Report reveals that spyware is still active despite US sanctions and its use is reported in Pakistan
A recent investigation into Intellexa, the Israeli spyware company behind Predator, a one-click spyware tool that covertly infects devices to collect sensitive data, including messages, photos, location and audio, while enabling remote surveillance and control, has uncovered evidence of its ongoing operations despite international sanctions, with some leaks indicating the use of the spyware in Pakistan.
Jointly published by Haaretz, Inside Story and WAV Research Collective, the leaks reveal that Intellexa continues to operate its spyware systems with minimal disruption. Despite being sanctioned by the US Treasury Department in 2024 for selling spyware to various governments, Intellexa’s tools remain active.
The leaked documents suggest that Intellexa staff maintained remote access to clients’ surveillance operations. This included viewing data from Predator-infected devices, which exceeds what the company has publicly disclosed and raises questions about the company’s liability.
In addition, Intellexa has reportedly developed a new infection vector called “Aladdin,” which uses malicious online ads to infect users’ devices. This no-click exploit is more insidious than previous methods, as simply viewing an ad can lead to an infection, making surveillance much stealthier and harder to detect.
Predator in Pakistan
Leaks suggest that Predator spyware has been used in Pakistan. In 2025, a human rights lawyer in Balochistan received a suspicious WhatsApp link that was later linked to Intellexa spyware. This is the first confirmed case of Predator spyware being used in the country.
“[A] A human rights lawyer in Pakistan received a WhatsApp message from an unknown number. It was a journalist… sending a link to an article that mentioned the lawyer by name… [I]It was Predator, the phone hacking technology sold by Intellexa, a company run by Israelis…”
—Christopher Clary (@clary_co) December 4, 2025
A senior Pakistani intelligence official reportedly rejected the claims, calling them “baseless” and suggesting that the report was aimed at undermining the country. Amnesty Security Laboratory evidence, including forensic data and technical analysis, suggests the situation is more complex.
According to the report, Intellexa founder Tal Dilian has denied any criminal activity.
Once activated via the one-click method, Predator integrates into background processes and collects sensitive information. It establishes a communication channel between the infected device and the attacker’s command and control server, allowing attackers to issue commands remotely.
Spyware periodically sends stolen data to a remote server, where it is stored for analysis or later use. This data transfer occurs in the background, without triggering alerts on the device.
