Intellexa's Predator Spyware Hacked an Angolan Journalist via WhatsApp — Despite US Sanctions


A sanctioned spyware vendor keeps selling. A journalist clicked one link. Amnesty found everything.

Intellexa’s Predator spyware — sanctioned by the US in 2023 — was used to hack Angolan journalist Teixeira Cândido’s iPhone in May 2024. The attacker posed as a student on WhatsApp for weeks before sending the kill link. License cost: €13.6 million per deployment.

Amnesty International’s Security Lab published the forensic proof in February 2026. It’s the first confirmed Predator case in Angola, but the infrastructure was active there since March 2023. The sanctions did nothing. The Trump administration even delisted three Intellexa executives in December. This is the commercial surveillance industry working exactly as designed.



🧩 Dumb Mode Dictionary

| Term | Translation |
|---|---|
| Predator | Commercial spyware made by Intellexa. Like Pegasus but from a different vendor. Gives full access to a phone — mic, camera, messages, passwords, location, everything. |
| Zero-day exploit | A software bug the vendor (Apple, Google) doesn’t know about yet. Worth $100K–$300K each on the open market. Predator has burned through 15 since 2021. |
| Social engineering | Tricking a human into clicking something. In this case: fake students sending WhatsApp messages for weeks to build trust. |
| Forensic analysis | Amnesty’s Security Lab reverse-engineering what happened on the phone after the fact. They matched infection servers to known Intellexa infrastructure. |
| Entity List | US Commerce Dept. blacklist. Being on it means US companies can’t sell you stuff. Doesn’t stop you from selling spyware to authoritarian governments, apparently. |
| One-click exploit | Victim has to tap one link (vs. zero-click where they don’t even need to). Still devastating. One tap = full device compromise. |

📖 The Backstory — Who Got Hit and How

Right, so here’s what’s actually happening.

Teixeira Cândido is a prominent Angolan journalist, press freedom activist, jurist, and former Secretary General of the Syndicate of Angolan Journalists. In December 2022, under his leadership, the Syndicate organized a national protest condemning attacks on journalists in Angola.

From April to June 2024, an attacker posing as students contacted him on WhatsApp. They asked about Angolan social and economic affairs. Standard social engineering — build rapport, seem legitimate, then drop the payload. On May 4, 2024, Cândido clicked one malicious link.

That was it. Full device compromise. Predator had everything: messages, calls, emails, location, camera, microphone, passwords. The spyware disguised itself as a legitimate iOS system process.

Several hours later, Cândido rebooted his phone — which happened to wipe Predator from memory. Between May 4 and June 16, the attacker sent 11 more infection links. All failed, possibly because Cândido didn’t open them. Lucky break.

His own words: “I feel naked knowing that I was the target of this invasion of my privacy. I don’t know what they have in their possession about my life.”

⚙️ Under the Hood — Predator's Technical Stack

Right, so here’s what’s actually happening at the exploit level.

Internally, Intellexa calls their exploit chain “smack.” It’s a three-stage process:

  • Stage 1 — Initial Access: Safari RCE zero-day (like CVE-2023-41993). Uses a framework called “JSKit” to get arbitrary memory read/write in the browser renderer
  • Stage 2 — Sandbox Escape: Kernel-level flaw for sandbox escape and privilege escalation, plus code-signing bypass
  • Stage 3 — Payload: A two-part system called “PREYHUNTER” — a watcher module and a helper module that deploys the actual spyware

Delivery methods include one-time links via encrypted messaging apps. But here’s the fun part — Intellexa also developed “Aladdin,” a system that can infect phones silently through malicious digital ads. You don’t even need to click. Just view the ad.

Google has attributed 15 unique zero-day exploits to Intellexa since 2021. A single weaponized RCE exploit costs $100K–$300K on the market. Predator burns through them like kindling.

Cândido was running an outdated iOS version. Amnesty couldn’t determine the exact vulnerability used. But the infection server fingerprints matched known Intellexa infrastructure with high confidence.

💰 The Money — What Predator Costs

| Item | Price |
|---|---|
| Full Predator deployment (2021 proposal) | €13.6 million |
| Documented 2022 license | €8 million |
| Per zero-day exploit (RCE + sandbox bypass) | $100K–$300K each |
| Geographic restriction removal (extra countries) | Additional fee per country code |
| Number of zero-days burned since 2021 | 15+ |

Licenses are restricted to a single phone country code prefix. Want to spy in more countries? Pay more. This isn’t a product for criminals — it’s a product for governments with deep pockets and flexible ethics.

🌍 Where Predator Is Active — It's Not Just Angola

Google sent spyware threat notifications to “several hundred accounts” across:

  • Angola — first forensic confirmation, infrastructure active since March 2023
  • Pakistan — human rights lawyer targeted in Balochistan, summer 2025
  • Kazakhstan — active threat notifications
  • Egypt — active threat notifications
  • Uzbekistan — active threat notifications
  • Saudi Arabia — active threat notifications
  • Tajikistan — active threat notifications
  • Iraq — new evidence of deployment

Amnesty believes Cândido may be just one of many targets in Angola alone, based on the number of infection domains found. Multiple domains, plural operators, long-running campaigns.

🗣️ Reactions — Sanctions Didn't Work

Amnesty International: Published the forensic proof. Sent a letter to Intellexa on January 27, 2026. No response.

Biden administration (2024): Sanctioned Intellexa, founder Tal Dilian, and associate Sara Aleksandra Fayssal Hamou.

Trump administration (2025): Quietly delisted three Intellexa executives. Senate Democrats demanded answers.

Intellexa Leaks (Dec 2025): Amnesty and media partners revealed that Intellexa employees had remote access to customer systems — meaning the spyware vendor could see what governments were doing with the tool. No evident technical limitations on this access.

Greece (Feb 2026): Convictions in the “Predatorgate” scandal — rare accountability in the commercial spyware space.

The pattern: sanction, delist, rebrand, keep selling. Intellexa has restructured across jurisdictions so many times that Recorded Future published an entire report just mapping their corporate web.

📱 Angola's Political Context

This didn’t happen in a vacuum. Under President João Lourenço:

  • Repression of peaceful protests is routine
  • Excessive force, arbitrary arrests, and detentions are documented
  • Enforced disappearances have been reported
  • The Syndicate of Angolan Journalists organized a national protest in 2022 condemning attacks on press freedom — led by the very journalist who was later targeted

Cândido wasn’t some random target. He was the guy organizing resistance to exactly the kind of government that buys Predator licenses.


Cool. So governments are buying spyware that sanctions can’t stop and pointing it at journalists.

Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)


🔍 Hustle #1: Mobile Forensics & Spyware Detection Consulting

The market for checking whether someone’s phone has been compromised barely exists outside of Amnesty and Citizen Lab. Journalists, activists, lawyers, and NGO workers in high-risk countries need someone to run the checks — and most don’t know how.

Learn Amnesty’s Mobile Verification Toolkit (MVT), get familiar with iOS sysdiagnose logs, and offer forensic analysis as a service. You don’t need to be a nation-state. You need a laptop, MVT, and the patience to read log files.

🧠 Example: A freelance security researcher in Nairobi, Kenya started offering phone audits to East African journalists after the Pegasus revelations. Using MVT and iVerify, she checks 3–5 devices per week at $200–$400 per audit. After partnering with a local press freedom org, she’s pulling $3K/month with zero marketing spend.

📈 Timeline: 2–4 weeks to learn MVT and practice on your own devices. First paying clients within 6 weeks if you connect with press freedom organizations.
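
A core step in the kind of check described above is comparing links found in a message export against published indicator domains, which MVT accepts as STIX2 files. The sketch below is an added example, not MVT's code or anything from the Amnesty report; the bundle, the `.example` domains, the message rows and all function names are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed STIX-style bundle; the domains are placeholders, not real indicators.
SAMPLE_STIX = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[domain-name:value='news-update.example']"},
    {"type": "indicator", "pattern": "[domain-name:value='cdn.campus-survey.example']"},
    {"type": "malware", "name": "placeholder"},
]})

# Constructed chat export rows: (timestamp, sender, text).
SAMPLE_MESSAGES = [
    ("2024-05-02T09:14", "student-1", "Good morning, thank you for your time"),
    ("2024-05-04T16:40", "student-1", "Please read https://News-Update.example/a/x9?id=1"),
    ("2024-05-20T11:02", "student-2", "Survey: http://img.cdn.campus-survey.example/q"),
    ("2024-06-01T08:30", "colleague", "Agenda: https://example.org/agenda.pdf"),
]

DOMAIN_RE = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def load_domain_indicators(stix_text):
    """Collect lower-cased domains from simple STIX domain-name patterns."""
    objects = json.loads(stix_text).get("objects", [])
    patterns = [o.get("pattern", "") for o in objects if o.get("type") == "indicator"]
    return {d.lower().rstrip(".") for p in patterns for d in DOMAIN_RE.findall(p)}


def match_host(host, indicators):
    """Return the indicator equal to host or to one of its parent domains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD on its own
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan_messages(messages, indicators):
    """Return (timestamp, sender, url, indicator) for each matching link."""
    hits = []
    for timestamp, sender, text in messages:
        for url in URL_RE.findall(text):
            indicator = match_host(urlsplit(url).hostname or "", indicators)
            if indicator:
                hits.append((timestamp, sender, url, indicator))
    return hits
```

Matching on parent domains catches links that use a subdomain of a listed host, and the timestamps in the hits give the timeline of delivery attempts that an audit report needs.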

📝 Hustle #2: OPSEC Training for At-Risk Populations

Every journalist, activist, and human rights lawyer in the countries on that list needs operational security training. Most have never heard of Lockdown Mode. Most don’t restart their phones daily. Most click links from “students” asking about local politics.

Build a curriculum. Deliver it over Signal or in person. Charge NGOs and media organizations, not the individuals. Foundations like the Committee to Protect Journalists and Reporters Without Borders fund exactly this kind of work.

🧠 Example: A cybersecurity trainer in Accra, Ghana built a 2-day OPSEC workshop for West African journalists. Covers device hygiene, phishing recognition, and secure communication setup. Funded by a European press freedom foundation at €4,000 per workshop. Runs 2–3 per month across the region.

📈 Timeline: 4–6 weeks to build curriculum and pitch to first NGO funder. Revenue starts when the first workshop is booked.

🛡️ Hustle #3: iOS/Android Hardening Guides as Paid Content

There’s a gap between “Apple released Lockdown Mode” and “anyone actually knows how to configure their phone properly.” Write device hardening guides — not the generic “use a strong password” stuff, but real guides covering Lockdown Mode, disabling iMessage link previews, restricting USB accessories, clearing browser state, and configuring automatic reboots.

Sell them on Gumroad or bundle them with consulting. Target: small newsrooms, NGOs, and law firms.

🧠 Example: A privacy researcher in Tbilisi, Georgia published an iOS hardening guide specifically for Caucasus-region journalists. Sold 800 copies at $15 on Gumroad in the first 3 months. Now maintains a subscription version ($5/month) that gets updated when new exploits drop. Monthly recurring: $2,100.

📈 Timeline: 2–3 weeks to write. Revenue starts immediately on publication if you have a distribution channel (Twitter/X, Mastodon, relevant Telegram groups).

💼 Hustle #4: Spyware Infrastructure OSINT Research

Amnesty and Citizen Lab can’t do it all. The Predator infection domains Amnesty mapped are public. The fingerprinting techniques are documented. If you have OSINT skills, you can contribute to tracking new infrastructure deployments — and get paid for it.

Companies like Recorded Future, Lookout, and iVerify hire contract researchers. Threat intel reports on commercial spyware infrastructure get published (and funded) regularly.

🧠 Example: An OSINT analyst in Bucharest, Romania started mapping Predator-linked domains as a side project after reading the Amnesty reports. Submitted findings to Citizen Lab and published a blog post that got picked up by The Record. Got contracted by a threat intelligence firm for $5K/month part-time to continue the work.

📈 Timeline: 4–8 weeks of self-directed research before you have publishable findings. Contract opportunities follow publication.

🧠 Hustle #5: Secure Communication Setup-as-a-Service

Small newsrooms in Africa, South Asia, and Central Asia need to migrate off WhatsApp and set up proper secure comms. Signal deployment, encrypted email (ProtonMail/Tuta), secure file sharing, and device management. Most of them don’t have an IT person.

Offer remote setup packages: audit their current tools, migrate them to secure alternatives, and train the staff. Charge per-org, not per-person.

🧠 Example: A sysadmin in Kampala, Uganda started offering “digital safety packages” to small media houses after a local journalist’s phone was compromised. $500 per newsroom for full migration (Signal, ProtonMail, VPN setup, device hardening). Completed 12 organizations in 4 months, mostly through word-of-mouth and one CPJ referral.

📈 Timeline: 1–2 weeks to build your service offering. First clients within a month if you reach out to press freedom organizations directly.

🛠️ Follow-Up Actions

| Want To… | Do This |
|---|---|
| 🔍 Learn mobile forensics | Install Amnesty’s MVT and practice on your own device |
| 📖 Read the full Amnesty report | Journalism Under Attack: Predator in Angola |
| 🛡️ Enable Lockdown Mode right now | Settings → Privacy & Security → Lockdown Mode (iOS 16+) |
| 📝 Study the Intellexa Leaks | Amnesty’s “To Catch a Predator” report |
| 🧠 Map spyware infrastructure | Start with Recorded Future’s Intellexa corporate web analysis |
| 💬 Connect with the community | Join EFF’s Electronic Frontier Alliance or Access Now’s Digital Security Helpline |

⚡ Quick Hits

| Want To… | Do This |
|---|---|
| 🔍 Check if your phone is compromised | Run MVT — it’s free, open-source, and it’s what Amnesty actually uses |
| 🛡️ Block Predator-style one-click attacks | Enable iOS Lockdown Mode. It disables most attack surfaces Predator uses |
| 📱 Stop being phishable on WhatsApp | Don’t click links from strangers. Restart your phone daily. Use an up-to-date iOS version |
| 🧠 Understand the spyware market | Read the Intellexa Leaks — €13.6M per license, remote access to customer systems, 15+ zero-days burned |
| 💬 Support press freedom orgs doing this work | Donate to Amnesty’s Security Lab, Citizen Lab, or Committee to Protect Journalists |

A reboot saved one journalist. Sanctions saved nobody. Keep your phone updated and your links unclicked.
