Israeli spyware targets Pakistani human rights lawyer

Report reveals spyware still active despite U.S. sanctions, with reported use in Pakistan

A recent investigation into Intellexa, the Israeli spyware firm behind Predator, has uncovered evidence of its ongoing operations despite international sanctions, with some leaks indicating the use of the spyware in Pakistan. Predator is a one-click spyware tool that covertly infects devices to harvest sensitive data, including messages, photos, location, and audio, while also enabling remote surveillance and control.

Jointly published by Haaretz, Inside Story and WAV Research Collective, the leaks reveal that Intellexa continues to operate its spyware systems with minimal disruption. Despite being sanctioned by the U.S. Treasury Department in 2024 for selling spyware to various governments, Intellexa’s tools remain active.

Leaked documents suggest Intellexa staff retained remote access to customers’ surveillance operations. This included viewing data from devices infected by Predator, which exceeds what the firm has publicly disclosed and raises questions about the company’s accountability.

In addition, Intellexa has reportedly developed a new infection vector called “Aladdin”, which uses malicious online advertisements to infect users’ devices. This zero-click exploit is more insidious than previous methods, as simply viewing an ad can result in an infection, making surveillance far more stealthy and difficult to detect.

Predator in Pakistan

Leaks suggest Predator spyware has been used in Pakistan. In 2025, a human-rights lawyer in Balochistan received a suspicious WhatsApp link later linked to Intellexa’s spyware. This is reported as the first confirmed case of Predator spyware use in the country.

A senior Pakistani intelligence officer has reportedly rejected the claims, calling them “baseless” and suggesting the report was intended to undermine the country. Evidence from Amnesty’s Security Lab, including forensic data and technical analysis, suggests the situation is more complex.

According to the report, Intellexa’s founder, Tal Dilian, has denied any criminal activity.

Once activated via the one-click method, Predator blends into background processes and collects sensitive information. It establishes a communication channel between the infected device and the attacker’s command-and-control server, allowing attackers to issue commands remotely.

The spyware regularly sends the stolen data to a remote server, where it is stored for analysis or further use. This data transfer happens in the background, without triggering alerts on the device.

