Trump administration removes sanctions on Intellexa Predator spyware figures

TL;DR

The U.S. Treasury has removed three people from its sanctions list who were linked to the Intellexa consortium and the Predator spyware, citing administrative petitions and claimed separation from the group. The move follows other Trump-administration actions easing restrictions on commercial spyware procurement and comes amid a broader set of recent cybersecurity incidents reported globally.

What happened

The Treasury Department has taken three individuals off its Specially Designated Nationals list after they were previously sanctioned for ties to Intellexa, the consortium behind the Predator commercial spyware. The delisted individuals are Sara Hamou (sanctioned March 2024 for managerial services to Intellexa-linked firms), Andrea Gambazzi (beneficial owner of Thalestris Limited, which held Predator distribution rights), and Merom Harpaz (described by U.S. officials as a senior Intellexa executive and sanctioned in September 2024). Reuters reported the Treasury said the removals resulted from routine administrative petitions and that each person had shown measures to separate from the consortium. The article places the delistings in the context of other Trump-administration moves related to commercial spyware, including an earlier lifting of restrictions on ICE procurement. The report also summarizes unrelated infosec developments: a Korean Air contractor data leak tied to Clop, a high-severity router RCE disclosed by researchers at Pwn.ai, a hijacked EmEditor installer distributed in December, and a November data theft affecting Westminster City Council systems.

Why it matters

• Removing sanctioned individuals may ease their ability to engage with U.S. businesses and financial systems, altering enforcement posture toward commercial spyware actors.
• The delistings follow other policy changes that permit U.S. agencies to acquire commercial spyware, raising concerns about proliferation and misuse.
• Commercial spyware like Predator provides broad surveillance capabilities that have been linked to abuse against journalists, dissidents, and political opponents.
• The episode underscores tension between national security sanctions policy and administrative petition processes for delisting.

Key facts

• Three people were removed from the U.S. Treasury's Specially Designated Nationals list after prior sanctions tied to Intellexa and Predator.
• The delisted individuals named in the report are Sara Hamou, Andrea Gambazzi, and Merom Harpaz.
• Hamou was sanctioned in March 2024 for managerial services to Intellexa-linked firms; Gambazzi and Harpaz were sanctioned in September 2024.
• Treasury characterized the delistings as the result of normal administrative petitions and said each individual had demonstrated steps to separate from Intellexa.
• Predator is described as a commercial spyware product that enables device tracking, surveillance, and data theft and remained available through the Intellexa consortium despite earlier U.S. sanctions.
• In a separate development, ICE lifted a stop-work order in September allowing the agency to proceed with acquiring commercial spyware it had previously been blocked from deploying.
• The Atlantic Council reported the United States became the largest investor in commercial spyware, with three times more investors than the next three countries combined.
• Other incidents in the same briefing: KC&D (a former Korean Air unit) disclosed a breach affecting about 30,000 employees, with Clop taking credit; researchers at Pwn.ai disclosed CVE-2025-54322, a CVSS 10.0 RCE in Xspeeder SXZOS; Emurasoft reported a maliciously altered EmEditor installer between Dec. 19–22; Westminster City Council confirmed likely theft of sensitive council data from a November incident.

What to watch next

• Whether Treasury releases further documentation detailing the petitions and the separation measures those individuals reportedly took (not confirmed in the source).
• Whether ICE or other U.S. agencies move forward with new commercial spyware procurements following prior stop‑work order lifts (not confirmed in the source).
• Reactions from privacy and civil‑liberties organizations or additional regulatory steps in response to delistings and procurement changes (not confirmed in the source).

Quick glossary

• Intellexa: A consortium linked in reporting to the distribution of Predator, a commercial surveillance tool; described in prior U.S. sanctions as a security threat.
• Predator: A commercial spyware product that, per reporting, offers capabilities such as device tracking, surveillance, and data exfiltration when installed on target devices.
• Specially Designated Nationals (SDN) list: A Treasury Department list that blocks U.S. persons from dealing with designated individuals and entities and typically restricts access to the U.S. financial system.
• Zero‑day: A software vulnerability that is exploited by attackers before the vendor has released a patch or become aware of the issue.
• Remote Code Execution (RCE): A vulnerability class that allows an attacker to execute arbitrary code on a victim system, potentially leading to full system compromise.

Reader FAQ

Who was removed from the sanctions list?
The report names Sara Hamou, Andrea Gambazzi, and Merom Harpaz as delisted individuals.

Why were these people sanctioned originally?
They were sanctioned for roles tied to Intellexa and Predator: managerial services, ownership tied to distribution rights, and senior executive responsibilities, according to prior Treasury announcements.

Does this mean Predator is now lawful for U.S. use?
Not confirmed in the source.

What other cybersecurity incidents were noted in the same briefing?
The briefing also covered a Korean Air contractor leak affecting about 30,000 employees, a critical router RCE disclosed by Pwn.ai, an EmEditor download hijack in December, and a November data theft affecting Westminster City Council systems.

SECURITY Trump admin sends heart emoji to commercial spyware makers with lifted Predator sanctions Also, Korean Air hacked, EmEditor installer hijacked, a perfect 10 router RCE vuln, and more Brandon…

Sources

• Trump admin sends heart emoji to commercial spyware makers with lifted Predator sanctions
• Trump administration removes three spyware-linked …
• Trump admin lifts sanctions on Predator-linked spyware …

Related posts

• Venezuela interim government says it stands united in support of Maduro
• Using Hinge as a Command and Control Server: Android C2 Proof-of-Concept
• Why PGP still fails: decades of design debt, complexity and risk