Meet the shady companies helping governments hack citizens’ phones

Named for the winged horse of Greek mythology and often sent by text message, Pegasus can burrow into your phone without your knowledge or even your click, hiding for days or weeks inside, surreptitiously recording everything—messages, photos, encrypted chats, and video and audio—in real time. Exactly where your data is going often remains a mystery, lost in a tangle of servers. But the deadly impacts of Pegasus and other cyberweapons—wielded by governments from Spain to Saudi Arabia against human rights defenders, journalists, lawyers and others—are by now well documented. A wave of scrutiny and sanctions has helped expose the secretive, quasi-legal industry behind these tools, and put financial strain on firms like Israel’s NSO Group, which builds Pegasus.

And yet business is booming. New research published this month by Google and Meta suggests that despite new restrictions, the cyberattack market is growing, and growing more dangerous, aiding government violence and repression and eroding democracy around the globe.

“The industry is thriving,” says Maddie Stone, a researcher at Google’s Threat Analysis Group (TAG) who hunts zero-day exploits, the software bugs that have yet to be fixed and are worth potentially hundreds of millions to spyware sellers. “More companies keep popping up, and their government customers are determined to buy from them, and want these capabilities, and are using them.”

For the first time, half of known zero-days against Google and Android products now come from private companies, according to a report published this month by Stone’s team at Google. Beyond prominent firms like NSO and Candiru, Google’s researchers say they are tracking about 40 companies involved in the creation of hacking tools that have been deployed against “high risk individuals.”

Of the 72 zero-day exploits Google discovered in the wild between 2014 and last year, 35 were attributed to these and other industry players, as opposed to state-backed actors.

“If governments ever had a monopoly on the most sophisticated capabilities, that era is certainly over,” reads the report.

The Google findings and a spyware-focused threat report published by Meta a week later reflect an increasingly tough response by Big Tech to an industry that profits from breaking into its systems. The reports also put new pressure on the US and others to take action against the mostly unregulated industry.

In a blog post, Shane Huntley, senior director of Google’s TAG, noted a series of government agreements to limit spyware’s harms, but added that “we hope to see these initial steps followed by more concrete actions from a broader community of nations to reform the industry and shine more light on abuses.”

Cyber mercenaries and intelligence officials point to the use of the weaponry in law enforcement and counterterrorism, and dozens of countries have secretly used hacking tools to track and capture criminals and terror suspects, including the drug lord known as El Chapo. But a staggering body of research and reporting has shown the tools are often used against journalists, human rights defenders, and opposition figures, sometimes as part of brutal crackdowns.

Researchers estimate that government agencies in as many as 46 countries—including Spain, India, and Saudi Arabia—have used Pegasus in some form. A list of fifty thousand phone numbers that had been “selected for targeting” by NSO clients, obtained by reporters in 2020, included at least three presidents, ten prime ministers, and one king, as well as “several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials—including cabinet ministers, diplomats, and military and security officers.” (The Pegasus Project, a journalist consortium led by the French media non-profit Forbidden Stories, confirmed infections on dozens of phones on the list.) Pegasus has been found on the phones of journalists in India, Jordan, Armenia, Togo and the Dominican Republic; at least six Palestinian human rights defenders, one of whom is also a U.S. citizen; and the two women closest to the murdered Saudi dissident Jamal Khashoggi. A 2021 analysis by Forensic Architecture, a human rights-focused research group at the University of London, estimated that spyware was involved in at least three hundred instances of physical violence.

“The harm is not hypothetical,” says Stone.


The Biden administration has also blacklisted a number of spyware companies since 2021, banning any transfer of U.S. technology to the firms, and this month began taking a tougher stance on the people behind the spyware too. A day before Google released its report, the State Dept. announced new visa restrictions for people “involved in the misuse of commercial spyware” and their families, further limiting spyware makers’ access to the critical US technology sector. Spyware, secretary of state Antony Blinken said in a statement, “threatens privacy and freedoms of expression, peaceful assembly, and association,” and “has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases.”

For now, though, zero-day researchers describe the fight against spyware as a global game of whack-a-mole. And like a determined hacker, the moles are poised to do everything they can to bypass a barrage of defenses. Firms are increasingly setting up shop or relocating to countries outside Israel—where they are not bound by the same export controls.

Despite the chilling effects that have come with US sanctions, the business is hard for some entrepreneurs and investors to resist. A 2022 estimate valued the size of the global spyware market at $12 billion.

“If NSO Group goes bankrupt tomorrow, there are other companies, perhaps seeded with U.S. venture capital, that will attempt to step in to fill the gap,” Citizen Lab’s John Scott-Railton told a congressional hearing last year. “As long as U.S. investors see the mercenary spyware industry as a growth market, the U.S. financial sector is poised to turbocharge the problem and set fire to our collective cybersecurity and privacy.”

