Intellexa

Also known as: Intellexa Alliance · Predator spyware · Cytrox

HQ Country: Greece
Category: surveillance tech
Threat Score: 88/100
Incidents: 22
Known Clients: Greek National Intelligence Service (EYP), Egyptian government, Vietnamese government, Madagascan government, Sudanese government, Indonesian government
Deployment Countries: GR, EG, VN, MG, SD, ID, AE, SA, AM, CI, SN, TD

References

  • U.S. Commerce Department Entity List (2023)
  • European Parliament Predatorgate Investigation
  • Citizen Lab Predator Spyware Analysis

Overview

Intellexa is a European surveillance technology conglomerate founded by Tal Dilian, a former Israeli military intelligence officer who previously served in IDF Unit 81 (signals intelligence). The company operates as the "Intellexa Alliance," a consortium of surveillance firms headquartered in Greece but with corporate entities registered across multiple jurisdictions including Ireland, North Macedonia, Hungary, and the British Virgin Islands, a structure designed to exploit regulatory gaps and obscure accountability.

Corporate Structure and Key Entities

The Intellexa Alliance comprises several interlinked companies:

  • Cytrox: Originally founded in North Macedonia, later reincorporated in Hungary. Developer of the Predator spyware, the alliance's flagship product. Cytrox was acquired by Intellexa to provide the core offensive capability.
  • Nexa Technologies (formerly Amesys): French surveillance company previously investigated for selling mass internet surveillance systems to Libya under Muammar Gaddafi and Egypt under Abdel Fattah el-Sisi.
  • WiSpear: Developer of WiFi interception technology, including a mobile surveillance van capable of intercepting communications within a radius of several hundred meters.
  • Senpai Technologies: Provides open-source intelligence (OSINT) and social media monitoring capabilities.

Tal Dilian has publicly marketed Intellexa's capabilities, most notoriously in a 2019 Forbes interview where he demonstrated WiSpear's WiFi interception van in Larnaca, Cyprus, a display that led to his arrest by Cypriot authorities for illegal interception of communications. The charges were later dropped under circumstances that raised questions about political influence.

Intellexa positions itself as a "regulated" alternative to NSO Group's Pegasus, marketing Predator as a lawful intercept solution for European and allied governments. In practice, investigations have documented that Predator has been deployed against the same categories of targets as Pegasus: journalists, opposition politicians, and civil society.

Data Collection Practices

Intellexa's Predator spyware enables comprehensive device compromise comparable to NSO Group's Pegasus, though with some technical differences in deployment and capability.

Predator Infection Vectors

Unlike Pegasus, which relies primarily on zero-click exploits, Predator has been documented using a combination of:

  • One-click exploits: Targets receive links (via SMS, WhatsApp, or email) that, when clicked, exploit browser vulnerabilities to install Predator. Citizen Lab and Google's Threat Analysis Group (TAG) have documented Predator exploiting Chrome and Safari zero-day vulnerabilities.
  • Zero-click capabilities: In 2023, Citizen Lab documented that newer versions of Predator had acquired zero-click infection capabilities, narrowing the gap with Pegasus.
  • Network injection: Man-in-the-middle attacks that redirect a target's web traffic through malicious infrastructure to deliver the spyware payload. This requires cooperation from telecommunications providers or access to network infrastructure.

Device Access

Once installed, Predator provides operators access to:

  • All messages including encrypted communications (Signal, WhatsApp, Telegram)
  • Email content and attachments
  • Contact lists and call logs
  • GPS and network-based location tracking
  • Microphone and camera activation for real-time surveillance
  • Photos, videos, and stored files
  • Browser history and saved credentials
  • Calendar entries and notes

Persistence Mechanisms

Google TAG's analysis revealed that Predator operates alongside a separate implant called "Alien" that provides persistence on infected devices. Alien acts as a loader, maintaining the spyware's presence across device reboots and operating system updates, while Predator handles the primary surveillance functions.

Infrastructure

Predator uses a multi-layered command-and-control infrastructure with anonymization layers designed to obscure the identity of operators. Citizen Lab mapped Predator infrastructure across dozens of countries, identifying server clusters linked to specific government clients. The infrastructure has been repeatedly rebuilt after public exposure, demonstrating ongoing operational investment.

