To Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spyware
The “Intellexa Leaks”, a new investigation published jointly by Inside Story, Haaretz and WAV Research Collective, presents troubling revelations about the surveillance company Intellexa and its signature product Predator, a form of highly invasive spyware that has been linked to human rights abuses in multiple countries.
Intellexa is one of the most notorious of the so-called “mercenary spyware companies”, a description used by civil society and industry researchers for private entities that develop spyware and sell it for use by governments. While numerous reports on Intellexa, including by Amnesty International, have documented human rights harms related to the use of its products, its internal operations have remained largely unknown to researchers. Amnesty International has previously sent detailed questions to Intellexa about its products, operations and corporate structure. Intellexa has always declined to answer these questions. In 2023, Intellexa was fined by the Greek Data Protection Authority for failing to comply with its investigations into the company.
Now, drawing on leaked internal company documents, sales and marketing material, as well as training videos, the “Intellexa Leaks” investigation gives a never-before-seen glimpse of the internal operations of a mercenary spyware company focused on exploiting vulnerabilities in mobile devices, which enable targeted surveillance attacks on human rights defenders, journalists and members of civil society.
Among the most startling findings is evidence that, at the time of the leaked training videos, Intellexa retained the capability to remotely access Predator customer systems, even those physically located on the premises of its governmental customers. Therefore, Intellexa would have access to data on those subject to targeted surveillance attacks by governments. The leaked files, covering much of the company’s recent history, include further technical evidence which forensically confirms that Intellexa’s flagship Predator spyware was used in specific cases of surveillance abuses previously found in Greece and Egypt.
Amnesty International was the technical partner on the “Intellexa Leaks”, supporting media partners with verification and analysis of the leaked data. This article outlines the evidence that Amnesty International’s Security Lab (our in-house specialists on digital security and forensics) analysed, and what we believe it tells us about Intellexa’s operations.
Predator spyware poses an ongoing threat to civil society in 2025
This new investigation by Amnesty International’s Security Lab comes at a critical time for civil society to stop human rights abuses powered by the spyware industry. The new research indicates that Intellexa’s Predator spyware continues to be used to unlawfully surveil activists, journalists and human rights defenders around the world, despite repeated public exposure, criminal investigations, and financial sanctions directed at the company and its senior executives.
Ongoing forensic investigations from Amnesty International’s Security Lab – independent of this publication – have found new evidence that Predator spyware is being actively used in Pakistan. In summer 2025, a human rights lawyer from Pakistan’s Balochistan province received a malicious link over WhatsApp from an unknown number. Amnesty International’s Security Lab attributes the link to a Predator attack attempt based on the technical behaviour of the infection server, and on specific characteristics of the one-time infection link which were consistent with previously observed Predator 1-click links. This is the first reported evidence of Predator spyware being used in the country. The targeting comes at a time of severe limits and restrictions placed on the rights of human rights activists in Balochistan province, including increasingly common province-wide internet shutdowns.
Amnesty International is continuing to investigate this and other attacks, and will release further details, as well as additional cases of Predator abuses found in Africa, in a series of upcoming reports.
These new forensically confirmed cases highlight the continued digital threat that Intellexa’s Predator spyware poses to activists and human rights defenders.
Methodology
Inside Story, Haaretz and WAV Research Collective have collaborated on a months-long investigation, the “Intellexa Leaks”, drawing on a set of highly sensitive documents and other materials leaked from the company, including internal company documents, sales and marketing material, as well as training videos. Amnesty International researchers reviewed a selection of the leaked Intellexa material as part of this collaboration to verify technical evidence and for fact-checking purposes.
The material was highly consistent with Amnesty International’s knowledge and understanding of the Predator spyware system, including non-public technical evidence gathered by Amnesty International through forensic research and other investigative efforts. Amnesty International has previously documented Intellexa’s technical capabilities, and numerous cases of abuse linked to the spyware product, as part of the 2023 Predator Files project. On this basis, our technologists were able to confirm with a high degree of confidence that the files are genuine and provide a unique perspective into Intellexa’s operations.
Significantly, the leaked material also validates independent research published by other civil society and industry researchers, including Citizen Lab, Recorded Future and Google’s Threat Analysis Group, who have tracked Predator spyware activity in recent years. In addition to verifying the authenticity of the material, Amnesty’s Security Lab analysed the leaked materials for insights into the technical capabilities of Intellexa’s spyware, and what this might tell us about the evolving nature of mobile spyware threats more broadly. The analysis, summarized in this technical briefing, was also shared with media partners to support their research. Unedited screenshots and reproductions of the leaked material are included in this briefing.
Cybersecurity researchers at Google’s Threat Analysis Group and Recorded Future have today published two independent, but complementary, technical briefings which provide further insights on Intellexa’s corporate structure, active customers, exploits and technical capabilities. These reports draw on separate investigations and visibility into Intellexa activities. Google has also announced a round of spyware threat notifications sent to individuals Google identified as likely Predator spyware targets, including “several hundred accounts across various countries, including Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, Saudi Arabia and Tajikistan”.
Acting on behalf of the organisations working on the “Intellexa Leaks”, Haaretz wrote to Intellexa on 26 November 2025 to outline the findings from the investigation, including those in this article, and invited them to comment. On 3 December, a legal representative acting on behalf of Tal Dilian, the founder of Intellexa, sent a written response to Haaretz that states that he has “not committed any crime nor operated any cyber system in Greece or anywhere else”. The full statement does not provide specific answers to the questions posed or allegations raised by the evidential findings in the Intellexa Leaks. The verbatim response letter can be viewed in full in the articles by Haaretz and by Inside Story.