New Research: Click, Load, Kill: A Look into the Cyberweapon Industry in the WANA Region

One of today’s most dangerous violators of personal privacy is the commercial spyware industry—made up of vendors that design, market, and/or sell spyware to entities across the world. 

These profit-seeking vendors sell intrusive surveillance tools to governments around the globe, under the guise of fighting crime and tracking bad actors. In reality, much of the commercial spyware business unfolds between corporate companies and authoritarian regimes seeking to persecute their political dissidents and human rights advocates. In other cases, they are deployed to target rights advocates and journalists across adversary countries. 

Despite the infamy some spyware variants—like NSO Group’s Pegasus—have earned over the past decade, governments across the world have continued to be caught using (or suspected of using) spyware. The Carnegie Endowment for International Peace notes that over a third of all countries purchased spyware or similar technologies between 2011 and 2023. Nearly all states within the WANA region have been exposed as likely using spyware.

In this research report, SMEX investigates West Asia and North Africa’s major purveyors of spyware.

About the Research

Researching commercial spyware vendors (CSVs) and their products is inherently difficult due to the secretive nature of spyware vendors. Because they primarily sell to state actors and are subject to export controls in many countries, CSVs typically operate with secrecy and have intentionally complex corporate relationships. Thus, not much is known about which vendors operate where.

Building on the work of Steven Feldstein and Brian Kot at the Carnegie Endowment for International Peace, this report catalogues what CSVs are active in the WANA region—a region whose governments have a rich history of purchasing spyware products. One way to estimate CSV activity is by looking at what vendors’ spyware is operating in the wild and attributable to governments in the region. To do so, this paper looks at publicly available information, news sources, court documents, data leaks, and corporate records to catalogue spyware activity in the region. 

Key Findings

Based upon SMEX’s analysis, the data suggests that NSO Group, Cytrox/Intellexa, Cellebrite, and Saito Tech/Candiru operate the most in the region. Moreover, CSVs based out of- or linked to Israel seem to dominate the WANA market. Previously, however, vendors like the Italy-based Hacking Team (now Memento Labs) were favorites among regional governments. Lastly, the United Arab Emirates and Saudi Arabia were implicated the most in reported spyware incidents since 2011.

Throughout the bulk of the report, SMEX details the corporate structure, marketing, premier products, and prominent attacks associated with the four top CSVs observed in the region. In doing so, the research hopes to add novel contributions to the public’s understanding of spyware incidents in the WANA region, all four CSVs’ corporate structure and current activity, their modes of operation, and their human toll through interviews SMEX has conducted. This report is the first attempt by the authors’ knowledge at cataloguing spyware incidents in the WANA region in addition to Feldstein and Kot. 

We found that NSO Group, Cytrox (Intellexa), Cellebrite, and Saito Tech (formerly Candiru)—all linked to Israel—dominate operations. This research provides an up-to-date record of all four commercial spyware vendors’ (CSVs) corporate structure and current activity, their modes of operation, and the human toll of spyware through interviews SMEX has conducted. 

Key Contribution

  • This is the first major report updating the corporate structure of NSO Group Technologies since 2021 and Intellexa Alliance corporate structures since 2024, and the first to formally map the corporate structures of Cellebrite and Saito Tech ever.
  • It is the first to catalog spyware incidents in the region, though researchers Steven Feldstein and Brian Kot cataloged spyware incidents globally last in 2023.

SMEX continues to call on all countries to immediately stop purchasing and using spyware, and for all CSVs to stop selling surveillance technology immediately. Given CSVs are unlikely to stop selling their lucrative products, this call to action is not enough. Civil society members and human rights defenders should take active steps to protect themselves online, including using end-to-end encrypted communications, using unique and complex passwords, using Virtual Private Networks (VPNs), and using password managers.

This research was conducted by SMEX in collaboration with FIND and with support from Access Now.SMEX is a nonprofit dedicated to safeguarding human rights in digital spaces across West Asia and North Africa. We advocate for safe and uncensored access to the internet, mobile services, and networked spaces for people in the region and the diasporaFIND (Financial Investigations for Non-Profit Design) is a UK-based not-for-profit that uses rigorous financial investigations to support civil society in demanding accountability. Their work helps uncover how money, companies, business networks, and facilitators contribute to human rights abuses, environmental damage, war crimes, digital authoritarianism, and other international harms. Access Now is a global non-profit founded in 2009 that works to defend and extend the digital rights of people and communities at risk.

Click here to read and download the research!

SAI-Research-PDFThe post New Research: Click, Load, Kill: A Look into the Cyberweapon Industry in the WANA Region appeared first on SMEX.