When Governments Buy Spyware, Who's Really Being Watched?

A WhatsApp Link That Changed Everything

Throughout 2024, Angolan journalist Teixeira Cândido received what seemed like ordinary WhatsApp messages. Harmless links, everyday chatter. Until he clicked on one that wasn't.

That single click transformed his iPhone into a government surveillance device, infected with Intellexa's Predator spyware—a tool capable of accessing everything from his messages to his location. According to Amnesty International's report released Tuesday, Cândido had unknowingly become another casualty in the expanding war on press freedom.

The irony? Hours after the infection, Cândido rebooted his phone, accidentally wiping the spyware clean. Had he not done so, his every conversation, photo, and movement would have remained under government watch.

The Sanctions That Didn't Stick

Here's where the story gets murky. Intellexa was sanctioned by the Biden administration in 2024, along with founder Tal Dilian and business partner Sara Aleksandra Fayssal Hamou. Yet their spyware continues operating across multiple continents, from Egypt to Vietnam to now Angola.

How? Through what U.S. officials call an "opaque web of corporate entities." When one jurisdiction cracks down, operations shift to another subsidiary in a different country. It's corporate whack-a-mole on a global scale.

Amnesty researchers found evidence that Intellexa-linked domains were active in Angola as early as March 2023—suggesting the spyware infrastructure was established well before the sanctions hit. The company's tentacles had already spread.

Beyond the Obvious Targets

What makes Cândido's case particularly chilling isn't that he was targeted—it's who he is. Not a high-profile dissident or terrorism suspect, but a local press freedom activist. This represents a fundamental shift in how governments use commercial spyware.

The targeting has democratized. Researchers have documented Predator abuse in Egypt, Greece, and Vietnam, where U.S. officials were reportedly targeted via malicious links on X. The tool once reserved for "national security threats" now surveils ordinary citizens whose only crime is asking uncomfortable questions.

Cândido's phone was running outdated iOS, highlighting how everyday users with aging devices become easy prey. The spyware disguised itself as legitimate system processes, making detection nearly impossible for the average user.

The Surveillance Economy Thrives

Previous leaks revealed that Intellexa employees could remotely access customer systems, potentially giving the spyware maker visibility into government surveillance operations worldwide. This creates a troubling dynamic: private companies not only selling surveillance tools but potentially overseeing how governments use them.

"For every case we uncover, many more abuses surely remain hidden," warned Donncha Ó Cearbhaill, head of Amnesty's Security Lab. The cases in Angola, Egypt, Pakistan, and Greece likely represent just the visible tip of a much larger iceberg.

Meanwhile, the Trump administration recently lifted sanctions against three Intellexa executives, prompting demands for answers from Senate Democrats. The revolving door of sanctions and their subsequent lifting raises questions about the effectiveness of current regulatory approaches.