Show summary Hide summary
An Amnesty International investigation says a prominent Angolan reporter was infected with powerful commercial spyware after clicking a link sent over messaging. The case, traced to infrastructure tied to the firm Intellexa, highlights how off‑the‑shelf phone‑hacking tools are increasingly used to surveil journalists and other members of civil society.
Amnesty’s report focuses on attacks during 2024 against press freedom activist Teixeira Cândido, who received multiple malicious links on WhatsApp. After opening one, his device was compromised by spyware that forensic analysts linked to the spyware vendor.
What investigators found
Researchers said forensic traces on Cândido’s device pointed to infection servers and domains previously associated with the vendor known as Intellexa. The malicious software, identified by Amnesty as Predator, reportedly masked itself by imitating legitimate system processes to evade detection on the phone.
Breeze Airways launches 5 new international routes in Caribbean
Roaring Kitty’s X account posts after 16 months, GameStop jumps 13%
Several hours after the intrusion, Cândido restarted his phone, which removed the implant. Amnesty noted it remains unclear exactly which vulnerability the spyware exploited, since the device was running an outdated version of iOS at the time of the attack.
- Vector: malicious links sent via WhatsApp in 2024.
- Malware: Predator, according to Amnesty’s forensic analysis.
- Evidence linking to vendor: reuse of infection servers and domains tied to Intellexa’s infrastructure.
- Outcome for the target: reboot removed the implant; investigators could not conclusively identify the customer that ordered the attack.
Broader pattern and timeline
The Angola case adds to earlier findings that government customers of commercial spyware makers have used these tools against journalists, politicians and critics. Amnesty and other researchers have previously documented suspected Predator activity in countries including Egypt, Greece and Vietnam.
According to the new analysis, the first domain names linked to the spy platform in Angola appeared as early as March 2023, suggesting testing or deployment there well before the 2024 incidents.
Sanctions and corporate practices
Intellexa has attracted controversy for operating through a series of companies across jurisdictions, a setup critics say can obscure exports and accountability. In 2024 the outgoing U.S. administration imposed sanctions on the company and on its founder, Tal Dilian, as well as a business partner. A later Treasury decision to lift sanctions on three executives prompted scrutiny from Senate Democrats, who sought explanations from the current administration.
Amnesty’s report also references past document leaks showing that personnel at the spyware firm had the technical ability to access customers’ surveillance systems remotely — a detail that raised concerns about the degree of control and visibility vendors may retain over operations they facilitate.
The company founder did not respond to a request for comment from the investigators.
Why this matters now
Commercial spyware once marketed to states as a law‑enforcement tool has repeatedly been repurposed to monitor independent journalists and critics. That shift carries immediate consequences: targeted reporting can be disrupted, sources exposed and civic space chilled.
Amnesty’s security lab head warned that confirmed cases are likely only a fraction of the total incidents, underscoring the difficulty of detecting covert surveillance and the wider implications for press freedom.
As governments and vendors trade claims about legality and oversight, the new Angola findings underline an urgent policy question for regulators and tech platforms: how to prevent powerful surveillance tools from being turned against those who hold power to account.
