Hack-for-Hire: New Report Investigates Hacking Campaign Against Egyptian Journalists

A new report by Access Now's Digital Security Helpline, Espionage for repression: forensic analysis of a cross-border hack-for-hire campaign targeting civil society in MENA, exposes a hack-for-hire campaign targeting two prominent Egyptian journalists and government critics, Mostafa Al-A'sar and Ahmed Eltantawy, through a series of spear-phishing attacks.

The attacks — which used messages that appeared to be from legitimate people and services to obtain personal data including credentials and financial data from targets — were carried out from 2023 to 2024. Both targets have previously faced political imprisonment; one was previously targeted with spyware.

"The phishing attacks against prominent Egyptian journalists were notable for their persistence and the high level of knowledge from the attackers of the targets," said Mohammed Al-Maskati, Digital Security Helpline Director at Access Now. "In the face of mounting digital risks for independent voices, the investigation also confirms the importance of exercising caution and improving one's ability to spot and prevent possible attacks. By showing the way these threat actors operate, Access Now's Digital Security Helpline seeks to increase awareness among other people and communities who may be at risk themselves."

To complete the technical assessments of the attacks, Access Now collaborated with mobile security company Lookout, who assert that the hack-for-hire campaign is likely tied to an Asian threat actor.

The complexities of such attacks can often help mask the identity of the perpetrators, meaning attribution can not always be assigned with certainty. There is not enough information for Access Now to confidently conclude which government(s) may be behind these attacks, however, at least one spear-phishing instance appears to originate from Egypt.

"This hack-for-hire campaign exposes yet another weapon in the arsenal of malicious actors determined to crush dissent and silence truth-tellers in the region," said Marwa Fatafta, MENA Policy and Advocacy Director at Access Now. "Spear-phishing attacks are often a cheaper alternative or a complementary tool to spyware, so we are raising the alarm — especially as a warning to journalists in the Middle East and North Africa — to exercise caution and shore up their digital practices."

Access Now also contributed to SMEX's investigation of a similar attack in 2025, likely by the same actor, against a Lebanese journalist.

© Scoop Media