The Global Spyware Market Index

More than 3,000 people in 74 countries have been targeted in state-sponsored spyware attacks since 2015. 78% of the companies responsible for manufacturing this invasive digital surveillance technology are based in Europe, the U.S. and Israel.
Samuel Woodhams & Christine O'Donnell

UPDATED July 22: This report has been updated to include new information regarding the Israeli spyware vendor, Candiru.

  • 74 countries have bought and/or used invasive spyware technology since 2015.
  • Spyware firms: 86% are based in countries considered full or flawed democracies by the EIU.
  • Suspected customers: 55% are authoritarian or hybrid regimes, with only 7% considered full democracies.
  • FinFisher has the most reported state customers (34), followed by Circles (25), and NSO Group (23).
  • Spyware targets: more than 3,000 have been identified, although the true figure is likely far higher.
  • Activists & dissidents have been targeted in 25 countries, followed by political figures (23) and journalists (17).

The Impact of Spyware

This report reveals how companies based in economically developed and largely democratic states are profiting from exporting highly invasive digital surveillance technologies to repressive regimes where their misuse is likely.

We analyzed almost 100 reports and articles published since 2015 to provide a comprehensive view of this largely unrestricted and highly secretive market for technology used to hack and spy on individuals’ personal devices. The findings demonstrate the need for meaningful regulation and increased transparency within the sector.

Our goal with this investigation was to try to quantify the impact of this intrusive technology in order to raise public awareness of the serious infringements of individuals’ digital privacy. Our hope is that democratic governments more tightly regulate these spyware companies operating under their jurisdiction.

We found that 74 governments around the world have purchased and/or used invasive spyware technology manufactured by 18 companies since 2015. Europe, the U.S., and Israel are home to 78% of these companies.

Their customers are predominantly repressive regimes looking for new ways to control the flow of digital information and stifle dissent. Less than 10% of suspected customers are considered full democracies by the Economist Intelligence Unit (EIU).

The technologies discussed in this report can all secretly monitor someone’s digital activity from afar. They range from highly sophisticated and expensive exploits such as NSO’s “zero-click attacks” to those that exploit widespread vulnerabilities in telecommunication protocols.

The impact of these tools on civil society is increasingly well known, with the likes of NSO Group becoming household names due to their alleged role selling invasive tech to repressive regimes that use them to track down and silence dissidents. Despite growing evidence, most of the companies named in this report have vehemently denied enabling human rights abuses.

The most recent revelation regarding NSO Group’s spyware unearthed over 50,000 individuals’ phone numbers that were allegedly identified as potential targets by NSO’s clients since 2016. The target list contained the phone numbers of politicians, journalists, activists, doctors and academics in countries including India, Hungary and Saudi Arabia.

“The private surveillance industry is a free-for-all… States and industry are collaborating in the spread of technology that is causing immediate and regular harm to individuals and organizations that are essential to democratic life” – David Kaye, former UN Special Rapporteur on Freedom of Expression[1]

The true number of those impacted by spyware is almost impossible to determine, particularly given that many people will fall victim to the technology and not notice.

Our research reveals that at least 3,111 individuals have been affected. While their precise identities are often concealed due to security concerns, many of those identified are prominent figures that play an important role in defending freedom of expression and promoting human rights.

Activists and dissidents were the most frequently targeted, followed by government officials and journalists. We also discovered that spyware had been used to hack the devices of individuals across nation state boundaries at least 85 times, including the targeting of Rwandan political figures based in Belgium.

This report shows that despite repeated criticisms and attempted regulation,[2] the commercial spyware industry continues to grow unabated. Estimated to be worth $12 billion,[3] it is clear more needs to be done to rein in the industry to protect human rights and safeguard freedom of expression.

Spyware Tech Vendors

The following table shows the five largest spyware tech companies based on the number of suspected customers.

Details of our full findings are available on this Google data sheet.

FinFisher GmbH / Gamma Group

Location: Germany (Previously UK & Germany)
Number of suspected customers: 33
Client regime type: 6% full democracies

FinSpy is a highly intrusive spyware technology suite initially manufactured by UK-headquartered Gamma Group. Production of the spyware shifted to FinFisher GmbH in 2013, a Germany-based company.[4]

Since its inception, the company has sold invasive surveillance tools to governments and state agencies around the world. Once infected, a victim’s device is silently monitored in real time allowing the end-user to intercept communications, access private data, monitor geolocation, and record audio and video.

