Predator spyware infrastructure taken down after exposure

For the second time in six months, the operators of the Predator spyware burned down their infrastructure after it was publicly documented.
Data center with abstract connections. (imaginima/Getty Images).

After its infrastructure was exposed in a pair of reports last week, the operators of the Predator spyware platform dismantled a swath of delivery servers over the weekend that are used to administer the tool.

The move to spin down the servers came after researchers with Recorded Future’s Insikt Group and Sekoia separately published analyses detailing how the operators of Predator — one of a number of digital tools billed as a platform to combat crime and terrorism but widely abused to violate human rights — had rebuilt their technical infrastructure after an earlier instance in which it had been exposed by researchers.

The decision to pull down Predator’s infrastructure is the second time in about six months that the operators of the spyware have taken down their infrastructure after it was exposed, illustrating what has become a cat-and-mouse game between researchers who seek to understand and publicly document the spyware industry and companies trying to operate undetected.

The first wind down occurred in the weeks following the October 2023 publication of “The Predator Files,” in which a consortium of news outlets working together with Amnesty International’s Security Lab detailed how the tool had been abused to target civil society, journalists, politicians and academics.


That the operators took down the delivery infrastructure is “somewhat unsurprising but certainly interesting,” Julian-Ferdinand Vögele, a threat analyst and the lead author of the Insikt Group’s report, told CyberScoop on Monday.

When confronted about the ways their tools are being abused, spyware companies often argue that their technologies cannot be centrally administered, but the “coordinated or simultaneous nature of the takedown” indicates that a central player provides and manages the infrastructure, contrary to firms’ typical arguments around “plausible deniability,” Vögele argued.

The operators may face pressure from clients to swiftly establish new servers to continue operations or fulfill service agreements, Vögele added, and an open question is the degree to which the infrastructure will change. When Predator reconstituted after the reports published in October, for instance, its infrastructure saw only minor changes, he said.

“The second in-depth public reporting on their infrastructure might now compel them to rebuild in a more substantial and distinct manner this time,” Vögele said.

Predator dates to at least 2019 and was originally developed by a firm known as Cytrox, which was eventually folded into a conglomeration of multiple entities under the “Intellexa alliance” umbrella, Vitor Ventura, a researcher with Cisco Talos, said in a presentation at the September 2023 LABScon security conference in Arizona.


Both Cytrox and Intellexa were blacklisted by the U.S. government in July 2023.

Neither Tal Dilian, the Israeli businessman behind Intellexa, nor his ex-wife and business partner who is also reportedly linked to Intellexa, responded to a request for comment Monday.

Latest Podcasts