Introduction

Lurking in the murky depths of the global marketplace for offensive cyber capabilities sits a particularly dangerous capability—spyware.1 Spyware’s danger stems from its acute contribution to human rights abuses and national security risks. Most recently, NSO Group, a notorious spyware vendor known to have contributed to the surveillance of journalists, diplomats, and civil society actors across the globe, was fined $168 million in punitive damages by a US court for targeting WhatsApp’s infrastructure with Pegasus spyware. This most recent case reasserts the threat of spyware proliferation to national security and human rights. These risks and harms, coupled with a lack of market transparency, demand ongoing attention to the market’s structure and how actors circumvent accountability.

As highlighted in the 2024 report by the Atlantic Council’s Cyber Statecraft Initiative, Mythical Beasts and where to find them: Mapping the global spyware market and its threats to national security and human rights, spyware vendors often operate in complex networks of holding companies, investors, suppliers, and partners to obfuscate their business operations, making it difficult for policymakers to curb the misuse and proliferation of these capabilities.

...read more at atlanticcouncil.org