U.S. sanctioned NSO Group in 2021. By 2025, 4 successor firms had filled the same market. Here is the chain.
In July 2021, journalists at 17 newspapers received the same leaked database: 50,000 phone numbers selected for surveillance by NSO Group customers using the Pegasus product [1]. One of the names was Cecilio Pineda Birto, a Mexican freelance investigative reporter. His phone had been targeted weeks before two gunmen on a motorcycle shot him at a car wash in the state of Guerrero. He was 38.
Four months after that database went public, the United States Commerce Department added NSO Group to its Entity List [2], a designation that makes it effectively illegal for U.S. companies to sell technology to a sanctioned firm. The press releases at the time framed it as a structural blow to the commercial-spyware industry. NSO’s Israeli rival Candiru, the Russian firm Positive Technologies, and a Singapore-based broker were added to the same list in the same filing [2]. The headlines wrote themselves.
Four years on, the buyer governments documented as Pegasus customers in 2021 [1] (Mexico, Saudi Arabia, the United Arab Emirates, Hungary, India, Morocco, and Azerbaijan among others) have continued to acquire mobile-device exploitation capabilities. They are buying them from a reshuffled cluster of vendors with different names, mostly headquartered in different jurisdictions, often staffed by the same people [1][3][6]. The product survived. The corporate identities at the top of it changed. Citizen Lab at the University of Toronto, Amnesty International’s Security Lab, and the European Parliament’s PEGA committee have documented who replaced NSO Group as the dominant supplier, and who is buying from the replacements [3][4][6]. The story is the chain.
The Official Story
The commercial-spyware industry’s stated purpose, presented uniformly by every vendor in the category, is the support of lawful national-security and law-enforcement investigations against terrorism, organized crime, and child sexual exploitation. The vendors describe their products as exclusively sold to vetted government customers under end-use licensing agreements that prohibit deployment against journalists, civil society, or political opposition. The industry argument is that the products fill a legitimate capability gap created by end-to-end encryption on mobile devices, which has rendered traditional lawful-intercept methods inadequate.
The technical record assembled by Citizen Lab and Amnesty International across more than a decade of forensic analysis tells a different story [6]. Pegasus, Predator, and the related products have been documented as deployed against journalists in at least 11 countries, against political opposition in at least 14 countries, against members of civil-society organizations in at least 9 countries, and in several cases against attorneys representing dissidents and against family members of murdered journalists [1][3][4]. The end-use licensing agreements the vendors describe have not, in the public record, prevented any of those deployments.
Follow the Money
The financial mechanics of commercial spyware work in three layers.
The vendor develops and maintains exploit chains, the technical means by which the spyware compromises a target device. These exploits are perishable; once the device manufacturer (Apple, Google, Samsung) discovers and patches the underlying vulnerability, the exploit chain stops working. Vendors maintain capability by buying new exploits from a global market of independent vulnerability researchers, by funding internal exploit development, and by contracting brokerage firms that aggregate vulnerabilities and resell them.
The vendor sells access to the spyware platform to government customers under multi-year contracts. Contract values documented in public reporting range from approximately $5 million to $50 million annually depending on country, scale, and capability tier [3][4]. The contracts include exploit-chain refreshes when the underlying vulnerabilities are patched, technical support, and operator training.
The government customer deploys the spyware through its national-security or interior-ministry channels. Targeting decisions are made internally by the customer; the vendor’s stated role ends at the contract. The PEGA committee report documented that several EU member states deployed Pegasus or equivalent products against opposition politicians, journalists, and lawyers without judicial oversight commensurate with the intrusiveness of the deployment [4].
The product the customer is paying for is not a piece of software. It is sustained access to a target’s device, refreshed against patch cycles, supported through operational deployment, and structured to leave minimal forensic evidence on the target. That access is the unit the contracts price.
The Network
The vendor cluster that has emerged in the years following the 2021 NSO Entity List action overlaps substantially with the cluster that existed before the action. Several of the post-2021 vendors trace, through corporate ownership, key personnel, or technical lineage, back to firms that had operated in the same market a decade earlier [3]. The corporate restructures took, on average, less than a year between sanction action and the successor firm appearing in customer contracts.
