The Pegasus Paradox: Why the World's Most Famous Spyware Is Also the World's Most Convenient Distraction

SURVEILLANCE, POLITICS & POWER

There are dozens of commercial spyware tools operating globally. One name dominates the headlines. That asymmetry is not an accident — it is a political choice, and understanding it tells us more about power than about privacy.

By The CyberDiplomat | June 2026


The Spyware You Know, and the Ones You Don't

Ask most people to name a piece of surveillance software and they will say: Pegasus. Developed by Israel's NSO Group, it has been the subject of international investigations, parliamentary inquiries, court rulings, and countless front-page headlines. It has become, in effect, the public face of the global spyware industry.

But Pegasus is not alone. It is not even necessarily the most widely deployed. It is simply the most talked about — and that distinction, on closer examination, has as much to do with politics as with technology.

Three platforms dominate what researchers call the commercial spyware market: Pegasus, developed by Israel's NSO Group; Predator, produced by the European Intellexa alliance; and Graphite, built by Paragon Solutions. Beyond these three, the commercial spyware landscape stretches from early pioneers like FinFisher and Hacking Team to more recent entrants including Candiru and the broader Intellexa consortium — all with documented histories of being deployed against journalists, activists, lawyers, and political opponents. 

So why does Pegasus absorb the oxygen in every room while its rivals operate in relative obscurity? The answer involves a leaked database, a media consortium, geopolitical convenience, and — most recently — an American acquisition that should have changed everything but largely hasn't.


How Pegasus Became the Story

The turning point was July 2021. The Pegasus Project — a consortium of more than 80 journalists from 17 media organisations in 10 countries, working with Forbidden Stories and Amnesty International — focused global attention on the spyware and its suspected use in facilitating human rights violations around the world. At the heart of the investigation was a leaked list of more than 50,000 phone numbers reportedly targeted by Pegasus clients. 

That leaked list was the ignition. Once 80 journalists across 17 newsrooms began cross-referencing it simultaneously and publishing coordinated exposés, Pegasus became a household name. The scale of the collaborative investigation was unprecedented. It was extraordinary journalism — and it permanently branded one company above all others.

But consider what that framing obscured.

Predator, the mobile spyware developed by Cytrox and sold by the Intellexa consortium, remains operational despite being sanctioned by the US in 2023. Security researchers identified five layers of infrastructure supporting Predator deployments in 2025, including servers linked to Intellexa's financial network — with the tiered architecture deliberately designed to obscure operator identity and evade attribution. 

Firms like Nexa Technologies and Candiru have re-emerged under new names after previous scandals and continue to do business with states previously flagged for abuse. The surveillance industry even operates its own trade show — ISS World — which explicitly bars journalists and NGOs from attending.

A secretive trade show. Rebranded firms. Five-layer obfuscation infrastructure. This is an industry operating in plain sight, confident that the world's attention will remain fixed on one name.


The Geopolitical Convenience of Pegasus

Pegasus is Israeli. That fact matters enormously to the politics of its coverage.

Israel is a Western-aligned democracy and a close US ally. When democratic governments use Pegasus against their own citizens — Hungary, India, Mexico, Poland — the story becomes a powerful narrative about democratic backsliding. It is uncomfortable for Western institutions precisely because the supplier is within their own orbit of trust and alliance.

In a notable coincidence of timing, on the same day the Biden administration and a large group of allies formally called out China for state-sponsored international hacking, the Pegasus Project published its revelations showing how US-allied governments were hacking their opponents' phones with Israeli-made software. Two surveillance stories broke simultaneously. One condemned an adversary. The other embarrassed allies. Guess which one received sustained long-term scrutiny. 

Predator is European-linked. FinFisher has German roots. Candiru and Paragon are Israeli. The Western surveillance industry is not a shadowy foreign operation — it is homegrown. But the political incentive to sustain focus on one Israeli firm rather than examine the entire ecosystem is obvious: doing so allows governments to perform concern about surveillance abuse while avoiding uncomfortable questions about their own procurement decisions.

The NSO Group operates under Israel's export control system, which classifies Pegasus as military-grade technology requiring Ministry of Defence approval for every sale. This arrangement is not unique — the United States, European Union, and 43 other nations impose similar controls on surveillance tools. What distinguishes Israel's approach is how these approvals have aligned with diplomatic goals. 

In other words: every country with a surveillance industry has an export control system. Every export control system is a foreign policy instrument. The question of who gets sold which spyware is never purely commercial. It is always political.


The Twist Nobody Wants to Discuss: America Now Owns Pegasus

In October 2025, the story took a turn that should have generated sustained global outrage but instead produced a week of headlines and then relative silence.

NSO Group confirmed that an American investment group had acquired controlling ownership of the company. The consortium is led by Hollywood producer Robert Simonds, with the deal valued at tens of millions of dollars.

Let that land for a moment. The United States government had placed NSO Group on its Entity List in 2021, designating it a national security threat and prohibiting American companies from doing business with it. NSO lobbied extensively to get off the US blacklist, hiring Trump-connected lobbying firms as recently as May 2025. Then, months later, American investors acquired controlling ownership. 