The company gained notoriety when it was revealed that the company had sold FinSpy to the Egyptian government’s notorious State Security Investigations Service.[5] Since then, researchers have documented the repeated abuse of the company’s spyware to hack the devices of activists and political opponents in authoritarian countries such as Ethiopia, Turkey and Uganda.

In 2019, Reporters Without Borders alleged the company was responsible for enabling Turkish authorities to target journalists and opposition voices in the country.[6] The following year, the company’s headquarters were raided by police after it was reported that the company had been exporting its technology without the relevant licences.[7]

Circles

Location: Israel
Number of suspected customers: 25
Client regime type: 12% full democracies

Circles is a lesser-known company in the digital surveillance industry. According to a recent report by the University of Toronto’s Citizen Lab, it has sold its equipment to at least 25 countries including several countries with poor human rights records such as Nigeria, UAE and Vietnam.[8]

Leaked documents show the system is designed to exploit telecommunication protocol vulnerabilities.[9] Customers can also purchase a separate system called “Circles Cloud”. This tool allows users to connect to telecommunication companies’ infrastructure around the world.

Such attacks are known as Signaling System 7 (SS7) Attacks.[10] They allow an end-user to capture information including voice calls, messages and live location information.

The researchers also found that the government agencies connected to the Circles’ technology have a history of exploiting digital surveillance methods for human rights abuses.

NSO Group

Location: Israel
Number of suspected customers: 23
Client regime type: 10% full democracies

Founded in 2010, the Israel-based NSO Group has built a reputation for providing one of the most “sophisticated pieces of cyber-espionage software” ever seen.[11]

The company’s best-known software, Pegasus, is capable of covertly tracking every detail of a target’s digital activity, giving the user access to a target’s camera, files and even encrypted messages. The malware is traditionally delivered via a carefully designed phishing message, although details of “zero-click exploits” have recently emerged.[12]

The company is renowned for selling its technology to governments globally and its spyware has been frequently linked to human rights abuses in countries including Mexico, UAE and Rwanda.[13]

In one of the biggest revelations to date, an internal investigation by WhatsApp revealed 1,400 devices had been infected with Pegasus in 2019.[14] NSO Group is part-owned by London-based investment firm, Novalpina Capital. The transaction valued NSO at $1 billion in 2019.[15]

Suspected State Actors

This table shows the countries with the most extensive and varied spyware arsenals based on the number of different vendors from whom they are reported to have purchased technology.

Details of our full findings are available on this Google data sheet.

UAE

The United Arab Emirates is reported to have purchased spyware from Candiru, Circles, FinFisher, Hacking Team and NSO Group. The country even has its own bespoke hack-for-hire team from cybersecurity firm DarkMatter, which uses a cutting-edge hacking platform known as Karma.[16]

The Emirates were Hacking Team’s second-biggest clients, behind only Morocco, reportedly paying the company more than $634,500 to target 1,100 devices with spyware in 2015.[17] Moreover, leaked contracts suggested a total licensing fee of at least $18 million for NSO Group’s surveillance software.[18]

The rise in surveillance technology in the Middle East has had serious implications for pro-democracy activists in the region. Ahmed Mansoor, a prominent human rights activist, has reportedly been repeatedly targeted with spyware. Researchers found that his devices had been digitally targeted with technology made by FinFisher, Hacking Team and NSO Group over recent years.[19]

Political espionage has also been a dominant driving force behind the UAE’s use of spyware. The Emirati target list has reportedly included the hacking of devices belonging to Saudi Arabia’s Prince Mutaib bin Abdullah,[18] Lebanon’s Prime Minister Saad Hariri[20] and Sheikh Tamim bin Hamad of Qatar.[21]

Mexico

Over the past decade, Mexico has become renowned for its use of spyware. We found Mexico to be one of the countries with the most spyware tools in their arsenal, second only to the UAE. Authorities in Mexico are reported to have access to tech made by Ability Inc., Circles, and NSO Group as well as Hacking Team and FinFisher.

Mexico has reportedly been NSO Group’s biggest customer, spending $80 million on its surveillance technologies between 2011 and 2017.[22]

NSO’s products have reportedly been used against some of the country’s most outspoken human rights lawyers, journalists and anti-corruption activists.

