The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Tuesday removed three individuals linked to the Intellexa Consortium, the holding company behind a commercial spyware known as Predator, from the specially designated nationals list.
The names of the individuals are as follows –
- Merom Harpaz
- Andrea Nicola Constantino Hermes Gambazzi
- Sara Aleksandra Fayssal Hamou
Hamou was sanctioned by OFAC in March 2024, and Harpaz and Gambazzi were targeted in September 2024 in connection with developing, operating, and distributing Predator. The Treasury’s press release does not give any reason as to why they were removed from the list.
However, in a statement shared with Reuters, it said the removal “was done as part of the normal administrative process in response to a petition request for reconsideration.” The department added that the individuals had “demonstrated measures to separate themselves from the Intellexa Consortium.”
Harpaz is said to be working as a manager of Intellexa S.A., while Gambazzi was identified as the owner of Thalestris Limited and Intellexa Limited. Thalestris, Treasury Department said, held the distribution rights to the spyware, and processed transactions on behalf of other entities within the Intellexa Consortium. It’s also the parent company to Intellexa S.A.
Hamou was listed by the Treasury as one of the key enablers of the Intellexa Consortium, working as a corporate off-shoring specialist in charge of providing managerial services, including renting office space in Greece on behalf of Intellexa S.A. It’s not known if these individuals are still holding the same positions.
At that time, the agency said the proliferation of commercial spyware presents a growing security risk to the U.S. and its citizens. It called for the need to establish guardrails to ensure the responsible development and use of these technologies while balancing human rights and civil liberties of individuals.
“Any hasty decisions to remove sanctions from individuals involved in attacking U.S. persons and interests risk signaling to bad actors that this behavior may come with little consequences as long as you pay enough [money] for fancy lobbyists,” said Natalia Krapiva, senior tech legal counsel at Access Now.
The development comes merely weeks after an Amnesty International report revealed that a human rights lawyer from Pakistan’s Balochistan province was targeted by a Predator attack attempt via a WhatsApp message.
Active since at least 2019, Predator is designed for stealth, leaving little to no traces of compromise, while harvesting sensitive data from infected devices. It’s typically delivered via 1-click or zero-click attack vectors.
Similar to NSO Group’s Pegasus, the tool is officially marketed for counterterrorism and law enforcement use. But investigations have revealed a broader pattern of its deployment against civil society figures, including journalists, activists, and politicians.
A Recorded Future analysis of Intellexa’s corporate web published this month found continued use of Predator despite increased public reporting and international measures.
“Several key trends are shaping the spyware ecosystem, including growing balkanization as companies split along geopolitical lines, with some sanctioned entities seeking renewed legitimacy through acquisitions while others shift toward regions with weaker oversight,” the Mastercard-owned company said.
“Furthermore, rising competition and secrecy surrounding high-value exploit technologies are heightening risks of corruption, insider leaks, and attacks on spyware vendors themselves.”
(The story was updated after publication to include additional information from Reuters.)
