Donncha Ó Cearbhaill
@donncha.is
Head of Security Lab - Amnesty International
Hunting spyware and unlawful surveillance targeting activists and civil society.
For help with digital forensics or suspect spyware threats contact: https://securitylab.amnesty.org/get-help/
Hunting spyware and unlawful surveillance targeting activists and civil society.
For help with digital forensics or suspect spyware threats contact: https://securitylab.amnesty.org/get-help/
The level of remote access is more extensive and lax than previously thought. Intellexa staff simply logged in with TeamViewer (!) to a remote Predator customer system.
The video shows staff could see live targeting and infection attempts from EAGLE_2, a customer in Kazakhstan.
The video shows staff could see live targeting and infection attempts from EAGLE_2, a customer in Kazakhstan.
December 4, 2025 at 2:38 PM
The level of remote access is more extensive and lax than previously thought. Intellexa staff simply logged in with TeamViewer (!) to a remote Predator customer system.
The video shows staff could see live targeting and infection attempts from EAGLE_2, a customer in Kazakhstan.
The video shows staff could see live targeting and infection attempts from EAGLE_2, a customer in Kazakhstan.
A leaked training video show a client list (by codename): Dragon, Eagle, Falcon, Flamingo, Fox & more. Our investigation confirms Eagle is Kazakhstan; Phoenix, the 2023 Predator Files investigation found, was Libya.
www.haaretz.com/israel-news/...
www.haaretz.com/israel-news/...
December 4, 2025 at 2:38 PM
A leaked training video show a client list (by codename): Dragon, Eagle, Falcon, Flamingo, Fox & more. Our investigation confirms Eagle is Kazakhstan; Phoenix, the 2023 Predator Files investigation found, was Libya.
www.haaretz.com/israel-news/...
www.haaretz.com/israel-news/...
Shockingly, the leaks shows that Intellexa kept REMOTE ACCESS to Predator systems deployed on government clients’ premises — meaning the company had the potential to see data about surveillance victims in real time..
December 4, 2025 at 2:38 PM
Shockingly, the leaks shows that Intellexa kept REMOTE ACCESS to Predator systems deployed on government clients’ premises — meaning the company had the potential to see data about surveillance victims in real time..
🚨 A huge leak exposes the new targets and internal operations of Intellexa, the secretive and murky company behind the notorious Predator spyware.
Introducing #IntellexaLeaks, a joint investigation with partners @insidestory.gr, @haaretzcom.bsky.social & WAV Research Collective 🧵👇
Introducing #IntellexaLeaks, a joint investigation with partners @insidestory.gr, @haaretzcom.bsky.social & WAV Research Collective 🧵👇
December 4, 2025 at 2:38 PM
🚨 A huge leak exposes the new targets and internal operations of Intellexa, the secretive and murky company behind the notorious Predator spyware.
Introducing #IntellexaLeaks, a joint investigation with partners @insidestory.gr, @haaretzcom.bsky.social & WAV Research Collective 🧵👇
Introducing #IntellexaLeaks, a joint investigation with partners @insidestory.gr, @haaretzcom.bsky.social & WAV Research Collective 🧵👇
Great Firewall Export: A new investigation by @amnesty.org
and partners reveals how Geedge Networks, a Chinese company is commercializing the tech behind China's notorious "Great Firewall".
A huge leak of Geedge data reveal their products, deployed in China, Pakistan, and Myanmar among others.
and partners reveals how Geedge Networks, a Chinese company is commercializing the tech behind China's notorious "Great Firewall".
A huge leak of Geedge data reveal their products, deployed in China, Pakistan, and Myanmar among others.
September 9, 2025 at 12:51 PM
Great Firewall Export: A new investigation by @amnesty.org
and partners reveals how Geedge Networks, a Chinese company is commercializing the tech behind China's notorious "Great Firewall".
A huge leak of Geedge data reveal their products, deployed in China, Pakistan, and Myanmar among others.
and partners reveals how Geedge Networks, a Chinese company is commercializing the tech behind China's notorious "Great Firewall".
A huge leak of Geedge data reveal their products, deployed in China, Pakistan, and Myanmar among others.
