
Researchers find Jordan government used Cellebrite phone-cracking tech against activists

22 January 2026 at 12:26

Jordanian authorities used Cellebrite phone-cracking technology to access the devices of domestic activists and human rights defenders and then extract information from them, according to an investigation published Thursday.

The nonconsensual access stood in conflict with international human rights treaties that Jordan ratified, the University of Toronto’s Citizen Lab investigation determined, prompting the research organization to call on Cellebrite to open a probe into clients in Jordan.

Citizen Lab, which released its investigation in coordination with the Organized Crime and Corruption Reporting Project (OCCRP), analyzed the phones of four activists after Jordanian authorities seized and returned them, then concluded with “high confidence” that the devices had been subjected to Cellebrite’s forensic extraction products. Court documents from criminal proceedings under Jordan’s 2023 Cybercrime Law supplied additional evidence.

The cases Citizen Lab evaluated transpired between late 2023 and mid-2025, during a time of protests in support of Palestinians. They involved a political activist, student organizer, activist/researcher and human rights defender, three of whom had iPhones and the other of whom had an Android device.

The Citizen Lab probe adds to a body of reporting about alleged Cellebrite abuses. Last year, Amnesty International reported that Serbian authorities had used Cellebrite in conjunction with spyware to eavesdrop on activists and journalists, the latter category of whom have reportedly had their phones accessed in a number of countries via Cellebrite tech.

Citizen Lab further concluded that products by the Israel-based Cellebrite are widely used against civil society in Jordan, with forensic data showing its use dating back to at least 2020.

“Surveillance is not limited to spyware,” said the lead author of the report, Kamel Al-Shawareb, a pseudonymous research fellow at Citizen Lab. “Authoritarian states access smartphone data remotely with spyware like Pegasus or by physically seizing a device and using Cellebrite to access the contents.”

Activists whose phones Citizen Lab examined said it shook their confidence and had them resorting to self-censorship.

“I felt wronged and violated, like they stole something from me, and not because they’re strong, but because we’re legally weak,” one of the people told the OCCRP on condition of anonymity. 

Victor Cooper, a spokesperson for Cellebrite, said that the company can’t disclose specific information on its customers. But he said it prohibits transactions with any entities on the sanctions list of the United States and other nations and organizations. 

“Beyond these baselines, the company vets potential customers against internal human rights parameters, leading us to historically cease business in jurisdictions where risks were deemed incompatible with our corporate values,” he said in an email to CyberScoop. “We license technology solely for lawful purposes, requiring customers to explicitly certify they possess valid legal authority prior to usage.”

He said that Cellebrite tech, unlike spyware, can’t intercept communications or monitor devices in real time, but rather can access private data under legal processes to aid investigations after something has occurred.

“We take seriously all allegations of potential misuse of our technology in ways that would run counter to both explicit and implied conditions outlined in our end-user agreement,” Cooper said. “Once solid information is shared with Cellebrite, we review the allegations and take proactive precise steps to investigate each claim in accordance with our ethics and integrity policies. When appropriate we stop the use of our products by the relevant customers.”

Citizen Lab said Cellebrite’s responses to its questions as part of the investigation were “vague and unsubstantiated.”

Jordan’s Ministry of Government Affairs and its embassy in the United States did not respond to requests for comment.

The post Researchers find Jordan government used Cellebrite phone-cracking tech against activists appeared first on CyberScoop.

Trump pulls US out of international cyber orgs

8 January 2026 at 12:39

The Trump administration is withdrawing the United States from a handful of international organizations that work to strengthen cybersecurity.

As part of a broader pullback from 66 international organizations, the administration is leaving the Global Forum on Cyber Expertise, the Online Freedom Coalition and the European Centre of Excellence for Countering Hybrid Threats.

Trump’s decision is in line with a president who has expressed hostility toward the existing international order, an approach critics fear creates a leadership power vacuum for U.S. adversaries to fill.

“The Trump Administration has found these institutions to be redundant in their scope, mismanaged, unnecessary, wasteful, poorly run, captured by the interests of actors advancing their own agendas contrary to our own, or a threat to our nation’s sovereignty, freedoms, and general prosperity,” Secretary of State Marco Rubio said in a statement Thursday. “President Trump is clear: It is no longer acceptable to be sending these institutions the blood, sweat, and treasure of the American people, with little to nothing to show for it. The days of billions of dollars in taxpayer money flowing to foreign interests at the expense of our people are over.”

Rubio criticized the international organizations over “DEI mandates,” “‘gender equity’ campaigns” and activities that “constrain American sovereignty.”

The Global Forum on Cyber Expertise works on issues such as critical infrastructure protection, cybercrime, cyber skills and policy and emerging technology. Its members include nations and government organizations like Interpol, but also tech companies like Hewlett Packard, Mastercard and Palo Alto Networks.

The forum says it supports gender inclusivity, asserting that “gender is a cross cutting issue with direct relevance to achieving international peace and security.”

A former president of the Global Forum on Cyber Expertise Foundation, Chris Painter, said he was “surprised” by the withdrawal.

“It’s a non-political capacity-building platform that the U.S. helped establish and that has done good work in the Western Balkans and Asian Pacific, among other places, that I think advances U.S. interests,” said Painter, also the former top cyber diplomat at the State Department.

