The Trump administration this week removed three Iranians from its sanctions list who were previously accused of working for Intellexa, the consortium behind the Predator spyware that recent investigations say has circumvented human rights safeguards.

The Biden administration imposed sanctions against the trio in 2024 as part of a broader move to sanction spyware operators. The Treasury Department noted the deletions this week as part of other sanctions moves.

Under the prior sanctions designations, the Biden administration said that Merom Harpaz was manager of Intellexa S.A., a member of the consortium; that Andrea Nicola Constantino Hermes Gambazzi was functionally the owner of Thalestris Limited and Intellexa Limited, two other consortium members; and that Sara Aleksandra Fayssal Hamou was a corporate off-shoring specialist who has provided managerial services to the Intellexa Consortium.

While the Tuesday notice about the sanctions removal provided no explanation, “this removal was done as part of the normal administrative process in response to a petition request for reconsideration,” a U.S. official told CyberScoop.

“Each individual has demonstrated measures to separate themselves from the Intellexa Consortium and it has been determined that the circumstances resulting in the sanction no longer apply,” the official said. “The power of sanctions derive not only from the ability to designate individuals, but also from our willingness to remove sanctions consistent with the law.”

Only last month, an investigation concluded that despite sanctions against those three individuals and others, Intellexa had retained the capacity to remotely access the systems of Predator customers, raising human rights questions. Other reports from last month found evidence of expanded Predator targeting and exploitation of malicious mobile advertisements to infect targets.

Researchers and advocates who work on spyware issues found the sanctions removals concerning.

“The public deserves to know what evidence exists to prove that these individuals have ceased their involvement with Intellexa,” Natalia Krapiva, senior tech-legal counsel at Access Now, wrote on Bluesky.

John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, said on X that he found the removals “puzzling,” adding that “Some in the mercenary spyware ecosystem are probably reading today’s Intellexa exec [delisting] as: ‘scoff at US, help hack Americans & you can still skirt consequences with the right lobbying.’”

The post Treasury removes Intellexa spyware-linked trio from sanctions list appeared first on CyberScoop.

The Treasury Department on Tuesday sanctioned eight people and two companies it accused of laundering money obtained from cybercrime and IT worker schemes to fund North Korean government objectives.

According to the department, over the last three years North Korea-linked cybercriminals have stolen over $3 billion, mostly in cryptocurrency. In addition, it said, North Korean IT workers are netting hundreds of millions from schemes by faking their identities. It’s all in service of goals that endanger the security of the world, Treasury said.

The bank, IT company and financial institution personnel that the Office of Foreign Assets Control placed on the sanctions list Tuesday add to an ever-growing list this calendar year of parties the United States associates with North Korean cyber activity.

“North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” said John Hurley, Treasury undersecretary for terrorism and financial intelligence. “By generating revenue for Pyongyang’s weapons development, these actors directly threaten U.S. and global security.”

The department designated Jang Kuk Chol and Ho Jong Son, two North Korean bankers; Korea Mangyongdae Computer Technology Company, an IT company; U Yong Su, president of that firm; and Ryujong Credit Bank, a North Korea-based financial institution. It also designated five people who work for North Korean financial institutions: Ho Yong Chol, Han Hong Gil, Jong Sung Hyok, Choe Chun Pom and Ri Jin Hyok.

The two bankers stand accused of managing cryptocurrency funds on behalf of a previously designated entity, First Credit Bank. The IT firm allegedly operates IT worker delegations from at least two cities in China. Treasury said Ryujong Credit Bank aids in avoiding sanctions between China and North Korea. The five employees are China or Russia-based North Korean representatives of the financial institutions who have allegedly facilitated illicit transactions.

Last month, a group of countries including the United States and allies in Europe and Asia published its latest report on North Korea’s evasions and violations of United Nations Security Council resolutions, this time focused on Pyongyang’s cyber and IT operations.

“The Democratic People’s Republic of Korea (DPRK or North Korea) is systematically engaged in violations of United Nations Security Council resolutions (UNSCRs) and related evasion activities through its Information Technology (IT) worker deployments and cyber operations, particularly as related to cryptocurrency theft and cryptocurrency laundering activities,” the report states. ”The DPRK’s cyber force is a full-spectrum, national program operating at a sophistication approaching the cyber programs of China and Russia.”

The post North Korean companies, people sanctioned for money laundering from cybercrime, IT worker schemes appeared first on CyberScoop.