Treasury removes sanctions for three executives tied to spyware maker Intellexa

The Treasury Department on Tuesday took three people closely affiliated with the holding company behind Predator spyware off of a sanctions list, reversing their designation in 2024 by the Biden administration.

Merom Harpaz and Andrea Gambazzi were sanctioned in September 2024 in an effort to crack down on Intellexa Consortium’s “opaque web of corporate entities, which are designed to avoid accountability,” a senior Biden administration official said at the time. Months earlier, Sara Hamou was among two people and five entities to be sanctioned due to links to the notorious spyware manufacturer.

Hamou is a corporate off-shoring specialist who provided managerial services to the consortium, according to the Treasury Department. Gambazzi owned an entity that processed financial transactions for consortium entities, Treasury said, and Harpaz was a top executive at the consortium. It is unclear if they are still in those roles.

Intellexa’s Predator spyware is used by governments and possibly other actors to spy on individuals’ devices through zero- and one-click attacks. The spyware gives attackers the ability to see everything that happens on a given device and even remotely activate microphones and cameras.

The decision to strip the sanctions is a stark reversal from the Biden administration’s crackdown on spyware manufacturers, including through sanctions, blacklisting, international pacts and visa bans.

In July 2023, the Biden administration put Intellexa on the Commerce Department’s Entity List, which places strict licensing and other requirements on companies attempting to do business in the U.S. A Treasury spokesperson did not immediately respond to a request for comment.

Digital freedom advocates were alarmed by Tuesday’s delisting.

"The public deserves to know what evidence exists to clearly demonstrate that these individuals have ceased their involvement with the Intellexa-affiliated entities that have been targeting US officials, both Republicans and Democrats, with spyware,” said Natalia Krapiva, senior tech legal counsel at Access Now. 

The spyware was used to target more than 50 U.S. government staffers working worldwide, the Biden administration alleged.

“Any hasty decisions to remove sanctions from individuals involved in attacking US persons and interests risk signaling to bad actors that this behavior may come with little consequences,” Krapiva added.

Researchers at Recorded Future recently found that while use of Predator appears to have slowed in 2025, it is still being deployed in countries worldwide, including in Iraq and likely Pakistan. A cluster in Mozambique remained active until at least late June 2025, the researchers found. The Record is an editorially independent unit of Recorded Future.

The researchers noted that it is possible Intellexa remains more active than is readily apparent due to changes in domain naming conventions which could make it more difficult for them to find its infrastructure.

When Biden officials announced the sanctions against Harpaz and Gambazzi in September 2024, they said the consortium had continued to sell spyware after the previous round of sanctions in March.

Shortly before Gambazzi and Harpaz were sanctioned, along with three other people and one entity, researchers surfaced evidence showing likely new customers in the Democratic Republic of Congo, Angola, United Arab Emirates, Madagascar and other countries. 

In August 2024, Google also said it had found the Russian government deploying exploits developed by Intellexa.

The New York Times has reported that Greece’s national intelligence agency unleashed Predator on a Meta security policy manager in 2021. 

In September 2024, Bradley Smith, then the acting under secretary of the Treasury for terrorism and financial intelligence, said Predator “threatens our national security and undermines the privacy and civil liberties of our citizens.”