Skip to main content
Amnesty International UK
Log in

'Predator' spyware brazenly targeting journalists, politicians, civil society and academics - Major New Investigation

© Amnesty International

Amnesty has uncovered a highly-invasive spyware being used to gain access to people’s phones through links on X (formerly Twitter) and Facebook

Once the spyware has infiltrated a device it has unconstrained access to its microphone, camera and all its data, while the user is entirely unaware

Predator can also be used in ‘zero-click’ attacks, meaning it can infiltrate a device without the user having clicked on a link

‘Yet again, we have evidence of powerful surveillance tools being used in brazen attacks …  [and] the victims are all of us, our societies, good governance and everyone’s human rights’ – Agnès Callamard

Shocking spyware attacks have been attempted against journalists, politicians, civil society groups and academics in the EU, US and Asia, according to a major new investigation by Amnesty International in partnership with the European Investigative Collaborations and backed by additional in-depth reporting by Mediapart and Der Spiegel. 

In the report, “The Predator Files: Caught in the Net”, Amnesty’s Security Lab reveals how targets of a cyber-surveillance weapon called Predator include UN officials, a senator and congressman in the USA and even the Presidents of the European Parliament and Taiwan.  

Predator was developed and sold by the Intellexa alliance. This alliance, which has advertised itself as “EU-based and regulated”, is a complex and often changing group of companies that develops and sells surveillance products, including the Predator spyware.

Between February and June this year, social media platforms X (formerly Twitter) and Facebook were used to publicly target at least 50 accounts belonging to 27 individuals and 23 institutions.

Predator: Intrusive and insidious

Predator is a type of highly invasive spyware because once it has infiltrated a device it has unrestricted access to its microphone and camera and all its data such as contacts, messages, photos and videos, while the user is entirely unaware.

Although often hidden in links on social media, Predator can also be used in “zero-click attacks”, meaning it can infiltrate a device without the user having clicked on a link. This can be done, for example, by so-called "tactical attacks" which can infect nearby devices.

Such spyware cannot, at present, be independently audited or limited in its functionality to only those functions that are necessary and proportionate to a specific use.  It is, therefore, exceedingly difficult to investigate abuses linked to its use.   

Amnesty uncovered that those who were targeted - though not necessarily infected - include the President of the European Parliament, Roberta Metsola, the President of Taiwan, Tsai Ing-Wen, US Congressman Michael McCaul, US Senator John Hoeven, the German Ambassador to the US, Emily Haber and French MEP Pierre Karleskind. Multiple officials, academics and institutions were also targeted.  

Agnès Callamard, Secretary General at Amnesty International, said:

“Yet again, we have evidence of powerful surveillance tools being used in brazen attacks. The targets this time around are journalists in exile, public figures and intergovernmental officials. But let’s make no mistake: the victims are all of us, our societies, good governance and everyone’s human rights.

“The Intellexa alliance, European-based developers of Predator and other surveillance products have done nothing to limit who is able to use this spyware and for what purpose.

“Instead, they are lining their pockets and ignoring the serious human rights implications at stake. In the wake of this latest scandal, surely the only effective response is for states to impose an immediate worldwide ban on highly invasive spyware.” 

Vietnam: Predator zeroes in on journalist

Amnesty’s Security Lab has been investigating the use of the powerful Predator spyware and its link to the Intellexa alliance for some time.   

An attacker-controlled X account, named ‘@Joseph_Gordon16', shared many of the identified attack links which aimed to infect targets with the Predator spyware.

One early target of this account was Berlin-based journalist Khoa Lê Trung, originally from Vietnam. Khoa is editor-in-chief of thoibao.de, a news website that is blocked in his home country, and he has faced death threats over his reporting since 2018. Vietnam has a repressive media landscape where journalists, bloggers and human rights activists are often intimidated into silence.  The attack, though unsuccessful, is especially significant as the website and journalist are based in the EU, and all EU member states have an obligation to control the sale and transfer of surveillance technologies.  

Khoa told Amnesty:

“You can't just sell them to countries like Vietnam. This also harms the freedom of the press and freedom of expression for the people here in Germany.”

