Journalist Teixeira Cândido surveilled with Predator spyware, a first in Angola

Imagine being in the middle of an investigation, interviewing a source, or even just talking to your loved ones while constantly being watched. That is what Teixeira Candidofelt when he learned that his phone had been infected with the spyware Predator, developedby Cytrox, a company registered in North Macedonia, and marketed by the Intellexa group. It is the first known case of a journalist or member of civil society being targeted by the spyware in Angola.

According to Amnesty International's technical report, which the RSF Digital Security Lab supported, the phone was infected on 4 May 2024, after the journalist clicked on a malicious link sent by an unidentified individual via WhatsApp, and the infection only lasted a few hours. "The individual initially introduced himself as a member of a group of students conducting research, without sending me any links," Teixeira Cândido recalls. The malicious links came later. Over a two-month period, at least ten links were sent to the journalist from the same number. Both the attacker and the person who commissioned the attack have yet to be identified. When contacted for comment, the Intellexa group did not respond.

When interviewed by RSF on 10 February 2026, the journalist, who has worked in the industry for more than 25 years, expressed his concern: "I feel as though I took a shower with the door wide open. They had access to my private life, to deeply personal matters. To this day, I still don't know what they took from my phone." In the spring of 2024, around the time the surveillance took place, Teixeira Cândido, who also hosts a program every Saturday on Radio Essencial, was preparing the transition out of his management role at the Angolan Journalists' Union.

Teixeira Cândido's initial suspicions date back to 2022, when the SJA's office was burgled three times in three months. Other journalists - including João Armando, the director of Jornal Expansão, and Raquel Rio, at the time a correspondent for the Portuguese news agency Lusa- were also victims of similar incidents at their homes that same year. In each case, computers belonging to the union and the journalists were stolen.

Goodbye phone calls about sensitive topics, hello face-to-face meetings

Since these revelations, Teixeira Cândido has taken precautions regarding his digital identity. He no longer discusses sensitive topics over the phone or via messaging applications and now prioritises face-to-face meetings. Several Angolan journalists who were informed of the case have also changed their habits for fear of surveillance.

Evaristo Mulaza, Director-General of Valor Económiconewspaper and Rádio Essencialradio station, close to Teixeira Cândido, believes that these revelations "only confirm the suspicions that have always existed within the Angolan journalism community." Although he has not yet taken "exceptional measures," he is now more cautious about the type of information he shares by text or phone call.

Evidence of Predator found by several institutions

Although the infection of Teixeira Cândido's phone is a first in Angola, several organisations had previously warned of the likely use of Predator in the country. In an October 2023 report, Amnesty International statedits analysis indicated "active customers or targeting of individuals [...]in Angola." This assessment was echoedthat same month by the cybersecurity company Sekoia. In February 2024, the company reportedthat Predator was still active in the country, with strengthened operational security. Seven months later, the Insikt Group - a subsidiary of the American cybersecurity company Recorded Future - revealeda new infrastructure "associated with Predator customer(s) in Angola."

To read Amnesty International's technical report, click here.

Launched in July 2022, the RSF Digital Security Lab conducts in-depth analyses of devices belonging to journalists who suspect they are under digital surveillance.