Snowden’s revelations in 2013 brought mass surveillance practices into the spotlight and contributed to the widespread adoption of end-to-end encryption. A more targeted form of surveillance then developed, creating a new layer in an already opaque and paradoxically structured market. Private companies of all sizes provide states with cutting-edge technology that is deployed across several complementary segments. From mass intelligence gathering (SIGINT) to surgical infiltration, the introductory episode of our series offers a deep dive into the heart of this grey economy, which is essential for identifying targets of interest.
Cyber-surveillance: Decoding a Shady, Yet Structured, Market
A bombshell for the Italian government at the end of January 2025: journalists received an alert on their smartphones from Apple, notifying them that they had been spied on using state-sponsored software. Overwhelming evidence revealed that the software Graphite, developed by the Israeli company Paragon, was used by the Italian state and several of its agencies — the ACN (National Cybersecurity Agency), the AISI (domestic intelligence service, equivalent to the DGSI) and the AISE (external intelligence, equivalent to the DGSE) — to monitor citizens.
While journalists are among the identified targets concerned, recent information reveals that professionals in the banking and finance sector have also been monitored. This escalating scandal even led to a Senate report on the use of this software. The case illustrates the rise of an increasingly widespread practice: targeted surveillance, whose abuses are causing concern even in the highest European institutions. Beyond the scandal, the Italian affair underscores a reality: surveillance has become a market in its own right. Behind every piece of spyware, there is a chain of companies, contracts, and cross-cutting interests that far exceed national borders.
In 2013, the Snowden affair revealed the staggering scope of mass surveillance implemented by state intelligence agencies. These programs relied primarily on collecting metadata (who communicates with whom, when, and where), intercepting unencrypted communications, and widespread wiretapping. However, the resonance of these revelations paradoxically accelerated the technical response: the massive generalization of encryption. Today, whether through HTTPS (for web browsing) or, crucially, the end-to-end encryption enforced by applications like WhatsApp, Signal, or Telegram, the majority of exchanges have become unintelligible on the network. The weak link is no longer the communication line, but the terminal itself.
The sole reliance on the old strategy of ‘listening to everyone, all the time’ has become obsolete for accessing content. It has become necessary for authorities and intelligence agencies to resort to a more targeted form of surveillance. This situation has fostered the structuring of a cyber-surveillance market, consisting of several segments (intrusion software, SIGINT, 0-day vulnerabilities, etc.) which are sometimes complementary, as suggested by Crofton Black, an investigative journalist at LightHouse Reports and author of numerous investigations into surveillance, including one on the company FirstWap: “In the media, expensive tools are often the only ones taken seriously, because of their potential power. In reality, their use may be much rarer than we think, with the vast majority of surveillance operations carried out through other means.” This scandal is not an isolated accident: it illustrates a fundamental trend that emerged more than a decade ago.
Our series, ‘The Roads of Surveillance: Investigation into the Global Market for Spyware,’ invites you to explore this flourishing and opaque, yet nonetheless structured, market.
From Global Wiretapping to Target Mapping
Despite Edward Snowden’s revelations and the widespread adoption of end-to-end encryption, mass surveillance is far from over. Often called SIGINT (Signals Intelligence), it focuses on acquiring information on a large scale, particularly the contextual information surrounding each communication (referred to as ‘metadata’): who is talking to whom, when, and from where. These tools are not effective for reading encrypted content, but they are the essential starting point for mapping and identifying targets of interest.
And for this, nothing is better than an arsenal of sophisticated interception tools, often integrated into communication infrastructures. The most commonly used are interception systems placed on satellite links or submarine cables, through which communications transit. The collection of telecommunications data via DPI (Deep Packet Inspection) is also practiced: a technology that examines the full content (payload) of packets crossing the internet, not just the addressing information in their headers, which makes it useful only on traffic that is not encrypted. Finally, it is also possible to use metadata analysis platforms. These systems collect, organize, and study information ‘about’ communications, without reading the actual content, in order to build profiles and identify interaction patterns.
Who are the architects of this massive collection? The SIGINT segment remains, by nature and historical investment, the exclusive domain of a handful of superpowers—those intelligence agencies (such as the NSA for the United States, the DGSE for France, or the GCHQ for the United Kingdom) that maintain control over global listening infrastructures. Even if tools are developed internally, a few major specialized companies (General Dynamics Mission Systems, Inc., BAE Systems plc, Parsons Corporation, or Airbus Defence & Space) offer increasingly innovative solutions to states for carrying out this mass surveillance.
This massive collection of metadata is the strategic compass: it extracts from the ambient noise the context necessary for qualifying targets and becomes the sole argument validating the colossal investment and surgical operation of targeted infiltration.
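To make concrete what ‘metadata analysis’ yields even when every message body is encrypted, here is an added example that is not part of the original article and not the code of any product mentioned in it. It runs a small contact-graph analysis over constructed call-detail-style records (timestamp, caller, callee, caller’s cell); the names, cell labels and record format are all invented for the illustration.

```python
"""Contact-graph analysis over constructed call-detail-style metadata.

Added illustration: metadata alone (who talks to whom, when, from where)
is enough to map relationships and routines, with no access to content.
Identifiers, cell labels and the line format are constructed here and do
not come from any real system.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed records: timestamp, originator, recipient, originator's cell.
# Note what is absent: the content of every communication.
SAMPLE_RECORDS = """\
2025-01-06T08:05:00 alice bob cell-A
2025-01-06T12:30:00 alice carol cell-B
2025-01-06T19:10:00 bob dave cell-C
2025-01-07T08:02:00 alice bob cell-A
2025-01-07T21:00:00 carol dave cell-D
2025-01-08T08:07:00 alice bob cell-A
2025-01-08T13:15:00 erin alice cell-B
2025-01-09T08:04:00 alice bob cell-A
2025-01-09T17:45:00 dave alice cell-C
"""


def parse_records(text):
    """Parse whitespace-separated lines into (datetime, src, dst, cell) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, cell = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, cell))
    return records


def contact_graph(records):
    """Undirected contact counts: (a, b) -> number of communications between them."""
    edges = Counter()
    for _, src, dst, _ in records:
        edges[tuple(sorted((src, dst)))] += 1
    return edges


def hub(records):
    """Identity with the most distinct contacts: the first candidate 'target of interest'."""
    neighbours = defaultdict(set)
    for _, src, dst, _ in records:
        neighbours[src].add(dst)
        neighbours[dst].add(src)
    # Tie-break on name so the result is deterministic.
    return max(neighbours, key=lambda p: (len(neighbours[p]), p))


def recurring_pattern(records, min_days=3):
    """Pairs that communicate at the same hour of day on at least min_days distinct days."""
    seen = defaultdict(set)  # (pair, hour) -> dates on which it happened
    for ts, src, dst, _ in records:
        seen[(tuple(sorted((src, dst))), ts.hour)].add(ts.date())
    return sorted(key for key, days in seen.items() if len(days) >= min_days)


def usual_cell(records, person):
    """Cell a person most often originates from: a coarse 'where' derived from metadata."""
    counts = Counter(cell for _, src, _, cell in records if src == person)
    return counts.most_common(1)[0][0] if counts else None


def profile(text):
    """Full pass: graph, hub, routines and usual location of the hub."""
    records = parse_records(text)
    who = hub(records)
    return {
        "edges": dict(contact_graph(records)),
        "hub": who,
        "routines": recurring_pattern(records),
        "usual_cell": usual_cell(records, who),
    }


if __name__ == "__main__":
    for key, value in profile(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

Nine envelope-only records are enough to single out one identity as the hub, to show that it contacts the same person at the same hour every morning, and to place it in one cell. This is the ‘qualification’ step the article describes: none of it required decrypting anything, which is why end-to-end encryption protects content but not the social graph around it.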
When Surveillance Becomes Pinpoint Accurate
Pegasus, Predator, Galileo… Intrusion software has been regularly in the media spotlight for several years, and the names of some of them are known to the general public. While these names have made headlines, the market for commercial intrusion tools is not new. It truly emerged in the early 2000s, when companies, often stemming from the defense or intelligence sectors, began selling ‘lawful interception’ solutions to help states face the early challenges of the Internet. This segment is the core of the modern grey economy, made indispensable by encryption.
The power of the software attack lies in its ability to transform the target’s device—computer, smartphone… their most personal tool—into a permanent spy, surgically infected by the injection of a discreet payload. The main objective is to bypass encryption to gain access to content, imperceptibly to the target. It aims to achieve full access to the operating system (files, encrypted messages, microphone, camera) at the endpoint, before outgoing data is encrypted and after incoming data is decrypted, thus ensuring maximum intelligence effectiveness. In this way, the smartphone, meant to protect the user, is turned against them: it transforms into a permanent and undetectable listening post, coldly intercepting raw data the very moment it is processed by the system.
This power of infiltration, which is worth its strategic weight in gold, is not widely distributed: it is jealously guarded by a small number of high-tech private companies that have transformed targeted intrusion into an oligopoly that is as discreet as it is lucrative. Palantir, NSO Group, Intellexa… These controversial and discreet companies all rely on the same economic model: the sale of very expensive licenses for a limited number of targets. This structure of price and exclusivity guarantees considerable margins for the suppliers and allows states, the primary clients of these technologies, to acquire an infiltration capability that their own agencies would struggle to develop alone.
Henceforth, this technological black box is no longer an option, but a necessity: this opaque and highly strategic market has established itself as an essential financial pillar in the intelligence and security budgets of nations.
0-Days: The Vulnerabilities Worth Gold
At the heart of this economy lies a singular, invisible, and volatile resource: the 0-day vulnerability, a flaw that has not yet been discovered by the software vendor. It constitutes the strategic and most lucrative raw material of the intrusion market, while also forming its own market segment.
These flaws are essential to the functioning of most spyware. Due to the predominant use of certain software and operating systems, a single vulnerability can enable the targeting of thousands, or even millions, of people worldwide. This is how a very lucrative business has developed around the research and sale of these vulnerabilities.
Ironically, it is thanks to ‘flaws’ that light is shed on the opacity of this market. In 2015, the Italian spyware vendor Hacking Team (now known as Memento Labs) was the victim of a data leak concerning some of the company’s mailboxes. This made it possible to learn more about the purchasing and reselling of 0-days, activities characterized by a certain opacity and lack of regulation. The value of a 0-day is directly linked to its rarity, the popularity of the targeted system (iOS and Android being the most costly and sought-after), and the sophistication of the attack it enables (for example, a zero-click attack—one that requires no interaction from the target—is more valuable than an attack requiring user interaction).
To turn a simple coding error into a sophisticated intelligence weapon, the 0-day market has organized itself into an obscure supply chain, structured around three links essential for the vulnerability’s discretion and monetization. Everything begins upstream with independent researchers or R&D teams who discover the software flaws. In the middle, exploit brokers act as a mask of opacity, buying the 0-days to resell them to the highest bidder. The last link consists of spyware vendors (NSO, Paragon, etc.) who industrialize the exploit by integrating it into their products. The cycle is closed by funding: whether through these vendors or by direct purchase, this obscure and lucrative market, which monetizes insecurity, is entirely funded by states.
This market is intrinsically parallel and hidden, which requires great caution in transactions. These take place via cryptocurrencies or stolen credit cards in order to protect the identity of the buyers. The categorical imperative of this market is the permanence of technical secrecy: only the non-disclosure of the flaw guarantees the absolute discretion and implacable offensive power of the spyware.
OSINT: The Dark and Bright Side of Open Intelligence
If targeted intrusion is the sidearm, Open-Source Intelligence (OSINT) is the operation’s cartographer: this practice provides the essential narrative context that guides the surveillance effort, validating hypotheses and transforming a simple piece of metadata into a priority target. This practice focuses on the collection and analysis of all legally accessible or public information. It is not limited to the world of cyber-surveillance, as it is widely used in journalism and competitive intelligence.
It is a true investigative process based on rigorous methodology, combining specialized tools, analysis techniques, and critical thinking. It is used to enrich a target’s profile, verify the authenticity of information, and, above all, to identify potential attack vectors (email addresses, devices used, relationships) before validating the commitment of a costly and intrusive resource like a 0-day.
Unlike the other market segments of cyber-surveillance, OSINT operates in the open: it is a visible, largely fragmented, and burgeoning market, where competition fuels a myriad of platforms and software specializing in the aggregation of public data (from social media, forums, online databases, and the dark web), digital trace analysis, facial recognition, and behavioral analysis. This toolkit is produced by an ecosystem of SMEs and startups that monetize access to data, its cleaning, and its correlation.
These companies do not sell intelligence, but the methodology: they provide agencies with the capability to quickly and legally extract relevant information. Their activity is therefore crucial for standardizing investigation processes and maintaining constant vigilance over the informational space.
Surveillance Without a Screen: When the Field Becomes the Network
Even before exploiting a software vulnerability, it is often necessary to locate or engage the target device via its physical environment, a task handled by the geolocation and initial access segment. This segment emerged in the early 2000s with the appearance of IMSI-Catchers (Stingrays), designed to precisely locate target devices by simulating a fake cellular tower.
Although the adoption of encryption (3G/4G) has limited their capacity for direct eavesdropping, their role has become more strategic. They now act as the essential physical-digital bridge, providing the crucial network access for the surgical injection of targeted intrusion software.
This market for physical-digital engagement is historically dominated by an archetypal product: the IMSI-Catcher, the most famous embodiment of which is the Stingray from the American company L3Harris Technologies. It is to this category of objects what Kleenex is to tissues: so famous that it has become a common noun to designate the entire category. Beyond this leader, many SMEs are active in the development of this technology, with three main hubs to note in Germany, Israel, and the United Kingdom.
The hardware and software required for the implementation of these tools, particularly IMSI-Catchers, are quite accessible to the general public and are widely used by law enforcement. At DEF CON in Las Vegas in 2010, cybersecurity researcher Chris Paget demonstrated that it was possible to build an IMSI-catcher using generic hardware for the sum of $1,500. Furthermore, in 2023, scammers hid IMSI-catchers in the trunk of a car to siphon the phone numbers of tens of thousands of Parisians. The goal of the operation was to send phishing messages to the captured numbers, inviting victims to disclose their bank details. This affair proves the accessibility of this tool and its use by civil actors for cybercriminal purposes.
Intelligence is not limited to cell towers: for more discreet and granular tracking in urban environments, analysts exploit the passive emissions from our devices. These Wi-Fi and Bluetooth signal analysis systems turn the simple connection scans from our devices into persistent tracking tools. Since every device emits a unique MAC (Media Access Control) address, it is possible to create a digital fingerprint and trace a target’s movement from one street to the next or from a public place to a private building. Competition is fierce for this type of tool, with many small, discreet companies active in the field.
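The following added example, which is not from the article nor from any vendor it names, shows what a network of passive Wi-Fi sensors can and cannot link. It reconstructs movement trails from constructed probe-request sightings (timestamp, sensor location, source MAC) and flags locally-administered addresses, the range used by the MAC randomization that modern phones apply to probe traffic and that denies exactly this kind of cross-sensor linking. Sensor names, MAC addresses, timestamps and the log format are all invented for the illustration.

```python
"""Linking passive Wi-Fi sightings into a trail, and the effect of MAC randomization.

Added illustration of the tracking the article describes. A stable,
globally-unique MAC seen at several sensors yields a reconstructable route;
a randomized (locally administered) MAC is seen once and links to nothing.
All sightings below are constructed.
"""
from collections import defaultdict

# Constructed sightings: timestamp, sensor location, source MAC of a probe frame.
SAMPLE_SIGHTINGS = """\
2025-03-01T08:00:00 sensor-station 3c:22:fb:10:20:30
2025-03-01T08:20:00 sensor-highstreet 3c:22:fb:10:20:30
2025-03-01T08:35:00 sensor-office-lobby 3c:22:fb:10:20:30
2025-03-01T08:01:00 sensor-station da:1b:44:90:aa:01
2025-03-01T08:22:00 sensor-highstreet 6e:55:00:12:34:56
2025-03-01T08:36:00 sensor-office-lobby 9a:77:19:ab:cd:ef
"""


def is_locally_administered(mac):
    """True when the U/L bit (bit 1 of the first octet) is set.

    Randomized client MACs are locally administered, so this bit tells the
    sensor that the address is not a stable hardware identifier.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_sightings(text):
    """Parse lines into (timestamp, sensor, mac) tuples, sorted by time."""
    rows = []
    for line in text.strip().splitlines():
        ts, sensor, mac = line.split()
        rows.append((ts, sensor, mac.lower()))
    return sorted(rows)


def trails(sightings):
    """MAC -> ordered list of (timestamp, sensor) where that MAC was seen."""
    by_mac = defaultdict(list)
    for ts, sensor, mac in sightings:
        by_mac[mac].append((ts, sensor))
    return dict(by_mac)


def linkable_devices(sightings, min_sensors=2):
    """MACs observed at min_sensors or more distinct sensors.

    Only these devices have a movement that this data alone can reconstruct;
    everything else is a one-off sighting with no continuity.
    """
    result = {}
    for mac, trail in trails(sightings).items():
        sensors = [sensor for _, sensor in trail]
        if len(set(sensors)) >= min_sensors:
            result[mac] = sensors
    return result


def randomization_coverage(sightings):
    """Fraction of sightings that carry a locally-administered (randomized) MAC."""
    total = len(sightings)
    randomized = sum(1 for _, _, mac in sightings if is_locally_administered(mac))
    return randomized / total if total else 0.0


if __name__ == "__main__":
    seen = parse_sightings(SAMPLE_SIGHTINGS)
    print("linkable:", linkable_devices(seen))
    print("randomized share:", randomization_coverage(seen))
```

In the constructed data four devices pass each sensor, but only the one broadcasting a fixed hardware address produces a station-to-office trail; the three randomized addresses are each seen once and cannot be tied together. That asymmetry is why the ‘digital fingerprint’ the article describes depends on stable identifiers, and why per-network and per-probe MAC randomization on current phones is the control that degrades this class of tracking.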
To ensure the precision of engagement, geolocation is not limited to terrestrial signals: this segment ultimately integrates geospatial intelligence (GEOINT) and imagery, offering visual validation of the target’s position. These systems are often used to confirm the physical location before deploying initial access means in the field. Airbus Defence & Space offers tools that fit this category, as do startups like GEO4I.
Reconstructing the Evidence: The Final Stage of the Cycle
Once the intrusion operation or physical seizure is successful, the battle shifts to the lab: this essential segment consists of forensic and extraction tools capable of unlocking and analyzing the target device, even when turned off, to extract the evidence. In a judicial context, the goal of using them is the extraction of data that can serve as evidence. They also make it possible to collect elements to reconstruct the chronology of criminal or terrorist activities.
The landscape of forensic analysis actors is dual: it comprises both defense giants capable of integrating complete forensic solutions and specialized companies that focus on technical prowess, such as expert unlocking of mobile devices. Large groups have positioned themselves in this segment, such as Thales, for example. They integrate forensic analysis capabilities into their intelligence service offerings for their state clients. Among the data extraction specialists are smaller players, such as the Israeli company Cellebrite, considered a leader in this field with its product called UFED. The Swedish company MSAB and the American company Oxygen Forensics can also be considered major players. Finally, certain companies offer forensic analysis and evidence management platforms. This is the case with the Australian company Nuix and the Canadian company Magnet Forensics.
As the use of these tools is primarily linked to criminal investigations or counter-terrorism efforts, the main clients are state-affiliated: national and local law enforcement, intelligence services and security agencies, and regulatory and anti-fraud bodies. However, these tools can also be of interest to private clients: law firms or companies needing to conduct internal investigations following a data breach or a dispute involving digital evidence. They use the same tools to guarantee the integrity and admissibility of their analyses. Some of these tools can therefore be acquired, to a certain extent, by private forensic laboratories or cybersecurity consulting firms.