
The $12 Billion Shadow Industry That 561 Companies Are Running — And the Toothless Rules Supposed to Stop Them


SURVEILLANCE & GLOBAL GOVERNANCE

The global spyware market has more participants, more money, and more reach than ever before. The compliance frameworks designed to govern it are voluntary, unsigned by the world's largest players, and actively being gamed by the industry itself. Here is the full picture.

By The CyberDiplomat | June 2026


561 — Entities now documented in the global spyware market across 46 countries 

43 — Entirely new spyware entities that entered the market in 2024 alone 

100 — Countries estimated by the UK's NCSC to have access to spyware tools

25 — States that have signed the Pall Mall Code of Practice — all voluntary, none enforced


An Industry That Grew While the World Watched

The story of the global spyware market is not one of a hidden industry operating in the dark. It is one of an industry that grew in plain sight, faster than the frameworks designed to govern it, and has now become too large, too fragmented, and too politically entangled to be contained by the tools currently on offer.

The global spyware ecosystem has grown from 435 documented entities in an initial assessment to 561 organisations spanning 46 countries — with 130 new entities identified between that first assessment and 2024, and 43 entirely new entities entering the market specifically during 2024 alone. 

These are not small operators. In 2025, for the first time, more zero-day exploits — the most sophisticated and valuable attack tools in existence — were attributed to commercial surveillance vendors than to traditional state-sponsored hacking groups. The private sector has overtaken nation-state intelligence agencies in the exploitation of unknown software vulnerabilities. That is not a footnote. That is a fundamental shift in the global threat landscape.

And the market is not slowing. Fuelled by demand from governments for law enforcement investigations, espionage, and in many cases the surveillance of political opponents and dissenters, the spyware ecosystem continues to expand. Meanwhile, US government moves — including reactivating cancelled contracts and removing sanctions — appear to have smoothed the way for surveillance-tech vendors.


Who Is Actually In This Market

Most public discussion of commercial spyware fixates on three or four named vendors. The reality of the market is far more complex — and far harder to regulate.

The Atlantic Council's Mythical Beasts project, which surveys the global spyware market, now catalogues 561 entities across 46 countries from 1992 to 2024. The 2025 edition added 20 new US-based investors, seven newly identified resellers and brokers, and three newly documented countries — Japan, Malaysia, and Panama — bringing the total geographic spread to 46 nations.

US-based investment in spyware has notably increased. AE Industrial Partners invested in Paragon Solutions in late 2024. In early 2025, American company Integrity Partners invested in Saito Tech — better known as Candiru — which has been on the US Commerce Department's Entity List since 2021. American capital is flowing into companies that American regulators have officially designated as national security threats. The left hand has not informed the right.

The market also extends well beyond the vendors most people can name. Export controls remain porous. Many spyware firms circumvent restrictions by operating through shell companies in Cyprus, Bulgaria, or the UAE. Others rely on intermediaries to manage licensing and distribution. In one documented case, Swiss-based Toru Group facilitated Predator sales to Bangladesh via an Intellexa-linked firm — a transaction routed through three corporate layers across multiple jurisdictions to evade detection.


The Middlemen Nobody Is Watching

If vendors are the visible face of the spyware market, intermediaries are its invisible engine — and they are the part the compliance frameworks have almost entirely failed to address.

Brokers, resellers, and partners act as indispensable enablers in the global supply chain for offensive cyber capabilities. They have facilitated transactions that otherwise could not have taken place due to regional export controls or trade bans. In one documented case, a reseller called InReach Technologies was founded solely by spyware vendor Quadream to promote its product outside Israel and to bypass EU export controls.

In Mexico alone, researchers catalogued ten historically overlooked intermediaries that facilitated Pegasus sales to government clients using misleading contracts to conceal both the product and its origin.

These intermediaries obscure connections between vendors, suppliers, and buyers through complex corporate structures and jurisdictional arbitrage. Their presence in research datasets is almost certainly underrepresented given the opaque nature of brokers and resellers — and there is effectively no systematic policy framework that addresses them.

This is the critical blind spot at the heart of every current compliance regime. You can sanction a vendor. You cannot easily sanction a reseller incorporated in the British Virgin Islands, distributing for a Swiss broker, selling to a government client in Southeast Asia. The chain is designed to be untraceable, and the design is working.