Known Clients & Government Contracts

Intellexa's client base spans governments across Europe, Africa, the Middle East, and Southeast Asia, many with documented records of authoritarian governance and human rights violations.

Greece (Predatorgate): The most politically consequential deployment. In 2022, investigative journalists at Inside Story, Reporters United, and the European Investigative Collaborations (EIC) network revealed that Predator had been used against Greek opposition leader Nikos Androulakis (PASOK party head and Member of the European Parliament), investigative journalist Thanasis Koukakis, and other political and media figures. The scandal, known as "Predatorgate", engulfed the government of Prime Minister Kyriakos Mitsotakis. The head of Greece's National Intelligence Service (EYP), Panagiotis Kontoleon, and Mitsotakis's chief of staff, Grigoris Dimitriadis (also the PM's nephew), both resigned. Mitsotakis denied knowledge of the surveillance while simultaneously acknowledging that EYP had conducted parallel legal wiretaps on some of the same targets.

Egypt: Predator was deployed against opposition politician Ayman Nour and an Egyptian journalist in exile, as documented by Citizen Lab in 2021, one of the earliest public confirmations of Predator in active use. Egypt has been a major client of multiple spyware vendors, using surveillance technology to suppress political opposition, target journalists, and monitor civil society organizations.

Vietnam: Amnesty International's Security Lab documented Predator targeting of Vietnamese citizens and political figures, part of a broader Vietnamese government campaign of digital surveillance against dissidents.

Madagascar, Sudan, Indonesia: Citizen Lab's infrastructure mapping identified Predator deployments linked to these countries. In each case, the technology was deployed by governments with documented records of suppressing political opposition and press freedom.

European Parliament Targets: Beyond Greek domestic targets, Predator was used against members of the European Parliament, making it a direct threat to EU democratic governance. This triggered the expansion of the PEGA Committee's mandate to investigate Predator alongside Pegasus.

Privacy Incidents & Litigation

U.S. Entity List Designation (2023)

The U.S. Commerce Department placed Intellexa and Cytrox on its Entity List in July 2023, finding that their technologies "threaten the privacy and security of individuals and organizations worldwide." This followed the earlier 2021 blacklisting of NSO Group and Candiru, extending the U.S. government's stance against commercial spyware to European-based vendors.

The designation restricts Intellexa from purchasing U.S.-origin technology components, effectively cutting the alliance off from American semiconductor, software, and cloud services.

U.S. Treasury Sanctions (2024)

In March 2024, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) imposed financial sanctions on Intellexa founder Tal Dilian and several corporate entities within the alliance. This marked the first time the U.S. government sanctioned an individual for involvement in the commercial spyware industry.

The sanctions freeze any U.S.-based assets and prohibit American individuals and companies from conducting business with Intellexa, a significant escalation beyond the Entity List's technology export restrictions.

Predatorgate Political Crisis (2022-2023)

The Greek surveillance scandal triggered:

  • Resignation of the EYP intelligence chief and the Prime Minister's chief of staff
  • Multiple parliamentary investigations
  • A European Parliament PEGA Committee investigation
  • Criminal complaints filed by targeted individuals
  • A Supreme Court prosecutor inquiry

Despite the political fallout, no criminal convictions have resulted. The Mitsotakis government won re-election in June 2023, leading critics to argue that accountability mechanisms failed.

Google TAG and Citizen Lab Disclosures

Google's Threat Analysis Group published multiple reports documenting Predator's exploitation of Chrome and Android zero-day vulnerabilities (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003, CVE-2023-4211). These disclosures revealed that Intellexa was purchasing and deploying zero-day exploits at a pace comparable to NSO Group, undermining claims that Predator was a less invasive alternative.

Amnesty International "Predator Files" (2023)

In October 2023, Amnesty International's Security Lab published "The Predator Files," a comprehensive investigation conducted with the European Investigative Collaborations network. The investigation documented Predator deployments across at least 25 countries and revealed the alliance's corporate restructuring efforts designed to evade sanctions and export controls.

