A court handed Intellexa's founder an eight-year suspended sentence. The Predator spyware network shrugged - and kept running. This is how the surveillance industry survives every consequence thrown at it.
On February 26, 2026, a Greek court delivered what one researcher called "the first time an executive at a mercenary spy company has been convicted and sentenced to prison." The defendants included Tal Dilian, founder of the Intellexa consortium and former commander of an elite Israeli military intelligence unit, alongside his ex-wife and business partner Sara Hamou, senior executive Felix Bitzios, and Greek security firm owner Yiannis Lavranos.
The charge: breaching the confidentiality of telephone communications, plus illegal access to information systems. The sentence: eight years each, suspended pending appeal.
The problem: Predator spyware, Intellexa's flagship surveillance product, was used to hack a journalist in Angola in May 2024 - after the US sanctions. It was detected in Pakistan in summer 2025 - after every public exposure, every congressional hearing, every sanctions listing. And as of late 2025, Amnesty International's Security Lab confirmed it was still being actively deployed against human rights defenders across multiple continents.
The verdict was historic. The surveillance kept running. This is the story of how one of the world's most dangerous commercial spyware companies has survived sanctions, criminal prosecution, and years of investigative exposure - by building its network to be deliberately, structurally indestructible.
Greece's "Predatorgate" scandal erupted in 2022 when investigators discovered that Intellexa's Predator spyware had been used to infect the phones of 87 prominent individuals - including the current leader of the main opposition party, a journalist who covered corruption in the Greek banking sector, the editor of the country's top newspaper, and multiple military officials.
The revelations forced the resignation of the head of Greece's intelligence agency, EYP, and a senior aide to Prime Minister Kyriakos Mitsotakis. Despite this, no criminal charges were brought against senior government officials. The prosecution that eventually led to last month's conviction targeted the private businesspeople who operated the infrastructure - not the government clients who ordered the surveillance.
Yiannis Lavranos owned the Greek security firm that purchased Intellexa's Predator license. He was the customer-facing end of the operation. Tal Dilian and Sara Hamou were the architects who built and sold it. Felix Bitzios was the executive who ran the commercial operation. The court found all four guilty of deploying the surveillance capability against Greek citizens, including protected journalists.
"This is the first time that an executive at a mercenary spy company has been convicted and sentenced to prison. What this shows is when all the facts of spyware companies' business models get in front of a fair judge, consequences will follow." - John Scott-Railton, Senior Researcher, Citizen Lab at the University of Toronto
Scott-Railton's optimism is earned - but it comes with a caveat the researcher knows well. The sentences are suspended pending appeals. Dilian has already stated he plans to appeal, calling the verdict "fundamentally irreconcilable with the evidentiary record." His legal team has resources. The judicial process in Greece could drag on for years. Meanwhile, every shell company, every Cyprus offshore entity, every Portuguese front firm continues to operate.
The court agreed to share the trial record with judicial authorities to investigate potential additional offenses, including possible espionage charges. That investigation has not yet begun. The prosecutor indicated the evidence warranted scrutiny of whether the hacking constituted state espionage. But "may investigate" is not "will prosecute," and the European Union has yet to sanction a single Intellexa-linked entity - despite the US having done so twice.
Intellexa is not a company. It is a consortium - a deliberate web of interlocking entities designed to make accountability geometrically complex. Tal Dilian constructed this architecture intentionally, drawing on his background in Israeli military signals intelligence.
Predator is the product. It gives any government customer complete covert access to a target's mobile device: microphone, camera, contacts, messages, files - everything. The infection typically requires a single click on a malicious link delivered over WhatsApp or SMS. In some documented cases, Predator achieved "zero-click" infection - no interaction from the target at all.
The consortium's structure was built around Cyprus, an EU member state that offered Intellexa a combination of light-touch regulation, favorable tax treatment, and geographic proximity to both European clients and Middle Eastern ones. Sara Hamou established the Cyprus hub specifically to leverage EU single-market access while keeping operational details offshore. As ICIJ's 2023 Cyprus Confidential investigation documented, the Cypriot corporate registry contained a dense web of Intellexa-linked shell companies, nominee directors, and offshore subsidiaries.
Cytrox, the North Macedonian subsidiary that actually developed Predator's code, was connected through layers of intermediate holding companies. This distance between the product, the sale, and the liability was not accidental. It was architecture.
