The mercenary spyware industry, long thought to be in retreat under the weight of international sanctions and public exposure, has demonstrated a stubborn resilience. New research reveals that Intellexa’s notorious Predator spyware was deployed against a journalist in Angola, marking one of the most significant confirmed cases of surveillance targeting press freedom in Africa in recent memory. The findings underscore how commercial surveillance tools continue to find willing government buyers despite diplomatic pressure, export controls, and the blacklisting of their manufacturers.
According to a report published by TechCrunch, researchers have confirmed that Predator spyware — developed and sold by the Intellexa alliance of surveillance companies — was used to compromise the iPhone of a journalist working in Angola. The discovery was made through forensic analysis of the device, which revealed telltale indicators of Predator infection, including artifacts consistent with the spyware’s known exploitation chains and command-and-control infrastructure.
A Familiar Weapon With a New Target
Predator is not a newcomer to the global surveillance stage. Developed by Cytrox, a North Macedonian company that operates under the Intellexa umbrella, Predator has been documented in attacks against politicians, dissidents, and journalists across multiple continents. The spyware is capable of extracting messages, emails, photos, and contact lists from infected devices. It can also silently activate a phone’s microphone and camera, turning the device into a real-time surveillance tool. Unlike some spyware that requires a target to click a malicious link, Predator has been deployed using both one-click and zero-click exploits, making it exceptionally dangerous.
The Angola case is particularly alarming because it represents the expansion of Predator’s known operational footprint into a new region. While previous documented deployments have been concentrated in countries such as Greece, Egypt, Madagascar, and several other nations, Angola had not previously appeared on the confirmed list of Predator customers. The targeting of a journalist — rather than a political rival or security threat — raises pointed questions about the stated justifications governments use when procuring such tools.
Inside the Forensic Discovery
The forensic analysis that uncovered the infection was conducted by researchers who have become increasingly adept at identifying the digital fingerprints left behind by commercial spyware. As TechCrunch reported, the investigation revealed traces of Predator’s infrastructure embedded within the journalist’s device data. These traces included connections to domains and servers previously associated with Intellexa’s command-and-control network, as well as exploitation artifacts that matched known Predator delivery mechanisms.
Apple, which manufactures the iPhone, has in recent years implemented a feature called Lockdown Mode specifically designed to harden devices against sophisticated spyware attacks. The company has also filed lawsuits against spyware makers and regularly issues security patches to close vulnerabilities exploited by surveillance vendors. Despite these efforts, the arms race between device manufacturers and spyware developers continues unabated. Each patch Apple releases is met by new exploit research from companies like Intellexa, which invest millions in discovering and weaponizing previously unknown software vulnerabilities.
Sanctions and Their Limits
The United States government took the unprecedented step in 2023 of adding Intellexa and Cytrox to the Commerce Department’s Entity List, effectively barring American companies from doing business with them. The Treasury Department followed up with sanctions against specific individuals associated with the Intellexa alliance, including its founder, Tal Dilian, an Israeli entrepreneur with a background in military intelligence. The European Union has also grappled with the Predator scandal, particularly after revelations that the spyware was used against journalists and politicians in Greece — a controversy that became known as “Predatorgate” and led to a European Parliament investigation.
Yet the Angola case demonstrates the inherent limitations of sanctions regimes when applied to an industry built on secrecy and shell companies. Intellexa has historically operated through a labyrinthine corporate structure spanning multiple jurisdictions, including Ireland, North Macedonia, Hungary, and several offshore financial centers. Researchers and journalists who have investigated the alliance have documented how it has repeatedly restructured and rebranded its operations to evade regulatory scrutiny. The appearance of Predator in Angola suggests that these evasion tactics continue to be effective, allowing the technology to reach new customers even as the net of international restrictions tightens.
Angola’s Press Freedom Under Scrutiny
Angola, a southern African nation rich in oil and diamonds, has a complicated relationship with press freedom. While the country has made strides since the end of its civil war in 2002, journalists and media organizations continue to face significant pressures. Reporters Without Borders has consistently ranked Angola in the lower half of its World Press Freedom Index, citing concerns about government influence over media, legal harassment of journalists, and self-censorship driven by fear of reprisal. The confirmed use of Predator spyware against a journalist in the country adds a potent new dimension to these concerns, suggesting that the Angolan government — or actors within it — may be willing to deploy the most sophisticated digital surveillance tools available against members of the press.
The identity of the targeted journalist has not been publicly disclosed, a decision likely made to protect the individual from further retaliation. However, the nature of their reporting — which, according to available information, touched on sensitive political and governance issues — provides a plausible motive for surveillance. Governments that purchase commercial spyware frequently justify its use as a counterterrorism or law enforcement necessity, but the growing body of evidence from cases around the world shows that these tools are routinely turned against journalists, human rights defenders, opposition politicians, and civil society leaders.
The Broader Spyware Economy Refuses to Die
The persistence of Predator is emblematic of a broader trend in the commercial surveillance industry. Despite the high-profile exposure of NSO Group’s Pegasus spyware beginning in 2021, and the subsequent wave of sanctions, lawsuits, and diplomatic initiatives aimed at curbing the industry, the market for mercenary spyware remains robust. New entrants continue to emerge, and established players adapt their business models and corporate structures to survive. A report from Google’s Threat Analysis Group published in early 2025 identified dozens of companies actively selling surveillance capabilities to governments, many of them operating with little or no public scrutiny.
The economic incentives are simply too powerful to be easily disrupted. A single zero-click exploit chain for an iPhone can command prices in the millions of dollars on the gray market, and governments with deep pockets and authoritarian tendencies represent eager buyers. For companies like Intellexa, the risk-reward calculus still favors continued operations, even in the face of sanctions. The penalties for violating export controls are often difficult to enforce across jurisdictions, and the demand signal from potential government clients remains strong.
What Comes Next for Accountability
The Angola revelation is likely to intensify calls for more aggressive international action against the commercial spyware industry. Civil society organizations, including Amnesty International, the Electronic Frontier Foundation, and Citizen Lab at the University of Toronto, have long advocated for a global moratorium on the sale and use of mercenary spyware until adequate regulatory frameworks are in place. The Pall Mall Process, a diplomatic initiative launched by the United Kingdom and France in 2024, aims to establish international norms around the responsible use of commercial cyber capabilities, but progress has been slow and the initiative lacks enforcement mechanisms.
For the journalist in Angola whose iPhone was compromised, the implications are deeply personal and immediately dangerous. The extraction of sensitive communications, source identities, and unpublished reporting material can put not only the journalist at risk but also their entire network of contacts and sources. In authoritarian and semi-authoritarian contexts, such information can be used to identify and punish whistleblowers, dismantle investigative networks, and chill the kind of accountability journalism that is essential to democratic governance.
The Predator spyware’s reappearance in a new theater of operations serves as a stark reminder that the commercial surveillance industry is not retreating — it is adapting. Until the international community develops enforcement mechanisms with real teeth, the cycle of exposure, condemnation, and continued deployment is likely to persist. The journalists, activists, and dissidents who find themselves in the crosshairs of these tools will continue to bear the heaviest costs of that failure.
Pingback: Predator Spyware Resurfaces In Angola: How Intellexa’s Surveillance Tool Breached A Journalist’s IPhone And What It Means For Global Press Freedom - AWNews