Intellexa staff members connected directly to at least 10 deployed Predator customer systems using TeamViewer commercial remote administration software, a leaked 2023 internal training session revealed. It exposed how the sanctioned mercenary spyware vendor retained privileged access to government surveillance operations including the ability to view live targeting data, infection attempts, and potentially access dashboards containing collected surveillance data from victims.
The “Intellexa Leaks” investigation published jointly by Inside Story, Haaretz, WAV Research Collective, and Amnesty International’s Security Lab provides unprecedented visibility into internal operations of a commercial surveillance company whose Predator spyware has been linked to human rights abuses across countries.
The leaked materials, including internal documents, sales and marketing material, and training videos, expose how Intellexa operates despite US Treasury sanctions imposed in March 2024 and extensive public scrutiny from civil society and technology companies.
Direct Access to Ten Customer Systems
The TeamViewer control panel, briefly visible in the leaked training recording, showed at least 10 potential customers identified with code names including Dragon, Eagle, Falcon, Flamingo, Fox, Glen, Lion, Loco, Phoenix, and Rhino, plus one apparent Predator demo system. The visible customers represented only those through the letter F alphabetically, suggesting additional deployments beyond those shown.
Internal Intellexa business records show the company purchased seven TeamViewer licenses in June 2021, indicating remote management of deployed customer Predator systems began at least two years before the video was recorded. Amnesty International’s infrastructure mapping in September 2021 found seven likely active Predator customers, consistent with the purchased license count.
When a staff member asked if they were connecting to a testing environment, the instructor stated they were accessing a live “customer environment.” The video shows staff initiating remote connections without indication that customers or government end-users reviewed or approved specific connection requests.
Also read: Sanctioned Spyware Vendor Used iOS Zero-Day Exploit Chain Against Egyptian Targets
Visibility Into Live Targeting Operations
For 30 minutes, the video shows an Intellexa staff member browsing an Elasticsearch analytics dashboard displaying logs and analytics from various Predator system components assigned to a specific customer with codename EAGLE_2. The dashboard included logs from both on-premises backend systems and online systems on the public internet, containing both live and historical data.
The logging dashboard revealed live Predator infection attempts against real targets. Detailed information from at least one infection attempt against a target in Kazakhstan showed the infection URL, target’s IP address, and software versions of the target’s phone, though the attempt apparently failed.
Data visible in the log dashboard indicated that logs from other internal Predator backend system components were also accessible, including those storing targeting information and collected surveillance data.
Access to Customer Dashboard and Surveillance Data
During the training, the instructor switched windows on the remote Ubuntu desktop, revealing other open applications including a Chrome browser window displaying a login prompt for a system hosted at https://pds[.]my[.]admin:8884. The username “cyop” was prefilled, indicating the remote computer used by Intellexa staff had previously logged into the PDS system.
Amnesty International concluded the login prompt shown in the training video provides access to a customer’s Predator dashboard—the main control panel used by customers to conduct surveillance operations including adding targets, creating new infection links, and viewing surveillance data collected from victims.
The customer targeting dashboard is referred to in internal Intellexa documentation by various names including Predator Delivery Studio, Helios Delivery Studio, and the Cyber Operations Platform. Both terms PDS and CyOP appear in the URL and username field from the training video.
The remote desktop system used by Intellexa support staff could connect to the Predator dashboard, raising alarming questions about compartmentalization of live surveillance data and targeting from the company and its staff. The video suggests Intellexa staff retained privileged network access to the most sensitive parts of the Predator system, including storage containing photos, messages, and all surveillance data gathered from victims.
New Predator Attack in Pakistan
Ongoing forensic investigations independent of the leaks, found new evidence that Predator spyware is being actively used in Pakistan. In summer 2025, a human rights lawyer from Pakistan’s Balochistan province received a malicious link over WhatsApp from an unknown number.
Amnesty International’s Security Lab attributed the link to a Predator attack attempt based on technical behavior of the infection server and specific characteristics of the one-time infection link consistent with previously observed Predator 1-click links. This represents the first reported evidence of Predator spyware being used in Pakistan.
The targeting comes amid severe restrictions on rights of human rights activists in Balochistan province, including increasingly common province-wide internet shutdowns.
Advertising-Based Zero-Click Infections
The leaked materials provide fresh insights into Predator infection vectors, including a new strategic vector called “Aladdin” that exploits the commercial mobile advertising ecosystem to enable silent zero-click infection of target devices anywhere in the world.
The Aladdin system infects target phones by forcing malicious advertisements created by attackers to be shown on target devices. Internal company materials explain that simply viewing the advertisement triggers infection without any need to click, using the target’s public IP address as the unique target identifier.
Based on analysis of Predator network infrastructure, Amnesty International believes the Aladdin vector was supported in active Predator deployments in 2024.
Google delivered government-backed attack warnings to several hundred accounts across Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, Saudi Arabia, and Tajikistan associated with Intellexa customers since 2023.