Intellexa did not sell surveillance capability to governments with good human rights records. The business model depended on selling to clients who faced no accountability for how they used it.
Sudan's Rapid Support Forces (RSF) - a paramilitary group whose actions in the ongoing Sudanese civil war have been described by United Nations experts as bearing "the hallmarks of genocide" - were Intellexa clients. The RSF, led by General Mohamed Hamdan Dagalo, known as Hemeti, has been accused of mass rape, ethnic cleansing, and the deliberate targeting of civilian infrastructure. They had access to Predator.
Egypt's intelligence services purchased Predator. The Egyptian government under President Abdel Fattah el-Sisi has imprisoned tens of thousands of political opponents, journalists, and activists since the 2013 coup. Predator gave Cairo the ability to monitor critics both domestically and in the diaspora.
Vietnam attempted to use Predator to hack the devices of US government officials - an extraordinary act of espionage against a nation with which it ostensibly maintains normal diplomatic relations. This detail appeared in the US Treasury's September 2024 sanctions filing against additional Intellexa executives.
The Insikt Group, a division of Recorded Future, reported in June 2024 that Predator spyware appeared to be operating in more than a dozen countries - including Saudi Arabia, the Democratic Republic of Congo, and Kazakhstan. The resurgence report noted that Predator operators had adopted new technical tactics to evade detection by security researchers and conceal the geographic origin of infrastructure.
Teixeira Candido, an Angolan journalist and outspoken advocate for press freedom, discovered his phone had been infected with Predator in May 2024. That was two months after the United States imposed its first round of sanctions on Dilian and Hamou. The sanctions had made no operational difference to the Predator network.
"I was scared, of course, because I didn't know what content they took from my phone, from my emails, and I didn't know what they had listened to. It feels like you're walking naked and being watched." - Teixeira Candido, Angolan journalist, to ICIJ
Candido approached Amnesty International's Security Lab after a burglary at the headquarters of the Syndicate of Angolan Journalists - where he served as president - in which computers were stolen. The burglary and the spyware infection formed a pattern that pointed to state surveillance. The Angolan government denied involvement.
The United States has now acted against Intellexa twice. In March 2024, the Treasury Department's Office of Foreign Assets Control sanctioned Tal Dilian and Sara Hamou directly. The Treasury described Dilian as "the architect behind Intellexa's spyware tools" and Hamou as "a corporate off-shoring specialist." Both were placed on the Specially Designated Nationals list, freezing any US-based assets and prohibiting Americans from doing business with them.
Six months later, in September 2024, OFAC expanded the sanctions to five additional individuals: Felix Bitzios, Andrea Gambazzi, Merom Harpaz, Panagiota Karaoli, and Artemis Artemiou. A British Virgin Islands-based company called the Aliada Group was also sanctioned for allegedly enabling tens of millions of dollars in transactions for the spyware consortium. The Treasury noted that Aliada had moved significant sums to keep Intellexa operational despite growing regulatory pressure.
The US also placed Intellexa on its Entity List - effectively an export blacklist - and the State Department imposed visa bans on individuals involved in commercial spyware misuse.
None of it stopped the surveillance.
The structural reason sanctions failed is geography. The United States can freeze US-held assets and prohibit American firms from transacting with sanctioned entities. But Intellexa operated primarily through EU-based structures - Cyprus, Greece, Portugal, and other member states - where no equivalent sanctions regime existed. The European Union, despite the Predatorgate scandal erupting inside its own borders, despite an EU parliamentary committee investigation that produced scathing findings, did not sanction Intellexa, Dilian, Hamou, or any entity in the constellation.
Sophie in 't Veld, former chair of the EU Parliament's special committee on the Pegasus and Predator spyware scandals, said it plainly on social media: "Maybe the US should then also sanction the Member State governments, the EU Commission and EUCO. They are the enablers in chief of the abuse of, and illicit trade in spyware, giving Intellexa tax breaks, government contracts and export licenses."
Hamou's US sanctions were lifted in late 2025 - even as evidence mounted that the network she helped construct remained operational.
When the first round of US sanctions hit in March 2024, the Intellexa network did not dissolve. It restructured. The corporate archaeology that investigators have traced over the following 18 months reveals a methodical process of moving assets, relabeling entities, and inserting new nominal owners to sever the visible ownership chain from the sanctioned individuals.