It has even been suggested that the authorities with access to spyware may end up supplying it to organized crime groups. According to a statement provided by a Mexican official to the Cartel Project, “The police who have the technology would just sell it to the cartels.”[23]

Morocco

Digital attacks have been symptomatic of a larger trend of increasingly repressive governance in Morocco.[24] A 2015 leak of Italian spyware vendor Hacking Team’s emails revealed that the Moroccan government had spent close to $4 million on the company’s Remote Control System (RCS) software.[25]

A 2020 report by Amnesty International revealed a sustained campaign by the Moroccan government to spy on prominent journalist and activist, Omar Radi, using NSO Group’s Pegasus.[26] The revelation came just days after NSO had pledged to prevent its products being used to target human rights defenders.

Spyware Targets

The following table displays the types of individuals targeted with spyware and the countries where they were located at the time of attack.

See our full findings on this public Google Sheet.

Activists & Dissidents

It is of little surprise that human rights defenders, activists and dissidents are the most frequently targeted group given the repressive governments who have purchased spyware technology.

Omar Abdulaziz

Omar Abdulaziz is a prominent pro-democracy Saudi activist who resides in Canada.

According to a lawsuit filed by Abdulaziz, the Saudi royal court allegedly had access to Jamal Khashoggi’s digital communications with Abdulaziz as they’d installed NSO’s spyware on his cellphone.[27]

The exploit was later confirmed with “high confidence” by research group Citizen Lab.[28] They identified the end user as an operator linked to the government of Saudi Arabia. The spyware attack on Abdulaziz took place in summer of 2018, just months prior to the assassination of Khashoggi in the Saudi consulate in Istanbul.

Maati Monjib and Abdessadak El Bouchattaoui

Two human rights defenders from Morocco were reportedly targeted with NSO Group’s Pegasus spyware, according to a 2019 report by Amnesty International.[29] The findings detail the two victims as Maati Monjib, a historian and activist advocating for freedom of expression, and Abdessadak El Bouchattaoui, a human rights lawyer, both of whom have a history of persecution by the state.[30][31]

Political Figures

Political figures have frequently found themselves entangled in cyber-espionage campaigns in countries where political debate is stifled or seen as a threat to the authoritarian status quo.

Faustin Rukundo, Frank Ntwali & Placide Kayumba

Three prominent Rwandan opposition party members were revealed to have been targeted with NSO Group’s Pegasus spyware, according to a 2019 Financial Times report.[32]

Rukundo and Ntwali are both members of the Rwanda National Congress, an exiled opposition group, while Kayumba is a Belgium-based member of Rwanda’s FDU-Inkingi opposition coalition, whose members have been subject to an extensive intimidation campaign.[33]

Roger Torrent

Roger Torrent and at least two other pro-independence Catalan politicians were reportedly targeted with NSO’s Pegasus spyware in what was believed to be the first use of spyware to target a political figure in a European democracy.[34]

The Spanish Interior Ministry, National Police and Civil Guard claim that they never hired the services of the NSO Group, while the Spanish Intelligence agency commented that it “always acts in clear accordance with the law”.[35]

Journalists

Journalists are frequently targeted due to their role criticizing governments with poor human rights records.

“The reckless and abusive use of commercial spyware to target journalists, their associates, and their families adds to the numerous and growing risks that journalists worldwide now face,” said Ron Deibert of Citizen Lab.

“Thanks to companies like NSO Group, unscrupulous dictators and autocrats now have a powerful tool to aid in their sinister aims to stifle dissent and quell controversial reporting.”[36]

Ben Hubbard

In 2018, New York Times correspondent Ben Hubbard received a suspicious text message.[37]

He was working and reporting from Saudi Arabia when he received a text that read, “Ben Hubbard and the story of the Saudi royal family.”

Later, researchers at Citizen Lab determined that the text included an exploit link for Pegasus. He was the first American journalist to have been targeted with the technology. Fortunately, Hubbard did not open the link and was therefore not affected.

Alejandro Santos

In January 2020, it was reported that the Colombian military had purchased an invasive spyware tool from Mollitiam Industries, a Spanish cyberintelligence firm.[38]

The company was included in Reporters Without Borders’ 20/2020 list of press freedom’s digital predators after it was alleged the military had used the tool to “spy on supreme court judges, politicians, journalists and journalists’ sources”.[39] The targets are said to include Alejandro Santos, the editor of the news magazine, Semana.