In its report, Google describes a “rise in turnkey espionage solutions” offered by dozens of shady companies. While Israeli cyberattack firms like NSO and Candiru have drawn the most scrutiny, Google’s analysis highlights the rise of smaller spyware firms based in Europe and Asia. That includes what the Carnegie Endowment called last year a secondary tier “of boutique spyware firms, hacker-by-night operations, exploit brokers, and similar groups.” Google chose to name 11 firms and nine affiliates in its report, each of which had appeared in previous reports; Stone and a spokesperson did not specify why the other companies were not disclosed.

The spyware firms represent only a small fraction of a global hacking-for-hire industry. (A leak this week from I-Soon, a Shanghai-based cybersecurity vendor with government ties, suggests that it carried out global attacks on a series of high-value government targets and dissidents in 2021 and 2022, in part by breaching WiFi networks and devices.) Some of the spyware companies lack websites, and hide under complex corporate structures to conceal their owners, investors, and clients. Tel Aviv-based Candiru, Google notes, has changed names multiple times, to Grindavik, then Taveta, then Saito Tech. Another firm named by Google, the Vienna-based DSIRF, shuttered its operations in August 2023, but an affiliate, Machine Learning Solutions (MLS), is reportedly continuing some of its work.

The companies did not respond to requests for comment or were not reachable. The companies named by Google include:

  • Candiru, founded in 2014, is thought to be Israel’s second-largest spyware maker after NSO. With funding from NSO investors as well as the government of Qatar, its systems have been found to have been operated by multiple countries, including Saudi Arabia, Israel, U.A.E., Hungary, Indonesia, and Uzbekistan. In November 2021, the US Commerce Department added Candiru and NSO to its trade blacklist. 
  • Cy4Gate, founded in 2014, specializes in “lawful interception” technology, including the Epeius spyware targeting Android and iOS systems. In 2022, Cy4Gate acquired fellow Italian firm RCS Lab, known for its “Hermit” spyware tools. Google and Meta have observed RCS Lab campaigns in Italy, Kazakhstan, Azerbaijan and Mongolia. 
  • The Intellexa Alliance acts as a hub for various surveillance companies, including Cytrox—the creator of a Pegasus-like tool called Predator—as well as WiFi and mobile interception firm WiSpear and Senpai, which specializes in open-source intelligence gathering. In June 2021, four executives of an Intellexa member, Nexa Technologies, were indicted by the Paris Judicial Court for “complicity in acts of torture,” a decade after the Wall Street Journal revealed the firm was selling surveillance software to the government of Libya. In 2021 Meta banned Cytrox for abusing its platforms, and the US Commerce Dept. blacklisted the company in 2023. 
  • NSO Group, based in Herzliya, Israel, was first exposed in 2016, when Citizen Lab found Pegasus on the phone of Ahmed Mansoor, a human-rights defender based in the United Arab Emirates. Around the globe, the Pegasus Project estimates that hundreds of members of civil society have been targeted by its spyware. 
  • Negg Group, an Italian cybersecurity firm, was first revealed in 2017 by Kaspersky as the developer of the “VBiss” and “Skygofree” Android malware, which can infect mobile devices through one-click exploit chains or by drive-by downloads. Google discovered targets in Italy, Malaysia, and Kazakhstan. 
  • PARS Defense is a cybersecurity company headquartered in Istanbul that, says its website, “helps customers to solve forensic challenges in mobile world [sic].” It has been linked to the exploitation of two recent vulnerabilities targeting iOS. 
  • QuaDream, founded in 2014 by a group that included two former NSO employees, developed REIGN, a spyware that includes capabilities such as “real-time call recordings, camera activation — front and back,” and “microphone activation,” according to a brochure. In April 2023, QuaDream abruptly shut down, according to Haaretz, after the Israeli government prevented it from exporting its tools to foreign countries including Morocco, and after researchers at Microsoft and Citizen Lab reported that REIGN had been used against journalists, opposition figures and advocacy organizations across the globe.
  • Variston Information Technology was founded in Barcelona in 2018 and soon after acquired TrueL IT, an Italian firm specializing in zero-day vulnerabilities. The company works with the ironically-named, Abu Dhabi-based Protect Electronic Systems to package and sell its spyware and infrastructure. In April 2023, the trade publication Intelligence Online reported that Variston had established closer ties to the cyber subsidiary of the UAE-owned defense company Edge Group.
  • Wintego Systems, founded by alumni of Verint, another Israeli firm, develops advanced communication, intelligence, and data-decoding solutions for the government and homeland security sectors. According to a company brochure, its spyware “uses Wi-Fi to obtain secured data from web accounts (cloud services) and apps, including the entire contents of email, photos, files, chats, social network activity, contact lists, and calendars.” 

