Report reveals spyware still active despite US sanctions, with reported use in Pakistan
A recent investigation into Intellexa, the Israeli spyware company behind Predator – a one-click spyware tool that secretly infects devices to harvest sensitive data, including messages, photos, location and audio, while enabling remote monitoring and control – has revealed evidence of its ongoing operations despite international sanctions, with some leaks indicating its use by Pakistan.
Published jointly by Haaretz, Inside Story and the WAV Research Collective, the leak reveals that Intellexa continues to operate its spyware systems with minimal disruption. Despite being sanctioned by the US Treasury Department in 2024 for selling spyware to various governments, Intellexa’s tools remain active.
Leaked documents suggest that Intellexa staff retained remote access to customers’ surveillance operations. This included displaying data from devices infected by Predator, which goes beyond what the company has disclosed and raises questions about the company’s accountability.
In addition, Intellexa has reportedly developed a new infection vector called “Aladdin” that uses malicious online advertisements to infect users’ devices. This zero-click exploit is more insidious than previous methods, as simply viewing an ad can result in an infection, making surveillance far more stealthy and difficult to detect.
Predators in Pakistan
Leaks suggest Predator spyware has been used in Pakistan. In 2025, a human rights lawyer in Balochistan received a suspicious WhatsApp link later linked to Intellexa’s spyware. This is reported as the first confirmed case of Predator spyware use in the country.
“[A] human rights lawyer in Pakistan received a WhatsApp message from an unknown number. It was a journalist… who sent a link to an article that mentioned the lawyer by name… [I]It was Predator, the phone-hacking technology sold by Intellexa, a company run by Israelis…”
— Christopher Clary (@clary_co) December 4, 2025
A senior Pakistani intelligence official has reportedly rejected the claims, calling them “baseless” and suggesting the report was intended to undermine the country. Evidence from Amnesty’s security lab, including forensic data and technical analysis, suggests the situation is more complex
According to the report, Intellexa’s founder, Tal Dilian, has denied any criminal activity.
Once activated via the one-click method, Predator interferes with background processes and collects sensitive information. It establishes a communication channel between the infected device and the attacker’s command-and-control server, allowing attackers to issue commands remotely.
The spyware regularly sends the stolen data to an external server, where it is stored for analysis or further use. This data transfer happens in the background without triggering alerts on the device.
