French software company Nexa sold the notorious malware aptly dubbed “Predator” to various authoritarian regimes around the word, including the Vietnamese government, according to Amnesty International in its recently released “Predator Files” project.
In collaboration with European Investigative Collaborations (EIC) and backed by prominent media including French Mediapart and German der Spiegel magazine, the project disclosed that Vietnam then turned around and launched a vast hacking attempt via Twitter targeting officials, journalists, members of civil society organizations, and institutions in Europe and elsewhere.
Confidential Nexa data obtained by Amnesty revealed a 5.6-million-euro contract, codenamed “AnglerFish,” involving the sale of Predator to Vietnam’s Ministry of Public Security (MOP), the law enforcement body responsible for tracking political opponents and human rights advocates.
Predator, a spyware with the capability to remotely access a phone’s microphone, camera, contacts, and messages, was originally developed by the Macedonian company Cytrox.
Intellexa, an Irish conglomerate founded by former Israeli spies including former military officer Tal Dilian, partnered with French company Nexa and its Dubai subsidiary, Advanced Middle East Systems (Ames), in distributing Predator, with the alliance earning the reputation of being “one of the most mysterious and dangerous ventures in Europe,” according to Der Spiegel.
Predator was allegedly used in an extensive espionage campaign that targeted European lawmakers, institutions, and even the President of Taiwan, Tsai Ing-wen. The perpetrators posted deceptive links on X (formerly Twitter) to lure victims into clicking on them, which then connected to the technical infrastructure of Predator.
Using Predator spyware, the Vietnamese espionage campaign via the twitter account @Joseph_Gordon16 targeted major European figures such as French MEP Pierre Karleskind, European Parliament President Roberta Metsola, and the European Commission. Specifically targeted also were Taiwanese President Tsai Ing-wen, Germany’s ambassador to the US, US legislators, the UN Food and Agriculture Organization’s (FAO) Deputy Director, and an Albanian Minister and MP.
The malware attack also included experts, academics, and specialists in the geopolitics of the China Sea, a tense region where China, Vietnam, the Philippines, and Taiwan compete for sovereignty over a number of archipelagos.
Vietnam has also attempted to hack political opponents such as Khoa Le Trung, an entrepreneur, journalist and head of the “Thoi bao” news website, one of Vietnam’s biggest opposition media outlets.
Deceptive links on Twitter were often disguised as stories. Several media outlets were targeted, including France 24’s English Twitter account and four CNN journalists.
According to the investigation, at least 50 accounts belonging to 27 individuals and 23 institutions were affected by this “targeted surveillance activity,” which took place between February and June, 2023.
One rationale for the hacking of European Commission official accounts and that of one of its employees is that the European Commission has previously reprimanded Vietnam for insufficient efforts to curb illegal fishing.
Nonetheless, the study did not definitively indicate that the targets were effectively infected with the spyware.
In July, the United States blacklisted Cytrox and Intellexa, raising concerns about the wider implications of Predator spyware and its sellers. Given earlier claims of President Macron and his former security chief regarding selling spyware to Saudi Arabia, the principal involvement of French business Nexa raises questions about possible ties to the French government.