The Compliance Landscape: What Exists, What It Does, and What It Cannot Do

The Wassenaar Arrangement

The oldest multilateral export control framework applicable to surveillance technology is the Wassenaar Arrangement — a 42-nation agreement originally established in 1995 to control conventional weapons and dual-use items. Intrusion software was added to its control list in 2013 in response to Arab Spring-era spyware abuses.

The experience since has been instructive — and largely sobering. Wassenaar requires consensus among all member states to add items to control lists, giving any single nation effective veto power. Its definitions of controlled items have consistently lagged behind the technology. And it has no enforcement mechanism: a country that decides to export a controlled item faces no binding consequences. Export controls under Wassenaar are, at their core, a statement of national intent — not an international obligation.

The Pall Mall Process

The most significant recent attempt to build a multilateral governance framework for commercial spyware is the Pall Mall Process, co-led by France and the United Kingdom.

In April 2025, France and the UK organised the second Pall Mall Process Conference in Paris, bringing together 45 states and international organisations along with a large coalition of private sector, civil society, and academic representatives. A Code of Practice was adopted — backed by 25 states — establishing voluntary political commitments and practical recommendations to tackle the proliferation and irresponsible use of commercial cyber intrusion tools. 

The 2025 Code of Practice for States sets out voluntary commitments across the development, export, procurement, and use of commercial cyber intrusion capabilities. It encourages governments to establish rules for suppliers, clarify conditions for state use, strengthen oversight, and provide remedies for victims. These measures are underpinned by principles of accountability, precision, oversight, and transparency. 

The word that appears most in descriptions of the Pall Mall Process is "voluntary." There is no binding enforcement mechanism. No penalties for non-compliance. No independent monitoring body. No mechanism to exclude non-signatories from procurement by signatories.

The United States did not sign the Pall Mall Code of Practice, though the Biden administration used sanctions, visa restrictions, and other tools to push back against commercial spyware makers. Under the current administration, those tools have been selectively reversed.

The Entity List: Sanctions That Rebrand

The US Commerce Department's Entity List — which designates foreign companies as national security threats and prohibits American entities from doing business with them — has been the most aggressive unilateral compliance tool deployed against spyware vendors.

NSO Group, Candiru, and Intellexa have all been designated. The practical results have been mixed at best.

Security researchers found that Predator, made by the Intellexa consortium, remained operational despite US sanctions, with five layers of infrastructure supporting its deployments in 2025 — including servers linked to Intellexa's financial network through a Czech company called FoxItech.

Firms like Nexa Technologies and Candiru have re-emerged under new names after previous scandals, some continuing to do business with states previously flagged for abuse. 

Sanctions do not kill spyware companies. They slow them down, cost them clients, and force a rebranding exercise. Then the corporate structure shifts, a new subsidiary is incorporated in a lower-scrutiny jurisdiction, and the product continues to sell.


The Industry's Playbook for Gaming Compliance

What the Pall Mall Process revealed — and what civil society observers have documented in detail — is that the spyware industry has developed a sophisticated playbook for engaging with governance frameworks while undermining them in practice.

NSO Group held up its engagement with the Pall Mall Process as evidence of its commitment to responsible governance, presenting itself as "a regulated defence technology provider operating under stringent export licensing requirements." Civil society leaders dismissed the claim entirely, pointing to documented abuses of Pegasus against Serbian journalists as recently as February 2025 — abuses that occurred while NSO was publicly committing to accountability.

The playbook works as follows. A vendor facing sanctions or reputational damage publishes a transparency report with broad commitments and no specifics. It hires a politically connected former official — ideally from the government currently applying pressure — as a chairman or adviser. It engages with multilateral governance processes to signal legitimacy. It simultaneously continues to sell to clients engaged in the very abuses the framework was designed to prevent. And it lobbies quietly for the sanctions to be reversed, framing the ask as a national security benefit rather than a commercial one.

NSO Group reportedly spent nearly $1 million on lobbying in 2025 alone — engaging multiple public relations and law firms in an attempt to rehabilitate its image while seeking removal from the Entity List. This is not an aberration. It is an industry standard operating procedure. 


