
Egypt's Digital Spy Games: Targeting Journalists with Hackin

Forget your run-of-the-mill phishing scams. We're talking about highly targeted, sophisticated cyberattacks, allegedly paid for, designed to silence critical voices in Egypt. This isn't just tech; it's a digital assault on dissent.


Key Takeaways

  • Sophisticated, paid hacking operations are targeting Egyptian journalists and critics.
  • The attacks utilize advanced phishing techniques and can deploy powerful spyware.
  • The infrastructure suggests state-sponsored or state-aligned actors are behind the operations.
  • Identifying the paymasters is crucial for understanding and combating these attacks.

Here’s a number to make you sit up: zero. That’s how many legitimate reasons governments have to hire shadowy hacking outfits to spy on their own citizens, especially journalists. Yet, that’s precisely what a new investigation from Access Now’s Digital Security Helpline alleges, pointing the finger at sophisticated, paid phishing operations targeting prominent Egyptian journalists and government critics, Mustafa Al-Aasar and Ahmed Tantawi.

This isn’t your grandma’s spam email, folks. This is targeted espionage. The attackers, according to the report, meticulously craft messages that appear to come from trusted sources, aiming to trick victims into handing over their account credentials. We’re talking about the kind of digital sleight-of-hand that makes your standard Nigerian prince scam look like a kid’s lemonade stand.

The incidents occurred between 2023 and 2024, and the targets aren’t exactly random. Both Al-Aasar and Tantawi are vocal critics of the Egyptian government, have faced politically motivated arrests, and Tantawi himself was previously targeted with spyware. It’s a pattern, and frankly, it’s a disturbing one.

The Usual Suspects (and the Money Trail)

To dig into this mess, Access Now teamed up with Lookout, a mobile security outfit. Their analysis, looking at the technical infrastructure and the attack vectors, independently concluded that “unidentified entities” used an “Asia-linked mercenary hacking organization” to conduct these spying operations. The kicker? The infrastructure used isn’t just for breaking in; it’s capable of deploying spyware that can steal data, access your files, track your location, and even turn on your phone’s microphone and camera. Nice.

And it doesn’t stop there. This same type of sophisticated attack infrastructure, according to analysis from SMEX (an organization promoting digital rights in Western Asia and North Africa), was also likely behind a similar 2025 attack targeting a prominent, unnamed Lebanese journalist. The implication is clear: we’re looking at a recurring problem, possibly with the same culprits or at least a shared playbook.

When civil society is facing increasingly complex and dangerous digital attacks, sharing knowledge about these espionage campaigns and methods becomes less of an option and more of a necessity. So, what are we really looking at here?

Who Are These People They’re Trying to Silence?

Let’s get specific about the targets. Mustafa Al-Aasar is an award-winning independent Egyptian journalist and human rights defender. He spent nearly four years as a political prisoner in Egypt for his work before relocating. Ahmed Tantawi, another journalist and a former member of the Egyptian Journalists Syndicate, transitioned into politics. He led coverage of domestic affairs and socio-economic challenges at the weekly Al-Karama newspaper. Between 2015 and 2020, he served as a Member of Parliament. He then emerged as a prominent opposition figure to the current president, Abdel Fattah el-Sisi. In 2023, Tantawi announced his intention to run for president but withdrew from the race after dozens of his supporters and relatives were arrested, his campaign activities were stifled, and he himself was eventually detained. A separate investigation by Citizen Lab at the University of Toronto found that his phone was targeted with Predator spyware from Intellexa in September 2021 and again between May and September 2023.

The third individual, who wishes to remain anonymous, is another journalist whose career spans decades, including reporting, editing, and shaping public discourse on political issues. They were the target in the SMEX investigation.

The ‘How’ Is Even More Alarming

The attackers launched their phishing campaign against Al-Aasar and Tantawi in October 2023, with renewed attempts in January 2024. Their goal: to breach Al-Aasar’s and Tantawi’s digital accounts, specifically their Apple and Google accounts. As noted, they impersonated trusted individuals and services, building rapport through various channels.

Our investigation uncovered a persistent and established attack infrastructure, with interconnected domains, hosting providers, and scripting companies. This setup is capable of deploying Android spyware that grants access to files, contacts, text messages, and location data, and can even activate the microphone and camera on smartphones. The attackers are using fake accounts, messages, and pages to impersonate real people and mimic popular services like Signal, all to deliver malware to their targets. This has prompted Signal and other companies to issue warnings to their users about such phishing campaigns.

After receiving a message that appeared to be from Apple, Al-Aasar entered his account details. However, when he received a two-factor authentication notification indicating a login attempt from a remote location in Egypt, he recognized the danger, ceased interaction, and immediately sought assistance. Tantawi, on the other hand, did not fall for the trap, and the attackers ultimately failed to breach his or Al-Aasar’s accounts.

Had they succeeded, they would have gained unrestricted access to the personal and professional information stored in their Apple or Google accounts, including details concerning their families, associates, and journalistic sources. Given the years of ongoing government pressure on independent media and opposition movements in Egypt, coupled with the arrests of Tantawi’s family members and supporters, it’s clear that this digital attack would have put both victims, as well as their networks of family, friends, colleagues, and supporters, at considerable risk.

Who Is Actually Making Money Here?

This is where my internal skepticism alarm starts blaring. When you hear about “mercenary hacking organizations” and “paid phishing operations,” the first question that needs asking is: Who is the client? And more importantly, who is footing the bill? In this scenario, the primary suspects are, unsurprisingly, state actors or entities closely aligned with them. The infrastructure and the sophistication suggest a deep pocket and a clear directive. The profit motive for the hacking group is obvious – they get paid. But the real money and power, the ones truly benefiting from the silencing of journalists and dissidents, are the ones commissioning these digital hits.

This isn’t just about data theft; it’s about suffocating opposition and controlling narratives. The tech itself—the spyware, the phishing infrastructure—is merely the tool. The true story is about power, repression, and the commodification of digital surveillance for political gain.

What Can Be Done?

While general advice is provided, it’s crucial to understand your personal risk level. If you’re a journalist, activist, or anyone in the crosshairs of a sophisticated threat actor, seek professional, trusted guidance. Don’t just rely on generic internet tips; your digital life might be worth more than you think.

Key Takeaways:

  • Targeted phishing attacks are becoming more sophisticated and are allegedly being carried out by paid mercenary groups.
  • Egyptian journalists and government critics are facing advanced digital espionage campaigns.
  • The infrastructure used is capable of deploying powerful spyware on mobile devices.
  • Identifying the ultimate paymasters behind such operations is crucial for accountability.


Frequently Asked Questions

What does this report mean for digital security in the Middle East and North Africa?
This report highlights an escalating threat landscape where sophisticated, potentially state-sponsored digital attacks are being used to target civil society and silence dissent in the MENA region, underscoring the need for enhanced digital security measures and international cooperation.

Will these attacks replace traditional methods of surveillance and suppression?
While these advanced digital attacks are a growing concern and can be highly effective, they often complement, rather than entirely replace, traditional methods of surveillance and suppression, creating a multi-layered approach to control.

How can I protect myself from targeted phishing attacks like these?
Protect yourself by enabling two-factor authentication on all important accounts, being extremely cautious of unsolicited messages, verifying sender identities, and never clicking on suspicious links or downloading unexpected attachments; for high-risk individuals, consider specialized security consulting.

Written by
Legal AI Beat Editorial Team




Originally reported by Access Now
