Commercial Spyware – The Multi-Billion Dollar Surveillance Industry

When most people hear “spyware,” they imagine a lone hacker targeting individual victims. The reality is far more organized and troubling: a legitimate multi-billion dollar industry that sells surveillance technology to governments, corporations, and private investigators. Companies like NSO Group (makers of Pegasus), Hacking Team, and Intellexa develop and sell spyware capable of infecting devices without any user interaction—no clicks, no downloads, no suspicious emails. These “zero-click” exploits leverage undisclosed vulnerabilities in WhatsApp, iMessage, and even the core operating systems of iPhones and Android devices. A target receives a missed call or a text message that appears blank; they never touch anything. Yet the spyware installs silently, granting the operator full access to messages, photos, location, microphone, and camera. The market for this technology is driven by nation-states seeking surveillance capabilities against terrorists, criminals, and political dissidents—but also against journalists, human rights defenders, and opposition politicians.

The ethical line between legitimate law enforcement and authoritarian abuse has proven impossible to maintain. Amnesty International and Citizen Lab have documented dozens of cases where government-purchased spyware was used against activists, lawyers, and reporters. In one typical case, Pegasus was found on the phone of a murdered Saudi journalist’s associate; in another, Indian journalists critical of the government were targeted. The problem is structural: once a government purchases spyware, the vendor has no practical ability to control who is added to the surveillance list. Contracts promising “human rights compliance” have proven meaningless. Furthermore, spyware companies have repeatedly lost control of their own products; Hacking Team suffered a 2015 data breach that released its entire spyware source code to the public, and NSO Group’s exploits have been repurposed by cybercriminals who reverse-engineered them. The industry’s business model—selling the ability to break into any device—is fundamentally incompatible with digital security for everyone else.

For ordinary users, the existence of commercial spyware is both alarming and, paradoxically, not a primary concern. Zero-click exploits are expensive (NSO reportedly charges $500,000 or more per deployment) and are reserved for high-value targets. The average person remains at far greater risk from inexpensive, mass-market spyware sold for $50 to “catch a cheating spouse.” Still, the commercial spyware industry has prompted significant responses. Apple introduced “Lockdown Mode” for iPhone, which disables features that zero-click exploits commonly use. Google has sued spyware vendors for violating its terms of service. The U.S. government has added NSO Group to its entity list, restricting American companies from doing business with them. The long-term solution requires international agreement: spyware exploits are weapons, and selling them should be regulated like weapons. Until then, the most vulnerable—journalists, dissidents, lawyers—must assume their devices are compromised and act accordingly. Encryption, air-gapped devices, and in-person conversations remain the only true safeguards against an industry that profits from invisibly invading your life.