What Meaningful Compliance Would Actually Require

The gap between the compliance frameworks that exist and the compliance frameworks that would actually work is substantial. Experts and researchers have converged on several components that any effective regime would need to include.

Binding obligations, not voluntary commitments. Every major governance failure in the spyware space has occurred against the backdrop of voluntary frameworks. If the Pall Mall Process is to remain relevant, France and the UK must become advocates for national and global regulation on spyware — not just codes of practice, but legislative action with teeth. Voluntary commitments that cost nothing to make and nothing to break are marketing exercises, not governance. 

Intermediary regulation. Policymakers have largely ignored the brokers and resellers who drive global spyware proliferation. These intermediaries represent a critical information gap — and the lack of effective regulatory responses to curtail their activities is one of the most significant blind spots in current efforts. Any framework that does not reach brokers and resellers will be routed around.

Investor transparency. The number of US-based investors in spyware has notably increased, funding some of the most prolific rights-abusing vendors in the market. Investment flows into sanctioned or sanctionable companies through private equity structures that are opaque, loosely regulated, and rarely scrutinised. Mandatory disclosure of investment in surveillance technology companies — at the level applied to defence contractors — would be a minimum starting point.

Jurisdictional coordination. The spyware market's sophisticated organisational structures are explicitly designed to employ jurisdictional arbitrage — frequently shifting corporate structures and legal identities to evade detection and sanctions. A compliance regime that operates within national or even regional boundaries will always be outmanoeuvred by entities designed to operate across them. Effective governance requires coordinated enforcement across multiple jurisdictions simultaneously.

Victim remediation. Every major framework mentions victims. None has created a credible, accessible mechanism for journalists, activists, and officials who have been surveilled to seek accountability or compensation. Without that, the human rights framing of spyware governance remains rhetorical.


The Indo-Pacific: The Next Frontier the Frameworks Are Missing

As both a major source of demand and an increasingly important production and transit hub, the Indo-Pacific is a key player influencing how the spyware market evolves — and is governed. The market for commercial cyber intrusion capabilities is moving faster than the frameworks designed to govern it, and the Indo-Pacific's growing role in both supply and procurement is one of the dimensions current frameworks are least equipped to address.

New entrant countries — Japan, Malaysia, and Panama — have joined the documented spyware ecosystem. Regional governments seeking surveillance capabilities without the diplomatic complications of dealing with sanctioned Western vendors are turning to new suppliers. The geography of the market is expanding. The geography of compliance frameworks is not keeping pace.


Conclusion: The Scorecard Nobody Wants to Publish

Assessed honestly, the current global spyware compliance landscape is difficult to present as progress.

561 entities in 46 countries. 43 new market entrants in a single year. Zero-day exploit development now dominated by commercial vendors rather than state intelligence agencies. The world's most sanctioned spyware company now owned by American investors and chaired by a former American ambassador. A voluntary Code of Practice signed by 25 countries, not including the United States, with no enforcement mechanism and no penalties for non-compliance. Intermediaries — the invisible engine of global proliferation — almost entirely unaddressed by any existing framework. And the same companies the frameworks are designed to constrain actively participating in their design.

"Nations continue to sign the Code of Practice in an effort to curb commercial spyware, yet implementation and enforcement concerns have yet to be resolved." That sentence, from a 2025 assessment, could have been written in 2021. It will likely still be true in 2030 if the fundamental architecture of governance does not change.

The spyware industry does not fear voluntary frameworks. It fears binding law, criminal liability for executives, mandatory investor disclosure, coordinated multi-jurisdictional enforcement, and the kind of sustained political will that has so far been absent everywhere it is most needed.

Until those elements are present, every code of practice and transparency report is, at best, a bookmark in a problem that the world has not yet decided to actually solve.


Sources: Atlantic Council Mythical Beasts Report (2025), Dark Reading, Sekoia Threat Intelligence, TechPolicy Press, Security Boulevard, Lawfare, ASPI Strategist, The Record, Just Security, France Ministry for Europe and Foreign Affairs, Cybersecurity News.

© The CyberDiplomat, 2026. All rights reserved.