A foreign government attempted to use commercial spyware to put listening devices in the phones of U.S. lawmakers and U.S. journalists. The campaign used public replies on the social platform X to push one-click links that led to servers tied to the Predator spyware infrastructure. That effort is not theory. It was documented by forensic investigators working with major news outlets and Amnesty International’s Security Lab.

The operation was unusually blunt. Attackers posted reply tweets that contained links which, if clicked, would have delivered Predator to iOS or Android devices. Google and independent researchers tested those links and traced them to infrastructure associated with Predator. To date there is no public evidence the attacks succeeded in implanting the spyware on the lawmakers’ devices, but the technique exposed both a clear intent and a dangerous capability available to actors outside the major powers.

Predator is not a cottage-industry tool. It is produced and distributed by companies in the Intellexa/Cytrox network and it behaves like other high-end commercial spyware: full access to microphone, camera, messages and files once installed. The U.S. government has already taken steps to choke off that trade. The Commerce Department added Intellexa and Cytrox-related entities to an export control entity list in mid-2023, and Treasury actions have followed to punish related actors. Those moves set a precedent, but they are not a comprehensive defense.

Why this matters to homeland security is simple. Commercial spyware lowers the barrier to high-end surveillance. Nations or proxies that previously could not field sophisticated cyber-espionage now can lease or buy it. When the targets are members of Congress, think tank experts, or journalists, the intelligence payoff is direct: private policy deliberations, committee strategy, diplomatic backchannels and reporting angles all become harvestable data if a device is compromised. This is exactly the risk documented by Amnesty and independent labs during the Predator Files investigation.

There are immediate, practical steps that protect high-value targets and limit damage. First, compartmentalize. Elected officials and senior staff should use dedicated, hardened devices for classified or sensitive policy work and separate consumer phones for public-facing tasks. Second, adopt defensive features and best practices: enable platform hardening options such as Apple’s Lockdown Mode where feasible, keep devices patched, restrict link-clicking by staff, and reduce social media account administration privileges. Third, invest in detection and forensic tooling. Amnesty’s Security Lab and others publish indicators and tools that help find traces of Predator and similar spyware. These are not silver bullets but they matter.
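As an added illustration of the third step (not code from this article, from Amnesty, or from any platform), the script below reads domain and URL indicators written in the STIX-style pattern form that published spyware indicator sets commonly use, and flags links in collected reply posts that match them. The indicator values and posts are constructed placeholders, not real Predator infrastructure.

```python
import re
from urllib.parse import urlsplit

# Constructed sample indicators in STIX pattern syntax. These are
# placeholder names on reserved TLDs, not real Predator indicators.
SAMPLE_INDICATORS = [
    "[domain-name:value = 'news-update-example.test']",
    "[domain-name:value = 'cdn.breaking-story.example']",
    "[url:value = 'https://cdn.breaking-story.example/article/4412']",
]

PATTERN_RE = re.compile(r"\[(domain-name|url):value\s*=\s*'([^']+)'\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def parse_indicators(patterns):
    """Split STIX patterns into a set of domains and a set of exact URLs."""
    domains, urls = set(), set()
    for p in patterns:
        m = PATTERN_RE.fullmatch(p.strip())
        if not m:
            continue  # unsupported pattern type, skip rather than guess
        kind, value = m.groups()
        (domains if kind == "domain-name" else urls).add(value.lower())
    return domains, urls

def host_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def scan_posts(posts, patterns):
    """Return (post_id, url, reason) for every link that hits an indicator."""
    domains, urls = parse_indicators(patterns)
    hits = []
    for post_id, text in posts:
        for url in URL_RE.findall(text):
            host = urlsplit(url).hostname or ""
            if url.lower().rstrip("/") in urls:
                hits.append((post_id, url, "url"))
            elif host_matches(host, domains):
                hits.append((post_id, url, "domain"))
    return hits

# Constructed reply posts of the kind collected from a public timeline.
SAMPLE_POSTS = [
    ("p1", "Great thread, see https://news-update-example.test/x?id=7"),
    ("p2", "Context here: https://www.example.org/report"),
    ("p3", "Full story https://cdn.breaking-story.example/article/4412"),
    ("p4", "Mirror at https://m.news-update-example.test/"),
]

if __name__ == "__main__":
    for hit in scan_posts(SAMPLE_POSTS, SAMPLE_INDICATORS):
        print(hit)
```

Subdomain matching is deliberate: operators rotate hostnames under a known parent domain, so an exact-host comparison alone misses p4.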

Longer term, the policy response needs to be strategic and uncompromising. Tighten export and secondary-market controls on exploit tooling. Expand the legal and financial penalties for intermediaries that traffic in offensive cyber capabilities. Require mandatory breach notification and forensic review when devices used by public officials are flagged or targeted. Fund defensive research that finds and neutralizes zero-click and one-click vectors before adversaries can weaponize them at scale. The Commerce Department’s entity listing and Treasury measures show that tools exist to disrupt this market. Use them deliberately and more broadly.

Finally, treat user-facing platforms as strategic terrain. The attackers chose public replies on X because social platforms scale reach and create cover. Platforms must remain accountable for rapid takedown, for sharing forensic indicators with defenders, and for blocking accounts and infrastructure tied to commercial spyware distribution. Government and platform operators must coordinate faster and with clearer rules about disclosure to affected officials. The Predator incidents are a clear warning: the attack surface for surveillance is now social, mobile and commoditized. The defense must be equally adaptive and direct.

No one should underplay how close this came to a different outcome. The operational clumsiness of the campaign helped investigators trace it. That luck can change. Make the technical fixes. Push the policy levers. Harden the people. If we accept anything less, we will be playing catch-up while foreign tools eat away at our decision space.