U.S. Lifts Sanctions on Three Individuals Tied to Intellexa and Predator Spyware Amid Growing Concerns Over Stealth Cyberattacks

U.S. Lifts Sanctions on Three Individuals Tied to Intellexa and Predator Spyware Amid Growing Concerns Over Stealth Cyberattacks

Look, this one’s messy. The U.S. just dropped sanctions on three people tied to Intellexa — the company behind the Predator spyware. Names: Merom Harpaz, Andrea Nicola Constantino Hermes Gambazzi, and Sara Aleksandra Fayssal Hamou.

It’s not a big announcement. No fanfare. No press conference. Just a quiet Treasury move, filed under “administrative reconsideration.” And honestly? It feels like a step backward in a fight that’s supposed to be about protecting people — not just playing corporate chess.

The Treasury said the decision followed a formal petition. That’s it. No details. No explanation of why these three specifically, or what changed. Just that they’ve “demonstrated measures to separate themselves” from the Intellexa group. Sounds like a legal loophole. Sounds like a rebrand. Sounds like a way to keep the machine running without the red flags.

And here’s where it gets real — just a few weeks ago, Amnesty International dropped a report showing a human rights lawyer in Balochistan, Pakistan, got targeted via a WhatsApp message using Predator. A single message. A single attack. And it worked. That’s not just scary. That’s terrifying. Because this isn’t some rogue state hacking. This is commercial-grade spyware — sold to governments, marketed as law enforcement, but used to silence activists, journalists, and anyone who dares speak up.

The Predator Spyware Ecosystem: A Tool Marketed for Law Enforcement, Used Elsewhere

Predator first came out in 2019. It’s not like regular malware. It doesn’t need you to click anything. No user interaction. Zero-click or one-click attacks. Just a message, a link, a notification — and suddenly, your phone is compromised. Messages, call logs, GPS tracking, camera, microphone — all gone. All harvested. And no one knows it happened.

Intellexa says it’s for counterterrorism and law enforcement. That’s what they sell it as. But Access Now and Recorded Future have been digging, and what they found? A pattern. Journalists. Activists. Political figures. Civil society leaders — all getting targeted. No oversight. No accountability. Just a black box with a price tag.

And the worst part? It’s not just being used. It’s being sold. And the people behind it? They’re not just engineers. They’re managers. Owners. Financial architects. And they’re doing it in places that don’t watch closely.

Who Were the Sanctioned Individuals?

Merom Harpaz was a manager at Intellexa S.A. — someone who helped run the day-to-day operations. Not the flashy CEO, but the guy who made sure things moved smoothly behind the scenes.

Andrea Nicola Constantino Hermes Gambazzi? She’s the owner of Thalestris Limited and Intellexa Limited. Thalestris? That’s the company that handled the distribution of Predator. It processed payments. Managed logistics. Acted as the financial backbone of the whole thing. And it’s also the parent company of Intellexa S.A. So Gambazzi wasn’t just involved — she was at the center of it all.

Sara Aleksandra Fayssal Hamou? She wasn’t a developer. She wasn’t a hacker. She was a corporate off-shoring specialist. Her job? Rent office space in Greece for Intellexa S.A. Sounds small. But it’s huge. It’s how they hide. It’s how they stay out of the U.S. radar. They move operations across borders. They use shell companies. They make it look like they’re not doing anything. And that’s exactly what the Treasury originally sanctioned them for — helping build, operate, and distribute Predator, tools capable of targeting U.S. persons and interests.

Why the Removal Raises Concerns

Now, I get it — sanctions are bureaucratic. They’re slow. They’re expensive. And sometimes, they just don’t work. But this? This feels like a loophole being exploited.

Natalia Krapiva, tech legal counsel at Access Now, put it plainly: “Any hasty decision to remove sanctions from people involved in attacking U.S. persons and interests risks signaling to bad actors that this behavior may come with little consequences as long as you pay enough for fancy lobbyists.”

That’s not just a theory. That’s what’s happening. Recorded Future’s analysis this month shows Intellexa is still active. Still deploying Predator. Still operating under new names, new structures. The sanctions on individuals don’t stop the flow. They just shift it.

So what does that mean? It means the real threat isn’t gone. It’s just been rebranded. And now, someone with a lot of money and connections can walk away, restructure, and keep doing what they were doing — quietly, efficiently, without a single red flag.

A Broader Trend in the Spyware Industry

This isn’t just Intellexa. This is a whole industry. A global market where companies are splitting up, moving operations, forming alliances — all to stay under the radar. When one gets hit with sanctions, another takes over. When one gets exposed, another gets more secretive.

Intellexa’s been doing this for years. Acquisitions. Restructuring. Legal pivots. They’re not shutting down. They’re just changing shape. And the competition? It’s getting fiercer. NSO Group, the makers of Pegasus, is doing the same thing. More secrecy. More obfuscation. More leaks — sometimes from inside the companies themselves.

Mastercard, which owns Recorded Future, has said this creates a dangerous ecosystem. No oversight. No accountability. Malicious actors can exploit the gaps. They can use the tools without being caught. And the worst part? The tools are getting better. More stealth. More powerful. More dangerous.

What This Means for the Future of Digital Security

So what’s the takeaway? The U.S. is still trying to play catch-up. Sanctions are a tool — but they’re not a solution. This removal doesn’t mean the spyware is safe. It doesn’t mean the threat is over.

The Treasury says it was an administrative decision. But that doesn’t sit right. There’s no transparency. No public reasoning. No explanation of how these individuals changed. No evidence they’ve stopped the harm.

The real problem isn’t just who’s sanctioned. It’s how we define what’s allowed. What’s lawful? What’s justifiable? Who gets to decide?

Right now, the line between intelligence gathering and digital authoritarianism is thin — and private companies, operating in legal gray zones, are stepping across it every day.

This case isn’t just about three people. It’s about a system that’s failing. A system where powerful tools can be sold, used, and hidden — all while the world watches and says, “We don’t know what’s happening.”

And if we don’t start building real guardrails — legal, technical, ethical — then the next attack could be on a teacher, a doctor, a mother. And we won’t even know it happened.

Because in the digital age, silence is the loudest sound of all.