A new Amnesty International investigation has established that Predator spyware was used in 2024 to target Teixeira Cândido, a prominent Angolan journalist, press freedom activist, jurist and former Secretary General of the Syndicate of Angolan Journalists (SJA).
Predator is a highly invasive mobile phone spyware, developed and sold by Intellexa – a mercenary spyware company – for use by governments in surveillance operations. This is the first forensic confirmation of its use in Angola.
“I feel naked knowing that I was the target of this invasion of my privacy. I don’t know what they have in their possession about my life. […] Now I only do and say what is essential. I don’t trust my devices. I exchange correspondence, but I don’t deal with intimate matters on my devices. I feel very limited,” said Teixeira Cândido.
Teixeira Cândido’s case emerged from a broader investigation into surveillance threats in Angola throughout 2025, originally conducted by Friends of Angola and Front Line Defenders.
The 2024 spyware attack in Angola is one of the most recently confirmed Predator cases, along with the 2025 attack on a human rights lawyer in Pakistan’s Balochistan province, providing further evidence that Intellexa and its spyware system remained operational until 2025 and in jurisdictions unknown until now. While these investigations establish conclusively that the Predator spyware was used, Amnesty International cannot attribute the attacks to specific government customers.
“I feel naked knowing that I was the target of this invasion of my privacy. I don’t know what they have in their possession about my life. […] Now I only do and say what is essential. I don’t trust my devices. I exchange correspondence, but I don’t deal with intimate matters on my devices. I feel very limited,
Teixeira Cândido
Intellexa’s Predator spyware continues contributing to unlawful surveillance despite repeated public exposure, ongoing criminal investigations, and sanctions directed at the company and its senior executives.
In addition to being targeted with spyware, Teixeira Cândido has faced multiple attacks and intimidation since 2022, including unexplained break-ins at his office.
From April to June 2024, during the final months as Secretary General of the SJA, Teixeira Cândido received a series of WhatsApp messages on his iPhone from an unknown Angolan number. The sender used a common Angolan name for their WhatsApp profile and pretended to be part of a group of students interested in the country’s social and economic affairs. After an initial period of building rapport, the attacker sent the first malicious Predator link on 3 May at 16:18 pm local time, designed to infect the journalist’s phone. This pattern continued for weeks with the attacker sending additional malicious links, each pretending to direct to news articles and seemingly genuine websites. Further messages encouraged him to open the links.
On 4 May 2024, Teixeira Cândido appears to have opened one malicious link, which would have resulted in the successful infection of his phone with the Predator spyware. Once the spyware was installed, the attacker could gain unrestricted access to Teixeira Cândido’s iPhone.
Amnesty International’s Security Lab analyzed Teixeira Cândido’s phone and identified forensic traces of network communications made by the spyware on 4 May, confirming that Predator was installed and running on the journalist’s phone during that day. These forensic traces, in addition to known Predator infection domains used in the infection links, allow for the attribution of this attack to Intellexa’s Predator.
The infection on Teixeira Cândido’s phone appears to have been removed when the phone was restarted on the evening of 4 May. Between 4 May and 16 June 2024, the attacker sent 11 further Predator infection links, all of which appear to have failed, possibly because they were not opened.
Detailed information about the attack can be found in the technical briefing Journalism under attack: Predator spyware in Angola.
Predator spyware has been used to actively target individuals in Angola since at least early 2023. Amnesty researchers believe the targeting of Teixeira Cândido is likely part of a broader spyware campaign in the country.
“Forensic analysis conducted by Amnesty International’s Security Lab confirmed with high confidence that the infection links are tied to Intellexa’s Predator spyware and resulted in at least one successful infection of Teixeira Cândido’s phone,
Carolina Rocha da Silva, Operations Manager at Amnesty International’s Security Lab.
Teixeira Cândido’s spyware attack is a grave violation of his rights to privacy and freedom of expression, which in themselves impact a host of other rights such as freedom of association and peaceful assembly, as reported by Amnesty International. Such attacks have a chilling effect on journalists’ ability to do their work.
In a previous investigation, Amnesty International revealed that, once installed, Predator spyware can gain total access to data stored on or transmitted from a target’s device including encrypted messaging apps, audio recordings, emails, device locations, screenshots, photos, stored passwords, contacts and call logs. It can also activate the microphone. The spyware is designed to leave no traces on the target’s device, which renders renders any independent audit of potential abuses difficult. This type of highly invasive spyware is fundamentally incompatible with human rights.
The attack occurs amid a tightening authoritarian environment in Angola under President João Lourenço’s administration, marked by the repression of peaceful protests and the routine use of excessive or unnecessary force, arbitrary arrests and detentions, as well as abuses in detention, and enforced disappearances.
The case also underscores how the commercial sale and use of surveillance technologies without adequate safeguards continues to enable human rights abuses globally.
Amnesty International sent a letter on 27 January 2026 to Intellexa outlining the findings of the investigation and seeking information about the company’s human rights due diligence processes. No response had been received by the time of publication.
Background
In December 2025, Amnesty International, together with Inside Story, Haaretz and WAV Research Collective, published the Intellexa Leaks, which revealed new evidence on Intellexa’s internal operations and documented further Predator-linked abuses.
