US hits Intellexa spyware maker with more sanctions

The Treasury Department on Monday sanctioned five people and one entity tied to the Intellexa Consortium – a notorious holding company responsible for the Predator spyware. 

The company was sanctioned last year and again in March, but senior administration officials told reporters on Monday that more was needed to target the company’s “opaque web of corporate entities, which are designed to avoid accountability.”

The senior official said Intellexa Consortium has taken a range of steps since the initial sanctions to move money around and to continue selling the Predator spyware through other holding companies. 

“These sanctions are the next step in our continued effort to deny problematic vendors safe haven across jurisdictions, and also demonstrates that there will be accountability measures regardless of corporate structures and shell games that they may be playing now,” the official said. 

The Predator spyware is used by governments and other actors to steal information from devices through one-click attacks and through zero-click attacks, which require no interaction from victims. It allows users to track victims, monitor their calls and gather information from their smartphones or other devices.

The Biden administration previously said it is tracking a campaign that involved more than 50 U.S. government workers in more than 10 countries being targeted with commercial spyware. It has not been revealed where these incidents took place. 

Predator was also deployed against Meta security policy manager Artemis Seaford in 2021 at the behest of Greece’s national intelligence agency, according to The New York Times.

The company additionally sells access to new vulnerabilities that can be exploited in commonly used products and software. 

The new sanctions target Felix Bitzios — the owner of a company within the Intellexa Consortium that was used to sell Predator spyware to an unnamed foreign government — as well as Andrea Nicola Constantino Hermes Gambazzi for running another entity that was used to process financial transactions on behalf of other entities within the Intellexa Consortium.

Other employees facing sanctions include Merom Harpaz, Panagiota Karaoli and Artemis Artemiou. The Treasury Department also sanctioned Aliada Group Inc. — a company based in the British Virgin Islands that was used to transfer tens of millions of dollars to Intellexa Consortium. Intellexa Consortium founder Tal Jonathan Dilian was sanctioned in March. 

“The United States will not tolerate the reckless propagation of disruptive technologies that threatens our national security and undermines the privacy and civil liberties of our citizens,” said Bradley Smith, the acting under secretary of the Treasury for terrorism and financial intelligence.

“We will continue to hold accountable those that seek to enable the proliferation of exploitative technologies, while also encouraging the responsible development of technologies that align with international standards.”

Predator has been deployed since at least 2019, infecting both Android and iPhone devices. A consortium of journalists, activists and cyber experts previously examined the spyware in a project called the Predator Files.

The Treasury Department said Intellexa Consortium has continued to sell Predator to state-sponsored actors and governments around the world, allowing it to be used against government officials, journalists, opposition politicians and policy experts. 

Researchers have found evidence of Predator’s use among governments around the world — including potentially Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia and Trinidad and Tobago.

Last week, researchers said there is now evidence that Predator was able to rebound after the March sanctions and has been able to secure new customers despite the efforts of the U.S. government. Alleged customers include officials in the Democratic Republic of Congo, Angola, United Arab Emirates, Madagascar and more. 

Google also found evidence last month that the Russian government has been using vulnerability exploits developed by Intellexa Consortium. 

The senior administration official said the new sanctions are part of a larger effort by the U.S. government to add more friction to the spyware economy. Several spyware companies have been sanctioned, and the State Department has already used its new visa ban policy against thirteen people connected to the misuse of commercial spyware. 

The Israeli spyware companies NSO Group and Candiru were previously added to the Commerce Department’s entity list in November 2021.

The senior administration official said on Monday that despite recent reports about Predator spyware, the U.S. government has seen results from its work in limiting the actions of companies like Intellexa Consortium. 

The official added that on the sidelines of the upcoming UN General Assembly session, the U.S. will be convening a high-level meeting about commercial spyware, and new countries are expected to sign on to a previous diplomatic agreement about the misuse of the technology.

“Entities like the Intellexa Consortium are struggling to move their money around, disrupting their business operations,” the official said. 

“We also have information that commercial spyware executives are concerned about the prospect of these events, which we expect will continue to shape their behavior. And we've also seen publicly available reflections that some cyber technical talent is choosing to avoid getting into the commercial spyware industry to avoid the risk of these accountability measures.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.