Predator spotted in Mozambique for first time, another sign of spyware’s availability
The discovery of new infrastructure linked to Predator spyware suggests the surveillance technology is still finding new customers despite its backers facing rounds of U.S. sanctions since July 2023.
In a report released Thursday, researchers at Insikt Group say they now can link the powerful spyware to operators in Mozambique for the first time. Insikt Group and The Record are both part of Recorded Future.
Mozambique is one of several African countries where the spyware has appeared, according to Insikt, which says that the continent hosts more than half of known Predator customers.
A separate finding in the report establishes “the first technical connection made between Predator infrastructure and corporate entities associated with the Intellexa Consortium,” Insikt says, referring to the organization believed to be backing Predator. Intellexa was among the entities sanctioned by the U.S.
The discovery stems from an Insikt probe of entities linked to Dvir Horef Hazan, a Czech bistro owner, entrepreneur and programmer whom a Czech news outlet alleges worked for Intellexa.
A Greek law enforcement investigative report into the potential Predator targeting of journalist Thanasis Koukakis also alleged that Intellexa transferred nearly €3 million (about $3.5 million) to Hazan and his companies.
Details of Hazan’s alleged work for Intellexa are murky, but Insikt said it found the link between Predator’s multi-tiered infrastructure and a Czech entity indirectly tied to Hazan.
The researchers said Predator’s general infrastructure has not changed much, but there is evidence that operators have evolved the spyware to make it harder to find on a device.
Insikt’s latest findings follow previous reports noting that Predator activity continued after the July 2023 actions by the U.S. government.
Initially the Commerce Department placed Intellexa and a related unit, Cytrox, on the Entity List, which restricts how companies do business with the U.S. and causes reputational damage. Then in 2024 federal agencies acted twice to restrict Predator-related entities.
Read more: Paragon spyware activity found on more journalists’ devices
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.