A new report by Access Now’s Digital Security Helpline, Espionage for repression: forensic analysis of a cross-border hack-for-hire campaign targeting civil society in MENA, exposes a hack-for-hire campaign targeting two prominent Egyptian journalists and government critics, Mostafa Al-A’sar and Ahmed Eltantawy, through a series of spear-phishing attacks.
The attacks — which used messages that appeared to be from legitimate people and services to obtain personal data including credentials and financial data from targets — were carried out from 2023 to 2024. Both targets have previously faced political imprisonment; one was previously targeted with spyware.
The phishing attacks against prominent Egyptian journalists were notable for their persistence and the high level of knowledge from the attackers of the targets. In the face of mounting digital risks for independent voices, the investigation also confirms the importance of exercising caution and improving one’s ability to spot and prevent possible attacks. By showing the way these threat actors operate, Access Now’s Digital Security Helpline seeks to increase awareness among other people and communities who may be at risk themselves.Mohammed Al-Maskati, Digital Security Helpline Director at Access Now
To complete the technical assessments of the attacks, Access Now collaborated with mobile security company Lookout, who assert that the hack-for-hire campaign is likely tied to an Asian threat actor.
The complexities of such attacks can often help mask the identity of the perpetrators, meaning attribution can not always be assigned with certainty. There is not enough information for Access Now to confidently conclude which government(s) may be behind these attacks, however, at least one spear-phishing instance appears to originate from Egypt.
This hack-for-hire campaign exposes yet another weapon in the arsenal of malicious actors determined to crush dissent and silence truth-tellers in the region. Spear-phishing attacks are often a cheaper alternative or a complementary tool to spyware, so we are raising the alarm — especially as a warning to journalists in the Middle East and North Africa — to exercise caution and shore up their digital practices.Marwa Fatafta, MENA Policy and Advocacy Director at Access Now
Access Now also contributed to SMEX’s investigation of a similar attack in 2025, likely by the same actor, against a Lebanese journalist.
Read the forensic report and the accompanying narrative post that dives into the findings. Read the reports from SMEX and Lookout.