The investigation revealed that the @Joseph_Gordon16 account had close links to Vietnam and may have been acting on behalf of Vietnamese authorities or interest groups.  

In April this year, Amnesty’s Security Lab began to observe the same ‘@Joseph_Gordon16’ user targeting multiple academics and officials working on maritime issues, specifically researchers and officials responsible for EU and UN policies on illegal or undocumented fishing. Vietnam was given a “yellow card warning” by the European Commission in 2017 for illegal, unreported, and unregulated fishing.

Donncha Ó Cearbhaill, Head of Amnesty International’s Security Lab, said:

“We observed dozens of instances in which ‘@Joseph_Gordon16’ pasted a malicious link to Predator in public social media posts. Sometimes the link seemed to be a benign news outlet, such as The South China Morning Post, to lull the reader into clicking on it.

“Our analysis demonstrated that clicking the link could lead to the reader’s device being infected with Predator. We do not know if any device was infected, and we cannot say with absolute certainty that the perpetrator was within the government of Vietnam itself, but both the interests of the account and the Vietnam authorities were very closely aligned.”   

Shady deals with political ties

The investigation also uncovered evidence that a company within the Intellexa alliance signed a multi-million euro deal for “infection solutions” with Vietnam’s Ministry of Public Security (MOPS) in early 2020, codenamed “Angler Fish”. Documents and export records also confirmed the sale of Predator to MOPS through broker companies.  

Google’s security researchers who also independently analysed the malicious links, told Amnesty: “We believe this Predator attack infrastructure is associated with a government actor in Vietnam.”

EU-regulated spyware running rampant  

The Predator investigation found the presence of Intellexa alliance products in at least 25 countries across Europe, Asia, the Middle East and Africa, and documents how they have been used to undermine human rights, press freedom, and social movements across the globe.   

It also found Intellexa alliance products had been sold to at least 25 countries including Switzerland, Austria and Germany. Other clients include Congo, Jordan, Kenya, Oman, Pakistan, Qatar, Singapore, the UAE and Viet Nam.  

The Intellexa alliance has corporate entities in various countries including France, Germany, Greece, Ireland, Czech Republic, Cyprus, Hungary, Switzerland, Israel, North Macedonia, and the United Arab Emirates (UAE).

Amnesty is calling on all these countries to immediately revoke all marketing and export licences issued to the Intellexa alliance and conduct an independent, impartial, transparent investigation to determine the extent of unlawful targeting.  

Agnès Callamard added: 

“Intellexa says it is an ‘EU-based and regulated’ company which is, in itself, a damning indictment of how EU member states and institutions have failed to prevent the ever-expanding reach of these surveillance products despite a series of investigations such as the ‘Pegasus Project’ in 2021. So much so that, as this investigation highlights, even EU officials and institutions themselves were caught in its net.”

Safeguards desperately needed

Amnesty is calling on the Intellexa alliance to stop the production and sale of Predator and any other similarly invasive spyware that does not include technical safeguards allowing for its lawful use under a human rights respecting regulatory framework. It should also provide adequate compensation or other forms of effective redress to victims of unlawful surveillance.    

Amnesty’s analysis of recent technical infrastructure linked to the Predator spyware system indicates related activity, in one form or another, in Angola, Egypt, Mongolia, Kazakhstan, Indonesia, Madagascar, Sudan and Vietnam among others.  Amnesty has published indicators of compromise to help civil society technologists identify and respond to this spyware. 

Amnesty contacted Intellexa and its related companies for comment but received no response. However, EIC did receive a response from the main shareholders and former executives of Nexa group. In their response they claim that the Intellexa alliance has ceased to exist. In relation to Vietnam, they claim that Nexa Group only honoured part of the contract related to cybersecurity. They also claim that the entities of Intellexa alliance “scrupulously respected export regulations”, while acknowledging that they established “commercial relations” with countries that "were far from perfect in terms of the rule of law," further stating that it was often a function of “political choices” from the French government. 

Amnesty wrote to Vietnam’s Ministry of Public Security for comment but did not receive a response. 

View latest press releases