Threat Score Analysis

Intellexa receives a composite threat score of 88/100, reflecting its role as the second most dangerous commercial spyware vendor after NSO Group:

  • Data Collection (95/100): Predator enables full device compromise: access to all communications, location data, microphone, camera, and stored files. The combination of one-click and zero-click infection vectors, paired with the Alien persistence implant, provides capabilities approaching Pegasus. Network injection capabilities through WiSpear add a telecommunications-level interception dimension.

  • Third-Party Sharing (92/100): Intellexa sells surveillance capabilities to governments with documented patterns of targeting journalists, political opposition, and civil society. Client vetting is demonstrably inadequate: deployments in Egypt, Vietnam, Sudan, and Madagascar confirm sales to authoritarian regimes. The targeting of a sitting Member of the European Parliament by a client demonstrates the absence of meaningful use restrictions.

  • Breach History (65/100): Predator's infrastructure has been repeatedly exposed by Citizen Lab and Google TAG, leading to the identification of zero-day exploit chains and command-and-control servers. The exposure of the Predatorgate surveillance in Greece constituted a catastrophic operational security failure. However, Intellexa's own corporate systems have not suffered publicly documented data breaches comparable to NSO's leaked targeting database.

  • Government Contracts (90/100): Intellexa exists solely as a government surveillance vendor. Its products have been documented:

      • Targeting EU democratic governance (Greek and European Parliament members)
      • Enabling authoritarian surveillance (Egypt, Vietnam, Sudan)
      • Operating without meaningful use restrictions or post-sale oversight

    The company's structure across multiple jurisdictions is explicitly designed to circumvent export controls.

  • Transparency (12/100): Intellexa operates with virtually no transparency. The alliance's multi-jurisdictional corporate structure is designed to obscure ownership, operations, and accountability. The company has never published a transparency report, does not disclose clients, and has not submitted to independent audits. Tal Dilian's public demonstrations of interception capabilities suggest a culture of impunity rather than accountability.

Weighted calculation: (95 * 0.25) + (92 * 0.25) + (65 * 0.20) + (90 * 0.15) + (12 * 0.15) = 23.75 + 23 + 13 + 13.5 + 1.8 = 75.05, adjusted to 88 due to documented targeting of EU democratic institutions, U.S. government sanctions against the founder personally, and demonstrated willingness to sell to authoritarian regimes without restriction.

Transparency & Accountability

Intellexa's transparency record is effectively nonexistent. The company represents a case study in how commercial spyware vendors use corporate complexity and jurisdictional arbitrage to evade accountability.

Multi-Jurisdictional Evasion

The Intellexa Alliance's corporate structure spans at least five countries: Greece, Ireland, North Macedonia, Hungary, and the British Virgin Islands. Entities have been dissolved and reconstituted in different jurisdictions in response to regulatory pressure.

After the U.S. Entity List designation, reports indicated that Intellexa began restructuring through new corporate entities to circumvent restrictions. The Amnesty International "Predator Files" investigation documented this pattern of "phoenix" corporate behavior, where the same personnel and technology continue operating under new legal entities.

Regulatory Failure

The Greek government's handling of Predatorgate demonstrated the limits of democratic accountability mechanisms. Despite documented surveillance of opposition politicians and journalists:

  • No criminal prosecutions resulted from the scandal
  • The government that oversaw the surveillance was re-elected
  • Greek authorities failed to cooperate fully with the European Parliament's PEGA Committee investigation
  • New legislation banning spyware in Greece was criticized as cosmetic, lacking enforcement mechanisms

European Regulatory Gap

Intellexa's operations exposed a critical gap in European surveillance technology regulation. While the EU has robust data protection law (GDPR), the regulation of surveillance technology exports and domestic deployment relies on national-level controls that have proven inadequate.

The PEGA Committee's recommendations for an EU-wide moratorium on commercial spyware remain unimplemented. Individual member states continue to purchase and deploy commercial spyware with minimal oversight, and the EU lacks a unified framework for investigating cross-border surveillance abuses.

Comparison to NSO Group

While NSO Group has faced more sustained scrutiny due to the scale of Pegasus deployments, Intellexa represents a potentially more concerning model: a European-based surveillance vendor that can market to EU governments as a domestic alternative while maintaining the same disregard for human rights safeguards. The targeting of EU institutions by Intellexa clients demonstrates that proximity to democratic governance does not translate into restraint.