The two investigative journalist - who focus heavily on corruption by public officials and connected business figures - received infection links from an unknown number over Viber.
Amnesty was able to confirm with high-confidence that these were Pegasus infection links.
Amnesty was able to confirm with high-confidence that these were Pegasus infection links.
March 27, 2025 at 1:08 PM
The two investigative journalist - who focus heavily on corruption by public officials and connected business figures - received infection links from an unknown number over Viber.
Amnesty was able to confirm with high-confidence that these were Pegasus infection links.
Amnesty was able to confirm with high-confidence that these were Pegasus infection links.
📢 LAST CHANCE: Apply for @amnesty.org's Digital Forensic Fellowship!
Working with our team at the Security Lab, you'll learn the tech and investigative skills needed to expose how governments abuse advanced spyware and other surveillance tech against activists and civil society.
Working with our team at the Security Lab, you'll learn the tech and investigative skills needed to expose how governments abuse advanced spyware and other surveillance tech against activists and civil society.
January 21, 2025 at 11:22 AM
📢 LAST CHANCE: Apply for @amnesty.org's Digital Forensic Fellowship!
Working with our team at the Security Lab, you'll learn the tech and investigative skills needed to expose how governments abuse advanced spyware and other surveillance tech against activists and civil society.
Working with our team at the Security Lab, you'll learn the tech and investigative skills needed to expose how governments abuse advanced spyware and other surveillance tech against activists and civil society.
7/ There is much more tech info including Android forensic traces, Cellebrite exploit analysis, and possible Android zero-click spyware traces in the report.
We also have recommendations for mobile devices vendors on how to harden against these threats.
We also have recommendations for mobile devices vendors on how to harden against these threats.
December 16, 2024 at 9:58 AM
7/ There is much more tech info including Android forensic traces, Cellebrite exploit analysis, and possible Android zero-click spyware traces in the report.
We also have recommendations for mobile devices vendors on how to harden against these threats.
We also have recommendations for mobile devices vendors on how to harden against these threats.
5/ We documented seven individual spyware cases - three with NSO Group's Pegasus spyware, and with the newly discovered NoviSpy.
We found that NoviSpy has been active since at least 2019, and there are indications hundreds of devices may have been targeted in recent years.
We found that NoviSpy has been active since at least 2019, and there are indications hundreds of devices may have been targeted in recent years.
December 16, 2024 at 9:58 AM
5/ We documented seven individual spyware cases - three with NSO Group's Pegasus spyware, and with the newly discovered NoviSpy.
We found that NoviSpy has been active since at least 2019, and there are indications hundreds of devices may have been targeted in recent years.
We found that NoviSpy has been active since at least 2019, and there are indications hundreds of devices may have been targeted in recent years.
4/ We found that NoviSpy infections often occur during police encounters. In one shocking case, an activist went to BIA (Serbia's domestic intelligence service) to fill a complaint as a victim of a crime. During the 2 hour interview, BIA infected their phone
December 16, 2024 at 9:58 AM
4/ We found that NoviSpy infections often occur during police encounters. In one shocking case, an activist went to BIA (Serbia's domestic intelligence service) to fill a complaint as a victim of a crime. During the 2 hour interview, BIA infected their phone
2/ Our forensic investigation found a pattern where Cellebrite zero-day exploits were used to first bypass Android device lock screens and encryption before infection. Cellebrite UFED has also been used widely to extract data from phones of youth activists and protestors
December 16, 2024 at 9:58 AM
2/ Our forensic investigation found a pattern where Cellebrite zero-day exploits were used to first bypass Android device lock screens and encryption before infection. Cellebrite UFED has also been used widely to extract data from phones of youth activists and protestors
1/ In February 2024, During a supposedly routine police traffic stop, Serbian journalist Slaviša Milanov had his phone unlocked with Cellebrite and covertly hacked and infected with the #NoviSpy spyware by Serbian authorities
December 16, 2024 at 9:58 AM
1/ In February 2024, During a supposedly routine police traffic stop, Serbian journalist Slaviša Milanov had his phone unlocked with Cellebrite and covertly hacked and infected with the #NoviSpy spyware by Serbian authorities