Inside IT, published a series of reports based on leaked material from Intellexa, including internal company documents, sales and marketing material, and training videos. Perhaps the most striking revelation is that people working at Intellexa could allegedly remotely access the surveillance systems of at least some of its customers via TeamViewer, an off-the-shelf tool that allows users to connect to other computers over the internet. The remote access is shown in a leaked training video revealing privileged parts of the Predator spyware system, including its dashboard, as well as the “storage system containing photos, messages and all other surveillance data gathered from victims of the Predator spyware,” Amnesty wrote in its report. (Amnesty published screenshots taken from the video, but not the full video.) The nonprofit researchers wrote that the leaked video shows apparent “live” Predator infection attempts “against real targets,” based on detailed information “from at least one infection attempt against a target in Kazakhstan.” The video contained the infection URL, the target’s IP address, and the software versions of the target’s phone. A screenshot of the dashboard of an Intellexa customer surveillance system, which shows the types of sensitive personal data of hacked targets that customers and Intellexa support staff may have access to. (Image: Amnesty International) Companies that sell spyware to government agencies, such as NSO Group and the now-defunct Hacking Team, have long maintained that they never have access to the data of their customers’ targets, nor their customers’ systems. There are several reasons why. From the point of view of the spyware makers, they don’t want the potential legal liability if their customers use the spyware unlawfully. And, spyware makers would rather say that once they sell their spyware, the customers are fully responsible for using it. From the government customers’ standpoint, they don’t want to expose details of their sensitive investigations, such as targets’ names, locations, and personal data, to a private company that may be based overseas. In other words, this type of remote access is absolutely not “normal,” as Paolo Lezzi, the chief executive of spyware maker Memento Labs, told TechCrunch when contacted for this story to ask from the perspective of a spyware maker. “No [government] agency would accept it,” he said. That’s why Lezzi was skeptical that the leaked training video was showing access to an actual customer’s live surveillance system. Perhaps, he posited, this was training material showing a demo environment. The chief executive also said that some customers have asked Memento Labs to have access to their systems, but the company only accepts the offer if it’s necessary to solve technical issues. In any case, he said, “they enable us to have TeamViewer access for the necessary time and under their supervision we carry out the intervention and leave.” Contact Us Do you have more information about Intellexa? Or other spyware makers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. Amnesty, however, is convinced that the leaked video does show access to live Predator surveillance systems. “One of the staff in the training call ask if it was a demo environment, and the instructor confirmed it was a live customer system,” said Donncha Ó Cearbhaill the head of Amnesty’s security lab, which did the technical analysis of the leaked material, and has investigated several cases of Predator infections. The claim that Intellexa staffers had visibility into who their customers were spying on raised Amnesty’s concerns about security and privacy. “These findings can only add to the concerns of potential surveillance victims. Not only is their most sensitive data exposed to a government or other spyware customer, but their data risks being exposed to a foreign surveillance company, which has demonstrable issues in keeping their confidential data stored securely,” the nonprofit wrote in the report. Intellexa could not be reached for comment. A lawyer speaking on behalf of Intellexa’s founder Tal Dilian told Haaretz that Dilian has “not committed any crime nor operated any cyber system in Greece or anywhere else.” Dilian is one of the more controversial people in the world of government spyware. A veteran of the spyware industry previously told TechCrunch that Dilian “moves like an elephant in a crystal shop,” implying he made little effort to conceal his activities. “In that particular space of spyware sellers you have to be extremely balanced and attentive… but he didn’t care,” said the person. In 2024, the U.S. government announced sanctions against Tal Dilian and one of his business partners, Sara Aleksandra Fayssal Hamou. In that case, the U.S. Treasury imposed sanctions based on allegations that Intellexa’s spyware was used against Americans, including U.S. government officials, journalists, and policy experts. The sanctions make it illegal for American companies and nationals to have any commercial relationship with Dilian and Hamou. That was the first time the U.S. government, which has taken actions against spyware NSO Group, targeted a specific person involved in the industry. In his response to Haaretz, Dilian accused journalists of being “useful idiots” in an “orchestrated campaign” to hurt him and his company, which was “fed into the Biden administration.”