Connect with us

Hi, what are you looking for?



US Gov Mercenary Spyware Clampdown Hits Cytrox, Intellexa

The two foreign companies are being sanctioned for “for trafficking in cyber exploits used to gain access to information systems.” 

The US government’s clampdown on commercial spyware and mercenary hacking companies ramped up this week with the addition of Cytrox and Intellexa to an ‘entity list’ that limits their access to American-made components and technologies.

A new announcement (PDF) from the Biden administration’s Commerce Department flagged the two foreign companies “for trafficking in cyber exploits used to gain access to information systems, thereby threatening the privacy and security of individuals and organizations worldwide.” 

Cytrox, which has been linked to malware found spying on a European lawmaker, was exposed as the vendor behind the notorious Predator iPhone eavesdropper implant.

The University of Toronto’s Citizen Lab teamed up with the threat-intel team at Facebook parent company Meta to identify Cytrox alongside a handful of PSOAs (private sector offensive actors) in the murky surveillance-for-hire industry. Citizen Lab said Cytrox is responsible for a piece of iPhone eavesdropping malware that was planted on phones belonging to two notable Egyptians.  

The company’s Predator eavesdropper was able to infect the then-latest iOS version (14.6) using single-click links sent via WhatsApp messenger.  

Like Cytrox, Intellexa has also been publicly outed as a mercenary offensive security outfit selling million-dollar iOS and Android hacking services.

In November 2021, the US government added Israeli commercial spyware firm NSO Group to the entity list, a move that will require special government permission to do business with American companies. 

Advertisement. Scroll to continue reading.

The department said putting these companies on the entity list was part of the Biden administration’s efforts to promote human rights in US foreign policy.

Related: Spyware Firm Offering iOS, Android Hacking Services for $8 Million

Related: European Lawmaker Targeted With Cytrox Predator Surveillance Spyware

Related: Citizen Lab Exposes Cytrox as Vendor Behind ‘Predator’ iPhone Spyware

Related: Calls Mount for US Gov Clampdown on Mercenary Spyware Merchants

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...