Despite a recent historic legal victory, the fight against commercial spyware may be trending in the wrong direction.
Spyware vendors over the past several years have been hit with economic sanctions, expensive lawsuits, increasing pressure, and even bans by governments, which provided some hope to security researchers and digital rights advocates that the industry was on its heels. Spyware, experts say, threatens not only journalists, human rights activists, and government officials who are frequently targeted in attacks, but also negatively impacts cybersecurity overall, as their zero-day exploits can be used by other threat actors for wider attacks.
Arguably, the brightest sign yet in the fight against the spyware industry was last month’s conviction of four individuals, including Tal Dilian, founder of the spyware firm Intellexa, in the Predatorgate scandal. A Greek court found Dilian and three others guilty of several criminal charges stemming from Predator spyware attacks on political candidates and journalists, which were discovered in 2022.
Recent developments in the US, however, may have dampened those hopes, at least temporarily. Perhaps the most notable of these came in September with a report that US Immigration and Customs Enforcement (ICE) had reactivated its contract with Paragon Solutions, an Israeli company known for its “Graphite” Android spyware. ICE initially signed the contract with Paragon in 2024 but it was later paused amid concerns that it violated former President Joe Biden’s 2023 executive order prohibiting federal government workers from using spyware.
Other events have sparked concern among spyware opponents, from the US Treasury Department’s unexpected removal of sanctions, changes in corporate ownership of major spyware vendors, and, of course, more brazen attacks. They’ve cast a shadow over the Predatorgate convictions and have spyware opponents feeling uneasy about the state of their fight in 2026.
“I don’t want to sound too negative because this is certainly something to build on,” says Rebecca White, a researcher with Amnesty International’s Security Lab. “But it’s pretty grim right now.”
Isolated Incidents or a Shift in US Policy?
The reactivation of the Paragon Solutions contract alarmed many and was denounced by organizations such as the Electronic Frontier Foundation (EFF), Access Now, other technology and civil society organizations, and US lawmakers. EFF senior staff technologist Cooper Quintin called the move “extremely troubling,” noting that the company’s Graphite had been used in attacks on Italian journalists and political activists.
“Without strong legal guardrails, there is a risk that the malware will be misused in a similar manner by the US government,” Quintin wrote in a statement.
The Paragon contract wasn’t the only troubling move by the US government. In late December, the Treasury Department unexpectedly lifted sanctions against three Intellexa executives: Sara Hamou (ex-spouse of Dilian), Merom Hapraz, and Andrea Gambazzi. The three were among several other individuals and corporate entities that were sanctioned by the Treasury’s Office of Foreign Assets Control (OFAC) in 2024 under aggressive actions by the Biden administration.
Those sanctions were an important step in the fight against spyware, according to Michael De Dora, US policy manager at Access Now, because they included visa restrictions for the individuals. Civil society organizations had spent a considerable amount of time and effort over the years lobbying for such measures, working with lawmakers and government officials to inform them about the dangers of spyware as well as the complex web of corporate entities that many vendors use to obscure their operations and true ownership.
But without warning, Treasury lifted some of those sanctions, with no explanation. “We were all shocked when they were removed,” De Dora says. “When it comes to spyware and the US government, I’m in the camp of very concerned right now, though we’re not at a place yet where everything is getting rolled back.”
Other spyware opponents were also taken aback by the lifting of sanctions, and they’ve hit dead ends trying to get answers. “There’s no transparency into why this occurred or what’s happening there,” says Maria Villegas Bravo, counsel at the Electronic Privacy Information Center (EPIC).
What’s perhaps more troubling is the fact that Hamou was convicted in the Predatorgate trial in Greece just weeks after her sanctions were lifted. Villegas Bravo wonders why the US government let Hamou off the hook if a criminal court in Greece found her guilty of hacking. “What evidence was the US government working with on that decision?”
Dark Reading contacted the Treasury Department for comment, but it did not respond at press time.
Intellexa could not be reached for comment. The company’s Intellexa.com domain appears to have been abandoned along with associated email addresses.
A big part of the problem, according to De Dora, is that there are fewer people in the federal government that understand the commercial spyware issue. “Under Trump, a lot of federal agencies have been hollowed out and the people that have focused on technology issues have been moved out and not been replaced,” he says.
Spyware Under New Ownership
Another concerning trend for spyware opponents involves changes in corporate ownership for two of the best known spyware firms, both founded by former Israeli military and intelligence personnel. In 2024, Paragon was acquired by AE Industrial Partners, a private equity firm based in Florida, for approximately $500 million. And last October, a group of US investors led by Hollywood producer Robert Simonds purchased NSO Group for an undisclosed amount.
