Intellexa Spyware: Direct Access to Government Espionage Victims

Intellexa's Remote Access to Surveillance Systems Revealed

New evidence, released by Amnesty International, indicates that Intellexa, a manufacturer of spyware, possessed remote access to the surveillance infrastructure of certain governmental clients. This access reportedly allowed company personnel to view the private information of individuals whose devices had been compromised by their Predator spyware.

Leaked Materials Detail Internal Operations

Amnesty International, alongside a coalition of media organizations – including Haaretz, Inside Story, and Inside IT – published a series of reports on Thursday. These reports are based on leaked materials originating from Intellexa, encompassing internal documentation, sales presentations, and instructional videos.

A particularly noteworthy finding is the allegation that Intellexa employees could remotely access customer surveillance systems utilizing TeamViewer. This readily available software facilitates connections to computers over the internet.

Predator Spyware System Access Demonstrated

A leaked training video showcases privileged sections of the Predator spyware system, including its control panel. It also displays the “storage system containing photos, messages, and all other surveillance data collected from individuals targeted by the Predator spyware,” as detailed in Amnesty’s report. Screenshots from the video were published, though the complete video remains unreleased.

Researchers at the nonprofit organization state that the leaked video demonstrates apparent “live” Predator infection attempts “directed at actual targets.” This assessment is based on detailed information, including data from an attempted infection targeting an individual in Kazakhstan, which included the infection URL, the target’s IP address, and the phone’s software versions.

Industry Practices and Concerns

Companies involved in selling spyware to governmental bodies, like NSO Group and the now-defunct Hacking Team, have consistently asserted that they do not access the data of their customers’ targets or their systems. This stance is motivated by several factors.

Spyware developers aim to avoid potential legal repercussions should their products be misused. They generally maintain that customers bear full responsibility for how the spyware is deployed. Governmental clients, conversely, are reluctant to reveal details of sensitive investigations – including target identities and personal data – to private companies, particularly those based abroad.

Consequently, this type of remote access is considered highly unusual, according to Paolo Lezzi, CEO of Memento Labs, who commented on the situation. He stated that “no [government] agency would accept it.”

Skepticism and Limited Access

Lezzi expressed skepticism regarding the authenticity of the leaked training video, suggesting it might depict a demonstration environment. He also noted that some customers have requested access to their systems, but Memento Labs only grants such access when essential for resolving technical issues. In such cases, access is provided under the customer’s supervision and for a limited duration.

Amnesty's Confidence in the Leak's Authenticity

However, Amnesty International remains confident that the leaked video demonstrates access to active Predator surveillance systems.

Donncha Ó Cearbhaill, head of Amnesty’s security lab, confirmed that during the training call, an inquiry about whether it was a demo environment was met with a confirmation that it was a live customer system. His team conducted the technical analysis of the leaked materials and has previously investigated instances of Predator infections.

Privacy and Security Implications

The revelation that Intellexa staff had visibility into their customers’ surveillance targets has heightened concerns regarding security and privacy.

“These findings only amplify the anxieties of potential surveillance victims. Their most sensitive data is not only exposed to a government or spyware customer but also risks exposure to a foreign surveillance company with a documented history of insecure data storage,” the nonprofit organization stated in its report.

Intellexa's Response and U.S. Sanctions

Intellexa was unavailable for comment. A legal representative for Intellexa’s founder, Tal Dilian, informed Haaretz that Dilian has “not committed any crime nor operated any cyber system in Greece or elsewhere.”

Dilian is a prominent and controversial figure in the governmental spyware industry. A veteran of the sector described Dilian as operating with a disregard for discretion, “moving like an elephant in a crystal shop.”

In 2024, the U.S. government imposed sanctions on Tal Dilian and Sara Aleksandra Fayssal Hamou, a business associate. The sanctions were based on allegations that Intellexa’s spyware was used against Americans, including government officials, journalists, and policy experts. These sanctions prohibit U.S. companies and citizens from engaging in commercial transactions with Dilian and Hamou.

This marked the first instance of the U.S. government targeting an individual involved in the spyware industry, following previous actions against NSO Group.

Dilian's Accusations

In response to Haaretz, Dilian accused journalists of being “useful idiots” in a coordinated effort to damage his reputation and his company, alleging that this campaign was “fed into the Biden administration.”