India: Shiva’s Eye in the Empire of “Spyware-as-a-Service”

In 2021, a collaborative investigation by 17 international media outlets revealed that a list of 50,000 numbers worldwide had been targeted by Pegasus spyware, created by the Israeli company NSO Group. Within this list, approximately 300 Indian numbers were identified, belonging to a diverse range of profiles: journalists, lawyers, politicians, public figures, and even members of the Dalai Lama’s inner circle.

While NSO maintains that it only sells its products to states, the Indian government dismissed the investigation as a ‘conspiracy’ against Indian democracy and refused to cooperate with the technical committee established by the Supreme Court. Its goal? To shed full light on the matter. To this day, the issue remains a major point of contention in the political landscape of Modi’s India.

India is now the most connected country in the world, with over a billion smartphones in use. This makes it a vast, real-world laboratory for commercial spyware. And while India utilizes foreign technologies, it has also become a major player in this opaque and controversial market: it is now reportedly the world’s third-largest supplier (following Israel and Italy, which together form the so-called ‘3i’), accounting for 5.88% of known companies.

Mass Surveillance: A Vast and Complex System in India

India did not become a player in the spyware market overnight. The British colonial era laid the groundwork for a mass surveillance system that continues to fuel the demand for spyware in India today. In the 19th century, British police developed a preventive policing model based on surveillance techniques, aimed at averting both crime and any form of rebellion from the Indian population. In 1885, with the advent of more sophisticated communication technologies, the Indian Telegraph Act was passed; Section 5 of this law grants the government the power to intercept communications in the event of a public emergency. This law remains in effect, having undergone several adaptations to keep pace with technological progress. The mass surveillance system also relies legally on the Information Technology Act of 2000. Considered its backbone, this text—originally designed to promote e-commerce—has evolved into a powerful tool for data control following successive amendments. Although the Supreme Court declared privacy a fundamental right in 2017, state agencies continue to benefit from broad exemptions.

This mass surveillance is clearly visible on the ground. Cities such as Hyderabad, Delhi, and Indore rank among the most surveilled in the world. Hyderabad, for instance, has one of the highest ratios of cameras per inhabitant outside of China (83.32 cameras per 1,000 people in 2023). Surveillance and law enforcement actors do not hesitate to employ cutting-edge tools. The Indian police are particularly fond of facial recognition technologies, which were notably used to monitor protesters in 2019.

Furthermore, the government has carried out an extensive ‘documentation’ of the population. It implemented Aadhaar, the world’s largest biometric database, which stores the sensitive information of 1.1 billion citizens (fingerprints, iris scans, ID photos, etc.). While this database was created to modernize administration, its critics fear that the data could be used by government agencies in a way that undermines individual liberties.

The Indian government has supported several programs dedicated to interception, such as the Central Monitoring System (CMS)—a centralized system that allows government agencies to listen to calls and monitor SMS and internet traffic without going through service providers’ servers. In the same vein, it has also enabled the development of NATGRID (an intelligence network that cross-references dozens of databases, including tax records, travel logs, banking, and criminal records, to profile citizens) and DRDO NETRA (a tool that scans internet traffic, such as emails, social media, and Skype, in real-time to detect specific security-related keywords).

In 2025, the Modi government’s interception projects took a step further in terms of intrusiveness. The administration sought to mandate smartphone manufacturers to pre-install a government app, Sanchar Saathi, providing access to call logs, device memory, and the camera. This functionality is reminiscent of the ‘one-click’ spyware we previously described in the fourth episode of our series on Italy. Following Apple and Google’s refusal to comply with the rule, the initiative was ultimately abandoned, but it clearly illustrates the Indian government’s surveillance ambitions while explaining its reliance on commercial spyware.

An Active Client in the Global Spyware Market

Returning to the Pegasus affair: the Indian government has not admitted to purchasing the Pegasus license, despite technical evidence of its use discovered by experts at Amnesty International. However, various journalistic investigations—alongside others conducted by NGOs and cyber threat intelligence firms—suggest that India is an active client in the commercial spyware market. The Indian state appears to have diversified its spyware acquisitions since 2020:

Source : Surveillance Watch, Amnesty International 

In response to this consumption of intrusive solutions, India has decided to develop its local production. In 2014, the Indian government launched the ‘Make in India‘ initiative under the leadership of Narendra Modi. This national program aims to transform India into a global design and manufacturing hub by helping companies grow and fostering innovation across 25 strategic sectors. Since its inception, the program has become the central pillar of India’s economic strategy, with plans to boost GDP growth and enhance the strategic autonomy of the Asian peninsula. This pillar benefits companies in the IT sector, and by extension, those developing offensive cybersecurity capabilities.

Cyber-Spy for Hire: The ‘Made in India’ Shadow Industry

Since the 1990s, India has established itself as a leader in IT expertise. It was therefore only natural for a cybersecurity ecosystem to flourish in the South Asian peninsula, now comprising over 400 companies. This market is projected to account for 5% of the global market by 2028. In 2023, it was valued at $6.6 billion, with a target of $13.6 billion by 2025. However, under the guise of ‘cybersecurity’ or ‘cyber intelligence,’ some firms do not hesitate to develop intrusive solutions.

