Powerful and invasive foreign commercial spyware and surveillance products are being procured by or deployed in Indonesia, with the country’s national police and cyber agency among the top recipients or users of the technology.

The findings, released Thursday by Amnesty International’s Security Lab, uncover a sprawling international ecosystem of vendors, brokers and resellers supporting spyware exports to Indonesia. That ecosystem is populated in part by notorious commercial surveillance companies Intellexa, Candiru and Q Cyber Technologies, which is tied to the NSO Group, the company behind the highly invasive Pegasus spyware.

Shadowy commercial networks obscured the exports of the surveillance technology to Indonesia, Amnesty International said, making it extremely hard for national and international judicial authorities, regulators and others to track and monitor the sales.

The sprawling spyware ecosystem supplying Indonesian authorities with the invasive technology has been enabled by what Amnesty referred to in a press release as a “systemic lack of information on dual-use surveillance transfers.”

Dual-use technologies are those that can be used for either civilian or military purposes.

Using open-source intelligence such as commercial trade databases, investigators found “numerous spyware imports or deployments” between 2017 and 2023 by both Indonesian corporations and state agencies, with Singapore often serving as a hub for the trafficking.

The report said many of the spyware imports were transferred through firms located in Singapore that appear to have been designed to facilitate the transfers in the shadows. Singapore and other jurisdictions do not make companies’ corporate ownership structures public, Amnesty International said, making tracking the transfer of the spyware all the more difficult. 

“By covering the beneficial owner in this way, verification of end-to-end supply chains for dual-use goods becomes close to impossible, making public procurement oversight challenging,” the report said. 

Amnesty International said it is unsure whom the spyware tools procured by Indonesia targeted.

“Highly invasive spyware tools are designed to be covert and to leave as few traces as possible,” the report said. “This built-in secrecy can make it exceedingly difficult to detect cases of unlawful misuse of these tools against civil society, and risks creating impunity-by-design for rights violations.”

Indonesia’s political culture makes the spyware ecosystem there all the more concerning, the report said.

President Joko Widodo has been criticized for corruption, and he appointed a former military leader accused of significant human rights abuses as his defense minister, sparking outrage from civil society human rights groups.

In Indonesia “civic space has shrunk as a result of the ongoing assault on the rights to freedom of expression, peaceful assembly and association, personal security and freedom of arbitrary detention,” the report said.

Amnesty also found malicious domain names and numerous advanced spyware platforms tied to network infrastructure which appeared to be designed to target Indonesians, the report said.

Candiru and Intellexa, with its Predator system, were among the companies using these domains, which mimicked Indonesian media outlets and opposition political parties.

“Such attack sites are typically chosen by spyware operators to trick their intended targets into clicking through to a site which may expose their device to a potential infection,” the report said. 

The U.S. has placed several spyware companies on its entities list, meaning they are subject to trade restrictions, and in March the Treasury Department sanctioned corporate entities and members of the Intellexa consortium for creating and distributing spyware.