The most revealing example is Medovie, a skincare company that Sara Hamou co-founded and described publicly as the product of "all my savings." The company positioned itself as combining traditional Chinese medicine with Western dermatology research. It had no apparent connection to surveillance technology. It operated through a Cypriot firm.
Shortly after Hamou was sanctioned, Medovie's website went offline. Then, in early 2025, it came back - under a new Portuguese company called MDV Skin Care. The director of MDV Skin Care is Sylwia Jastrzebska, a 26-year-old Polish citizen who had previously served as director of Cytrox, the North Macedonian company that developed Predator spyware. Cytrox is itself a sanctioned entity.
The discovery of Jastrzebska as the link between Medovie and Cytrox came after a Czech journalist visited the home of the previous nominal Cytrox director - a 70-year-old pensioner in a small Czech village who told the reporter she had never heard of the company. Jastrzebska was appointed to replace this front figure.
Medovie's privacy policy, as ICIJ noted, states that it shares client data with unnamed companies in the "Medovie Group" based in Israel, Cyprus, and Switzerland. For a skincare firm, that is an unusual data-sharing arrangement.
The Portuguese thread does not end with Jastrzebska. She also serves as president of Douro Dynamics, a Warsaw-based company owned by Amos Levy, an Israeli-Portuguese businessman. In June 2024, Levy incorporated a Portuguese company called Odyssey in the Sky and used it to acquire a Cyprus-based company previously owned by Tal Dilian himself. The transfer moved Dilian's Cyprus entity out of his name and into Levy's corporate structure - a clean break in the ownership record, executed months after the first US sanctions landed.
Levy obtained Portuguese citizenship through a certificate of Sephardic Jewish descent issued by the Jewish Community of Porto in 2017 - a program designed to offer citizenship to descendants of Jews expelled from Iberia in the 15th century. The program has been used by numerous individuals seeking EU residency and business access.
In December 2025, a consortium of journalists from Inside Story, Haaretz, and WAV Research Collective published what they called "the Intellexa Leaks" - a cache of internal company documents, sales materials, and training videos that revealed the operational architecture of Predator in unprecedented detail.
Amnesty International's Security Lab served as technical partner on the project, verifying the leaked materials and conducting forensic analysis to confirm their authenticity. The findings were alarming on multiple levels.
The most significant revelation: Intellexa retained the capability to remotely access Predator customer systems - including those physically located on the premises of government intelligence agencies. This means that when Egypt's intelligence service used Predator to surveil a journalist, Intellexa had technical access to the surveillance data being collected. When Sudan's RSF used Predator, Intellexa could observe the RSF's target list.
This is not simply a corporate backdoor. It means Intellexa - a private company operating through a web of offshore entities and fronts - has been sitting inside the surveillance operations of every government client it has ever served. It has visibility into who authoritarian governments are watching, what they know, and potentially what they plan to do with that information.
The intelligence implications are profound. A company with this access is not just a spyware vendor. It is a node in a global surveillance network with a unique position: it can see across all clients simultaneously. That position has enormous value, both commercially and to any intelligence service that might have penetrated or co-opted Intellexa's own infrastructure.
The leaked materials also provided forensic confirmation of previously reported cases. Technical evidence in the leaked files confirmed that Predator was used in the specific Greek and Egyptian cases that Amnesty and Citizen Lab had documented independently - closing any remaining dispute about whether those incidents involved Intellexa's product specifically.
Separately, Amnesty's Security Lab confirmed new evidence of Predator operations in Pakistan. In summer 2025, a human rights lawyer from Pakistan's Balochistan province received a malicious link over WhatsApp. The link was attributed to a Predator attack based on the infection server's technical behavior and the specific characteristics of the one-time infection link - consistent with previously documented Predator methodology. This was the first documented use of Predator in Pakistan.
The targeting came at a moment of severe repression in Balochistan, a province experiencing increasing internet shutdowns, arrests of activists, and paramilitary operations. The Baloch human rights community has been designated by Pakistani authorities as a terrorist threat. Predator gave the government another tool for identifying and monitoring individuals it considered a threat.
