Sanctioned Spyware Hacked an Angolan Journalist's iPhone on World Press Freedom Day

What Happened

On May 3, 2024, a date recognized worldwide as World Press Freedom Day, Angolan journalist Teixeira Candido received a WhatsApp message from someone claiming to be a group of Angolan students interested in discussing socioeconomic development. The message contained a link. Candido clicked it. By the next day, his iPhone was infected with Predator, one of the most invasive commercial spyware tools ever built.

The attack was discovered by Amnesty International's Security Lab, working alongside human rights organizations Friends of Angola and Front Line Defenders. Their forensic analysis confirmed the infection and traced the spyware to the Intellexa consortium, a surveillance technology company sanctioned by the United States government.

"I literally felt naked," Candido told the Committee to Protect Journalists. "It's as if someone I don't know had stripped me naked in public."

Who Is Teixeira Candido

Candido is one of Angola's most prominent journalists and press freedom advocates. He hosts a program at Radio Essencial, a privately owned broadcaster, and led the Syndicate of Angolan Journalists until 2024. He is known for his critical coverage of government authorities and has consistently advocated for journalistic independence in a country where media freedom has been steadily eroding.

The timing of the attack, on a day dedicated to press freedom, underscores the brazenness of the operation. It also fits a broader pattern: Predator has been documented in attacks against journalists, politicians, and dissidents across multiple continents.

What Predator Can Do

Predator is developed by Cytrox, a North Macedonian company operating under the Intellexa umbrella. Once installed on a device, the spyware gives its operator near total access:

• Read every message, including those in encrypted apps
• Silently activate the device's microphone and camera
• Extract contacts, photos, videos, and stored files
• Track the device's precise location in real time
• Harvest browsing history, passwords, and authentication tokens

In Candido's case, the infection lasted less than 24 hours before a device restart removed the active payload. But even a brief infection window is enough to exfiltrate enormous amounts of personal data, and there is no way to know exactly what was accessed.

How the Attack Unfolded

The attacker's approach was methodical. The first malicious link arrived at 4:18 PM local time on May 3. Over the following weeks, additional messages continued, each containing links disguised as legitimate news articles or authentic looking websites. The social engineering was designed to appear natural and build trust before delivering the payload.

Amnesty International's researchers traced the first Predator infrastructure domains linked to Angola back to March 2023, indicating that this was not a spontaneous attack. The surveillance operation had been prepared well in advance, with domain infrastructure established more than a year before the targeting of Candido.

While the specific customer behind the attack has not been conclusively identified, the researchers noted that Predator is exclusively sold to government clients.

Angola's Deteriorating Press Freedom

The spyware deployment against Candido comes amid a sharp decline in press freedom under President Joao Lourenco's second term, which began in 2022. The government has enacted a National Security Law in 2024 and a separate vandalism law that criminalizes documenting security service operations.

Draft legislation introduced in 2026 would go further, criminalizing the publication of "false information" and expanding state surveillance powers with minimal judicial oversight. Journalists have been prosecuted under criminal defamation charges, and human rights advocates describe the country as transitioning toward authoritarianism.

The deployment of commercial spyware against a journalist fits this trajectory. When governments cannot silence critics through legal means, surveillance technology offers a quieter alternative.

Intellexa and the Global Spyware Market

The U.S. government sanctioned Intellexa and its founder in 2024 for developing and distributing commercial spyware used to target journalists, policy experts, and U.S. government officials. Despite those sanctions, the Angola case demonstrates that Predator remains operational and actively deployed.

Intellexa is part of a growing commercial spyware industry that includes NSO Group's Pegasus, Paragon's Graphite, and several lesser known tools. These companies sell exclusively to government clients, but the end use of their products has repeatedly been documented in attacks against civil society rather than legitimate criminal investigations.

According to Amnesty International, Predator has been linked to surveillance operations in at least a dozen countries, including Greece, Egypt, Madagascar, and now Angola.

How Journalists Can Protect Themselves

No defense is foolproof against state sponsored spyware, but several measures can reduce risk:

• Enable Lockdown Mode on iPhones. Apple designed this feature specifically to defend against mercenary spyware attacks
• Never click links from unknown contacts, even if the message appears to come from a legitimate organization
• Keep your device's operating system fully updated. Many spyware exploits target known vulnerabilities that patches have already fixed
• Restart your phone daily. Some spyware, including Predator, does not survive a reboot
• Use a separate device for sensitive communications. Keeping your reporting work on a dedicated phone limits what an attacker can access if one device is compromised

The Predator attack on Candido is a reminder that surveillance tools built for counterterrorism are routinely turned against the press. For journalists working in restrictive environments, digital security is no longer optional. It is a condition of doing the job.