Meta’s threat team also recently took action against dozens of accounts run by eight spyware firms from Spain, Italy and the United Arab Emirates. In a quarterly threat report issued on February 14, the company named Italian firms Cy4Gate and RCS Labs, Negg Group, and IPS Intelligence; Spanish companies Variston and its subsidiary TrueL IT, and Mollitiam Industries; and the UAE-based Protect Electronic Systems. Meta said the firms used fake accounts to scrape data, perform social engineering or test their spyware capabilities.


Among the most arresting aspects of Google’s report are the profiles of six spyware victims, compiled by researchers at its think tank Jigsaw. They include Galina Timchenko, editor of the exiled independent Russian news outlet Meduza, who was at home in Riga, Latvia in June 2022, when she received a strange message from Apple. It said she was being targeted by “state-sponsored attackers [who] are likely targeting you individually because of who you are or what you do.” Used to years of phishing attempts and denial-of-service attacks, she let her technical team know and put it out of mind.

But as an investigation by the nonprofit Access Now and the cyber sleuths of Citizen Lab would soon find, her phone had been infected by Pegasus. The infection had occurred months earlier, a day before Timchenko attended a secret meeting in Berlin of exiled Russian media outlets to discuss the Kremlin’s expansion of its “foreign agents” laws. Using an exploit targeting Apple’s HomeKit and iMessage, the attackers presumably had access to her device during the meeting and for possibly weeks afterwards. Sensitive communications, data, and sources had potentially been compromised. Timchenko had no idea anything was amiss.

Even a single, stealthy infiltration—or just the threat of one—poses a broader threat. “It affects us when political opponents are being targeted and hacked, because that calls into question free and fair elections,” Stone says. “It affects us all when our journalists are being targeted and [are] scared to put out the truth.”

Who hacked Timchenko’s phone? Either Kazakhstan or Azerbaijan, two suspected Pegasus clients, could have carried out the attack at Moscow’s request, Access Now investigators said. But as far as researchers knew, neither country had ever used Pegasus in Europe, and Timchenko was in Berlin when her phone was attacked. Or the culprit may have been a European country: Germany, Latvia, and Estonia are known Pegasus customers.

U.S. agencies have also bought Pegasus and similar spyware. Months after the Commerce Dept. put NSO and another Israeli firm, Candiru, on its blacklist, the New York Times reported that the FBI had purchased Pegasus for “testing,” and had considered a product for US phone numbers called Phantom, which NSO had previously pitched to police departments. The CIA had purchased Pegasus for the government of Djibouti, the Times reported, despite longstanding concerns about human rights there.

The U.S. Drug Enforcement Administration has also deployed a Pegasus-like product, Graphite, to pursue drug cartels. The company that makes it, Paragon—backed by ex-Prime Minister Ehud Barak and at least one US-based venture capital firm, Battery Ventures—has sought to skirt scandal, and in 2021 hired the well-connected WestExec Advisors to ease its entry into the US. The company has even sought guidance on which other government customers would be acceptable to US officials, the Financial Times reported.

NSO has also enlisted powerful lobbyists to burnish its image in DC, including the NSA’s former general counsel. In a letter last May to the American Bar Association, NSO warned of the risks of a federal moratorium on commercial spyware. “While we fully support the effort to develop a regulatory framework to govern the sale and use of commercial intelligence technology,” NSO’s general counsel Shmuel Sunray wrote, “we fear that a moratorium would leave the industry dominated by companies operating with less regulation, less oversight, and less motivation to respect human rights, including companies operating from Russia and China.”

Part of NSO’s messaging has also revolved around the Israel-Hamas war: After the October 7 attack, Haaretz reported that Israel’s security services began pulling in companies like NSO, Candiru and Paragon to try to track hostages in the Gaza Strip.

“NSO’s technology is supporting the current global fight against terrorism in any and all forms,” one company lobbyist wrote in a November letter to Sec. of State Antony Blinken, requesting an urgent meeting. “These efforts squarely align with the Biden-Harris administration’s repeated messages and actions of support for the Israeli government.” Cybersecurity experts cast doubt on the hostage-tracking idea, and a U.S. official told Fast Company that the U.S. government “has no plans to change the status of NSO group on the entity list.”

Despite the government restrictions, the growth of the cybermercenary business reflects a subterranean, symbiotic relationship. As with the disinformation business, the spyware industry often relies on the talent and expertise of former government hackers, while the vendors afford governments plausible deniability. This, says Google, “shifts the burden of the cost and reputational risk of the exposure of these tools from the government customer to the [vendor],” which “may increase the likelihood the tools will be used.”

Israel’s homegrown cyberattack industry, considered the world’s best, isn’t just a point of pride for government officials but a tool of realpolitik. As with conventional

Created 11mo | 22 Feb. 2024, 18:20:05

