Shocking Truth: Who Really Buys Spyware Like Pegasus

Global Spyware

In October 2025, a group of American investors led by Hollywood producer Robert Simonds quietly bought a controlling stake in NSO Group — the Israeli company behind Pegasus, the spyware blamed for surveilling journalists, dissidents, and at least one murdered Saudi critic. A month later, former Trump ambassador to Israel David Friedman was named the company’s executive chairman, formally marking NSO’s transition to US ownership.

That a company sanctioned by the US Commerce Department, sued by Meta and Apple, and ordered to pay WhatsApp $167 million in damages, could be acquired by Americans with ties to the current administration — and emerge with its government contracts intact — tells you almost everything about the state of the global spyware industry in 2026. It is not shrinking under pressure. It is consolidating, rebranding, and finding new buyers among American capital and American government agencies.

The Players: A Market That Survives Its Own Scandals

The commercial spyware industry has weathered a remarkable run of public exposure without meaningfully contracting. A 2025 Atlantic Council mapping project, “Mythical Beasts,” tracked 561 entities across 46 countries involved in the spyware supply chain between 1992 and 2024 — 130 of them newly identified that year alone, including 20 new US-based investors. The growth in American capital flowing into the sector is itself one of the most significant recent shifts: a market once dominated by Israeli founders and European holding structures is now attracting Wall Street and private equity money at scale.

NSO Group

NSO Group remains the most infamous name, but far from the only one. The group reached a peak valuation of $1 billion under previous backer Francisco Partners, with Pegasus documented in use against journalists, activists, and heads of state in more than 45 countries. The Pegasus Project investigation — a collaboration between Forbidden Stories, Amnesty International, and more than 80 journalists across 17 media organizations — found the spyware had allegedly targeted approximately 50,000 phone numbers across at least 50 countries, with nearly a third of confirmed victims located in Mexico alone.

Intellexa

The consortium behind the Predator spyware, built around the formerly named Cytrox — has proven that sanctions barely slow a determined vendor down. The US sanctioned the Intellexa alliance in March 2024, yet the group’s products continued circulating. As of early 2026, Intellexa is effectively operating sanctions-free under the current administration’s posture, even as its original Intellexa.com domain has been abandoned along with associated email addresses — a sign of corporate reshuffling rather than retreat. Predator’s technical sophistication has reportedly exceeded Pegasus in at least one area: it can persist across iPhone reboots, a capability Pegasus lost after Apple patched the relevant vulnerability. Citizen Lab has documented Predator deployments by government clients in Armenia, Greece, Indonesia, Madagascar, Oman, and Serbia. In one striking case, found a single exiled Egyptian politician’s phone doubly infected with both Pegasus and Predator, run by two entirely separate government clients simultaneously. One of Intellexa’s founders did not escape consequence entirely: he was sentenced to eight years in prison in Greece over the Predator affair.

Paragon Solutions

Whose Graphite spyware emerged into public view in 2025, illustrates how quickly a new entrant can rack up victims. WhatsApp confirmed in January 2025 that Graphite had compromised 90 journalists across 24 countries via a zero-click exploit, prompting WhatsApp to sue Paragon directly. Paragon was acquired by Florida-based private equity firm AE Industrial Partners for approximately $500 million in 2024, and that acquisition appears to have functioned as a successful template, since a US government contract with Paragon that had been frozen under the Biden administration’s spyware executive order was reactivated under the Trump administration roughly a year later.

Beyond these three headline names sits a far larger and murkier ecosystem. DSIRF, Variston IT, and the more recently disclosed Quadream represent just a small visible slice of an industry where companies that get publicly exposed frequently don’t disappear — they rebrand or merge into other entities, as Cytrox itself did when it was absorbed into the broader Intellexa structure.

The Technical Arms Race Is Escalating

The sophistication of the exploits underpinning this industry has continued to advance well past the point most casual observers assume the cat-and-mouse game has stabilized. Google’s Threat Intelligence Group reported in its most recent zero-day analysis that, for the first time since the company began tracking exploitation patterns, more zero-day vulnerabilities were attributed to commercial surveillance vendors than to traditional state-sponsored espionage groups — a milestone that effectively confirms commercial spyware firms have overtaken nation-state hacking teams as the primary force driving zero-day exploitation globally.

The proliferation problem is also accelerating downward, from state-level actors to organized crime. Two new iOS exploit kits identified in early 2026, named Coruna and DarkSword, demonstrated that sophisticated iPhone exploitation chains are no longer confined to nation-states and their approved commercial vendors — DarkSword’s exploit code has since been published to GitHub, meaning any actor capable of hosting a website can now mount an iOS exploitation campaign against unpatched devices. The democratization of nation-state-grade hacking tools, once a slow-moving concern among researchers, is now a documented, active trend.

