Intellexa Spyware Scandal Three Escape US Sanctions Net

In a surprising move, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) quietly removed three individuals connected to the Intellexa Consortium from its list of specially designated nationals. Intellexa, you might remember, is the company behind the notorious commercial spyware, Predator.

So, who got a reprieve from the sanctions?

• Merom Harpaz
• Andrea Nicola Constantino Hermes Gambazzi
• Sara Aleksandra Fayssal Hamou

These individuals were initially sanctioned (Hamou in March 2024) and targeted (Harpaz and Gambazzi in September 2024) for their roles in developing, operating, and distributing Predator. The big question: why the sudden change of heart?

The Treasury's official press release offered no explanation. However, a statement provided to Reuters suggests the decision "was done as part of the normal administrative process in response to a petition request for reconsideration." Apparently, these individuals "demonstrated measures to separate themselves from the Intellexa Consortium."

Let's break down their roles: Harpaz reportedly worked as a manager at Intellexa S.A., while Gambazzi was identified as the owner of Thalestris Limited and Intellexa Limited. Thalestris, according to the Treasury, held the distribution rights to Predator and handled transactions for other Intellexa entities – it's also the parent company to Intellexa S.A.

Hamou was considered a key enabler, acting as a corporate off-shoring specialist, even handling office space rentals in Greece for Intellexa S.A. Whether they still hold these positions remains unknown.

It's worth remembering that the Treasury previously highlighted the growing security risk posed by commercial spyware, emphasizing the need for responsible development and use of such technologies, balancing human rights and individual liberties.

"Any hasty decisions to remove sanctions from individuals involved in attacking U.S. persons and interests risk signaling to bad actors that this behavior may come with little consequences as long as you pay enough [money] for fancy lobbyists," said Natalia Krapiva, senior tech legal counsel at Access Now.

This news surfaces shortly after Amnesty International reported a Predator attack attempt on a human rights lawyer from Pakistan's Balochistan province via a WhatsApp message. Spooky stuff.

So, what makes Predator so dangerous? Active since at least 2019, it's designed to be stealthy, leaving minimal traces while extracting sensitive data from infected devices. It's often delivered through 1-click or even zero-click attacks.

Like NSO Group's Pegasus, Predator is officially marketed for counterterrorism and law enforcement. However, investigations point to a wider pattern of deployment against civil society figures, including journalists, activists, and politicians. Not exactly its intended use, is it?

A recent Recorded Future analysis of Intellexa's corporate web presence indicates that Predator is still in use, despite public scrutiny and international measures.

"Several key trends are shaping the spyware ecosystem, including growing balkanization as companies split along geopolitical lines, with some sanctioned entities seeking renewed legitimacy through acquisitions while others shift toward regions with weaker oversight," the Mastercard-owned company noted.

"Furthermore, rising competition and secrecy surrounding high-value exploit technologies are heightening risks of corruption, insider leaks, and attacks on spyware vendors themselves." Sounds like a recipe for even more trouble down the road.

(The story was updated after publication to include additional information from Reuters.)