NSO Group is the most infamous of the commercial spyware vendors, as its Pegasus spyware was tied to the abduction and murder of journalist and political activist Jamal Khashoggi in 2018. More recently, Meta won a high-profile lawsuit against the company over hacking WhatsApp to distribute Pegasus, though the initial $167 million award in punitive damages was later reduced to just $4 million.
The NSO Group acquisition was particularly notable for spyware opponents. After all, why would any investors want to purchase an apparently toxic asset that had been battered by sanctions, lawsuits, and government bans?
The answer may be deceptively simple. “I think NSO Group saw what happened with Paragon and took it as a sign,” Villegas Bravo says, noting that the US government reactivated Paragon’s contract following the sale to AE Industrial Partners. Dark Reading contacted AE Industrial Partners for comment, but the company did not respond at press time.
De Dora agrees, adding that NSO Group lobbied extremely hard to get off the sanctions list, and the sale to a US investor group is “obviously part of that.”
Google’s recent report on zero-day vulnerability attacks in 2025 showed commercial spyware vendors exploited the most flaws last year. SOURCE: Google
Spyware opponents fear those lobbying efforts may eventually achieve success. Following the NSO Group’s acquisition, the company named as its chairman David Friedman, the former US ambassador to Israel under Trump and who previously served as the president’s bankruptcy lawyer. Additionally, NSO Group released a transparency report in January in which Friedman promised “a renewed focus on accountability in an increasingly complex global environment.”
However, Villegas Bravo says the report is “more of a propaganda document” that made broad pledges but offered few details about substantial changes to their operations or strategy and failed to address past human rights violations and cyberattacks.
The removal of NSO Group sanctions represents a red line not only for civil society organizations but some lawmakers as well. Spyware opponents are quick to point out that Pegasus spyware has been found on the devices of US government officials, and despite NSO’s pledges, its activity hasn’t changed.
Natalia Krapiva, senior tech legal counsel at Access Now, tells Dark Reading that her organization is still seeing a high volume of Pegasus activity through victim reports from as well as third-party research.
“NSO Group is still very active. They haven’t learned their lesson,” she says. “We’ve seen this movie already. I hope the policy makers aren’t just buying this because they published a transparency report and have a new CEO.”
Dark Reading contacted NSO Group for comment but the company did not respond at press time.
An Uncertain Future in the Fight Against Spyware
Commercial spyware continues to be a major cybersecurity threat in 2026. In a report last week on zero-day vulnerability exploitation, Google Threat Intelligence Group (GTIG) warned that commercial surveillance vendors (CSVs) had further reduced barriers to zero-days. “For the first time since we began tracking zero-day exploitation, we attributed more zero-days to CSVs than to traditional state-sponsored cyber espionage groups,” the GTIG team said in the report.
Additionally, the US Cybersecurity and Infrastructure Security Agency issued a rare warning in November 2025 regarding spyware attacks that were being distributed through mobile messaging services. And while spyware vendors have repeatedly denied that they have little visibility into how customers use their technology, emerging evidence continues to show they have considerable control over where and how their products are deployed.
Spyware vendors have long maintained their products are used by governments for law enforcement and national security purposes, but they’ve failed to address how, for example, members of US Congress were targeted in Predator attacks. Villegas Bravo notes that while some government officials and lawmakers have acknowledged the serious national security threat posed by spyware, it’s still been an uphill battle.
A major question looming for spyware opponents is what the Trump administration’s policy is regarding spyware. Opponents note that some of the early progress against spyware was made during the president’s first administration. The second administration, however, has been a different story.
White says the US government used to lead the fight against spyware, but that position has slipped. In addition to Paragon’s contract reactivation and a sanctions-free Intellexa, the Trump administration’s embrace of surveillance tech companies like Palantir has caused deep concern for organizations like Amnesty International.
De Dora says that while some good policies are still in place and NSO Group is still on sanctions lists, the current Trump administration “doesn’t see spyware as a problem.”
“They clearly don’t have a problem engaging in contracts with problematic companies that specialize in surveillance technology and spyware, and they have no problem deploying it,” he says. “You’re also seeing the administration take no additional action against spyware.”
While Villegas Bravo took a more optimistic view in a report she co-authored for EPIC in November 2025, titled “The Fight to Protect Our Phones: A Multi-Prong Approach to Spyware Reform,” recent events have her “very concerned.”
White says that if the US has quietly shifted its spyware policy and plans to embrace these vendors, organizations like Amnesty International will work more closely with other governments in the European Union and other regions that have maintained a stronger stance against the threat. For now, spyware opponents will attempt to build off the Predatorgate convictions as best they can.
“The industry was acting with total impunity before, and this shows that there are consequences,” White says. “It shows it takes political will and an independent judiciary to hold these companies accountable.”