For years, Washington condemned Pegasus as a symbol of unrestrained digital surveillance. Now, American investors own it. The immediate question is why. Strategically, it may align Pegasus and similar technologies with American defence interests. Yet it also exposes the absence of rules for how those tools are managed, audited or repurposed once inside the US. There is no technical barrier preventing Pegasus from targeting American phones, and existing legal protections are limited.

A Biden-era executive order sought to bar federal agencies from using commercial spyware, but it did not prevent foreign governments, private actors, or even state and local agencies from deploying such tools. Once the infrastructure exists under American ownership, the gap between authorised foreign surveillance and domestic misuse narrows to a policy choice — one that could shift with each administration. 

The company that Washington once called a threat is now an American asset. The sanctions remain on paper. The lobbying continues. The coverage, compared to 2021, is muted.


The Shadow Industry Operating Without Scrutiny

While the world debates Pegasus, the rest of the industry quietly thrives.

Early 2026 has brought a fundamental shift in the surveillance landscape. Two exploit kits — Coruna and DarkSword — have demonstrated that sophisticated iOS exploitation is no longer the exclusive preserve of nation-states and approved commercial vendors. The tooling is now proliferating to organised crime. DarkSword's exploit code has since been published to GitHub, meaning any threat actor capable of hosting a website can now mount an iOS exploitation campaign. 

This is the real horror of the Pegasus fixation: while the world argues about one regulated, court-sanctioned, internationally scrutinised company, the underlying capability is democratising. It is moving down-market, into criminal hands, into unregulated jurisdictions, beyond the reach of any export control system.

The commercial spyware industry traces its genesis to the aftermath of the Arab Spring, when authoritarian regimes sought off-the-shelf tools for surveillance after citizen uprisings fuelled via social media. Early vendors emerged between 2010 and 2015. By 2016, it had industrialised into turnkey solutions. Between 2019 and 2021, new vendors like Candiru, Paragon Solutions, and Intellexa emerged, often led by former military intelligence personnel. 

Despite lawsuits and sanctions — including a $167 million verdict against NSO Group for WhatsApp exploits — vendors have adapted through rebranding, creating opaque subsidiaries across jurisdictions, and enlisting intermediaries to bypass export controls. 

Sanctions do not kill spyware companies. They rename them.


The Deception Hidden in Plain Sight

The article that prompted this analysis makes a compelling case that democracies are drifting toward digital authoritarianism. It is right. But it also participates — perhaps unavoidably — in the same selective framing it is trying to critique.

India and Israel are named. Hungary gets a mention. But France, which has its own surveillance export controversies, does not feature. Germany, home to FinFisher's parent Gamma Group, is absent. The United States — which now owns Pegasus, whose intelligence agencies pioneered mass surveillance, and whose tech platforms are the primary vectors for the data harvesting that enables modern state surveillance — is framed as a potential critic rather than a central actor.

This is not a failure of individual journalists. It is a structural feature of how surveillance gets discussed. The industry is global. The harms are universal. But the naming and shaming follows political alignments, media resources, and the availability of leaked evidence — not the actual distribution of harm.

The commercial state spyware landscape in 2026 includes NSO, Intellexa, Paragon, Candiru, and FinFisher — with US sanctions applied to NSO in 2021 and Intellexa in 2024. Meanwhile, AI systems can now score communication metadata to flag high-value targets before anyone reads content — making mass targeted surveillance faster and cheaper than ever before.

The technology is accelerating. The political will to address it comprehensively is not.


What Genuine Accountability Would Require

Focussing solely on Pegasus is comfortable because it has a single identifiable company, a leaked dataset, and courtroom victories to point to. Real accountability is harder because it requires confronting the following:

Every major democracy either operates a surveillance industry, purchases from one, or both. Export controls are foreign policy tools, not human rights instruments. Rebranding and subsidiary structures make sanctions largely performative. The democratisation of exploit tooling means the problem is now far beyond any single vendor. And American ownership of the world's most infamous spyware is not a solution — it is a merger of the problem with the institution supposed to regulate it.

The Pall Mall Code of Practice, issued in April 2025, represents an attempt to establish norms around the responsible use of commercial cyber intrusion capabilities. While it demonstrates that some governments are willing to take measures to reassure the public and reaffirm democratic values, such actions also reveal troubling ambiguities — because the same states signing codes of practice are also the industry's primary customers. 

Pegasus is real. Its abuses are documented, serious, and deserving of scrutiny. But using it as the singular face of commercial surveillance is itself a kind of deception — one that keeps the conversation manageable, keeps the villains identifiable, and keeps the rest of the industry operating in the dark.

The question worth asking is not just: who deployed Pegasus? It is: who built, bought, sold, and looked away from all the others?

The answer to that question involves governments, investors, intelligence agencies, and tech companies across Europe, the United States, and beyond. It is a much larger conversation. And that, perhaps, is precisely why we keep having the smaller one instead.


Sources: TechPolicy Press, Citizen Lab, Sekoia Threat Intelligence, CyberPress, Kashmir Times, TechCrunch, SiliconAngle, Bitdefender, Corrata, Britannica.

© The CyberDiplomat, 2026. All rights reserved.