Ron Deibert, a professor of political science and the founder and director of the University of Toronto’s Citizen Lab, said the withdrawal from the forum and the cuts at the U.S. Cybersecurity and Infrastructure Security Agency would “further erode network security coordination at a time when the magnitude of cyber threats are rapidly increasing.”

Nina Jankowicz, a former Biden administration disinformation official who is now head of the American Sunlight Project, a nonprofit dedicated to fighting disinformation, took note of the Trump administration — “which claims to care about free speech” — exiting the Freedom Online Coalition, which counts as its goals the support of “free expression, association, assembly, and privacy online.”

The coalition has campaigned against cybersecurity laws that suppress human rights and cyberattacks that imperil individual safety.

The European Centre of Excellence for Countering Hybrid Threats works to protect its members, which include members of the North Atlantic Treaty Organization, from an array of threats, among them those that manifest in cyberspace.

The Trump administration also withdrew from other organizations whose work more tangentially touches on cybersecurity, such as the International Law Commission.

Whatever flaws there are with some of the organizations Trump withdrew from, they are contributors to the “international rules-based order,” Deibert said.

“Without state participation, especially the powerful rich states, these forums will grind to a halt,” he said. “Even on a symbolic level, having a government like the U.S. ‘not there’ means very little can happen on a global level. This will likely lead to more regionalization and likely greater spaces for corruption and authoritarian practices to spread.”

The U.S. decision will “inevitably weaken the rights and security of Americans and people around the world for years to come,” said Alexandra Givens, president of the Center for Democracy and Technology.

“Americans should be concerned that their government is abandoning longstanding efforts to advance democracy, defend human rights online, and stop the abuses of spyware, particularly as free expression comes under attack from governments around the world — including our own,” Givens said. “U.S. participation in international collaboration on human rights standards helps keep Americans safe.”

The post Trump pulls US out of international cyber orgs appeared first on CyberScoop.

Intellexa remotely accessed Predator spyware customer systems, investigation finds

4 December 2025 at 17:24

Leaked training videos suggest that Intellexa retained the ability to remotely access the systems of customers who had used its Predator spyware, raising questions about human rights safeguards, according to an investigation published Thursday.

That was just one finding from a series of separate but overlapping probes released over the past 24 hours. The training video revelations came via a joint investigation by Inside Story, Haaretz and WAV Research Collective in partnership with Amnesty International. Google and Recorded Future also published research Thursday about Intellexa.

“The fact that, at least in some cases, Intellexa appears to have retained the capability to remotely access Predator customer logs – allowing company staff to see details of surveillance operations and targeted individuals [—] raises questions about its own human rights due diligence processes,” Jurre van Bergen, technologist at Amnesty International Security Lab, said in a news release.

“If a mercenary spyware company is found to be directly involved in the operation of its product, then by human rights standards, it could potentially leave them open to claims of liability in cases of misuse and if any human rights abuses are caused by the use of spyware,” he continued.

The “Intellexa Leaks” investigation learned more about the U.S.-sanctioned company’s operations as well. One revelation was that Intellexa was exploiting malicious mobile advertisements to infect targets, a vector named “Aladdin,” investigators concluded.

Other findings include confirmation of Predator domains imitating legitimate Kazakhstani news sites, and additional evidence linking Predator spyware to surveillance of prominent Egyptian political activist Ayman Nour and Greek investigative journalist Thanasis Koukakis, according to Amnesty. And the news publications reported on the first reported Predator infection in Pakistan, of a human rights lawyer, and additional targeting in the country.

A lawyer for Intellexa founder Tal Dilian only responded in part to questions from Haaretz, the publication reported, saying that “progressive groups rely on biased and politically motivated international organizations that spread unfounded claims, and use journalists, as ‘useful idiots,’ who repeatedly publish so-called investigative reports directed by the same actors.”

The attorney added: “I have not committed any crime nor operated any cyber system in Greece or anywhere else. Any claim suggesting otherwise is false and defamatory. I categorically reject any attempt to link me to events in Greece or to the media campaign surrounding them. I protect my rights and will continue pursuing legal action against those who defame me.”

Recorded Future’s Insikt Group, meanwhile, published a study on individuals and groups connected to Intellexa.

“These connections span technical, operational, and corporate roles, including backend development, infrastructure setup, and company formation,” wrote Julian-Ferdinand Vögele, principal threat researcher. “In addition, Recorded Future’s proprietary intelligence revealed ongoing Predator spyware activity in multiple countries, including new evidence of its deployment in Iraq.”

On Wednesday, Google said it had identified the companies Intellexa had created to infiltrate the advertising ecosystems, with partners subsequently shutting down the accounts.

Additionally, the firm pointed to one way Intellexa stands out among others.

“Over the past several years, Intellexa has solidified its position as one of, if not the most, prolific spyware vendors exploiting zero-day vulnerabilities against mobile browsers,” a blog post from Google Threat Intelligence Group reads. “Despite the consistent efforts of security researchers and platform vendors to identify and patch these flaws, Intellexa repeatedly demonstrates an ability to procure or develop new zero-day exploits, quickly adapting and continuing operations for their customers.”

The post Intellexa remotely accessed Predator spyware customer systems, investigation finds appeared first on CyberScoop.
