KARACHI: Israeli firm Intellexa’s Predator spyware has been used to target individuals in Pakistan, according to findings from human rights group Amnesty International’s new report ‘Intellexa Leaks’.
Amnesty International’s Security Lab reports that forensic analysis confirms an attempted Predator attack on a human rights lawyer in Balochistan during summer 2025, representing the first documented use of the spyware in the country amid heightened restrictions on activists and recurring internet shutdowns.
Intellexa, described by civil society groups as a “mercenary spyware company”, has long refused to answer detailed questions from Amnesty International about its operations and corporate structure. In 2023, the company was fined by the Greek Data Protection Authority for failing to comply with its investigations.
The leaked material shows how Intellexa exploits vulnerabilities in mobile devices to enable targeted surveillance of journalists, human rights defenders and civil society. Among the most striking findings is evidence that, at the time of the leaked training videos, the company retained the capability to remotely access Predator customer systems, even those located physically within government premises, effectively giving it access to data collected through surveillance operations.
The attack attempt in Pakistan involved a malicious link sent via WhatsApp, which researchers attributed to Predator based on the behaviour of the infection server and the characteristics of the one-time link, consistent with previously observed Predator 1-click pathways. Amnesty says it is continuing to investigate this and other cases, including upcoming reports on abuses in Africa.
Inside Story, Haaretz and WAV Research Collective conducted the months-long investigation drawing on highly sensitive leaked materials. Amnesty researchers reviewed selected documents to authenticate technical evidence. The information was consistent with non-public data previously gathered through Amnesty’s forensic research, including from the 2023 Predator Files project. Researchers concluded with high confidence that the files are genuine and shed new light on Intellexa’s operations.
The leaked data also reinforce previous work by organisations such as Citizen Lab, Recorded Future and Google’s Threat Analysis Group (TAG), which have tracked Predator deployments.
Google TAG has published its own technical briefing alongside Recorded Future, detailing Intellexa’s customers, exploits and capabilities. Google also issued spyware threat notifications to several hundred accounts it identified as likely Predator targets, including individuals in Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, Saudi Arabia and Tajikistan.