Methodology

We analyzed close to 100 documents, news articles and reports published since 2015 documenting the spyware manufacturer, suspected end user and all available information regarding the targets. We used rankings from the Economist Intelligence Unit and Freedom House to provide further analysis of both vendor country and the regime type of those purchasing the technology.

Access The Global Spyware Market Index raw data on this Google Sheet.

The authors of all our investigations abide by the journalists’ code of conduct.

References

[1] https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=24736

[2] https://www.amnesty.org/en/latest/news/2021/03/new-eu-dual-use-regulation-agreement-a-missed-opportunity-to-stop-exports-of-surveillance-tools-to-repressive-regimes/

[3] https://www.telegraph.co.uk/technology/2020/01/24/terrifying-power-reach-unregulated-12bn-spyware-industry/

[4] https://privacyinternational.org/blog/1522/six-things-we-know-latest-finfisher-documents

[5] https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/

[6] https://rsf.org/sites/default/files/rsf_germany_pressrelease_finfisher_spyware.pdf

[7] https://www.business-humanrights.org/en/latest-news/police-carry-out-raids-linked-to-german-spyware-firm-finfisher/

[8] https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/

[9] https://web.archive.org/web/20190409205521/https://www.alaraby.co.uk/file/get/4749a75b-fc46-4917-85d3-7f8b41d4b34a

[10] https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls

[11] https://www.vice.com/en/article/3da5qj/government-hackers-iphone-hacking-jailbreak-nso-group

[12] https://www.vice.com/en/article/wnxpjm/nso-group-new-big-player-in-government-spyware

[13] https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/

[14] https://www.washingtonpost.com/opinions/2019/10/29/why-whatsapp-is-pushing-back-nso-group-hacking/

[15] https://apnews.com/article/3ae2108f1edc42eca950b5000d4d3fc8

[16] https://www.reuters.com/investigates/special-report/usa-spying-karma/

[17] https://www.nytimes.com/2016/05/30/technology/governments-turn-to-commercial-spyware-to-intimidate-dissidents.html

[18] https://www.nytimes.com/2018/08/31/world/middleeast/hacking-united-arab-emirates-nso-group.html

[19] https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

[20] https://www.aljazeera.com/news/2018/9/1/uae-used-israeli-spyware-to-target-qatari-emir-saudi-prince

[21] https://www.reuters.com/investigates/special-report/usa-spying-raven/

[22] https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html

[23] https://www.theguardian.com/world/2020/dec/07/mexico-cartels-drugs-spying-corruption

[24] https://www.hrw.org/world-report/2021/country-chapters/morocco/western-sahara

[25] https://privacyinternational.org/blog/1394/facing-truth-hacking-team-leak-confirms-moroccan-government-use-spyware

[26] https://www.amnesty.org/en/latest/news/2020/06/nso-spyware-used-against-moroccan-journalist/

[27] https://www.nytimes.com/2018/12/02/world/middleeast/saudi-khashoggi-spyware-israel.html

[28] https://citizenlab.ca/2018/10/the-kingdom-came-to-canada-how-saudi-linked-digital-espionage-reached-canadian-soil/

[29] https://www.amnesty.org/en/latest/research/2019/10/morocco-human-rights-defenders-targeted-with-nso-groups-spyware/

[30] https://cpj.org/2021/01/moroccan-journalist-maati-monjib-sentenced-to-1-year-in-prison/

[31] https://www.accessnow.org/moroccos-hirak-movement-has-gone-quiet-but-the-crackdown-on-independent-media-continues/

[32] https://www.ft.com/content/d9127eae-f99d-11e9-98fd-4d6c20050229

[33] https://www.hrw.org/world-report/2020/country-chapters/rwanda

[34] https://www.theguardian.com/world/2020/jul/13/phone-of-top-catalan-politician-targeted-by-government-grade-spyware

[35] https://english.elpais.com/spanish_news/2020-07-15/spyware-attack-on-catalan-leaders-cellphones-triggers-political-storm-in-spain.html

[36] https://deibert.citizenlab.ca/2018/11/mexico-spyware-nso-redux/

[37] https://www.nytimes.com/2020/01/28/reader-center/phone-hacking-saudi-arabia.html

[38] https://www.semana.com/nacion/articulo/persecucion-espionaje-y-amenazas-a-periodistas-de-la-revista-semana/647890/

[39] https://rsf.org/en/news/rsf-unveils-202020-list-press-freedoms-digital-predators