Multi-tier Predator delivery network architecture (Source: Recorded Future)
Commercial spyware is no longer the shadowy tool of a few niche companies—it has grown into a global industry worth millions, thriving despite repeated scandals and exposure. A new strategic report from Sekoia.io’s Threat Detection & Research (TDR) team, “Predators for Hire: A Global Overview of Commercial Surveillance Vendors”, sheds light on how these vendors operate, who their customers are, and why they pose a persistent threat to democracy and human rights.
According to the report, commercial surveillance vendors (CSVs) first gained prominence in the early 2010s, when authoritarian governments sought rapid tools to suppress dissent during the Arab Spring. Vendors like FinFisher and Hacking Team established themselves by providing “ready-to-use surveillance and repression solutions.”
By 2016, the sector had industrialized, selling full turnkey platforms rather than individual exploits. Companies such as NSO Group pioneered zero-click spyware like Pegasus, capable of silently infecting phones without any user action.
But from 2021 onwards, CSVs faced what Sekoia calls a “legitimacy crisis”, as journalists, NGOs, and courts exposed widespread abuse. “After multiple exposures of the use of spyware in an unlawful and repressive way… CSV faced a veritable legitimacy crisis,” the report notes.
Despite legal actions and sanctions, the spyware business remains highly profitable. Prices have skyrocketed—from a few thousand euros for early activations to millions for full deployments today. For example, Intellexa’s Predator spyware was offered in 2022 at 8 million euros for use on up to 100 mobile phones.
The report explains that “the surveillance market has remained highly lucrative, with commercial surveillance vendors making important benefits through the selling of their surveillance products.”
Even companies forced to shut down or rebrand—like Amesys, implicated in torture in Libya—have resurfaced under new names, continuing their trade through complex webs of subsidiaries.
CSV customers deploy spyware using sophisticated intrusion chains. These include 1-click exploits, where a malicious link is sent to a target, and 0-click exploits, where devices are compromised without any interaction.
The report highlights real-world examples: “In January 2025, WhatsApp accused the Israeli company Paragon of targeting nearly 100 journalists and civil society members… using a 0-click exploiting WhatsApp’s automatic content preview feature.”
Other vendors exploit Wi-Fi, Bluetooth, or even baseband flaws to compromise devices over the air, bypassing traditional defenses.
While vendors market spyware as tools for legitimate law enforcement, Sekoia emphasizes that in practice, CSVs are repeatedly linked to human rights violations. “Documented use of commercial spyware by state actors have shown surveillance campaigns targeting dissidents, civil society activists and journalists,” the report warns.
Cases like the Pegasus Project and Predator Files showed how spyware was deployed against heads of state, opposition politicians, and journalists worldwide, with devastating consequences for democracy and free expression.
The report also highlights the failure of governments to regulate spyware effectively. Even in Europe, where the NSO Group and Intellexa were sanctioned, domestic agencies continued to purchase similar tools from local vendors. “Democracies, too, exploit or overlook the misuse of spyware when oversight mechanisms are weak,” the authors note.
The Pall Mall Process, launched in 2025 by the UK and France, represents one attempt to curb misuse by establishing a code of practice for states. But with CSVs relying on rebranding, intermediaries, and shell companies, enforcement remains elusive.
Despite mounting pressure from regulators and civil society, CSVs continue to thrive by innovating both technically and organizationally.
As the report concludes: “The absence of effective political and regulatory safeguards has left spyware targets more exposed than ever, as infection techniques have grown more covert and resilient.”