US sanctions Predator spyware makers for targeting gov’t officials

The U.S. government announced sanctions on Tuesday against two people and five entities tied to Predator spyware, just days after the company behind the tool took down infrastructure in response to new research about its operations.

The Treasury Department said it sanctioned people and entities connected to the Intellexa Commercial Spyware Consortium — a holding company used to sell Predator — for their role in “developing, operating, and distributing commercial spyware technology used to target Americans, including U.S. government officials, journalists, and policy experts.”

Predator has been deployed since at least 2019, infecting both Android and iPhone devices. A consortium of journalists, activists and cyber experts previously examined the spyware in a project called the Predator Files.

“Today’s actions represent a tangible step forward in discouraging the misuse of commercial surveillance tools, which increasingly present a security risk to the United States and our citizens,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson.

“The United States remains focused on establishing clear guardrails for the responsible development and use of these technologies while also ensuring the protection of human rights and civil liberties of individuals around the world.”

The sanctions name Tal Jonathan Dilian — the founder of the Intellexa Consortium and a former Israeli army officer — as the architect behind the spyware tools and noted that the consortium is a “complex international web of decentralized companies controlled either fully or partially by Dilian, including through Sara Aleksandra Fayssal Hamou.”

Hamou is named in the sanctions as an expert in “corporate off-shoring” who assisted Dilian by renting office space in Greece and holding leadership roles in several of the entities used to sell Predator spyware.

In addition to Dilian and Hamou, the sanctions list a complex web of holding companies and entities based in Ireland, Greece, Hungary and North Macedonia that helped develop, sell or market the spyware products and hacking tools used.

The people and companies are being sanctioned for their role in developing tools that are a “significant threat to the national security, foreign policy, or economic health or financial stability of the United States.”

The consortium is used as a marketing label for several offensive cyber companies that offer commercial spyware, surveillance tools and vulnerabilities that can be used to target victims.

All of the tools are packaged under the “Predator” brand name and allow users to infiltrate different devices through “zero-click attacks that require no user interaction for the spyware to infect the device,” according to the sanctions.

Once devices are compromised by Predator spyware, victims have had data extracted and their locations tracked. The hackers can also see a victim’s contacts, call logs, messaging information, microphone recordings and more.

‘A global customer base’

The Treasury Department said the consortium has a “global customer base” that includes authoritarian regimes.

The sanctions, according to a senior administration official, are designed to cut off Intellexa from the U.S. financial system.

“Any new corporate structures that these companies establish to continue this unacceptable behavior will also face risks. We will work to follow any new entity that attempts to play corporate shell games, seek refuge in jurisdictions with lax export policies or obfuscate money flows or hide their finances,” they said.

“These actions highlight that there are two paths here. There's one path in which companies implement safeguards to ensure responsible use of their tools, and then another path where there are consequences for those vendors that cloud safeguards and seek to profit on continued misuse of their tools.”

A report from Google in February cited research from The New York Times and Amnesty International that Intellexa offered customers the ability to install spyware implants on 10 Android or iOS devices for €8 million.

The price increased depending on whether the targeted devices were inside the purchasing government’s own borders or in other countries. The company guaranteed maintenance of the spyware infection for one year and committed to deploying new zero-day exploits if the ones in use were patched.

The U.S. Treasury Department previously sanctioned Intellexa itself in July 2023. The U.S. government and several research firms have implicated Intellexa in the “trafficking” of cyber exploits that were used to gain access to vulnerable systems.

Two Ireland-based arms of the company were also sanctioned last July alongside an entity named Cytrox — which is based in North Macedonia and “acts as a developer of the consortium’s Predator spyware.” A Hungary-based holding company previously used by the developers was also sanctioned.

Greece fined the consortium last year for failing to comply with its investigations into the use of the controversial technology. That inquiry was launched following press reports in Greece which claimed that senior public figures — including the chief of national defense staff and the leadership of the political opposition — had been placed under surveillance.

Intellexa has been investigated by Citizen Lab as part of its civil society work tracking the abuses of spyware.

According to Citizen Lab, companies participating in the consortium have faced legal challenges before judges in France who specialize in crimes against humanity and war crimes cases. The two separate allegations relate to "complicity in torture in relation to product sales to the Libyan government and complicity in torture and forced disappearance in relation to product sales to the Egyptian government."

One of these companies, Cytrox, was identified by Meta in 2021 as part of the global surveillance-for-hire industry. Meta stated that it believes the company's customers include organizations in Armenia, Colombia, Côte d’Ivoire, Egypt, Germany, Greece, Oman, Saudi Arabia, Vietnam and the Philippines.

Amnesty International previously identified technical infrastructure indicating a presence, in one form or another, in Sudan, Mongolia, Madagascar, Kazakhstan, Egypt, Indonesia, Vietnam and Angola.

Agnès Callamard, Amnesty International’s Secretary General, said in October that the ‘Predator Files’ investigation “shows what we have long feared: that highly invasive surveillance products are being traded on a near industrial scale and are free to operate in the shadows without oversight or any genuine accountability.”

Infrastructure takedown

The announcement comes just one day after the operators took servers offline following reports from Sekoia and Recorded Future about the group’s activities. The Record is an editorially independent unit of Recorded Future.

By analyzing the domains likely used to deliver the spyware, analysts at Recorded Future’s Insikt Group were able to spot potential Predator customers in Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia and Trinidad and Tobago.

No Predator customers within Botswana and the Philippines had been identified before Recorded Future’s analysis.

For example, the domains krisha-kz.com and kollesa.com appear to be spoofing a real estate company and an auto sales platform in Kazakhstan. The country's history of using cyber surveillance vendors such as NSO Group, FinFisher and RCS Lab to target activists and politicians further suggests that it is likely a Predator customer. Over half of the domains identified by Insikt Group were linked to Kazakhstan, indicating a potentially heightened level of spyware activity, researchers said.
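The lookalike-domain pattern described above lends itself to a simple defensive check over DNS logs. The following is an added example, not code from the article or from Insikt Group; it assumes the genuine sites behind the two lookalikes are krisha.kz and kolesa.kz (the article names only the spoofing domains), and the protected list and log lines are constructed.

```python
# Added example (not code from the article or from Insikt Group): flag DNS
# queries for domains that imitate protected local brands. Assumes the real
# sites behind the lookalikes named in the article are krisha.kz and kolesa.kz.

# Constructed list of legitimate domains a defender wants to protect.
PROTECTED = ["krisha.kz", "kolesa.kz"]

# Constructed DNS query log: timestamp, client IP, queried name.
DNS_LOG = """\
2024-03-05T10:01:12Z 10.0.0.14 krisha.kz
2024-03-05T10:01:40Z 10.0.0.14 krisha-kz.com
2024-03-05T10:02:03Z 10.0.0.22 kollesa.com
2024-03-05T10:02:30Z 10.0.0.22 example.org
2024-03-05T10:03:11Z 10.0.0.31 www.kolesa.kz
"""

def core(name):
    """Drop the TLD and hyphens: 'krisha-kz.com' -> 'krishakz'."""
    return "".join(name.split(".")[:-1]).replace("-", "")

def edit_distance(a, b):  # Levenshtein distance, catches one-character typosquats
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, protected=PROTECTED):
    """Return the protected brand a domain imitates, or None if it is clean."""
    name = domain.lower().strip()
    name = name[4:] if name.startswith("www.") else name
    if name in protected:  # the genuine site itself is never flagged
        return None
    for brand in protected:
        # Compare against 'krisha' and against 'krishakz' (TLD folded into the label)
        targets = (core(brand), core(brand) + brand.rsplit(".", 1)[-1])
        if min(edit_distance(core(name), t) for t in targets) <= 1:
            return brand
    return None

def flag_lookalikes(log_text):
    """Return (client, domain, imitated brand) for every suspicious query."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        brand = lookalike_of(qname)
        if brand:
            hits.append((client, qname, brand))
    return hits
```

Run over the constructed log, the two lookalike queries are reported with the client that issued them, while the genuine sites and an unrelated domain are left alone.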

Senior administration officials tied the sanctions on Tuesday to several efforts by the U.S. government to address the proliferation of spyware tools and commercial entities selling vulnerabilities to oppressive governments.

In February, Secretary of State Antony Blinken announced a new policy where the U.S. will restrict visas for people involved in the misuse of commercial spyware.

The policy, which also applies to spouses and children, was targeted at those “believed to facilitate or derive financial benefit from the misuse of commercial spyware” and who are involved in “developing, directing, or operationally controlling companies that furnish technologies such as commercial spyware to governments, or those acting on behalf of governments, that engage in activities.”

The latest action against Intellexa was launched in advance of the third Summit for Democracy, which will take place in Seoul on March 18.

Senior administration officials declined to discuss specific instances where Intellexa’s products were used but said the company and others like it pose a “fundamental national security and foreign policy” threat to the U.S. government, personnel and others.

The Israeli spyware companies NSO Group and Candiru were previously added to the Commerce Department’s entity list in November 2021.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.