Sanctioned spyware developer Intellexa reportedly maintained remote access to the surveillance systems of some government clients, allowing its staff to directly view the personal data of individuals targeted by its Predator spyware. This significant revelation comes from a series of reports published by Amnesty International and a coalition of media partners, including Israeli newspaper Haaretz, Greek news site Inside Story, and Swiss outlet Inside IT. These reports are based on leaked internal company documents, sales and marketing materials, and training videos.

Perhaps the most alarming discovery is the alleged remote access by Intellexa employees to customer surveillance systems, facilitated by TeamViewer, a standard tool for internet-based computer connections. This access was reportedly demonstrated in a leaked training video, which exposed privileged sections of the Predator spyware system, including its dashboard and the "storage system containing photos, messages and all other surveillance data gathered from victims of the Predator spyware," as detailed in Amnesty's report. While Amnesty published screenshots, the full video was not released.

According to Amnesty's researchers, the leaked video depicted "live" Predator infection attempts "against real targets," evidenced by specific details from "at least one infection attempt against a target in Kazakhstan." This included the infection URL, the target's IP address, and the software versions of the target's phone.

A screenshot of the dashboard of an Intellexa customer surveillance system, which shows the types of sensitive personal data of hacked targets that customers and Intellexa support staff may have access to.
A screenshot of the dashboard of an Intellexa customer surveillance system, which shows the types of sensitive personal data of hacked targets that customers and Intellexa support staff may have access to. Image Credits: Amnesty International

Industry Norms Challenged

This alleged remote access directly contradicts the long-standing assertions of spyware companies, including prominent firms like NSO Group and the defunct Hacking Team. These companies have consistently maintained that they do not access their customers' target data or surveillance systems. There are several reasons for this industry standard:

  • Legal Liability: Spyware makers aim to avoid potential legal responsibility if their products are used unlawfully by customers. They prefer to assert that customers bear full responsibility for the spyware's use post-sale.
  • Customer Privacy: Government clients typically wish to protect the sensitive details of their investigations, such as targets' identities, locations, and personal data, from exposure to private companies, especially those based internationally.

Paolo Lezzi, CEO of spyware maker Memento Labs, confirmed to TechCrunch that such remote access is "absolutely not normal." He stated, "No [government] agency would accept it." Lezzi expressed skepticism that the leaked training video showed a live customer system, suggesting it might be a demo environment. He noted that while Memento Labs occasionally grants temporary, supervised TeamViewer access to customer systems for technical troubleshooting, it is always under strict client oversight.

Amnesty Confirms Live System Access

Despite Lezzi's skepticism, Amnesty International remains convinced that the leaked video indeed demonstrates access to live Predator surveillance systems. Donncha Ó Cearbhaill, head of Amnesty's security lab, which conducted the technical analysis of the leaked material, stated, "One of the staff in the training call ask if it was a demo environment, and the instructor confirmed it was a live customer system."

The revelation that Intellexa staffers could potentially see who their customers were spying on has significantly amplified Amnesty's concerns regarding security and privacy.

"These findings can only add to the concerns of potential surveillance victims. Not only is their most sensitive data exposed to a government or other spyware customer, but their data risks being exposed to a foreign surveillance company, which has demonstrable issues in keeping their confidential data stored securely," the nonprofit wrote in its report.

Intellexa and Founder Tal Dilian Under Scrutiny

Intellexa could not be reached for comment regarding these allegations. A lawyer representing Intellexa's founder, Tal Dilian, informed Haaretz that Dilian has "not committed any crime nor operated any cyber system in Greece or anywhere else."

Dilian is a controversial figure within the government spyware industry. A veteran of the sector previously described Dilian to TechCrunch as someone who "moves like an elephant in a crystal shop," implying a lack of discretion in his activities. "In that particular space of spyware sellers you have to be extremely balanced and attentive… but he didn't care," the source added.

In 2024, the U.S. government imposed sanctions against Tal Dilian and his business partner, Sara Aleksandra Fayssal Hamou. These sanctions were based on allegations that Intellexa's spyware was used to target Americans, including U.S. government officials, journalists, and policy experts. The sanctions prohibit American companies and nationals from engaging in commercial relationships with Dilian and Hamou. This marked the first instance of the U.S. government targeting a specific individual in the spyware industry, following previous actions against firms like NSO Group.

In his response to Haaretz, Dilian dismissed journalists as "useful idiots" in an "orchestrated campaign" designed to harm him and his company, which he claimed was "fed into the Biden administration."