Aspiring presidential candidate Ahmed Tantawi’s mobile phone was hacked by European commercial spyware manufacturer Cytrox’s Predator spyware multiple times in recent months, Citizen Lab has found.

The University of Toronto-based lab, which investigates malware threats against members of civil society worldwide, completed a report detailing the attacks, a copy of which was obtained by Mada Masr.

“I received repeated messages saying that my WhatsApp account had been hacked and inviting me to open particular links to fix the hacks,” Tantawi told Mada Masr. “I would get the same messages via SMS.”

After Tantawi asked Citizen Lab to scan his devices, the lab found that his iPhone was targeted in the period between May and September 2023 and was potentially subject to hacks at other times.

The hacks come as Tantawi prepares a bid to challenge incumbent President Abdel Fattah al-Sisi in presidential elections due to take place at the outset of 2024. Tantawi, who announced in April his intention to submit his candidacy and has taken the clearest steps of any of the aspiring candidates to mount a campaign, has been subject to close security monitoring. The politician said that security forces conducted arrests targeting several volunteers in his campaign.

Though Citizen Lab report does not hold a specific party responsible for the hacks, the findings come in line with its 2021 findings on the devices of exiled opposition figure Ayman Nour as well as an Egyptian journalist who spoke to Mada Masr on condition of anonymity. They were both targeted in similar attacks, some using the Predator software. In its report on those attacks, Citizen Lab held the Egyptian government responsible.

Nour’s phone — a prominent opposition figure with connections to a number of Egyptian opposition groups, including the Muslim Brotherhood — was infected with the infamous Israeli-made Pegasus spyware as well as Cytrox’s Predator, operated by two different government clients, Citizen Lab said.

Predator was developed by a Macedonian start-up called Cytrox, operating primarily in Israel and Hungary, and is thought to be used by clients in several different countries, including Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia.

Predator, said Citizen Lab, is a surveillance tool providing “its operator complete and persistent access to a targetʼs mobile device” and allowing the extraction of “passwords, files, photos, web history, contacts, as well as identity data (such as information about the mobile device).”

Predator can also take screen captures and monitor user inputs, as well as activate a mobile handsetʼs microphone and camera, allowing attackers to monitor all activity on and in the vicinity of the device, such as conversations conducted in real life. Virtual chat messages can be recorded as they are sent and received, even if sent via encrypted or disappearing-message-enabled apps like WhatsApp or Telegram, as can phone and VoIP calls, including calls through “encrypted” calling apps.

A former vocal parliamentarian and Nasserite opposition figure, Tantawi announced in April that he intends to run in the upcoming presidential elections, which are due to take place between the end of this year and the beginning of the next.

With no other serious contender challenging President Abdel Fattah al-Sisi’s re-election so far, Tantawi’s bid has made headlines in the domestic press, with other active opposition groups considering backing the would-be candidate.

As the contender conducts a campaign to rally support for the nominations stage, Tantawi said this week that security forces are targeting members of his campaign, arresting, detaining and forcibly disappearing a number of participants across the country. The Interior Ministry denied Tantawi’s accusations.

*Note: This piece has been lightly edited for clarity and a copy of the Citizen Lab report has been added since it was originally published.