The invisible hands of the surveillance state
The global market for commercial spyware is a murky, high-stakes business where powerful digital weapons are sold to governments. For years, headlines have focused on notorious vendors like NSO Group, the creator of the Pegasus spyware. However, a groundbreaking report from Access Now and Citizen Lab reveals a critical, often-overlooked component of this ecosystem: a sprawling network of third-party intermediaries. These brokers, resellers, and integrators are fueling the proliferation of surveillance technology, circumventing regulations, and enabling digital repression on a global scale.
The report, titled “Global Spyware Industry Intermediaries,” pulls back the curtain on the shadowy middlemen who connect spyware developers with government clients. By acting as a buffer, these entities obscure the supply chain, making it nearly impossible for researchers and regulators to track the flow of these dangerous tools and hold perpetrators of abuse accountable.
Background: The rise of the cyber mercenary
The use of commercial spyware by state actors is not a new phenomenon. The mid-2010s saw revelations about firms like Hacking Team and FinFisher selling surveillance tools to authoritarian regimes. But it was the 2021 “Pegasus Project,” an investigation by Amnesty International and Forbidden Stories, that exposed the true extent of the crisis. The investigation revealed that NSO Group’s spyware was used to target thousands of journalists, human rights defenders, and politicians worldwide.
In response, governments took action. In November 2021, the U.S. Commerce Department added NSO Group and its competitor Candiru to its Entity List, restricting their access to U.S. technology. In March 2023, President Biden issued an Executive Order prohibiting U.S. government use of commercial spyware deemed a threat to national security or human rights. While these steps were significant, the new research shows they target only one part of a complex, resilient supply chain.
Technical details: The weapons of digital espionage
The spyware sold through these intermediary networks represents the pinnacle of offensive cyber capability. These are not consumer-grade monitoring apps; they are military-grade surveillance tools designed for stealth and total access. Their primary method of infection relies on exploiting vulnerabilities in software that billions of people use every day.
The most potent attack vector is the **zero-click exploit**. This technique requires no interaction from the target. A specially crafted message or data packet sent to a device can trigger a vulnerability in an app like iMessage or WhatsApp, installing the spyware without the user ever clicking a link or opening a file. This makes traditional phishing awareness training almost useless against the most sophisticated threats.
Once a device is compromised, the spyware grants its operator near-total control. Capabilities include:
- Data Exfiltration: The ability to siphon off emails, text messages (even from encrypted apps), call logs, photos, and files.
- Live Surveillance: Remotely activating the device’s microphone and camera to eavesdrop on conversations and capture video.
- Location Tracking: Real-time GPS monitoring of the target's movements.
- Persistence: Advanced mechanisms to ensure the spyware remains on the device even after a reboot.
Spyware variants like Intellexa's Predator and QuaDream's Reign have demonstrated similar zero-click capabilities, showing that this is an industry-wide practice, not an anomaly limited to one company. The intermediaries ensure these powerful tools reach a wider market, regardless of the end-user’s human rights record.
Impact assessment: A direct threat to civil society
The impact of this unchecked proliferation is profound and devastating. The primary targets are not terrorists or hardened criminals, as vendors often claim. Instead, evidence consistently shows the victims are the very pillars of a free and open society.
Journalists investigating corruption are silenced. Human rights defenders advocating for change are monitored and intimidated. Opposition politicians are spied on, undermining democratic processes. The chilling effect is immense; when individuals know their every digital move could be monitored, self-censorship becomes a survival mechanism, and free expression withers.
The use of intermediaries exacerbates this problem by providing governments with plausible deniability. A regime can acquire a tool like Predator through a local reseller or an offshore shell corporation, making it difficult to definitively link the purchase back to the original developer, such as the Intellexa Alliance. This accountability gap emboldens abusive states and weakens international efforts to impose sanctions or other penalties. The result is a system where repression-as-a-service is a thriving global business.
How to protect yourself
Defending against state-sponsored spyware is exceptionally difficult, especially when zero-click exploits are involved. However, high-risk individuals can take steps to harden their digital defenses and reduce their attack surface.
- Update Everything, Always: The foundation of digital security is keeping your operating system and all applications updated. Zero-click exploits often target known vulnerabilities that have been patched, so timely updates are your first line of defense.
- Enable Lockdown Mode: For iPhone users at high risk, Apple’s Lockdown Mode significantly reduces the attack surface by limiting certain features, such as link previews in messages and complex web technologies, that spyware often targets.
- Use Secure Messengers with Disappearing Messages: Apps like Signal are built with security in mind. Using features like disappearing messages can limit the amount of data available to an attacker if your device is ever compromised.
- Reboot Regularly: Some of the less persistent forms of spyware may not survive a device reboot. Restarting your phone daily can be a simple but effective disruption technique.
- Be Skeptical of All Links: While zero-clicks are the most advanced threat, one-click exploits delivered via spear-phishing are still common. Treat every unsolicited link in an email or message with extreme suspicion.
- Enhance Network Privacy: Masking your IP address and encrypting your internet traffic can add a layer of privacy protection. Using a reliable VPN service can help protect your data, especially on untrusted Wi-Fi networks where network injection attacks might occur.
For those who believe they may have been targeted, forensic tools like Amnesty International’s Mobile Verification Toolkit (MVT) can help identify indicators of compromise, though they often require technical expertise to use effectively.
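To make "indicators of compromise" concrete, here is a simplified sketch of the kind of matching such a check performs, comparing links and process names taken from a device against a STIX2 indicator file. It is an added example, not MVT's own code; the indicator values, record layout and function names are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed STIX2 bundle; the indicator values are placeholders, not real IoCs.
BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
  {"type": "indicator", "pattern_type": "stix", "pattern": "[domain-name:value='tracker.example']"},
  {"type": "indicator", "pattern_type": "stix", "pattern": "[process:name='samplehelperd']"},
  {"type": "malware", "name": "constructed-sample"}
]}
""")

PATTERN = re.compile(r"^\[(domain-name:value|process:name)\s*=\s*'([^']+)'\]$")

def load_indicators(bundle):
    """Collect simple single-comparison indicators, grouped by kind."""
    iocs = {"domain-name:value": set(), "process:name": set()}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # skip malware, relationship and other object types
        m = PATTERN.match(obj.get("pattern", "").strip())
        if m:
            iocs[m.group(1)].add(m.group(2).lower())
    return iocs

def host_matches(url, domains):
    """True if the URL's host is an indicator domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def scan(records, iocs):
    """Return (source, value) for every record that matches an indicator."""
    hits = []
    for rec in records:
        if rec["kind"] == "url" and host_matches(rec["value"], iocs["domain-name:value"]):
            hits.append((rec["source"], rec["value"]))
        elif rec["kind"] == "process" and rec["value"].lower() in iocs["process:name"]:
            hits.append((rec["source"], rec["value"]))
    return hits

# Constructed artifacts standing in for data extracted from a device backup.
RECORDS = [
    {"source": "sms", "kind": "url", "value": "https://cdn.tracker.example/a?x=1"},
    {"source": "browser_history", "kind": "url", "value": "https://nottracker.example/"},
    {"source": "sms", "kind": "url", "value": "https://tracker.example.org/login"},
    {"source": "process_list", "kind": "process", "value": "samplehelperd"},
]

print(scan(RECORDS, load_indicators(BUNDLE)))
```

The host comparison is anchored on a label boundary, so lookalike names such as `nottracker.example` or `tracker.example.org` do not produce false matches. A clean result only means none of the loaded indicators were seen, not that the device is uncompromised.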
The path forward: Regulating the entire supply chain
The findings from Access Now and Citizen Lab are a clear call to action. Efforts to curb the spyware industry cannot succeed by focusing solely on the primary vendors. Any meaningful regulatory framework must address the entire supply chain, including the brokers, resellers, and integrators who enable the trade.
Human rights organizations have long called for a moratorium on the sale and transfer of surveillance technology until adequate human rights safeguards are in place. This latest research reinforces the urgency of that demand. Governments in Europe and North America must strengthen and enforce export controls, implement stringent vetting of end-users, and impose severe penalties on any entity—vendor or intermediary—found facilitating the sale of these tools to repressive regimes. Without a concerted effort to dismantle this shadowy network, the global spyware market will continue to expand, and the tools of digital repression will continue to land in the hands of those who would use them to silence dissent and crush freedom.