Thus, using the Surveillance Watch database, it has been possible to identify seven local players in the commercial spyware market: Aglaya, Appin/ApproachInfinite, BellTroX, ClearTrail, CyberRoot, Innefu Labs, and Leo Impact. Naturally, given that these types of companies operate with such discretion, it is certain that many more exist.

India is well-known as a hub for ‘hacking-for-hire,’ a business model where individuals or companies sell cyberattack services to third parties. This form of ‘cyber-mercenarism,’ combined with state mass surveillance practices, has provided fertile ground for the development of spyware. This can be explained by the intersection of several factors: a legal gray area regarding cyberattacks conducted abroad, a pool of skilled low-cost talent, and close ties between industry firms and political circles (notably in the case of the Kanwal brothers, founders of Appin, a pioneering company in the sector). Since cyberattacks are often commissioned to retrieve compromising information on a target, the use of spyware has become essential to meeting client demands.

Speaking of clientele, this is where the practices of Indian companies differ from their Israeli or Italian counterparts. While the latter focus on selling their technologies to governments and state agencies, Indian firms offer their solutions to anyone who can afford them. And that includes private individuals! The Indian industry has notably grown around ‘spouseware’—spyware designed for emotional harassment, particularly in the context of separations and contentious divorces. An investigation by Thomas Brewster for Forbes exposed Aglaya’s business practices: its national security products and its civilian products are technically identical. Or almost: only the price tag is different.

Indian software is no less sophisticated or effective than that marketed by Israeli and Italian firms. Their tools often aim for ‘Zero-Click’ deployment—where the target is infected without their knowledge, as no action is required on their part—but at a much lower cost than Israeli alternatives. Furthermore, most of these companies do not specialize solely in spyware; instead, they offer a full arsenal to bolster offensive capabilities with a total disregard for ethics, ranging from interception and facial recognition to the orchestration of disinformation campaigns.

While European and Israeli firms adopt a moderate tone when evocating their activities, Indian companies compete in their aggressiveness. They do not shy away from using highly transparent language in their brochures regarding the purpose of their solutions, leaning heavily into military jargon. For instance, Aglaya markets ‘cyber nukes’ claimed to be as powerful as nuclear attacks.

Local players offering their services worldwide

With this business model, it is clear that the purchase of these solutions quickly expanded beyond the Indian market. Thanks to the Surveillance Watch database, it has been possible to map out the countries where traces of Indian spyware usage have been identified:

Source : Surveillance Watch

Due to the secrecy surrounding state contracts, this inventory should be considered an underestimate, as it only accounts for software for which technical traces have been identified by cyber threat intelligence firms or whose use has been exposed by journalistic investigations. What is already observable is that Indian solutions are being utilized by countries considered democratic as well as by more authoritarian regimes.

As previously mentioned, Indian companies are not particularly discerning when it comes to their clientele, and they do not hesitate to sell highly sophisticated products to private individuals and businesses. In an investigation published in The Sunday Times in November 2022, Indian hacker Utkarsh Bhargava claimed to be capable of providing his clients with a Pegasus equivalent, the source code of which he discovered in 2019. A technical expert from Amnesty International, interviewed for the investigation, analyzed the code provided by Bhargava and confirmed that it was indeed a reverse-engineered version of the famous Israeli spyware. The report further detailed the hacker’s links to the company Appin, a firm notorious for supplying spyware worldwide.

Beyond revealing the offensive capabilities of Indian hackers, it demonstrates how a genuine illicit trade based on espionage has developed between firms like Appin, BellTroX, and CyberRoot and London-based companies of all kinds: corporate intelligence agencies, law firms, industrial sector companies, and more. This trade is built on three pillars: the outsourcing of legal risk (London firms bet on the fact that it will be more complex for British authorities to investigate and punish spyware use if it is carried out by foreign actors), the role of intermediaries (London corporate intelligence firms and private investigators act as a ‘buffer’ between the Indian companies and the end client), and LinkedIn (British firms use the social network to contact members of the Indian companies).

This system operates like an industrial supply chain. First, the London firm receives a mandate from a client: the corporate intelligence agency is tasked with finding information on a client’s competitor, or a law firm needs compromising evidence for a complex divorce. They then contact an Indian hacker, who may have been trained by or is currently working with an Indian company like Appin, CyberRoot, or BellTroX. The firm provides information regarding the target, allowing the hacker to craft an attack—often based on phishing and social engineering—to deploy spyware on the target’s phone or computer. Once access to the device is secured, the hacker generally does nothing with the data themselves; instead, they transfer the credentials or copies of emails to the British client.

Obviously, none of this comes for free. The cost of the operation varies depending on its complexity and the target. A few thousand pounds are enough for simple access to the victim’s emails. In the Sunday Times investigation, Indian hacker Utkarsh Bhargava specifies that he charges between $10,000 and $15,000 for complex missions—an affordable price for most major Western corporations! As the investigation only focused on London-based firms, one cannot help but think that other companies may also be turning to this ‘Spyware-as-a-Service’ market with total impunity.