Espionage for repression: hack-for-hire phishing campaign targets civil society in MENA

Access Now’s Digital Security Helpline has exposed a hack-for-hire phishing campaign targeting prominent Egyptian journalists and government critics. Together with Lookout and SMEX, we discovered how attackers use the same technical infrastructure, which also has the capacity to deliver spyware, to lure multiple victims. “We are raising the alarm — especially as a warning to journalists in the Middle East and North Africa — to exercise caution and shore up their digital practices,” says Access Now’s Marwa Fatafta. Read the report to find out how the attacks were carried out and how to protect your community. Read more via Access Now

Stay safe and secure

WATCH: How to spot a phishing attack

The attackers exposed in our investigation sent messages that appeared to be from trusted services and platforms in efforts to compromise targets’ accounts. This not only divulges your information, but can also expose your colleagues, clients and sources, or family members. In case you missed it, our Digital Security Helpline’s recent webinar shows how to strengthen your digital defenses, offering insight from some of the experts who worked with us on the investigation. And remember, the Helpline is available 24/7 to assist civil society members facing digital threats. Watch now via Access Now

Follow the money

Sandvine’s tech sales to Egypt almost broke the private equity-backed company

One victim of the phishing attacks we uncovered is former Egyptian MP Ahmed Eltantawy, who faced multiple hacking attempts after declaring his presidential run against incumbent Abdel Fattah El-Sisi, and who was imprisoned for peaceful political activities. Spyware attacks against Eltantawy documented by The Citizen Lab were facilitated using technology from the company formerly known as Sandvine, which now claims to be a “technology solution leader for democracies.” Access Now’s Natalia Krapiva talks to Bloomberg about Sandvine’s recent rebrand — and whether its technology remains a threat. Read more via Bloomberg

Lebanon under fire

Can Lebanon survive the digital war?

Despite a fragile ceasefire reached between the U.S. and Iran earlier this week, as we write Israeli forces continue to bombard Lebanon, and at least 250 people were killed on Wednesday alone. The reported death toll currently stands at more than 1,500 people; another one million have been displaced. Amid this devastation, Lebanon’s already fragile digital infrastructure is buckling, and digital rights are under attack, as documented by local partner SMEX. “Recognizing the digital front of the war is the first step,” says Mohamad Najem, SMEX’s executive director. “What matters now is responding to it as an active and consequential reality.” Read more via SMEX

Release Ahmed, now

Civil society calls for the immediate release of Ahmed Douma

This week, Egyptian activist, poet, and political writer Ahmed Douma was arrested and detained by Egyptian authorities on spurious grounds of spreading “false news and rumors inside and outside the country that would disturb public order.” This is part of a campaign of judicial harassment against Douma for his online expression, which has persisted even after his 2023 presidential pardon and subsequent release following a decade in prison. Access Now joins more than 30 other civil society organizations in demanding Douma’s immediate release from pretrial detention and an end to his persecution. Read more via Egyptian Front for Human Rights

The scourge of spyware

The market for spyware is growing — and it’s being used differently against women

Women activists, journalists, and human rights defenders living in exile are increasingly attacked, threatened, or censored in cases of gender-based digital transnational repression. Fuller examines the gender-specific harms that occur when women, girls, and non-binary people are targeted with spyware and surveillance tools, with Eva Galperin from the Electronic Frontier Foundation (EFF) underscoring the importance of culture and context: “A lot of the kind of imagery that you might think might be harmless in certain contexts might get someone killed.” Read more via Fuller

ICE acknowledges it is using powerful spyware

Last year, news broke that U.S. Immigration and Customs Enforcement (ICE) was reactivating a USD $ 2 million contract with spyware vendor Paragon Solutions. Now it seems they have put that money to work; ICE has notified members of the U.S. Congress that they have used Paragon’s spyware tools in drug trafficking cases. As NPR notes, this is the first time ICE has admitted to using Graphite, a tool that has been misused to violate human rights around the world. We need urgent action to ensure that federal agencies do not use spyware in violation of U.S. laws and fundamental human rights. Read more via NPR

Opportunities and other highlights

RightsCon 2026 is fast approaching!

With less than a month to go until RightsCon 2026 kicks off on May 5 in Lusaka, Zambia and online, you still have one more week to grab your spot at regular prices. Don’t miss your chance to join four days of sessions, networking, and dialogue on digital rights at our first-ever summit in Southern Africa. Want to learn more? Start exploring the program and plan your participation today. Read more via Access Now

LISTEN: “The dark side of the kill switch”

If you haven’t had the chance yet to read our latest #KeepItOn report packed full of data on 2025’s internet shutdowns, fear not: the latest episode of Somewhere on Earth’s Global Tech Podcast has essential insights from Access Now’s Felicia Anthonio and Zack Rosson, including what the data reveals about who is hitting the kill switch, and who is fighting back. Tune in via Somewhere on Earth

You are receiving this newsletter because you subscribed to the Access Now Express. This email and all other Access Now communications are sent in compliance with our Data Usage Policy. Feel free to contact us at [email protected] with any questions or concerns.