The contrast between US and European responses to Intellexa is not accidental. It reflects a structural feature of how European governments have related to their commercial surveillance industries.
When the EU's Pega Committee - established specifically to investigate the Pegasus and Predator spyware abuses that had infected EU member states - published its findings in 2023, it concluded that EU member state governments, including Greece, Hungary, and Spain, had deployed commercial spyware against journalists, politicians, and civil society. The committee recommended sanctions, export controls, and a prohibition on deploying commercial spyware within the EU.
None of those recommendations were implemented. The European Commission declined to introduce legislation banning commercial spyware. EU member states continued to grant export licenses to spyware firms. Greece's government - despite its own Predatorgate scandal - did not implement the committee's recommended reforms.
Intellexa has operated continuously within EU territory throughout the period from initial exposure in 2022 through the conviction in February 2026. As Sophie in 't Veld noted, the company received tax breaks and government contracts from EU member states even while being listed on a US export blacklist and sanctioned by the Treasury Department.
The structural problem is interest alignment. European intelligence services are themselves customers of commercial spyware. Member state governments that purchase Predator have an interest in ensuring those vendors remain accessible and operational. Sanctioning Intellexa would sanction their own surveillance capability. The EU institutions that might enforce rules have consistently deferred to member state interests on this question.
"Maybe the US should then also sanction the Member State governments, the EU Commission and EUCO. They are the enablers in chief of the abuse of, and illicit trade in spyware, giving Intellexa tax breaks, government contracts and export licenses." - Sophie in 't Veld, former chair of EU Parliament Pega Committee, writing on X
The conviction in Greece represents an exception - a domestic criminal prosecution brought under existing wiretapping laws rather than any new regulatory framework targeting the spyware industry. Its significance may be precisely that it happened through ordinary criminal law rather than the specialized regulatory infrastructure that has consistently failed to materialize.
Tal Dilian has made clear he intends to appeal the conviction. His response, sent by email to ICIJ after the verdict, contested the factual basis of the ruling and accused the court of scapegoating the defendants for "political leverage or external agendas." His lawyers will argue - as spyware executives consistently argue - that Intellexa sold a technology that clients then chose to deploy, and that the company cannot be responsible for customer use.
This argument has been partially successful elsewhere. NSO Group, maker of the Pegasus spyware and Israel's most prominent commercial surveillance firm, has used similar logic in US litigation - with varying degrees of success. A California federal court ruled in 2024 that NSO Group was not entitled to immunity as a foreign government agent in a lawsuit brought by WhatsApp, a significant setback for the "we just sell the tool" defense.
The Greek prosecutor's recommendation to investigate espionage charges is potentially more serious. Espionage carries different penalties and different evidentiary standards than the wiretapping conviction. If a subsequent investigation established that Intellexa had actively shared surveillance data collected on Greek citizens - including political figures and military personnel - with foreign intelligence services, the charges could escalate dramatically.
The revelation in the Intellexa Leaks that the company maintained remote access to customer surveillance systems makes this question urgent. If Intellexa could see what Greek intelligence was doing with Predator, what did they do with that access? Who received that intelligence? Did it flow back to Israeli military intelligence networks? To other government clients? To private buyers?
These questions remain unanswered. No government has launched a formal investigation into Intellexa's own data collection practices. The December 2025 leaks have not yet generated the prosecutorial attention they warrant. The EU has still not sanctioned a single Intellexa-linked entity. The Greek conviction, for now, stands alone as the single meaningful legal consequence delivered to the surveillance industry's most publicly documented bad actor.
Meanwhile, the infrastructure keeps running. The skincare websites redirect. The Portuguese companies maintain their registrations. The Balochistan human rights lawyer's phone is less secure than it was before someone paid to infect it. And somewhere, in a server cluster in an undisclosed jurisdiction, Predator waits for the next government to place an order and wire the funds.
The surveillance industry's core insight - that its product is too useful to powerful people for those powerful people to actually shut it down - has survived every test so far. One suspended prison sentence, however historic, does not change the structural calculus. Until the EU closes the regulatory gap that the US has partially addressed, until the financial flows enabling Intellexa's reconstituted network are traced and frozen, and until governments that purchased Predator face consequences for buying it, Tal Dilian's appeal will proceed in courts his lawyers know well - and the spyware will keep finding new phones to infect.