The Intellexa Alliance, an interlocking set of vendors developing and selling the Predator product, was the subject of a 2023 Amnesty International / European Investigative Collaborations joint investigation [3]. The investigation documented Intellexa-affiliated entities incorporated in Greece, Cyprus, Ireland, Hungary, North Macedonia, and the British Virgin Islands. The corporate structure was designed to allow contracts to be signed from whichever jurisdiction was most permissive for the customer government and least likely to attract regulatory scrutiny in the customer’s home jurisdiction. In March 2024, the U.S. Treasury Department’s Office of Foreign Assets Control sanctioned the Intellexa founder and several Intellexa-affiliated entities under Executive Order 13694 for their role in the development and operation of the Predator commercial spyware [5].
Other firms identified by Citizen Lab and Amnesty as active in the post-NSO market include Cytrox, the original developer of Predator before its absorption into the Intellexa Alliance; QuaDream, an Israeli vendor that ceased operations in mid-2023 after Citizen Lab and Microsoft published forensic analysis of its Reign product; and Paragon Solutions, an Israeli vendor that emerged in 2024 with a product targeting messaging-app exploitation and that has been documented as having sold to U.S. and European customers [6].
What Was Buried
The PEGA committee final report, adopted by the European Parliament in June 2023, concluded that several EU member states, naming Hungary, Poland, Greece, Spain, and Cyprus, had used commercial spyware in ways inconsistent with EU law and human-rights standards [4]. The report’s recommendations called for a moratorium on the use of commercial spyware within the EU until a regulatory framework was in place. The European Commission proceeded to do nothing about it. The member states named in the report did not, as of late 2025, withdraw from their existing contracts with commercial-spyware vendors [4]. The recommendation, the contracts, and the surveillance all coexist.
The U.S. response has been more aggressive than the EU response in form, with Entity List actions and OFAC sanctions, but the practical effect on the global market has been limited [2][5]. Sanctioned vendors are restructured, renamed, or replaced by adjacent firms with different incorporation paperwork. The buyer governments continue to procure capability. The market does not shrink; its corporate organization changes.
The Stakes Now
The commercial-spyware market is a study in how a regulatory action against a specific corporate identity does not address a market that exists because of demand from a class of customers, in this case sovereign-state governments with operational requirements that mass-market consumer encryption has rendered otherwise difficult. As long as the demand exists, the supply reorganizes around regulatory boundaries rather than ceasing.
The same dynamic visible in how foreign-lobbying firms reshuffled after high-profile clients became toxic operates in the spyware market, with sanctions actions playing the role that headlines play in the lobbying market. Both produce the appearance of structural change while the underlying demand and capability persist.
The One Thing That Matters
If the United States, the European Union, and the OECD member states adopted and enforced a coordinated moratorium on commercial-spyware procurement by member-state governments, the market would not survive. The vendors do not have meaningful private-sector demand. Their capability development costs and exploit-acquisition costs are predicated on the multi-year, multi-million-dollar contracts that only governments fund [3][4]. A sustained demand-side restriction would close the market in the same way demand-side restrictions close arms-export markets, which is the regulatory category commercial spyware most closely resembles.
The supply-side approach the U.S. has pursued, sanctioning specific corporate identities while leaving the customer governments untouched, has produced four years of evidence that it does not close the market [2][5]. Each sanction is followed by a successor firm. The customers, including allied governments, continue procuring [4]. The mobile-exploitation industry survives because the demand survives. The vendors are interchangeable. The targets are not.
How we know
Every factual claim above traces to one of the entries below. Paywalled sources are marked. Where a source might disappear, the archive link points to a snapshot.
- 01
- 02
- 03
- 04
- 05
- 06
This piece uses public technical reports from the Citizen Lab at the University of Toronto Munk School and from Amnesty International's Security Lab as the primary frame. Sanctions and Entity List actions are drawn from U.S. Department of Commerce Bureau of Industry and Security filings and U.S. Treasury OFAC public records. Buyer-government identification is drawn from the joint Forbidden Stories / Amnesty Pegasus Project (2021) and from the European Parliament PEGA committee final report (2023). No anonymous sources; every named buyer or vendor traces to one of the cited public reports.