Beyond Authoritarian Regimes: The Democracies Buying Into Spyware

The most persistent myth about the spyware industry is that its client list is confined to authoritarian governments using it to crush dissent. The documented reality is considerably more uncomfortable for democracies that like to imagine themselves above this market.

NSO’s client list has historically served Israeli diplomatic objectives directly, including licensing deals extended to Gulf states, Eastern European governments, and allies across Asia — relationships that transfer, observers note, to whatever entity now owns the company, including its new American ownership group. The 2021 Pegasus Project leak itself identified several advanced democracies among NSO’s dozens of suspected government clients — not the exclusively authoritarian client base the company’s public messaging implies.

European Union

Pegasus has been documented targeting French politicians, lawyers, and journalists, prompting an investigation by Spain’s high criminal court that was ultimately dismissed in 2025 due to a lack of cooperation from Israeli authorities — meaning even when a EU member state’s own judiciary tries to investigate, it can be stonewalled by the seller’s home government. Poland’s former justice minister Zbigniew Ziobro was arrested in January 2025 over allegations that Pegasus had been misused domestically, while Greece’s own intelligence chief resigned in 2022 after Predator was found deployed against a journalist inside the country — a scandal serious enough that Greece subsequently banned commercial spyware use outright, a policy reversal exactly none of its EU peers have matched.

The United States

The United States presents the most consequential case of all, precisely because it positions itself as the chief international critic of spyware abuse. A 2023 Biden executive order prohibited the US government’s operational use of commercial spyware deemed a national security risk or linked to human rights abuses. The policy reversed within roughly two years, and by early 2026, the current administration shows no appetite for restricting these contracts. Both Paragon’s reactivated federal contract and Intellexa’s effectively sanctions-free operating status under the current administration have alarmed organizations like Amnesty International, whose researchers describe the federal government as having lost most of the institutional expertise needed to even track the issue, after staff focused on spyware policy were moved out of relevant agencies and not replaced. NSO itself responded to the changed political climate with a direct lobbying push: the company hired Vogel Group lobbyists with close ties to the administration and spent over $1.8 million on Republican political campaigns during the 2024 election cycle — a textbook case of a sanctioned foreign cyber-arms firm successfully buying its way back into a major democracy’s good graces.

Why Accountability Keeps Failing

The structural reason this industry survives scandal after scandal is that the regulatory architecture meant to constrain it was never built with binding force. The Wassenaar Arrangement, the main international framework governing trade in dual-use surveillance technology, is non-binding and easily circumvented through shell companies and creative licensing structures — and within the US specifically, the 2021 Commerce Department blacklisting of NSO was largely symbolic, restricting federal procurement while leaving private investment in the company almost entirely untouched.

That regulatory gap is precisely what allowed NSO’s 2025 sale to proceed without serious institutional friction. As one cybersecurity analyst observed, American ownership risks creating a hybrid entity that is nominally private but functionally strategic — accountable to no single government’s oversight regime, even as it inherits the diplomatic relationships and client base its previous ownership built.

Civil litigation has produced the sharpest accountability so far, even if the financial penalties have proven survivable. NSO was found liable in December 2024 for unlawfully exploiting WhatsApp to install Pegasus, and a permanent injunction was issued in October 2025 — but in June 2026, Meta accused NSO of violating that injunction outright, alleging the company had attempted new spear-phishing campaigns against WhatsApp users in Jordan and Lebanon, suggesting that even a court order barely interrupts the underlying business.

Spyware: The Bottom Line

Five years after the Pegasus Project first made “commercial spyware” a household phrase, the industry it exposed is larger, better capitalized, and more deeply intertwined with American capital and government contracting than it was at the moment of maximum public outrage. Sanctions have proven porous. Lawsuits have produced fines that the industry treats as a cost of doing business. And the most reliable predictor of whether a government will use this technology is not its democratic character, but whether its intelligence and law enforcement agencies want a capability that conventional oversight structures were never designed to govern.

The next chapter of this story will likely be written less by international agreements — which have consistently failed to bind this market — and more by domestic courts, corporate acquisitions, and the platforms, like WhatsApp and Apple, that keep finding the infections on their own networks and deciding, increasingly, to sue.


Further reading in: Deep Dives Section


Sources: Atlantic Council, “Mythical Beasts: Diving into the Depths of the Global Spyware Market” (2025); Citizen Lab Spyware Litigation Tracker; Corrata; Dark Reading; Wikipedia (NSO Group, Pegasus); TechPolicy.Press; Centre for International Governance Innovation; Cisco Talos Intelligence; Cunicula.

Leave a Reply

Your email address will not be published. Required fields are marked *