Pakistan rejected allegations published in an Amnesty International report on Thursday that claimed an Israeli manufactured spyware system was in active use inside the country. A senior intelligence officer, speaking to Dawn on condition of anonymity, described the report as an attempt to malign Pakistan and asserted that there was not an iota of truth in the findings. The rebuttal came shortly after the release of Amnesty International’s investigation titled Intellexa Leaks, which detailed the account of a Pakistan based human rights lawyer who had contacted the organisation in the summer of 2025 after receiving a suspicious link through WhatsApp from an unknown number.
Amnesty Security Lab examined the link and determined it to be associated with a Predator attack attempt, identifying the indicators through the behaviour of the infection server. Predator is a sophisticated spyware tool developed by Israeli company Intellexa and is known for its ability to infiltrate mobile devices through a structured infection chain. The broader investigation drew on highly sensitive documents leaked from Intellexa’s internal operations. These included company files, sales records, marketing material, and training videos, offering insight into an ecosystem that researchers had long struggled to fully understand. Amnesty International published the findings in collaboration with partners in Greece, Israel, and Switzerland. Intellexa had previously been fined by the Greek Data Protection Authority in 2023 for failing to comply with inquiries into its activities. More recently, Google began issuing spyware threat notifications to hundreds of its users across several countries, Pakistan among them, identifying accounts that had been targeted using Predator.
The report outlined the method through which Predator operates. Intellexa’s system primarily relies on one click attacks that require the victim to open a malicious link sent to their device. Once accessed, the link triggers a browser based exploit through Chrome or Safari, granting the attacker initial entry and enabling the subsequent download of the complete spyware payload. After installation, Predator gains access to a wide range of encrypted and unencrypted data including messages from Signal and WhatsApp, audio recordings, emails, device location points, stored passwords, contacts, call logs, screenshots, and camera images. It also activates the device microphone to capture live surroundings. Surveillance data is then transmitted to a Predator backend server located physically within the customer’s country. All exfiltrated information is first routed through a CNC Anonymization Network, a multilayered chain designed to conceal the operator responsible for launching the original attack link.
Intellexa reportedly invested extensively in overcoming limitations linked to exposure during the infection phase. According to the leaked material reviewed in the investigation, the company developed mechanisms aimed at triggering the opening of malicious links without requiring the target to click manually. Among these was a strategic infection vector known as Aladdin, which enabled silent zero click infections worldwide by exploiting commercial mobile advertising systems. This approach allowed covert deployments that bypassed traditional user interaction requirements. Amnesty International stated that Intellexa’s business model centres on the development and sale of advanced surveillance tools to government clients, with Predator serving as its flagship product. Despite widespread scrutiny, much of its internal structure and operational workflow had remained largely concealed until the recent leak surfaced.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
