Report finds spyware still active despite US sanctions, with use reported in Pakistan
A recent investigation into Intellexa, the Israeli spyware company behind Predator – a one-click spyware that covertly infects devices to harvest sensitive data, including messages, photos, locations and audio files, while also enabling remote monitoring and control – has uncovered evidence of its ongoing operations despite international sanctions, with some leaks indicating use of the spyware in Pakistan.
Jointly published by Haaretz, Inside Story and WAV Research Collective, the leaks reveal that Intellexa continues to operate its spyware systems with minimal disruption. Despite being sanctioned by the US Treasury Department in 2024 for selling spyware to various governments, Intellexa’s tools remain active.
Leaked documents suggest Intellexa staff maintained remote access to client surveillance operations. This included viewing data from Predator-infected devices, which goes beyond what the company has publicly disclosed and raises questions about the company’s liability.
Additionally, Intellexa has reportedly developed a new infection vector called “Aladdin”, which uses malicious online advertisements to infect user devices. This no-click exploit is more insidious than previous methods, as simply viewing an ad can result in an infection, making surveillance much more stealthy and difficult to detect.
Predator in Pakistan
Leaks suggest Predator spyware was used in Pakistan. In 2025, a human rights lawyer in Balochistan received a suspicious WhatsApp link later linked to Intellexa spyware. This is the first confirmed case of use of Predator spyware in the country.
“[A] A human rights lawyer in Pakistan received a WhatsApp message from an unknown number. It was a journalist… who sent a link to an article mentioning the lawyer’s name… [I]It was Predator, the phone hacking technology sold by Intellexa, an Israeli-run company…”
– Christophe Clary (@clary_co) December 4, 2025
A senior Pakistani intelligence official reportedly dismissed the claims, calling them “baseless” and suggesting the report was aimed at undermining the country. Evidence provided by Amnesty’s security lab, including forensic data and technical analysis, suggests the situation is more complex.
According to the report, Intellexa founder Tal Dilian denied any criminal activity.
Once activated via the one-click method, Predator blends into background processes and collects sensitive information. It establishes a communication channel between the infected device and the attacker’s command and control server, allowing attackers to issue commands remotely.
The spyware regularly sends the stolen data to a remote server, where it is stored for analysis or later use. This data transfer happens in the background, without triggering alerts on the device.
