Intermediaries Driving Global Spyware Market Expansion

CYBER RISK CYBERSECURITY OPERATIONS THREAT INTELLIGENCE VULNERABILITIES & THREATS NEWS Intermediaries Driving Global Spyware Market Expansion Third-party resellers and brokers foil transparency efforts and allow spyware to spread despite government restrictions, a study finds. Robert Lemos,Contributing Writer March 26, 2026 5 Min Read SOURCE: ANDRII YALANSKYI VIA SHUTTERSTOCK Efforts to shine a light on the activities of spyware vendors has grown more difficult because of the proliferation of intermediaries — the spyware resellers, exploit brokers, contractors, and partners that allow government and private entities to circumvent transparency laws and spyware restrictions, experts say. These intermediaries, which often can be governments in permissive states, have fueled the spread of spyware across the globe, according to a report from policy think tank Atlantic Council published on March 18. Atlantic Council researchers cited several examples, including a South African intermediary acting as a representative for Memento Labs to sell its Dante spyware to the local market, and a third-party firm reportedly helping Israeli firm Passitora sell its spyware product to Bangladesh, despite the two countries having no diplomatic relations and Bangladesh having banned imports from Israel. Related:At RSAC, the EU Leads While US Officials Are Sidelined The spread of intermediaries has in part driven the proliferation of spyware and have certainly made developments in the market harder to track and analyze, says Jen Roberts, associate director of the Cyber Statecraft Initiative at Atlantic Council and one of the authors of the report. "Intermediaries can drive down transparency efforts in the marketplace for offensive cyber capabilities like spyware by muddying supply chains and creating confusion for end buyers as to where a capability or component of a capability has come from," she says. "Intermediaries drive sales to countries regardless of size, but it is often countries that do not have robust technical capabilities in-house that seek them on the open market." Fueled by demand from governments for law enforcement investigations, espionage, and, in many cases, surveillance of political opponents and dissenters, the spyware ecosystem continues to grow. In 2025, for the first time, more zero-day exploits were attributed to commercial surveillance vendors than traditional state-sponsored groups, according to a March analysis by Google's Threat Intelligence Group.  Additionally, the US government made several moves in recent months, such as reactivating canceled contracts and removing sanctions, that appear have to smoothed the way for surveillance-tech vendors. Meanwhile, human rights activists, digital rights advocates, and security researchers continue to try to untangle the shadowy ecosystem. The Atlantic Council's latest report, part of its "Mythical Beasts" series on this ecosystem, found that intermediaries play a significant role in the proliferation of spyware while making the hacking tools more costly and the software supply chain more opaque. Related:Blame Game: Why Public Cyber Attribution Carries Risks Embracing the Shadows Commercial spyware allows nations that lack the ability to develop their own spyware to use the gray market software. By purchasing these hacking tools through hard-to-track intermediaries, sanctioned nations can get around export controls and sell or acquire the surveillance technology. In fact, third parties such as brokers and resellers "are the spyware market's operational backbone," says Collin Hogue-Spears, senior director of solution management at Black Duck, an application-security firm. "Their corporate structures exist specifically to make export controls irrelevant," he says. "The spyware market stopped being a vendor-to-government pipeline years ago. It has evolved into a modular supply chain where intermediaries fill every gap the buyer cannot fill alone: exploit engineering, operational training, deployment infrastructure, and most importantly, a legal paper trail that hides the origin."   Resellers, exploit brokers, and other firms act as intermediaries in the spyware supply chain. Source: Atlantic Council Julian-Ferdinand Vögele, a principal threat researcher at threat-intelligence firm Recorded Future, agrees. Intermediaries lower barriers to entry by easing procurement across borders and bundling tools with training and support, he says. Related:Why a 'Near-Miss' Database Is Key to Improving Information Sharing "Commercial spyware operates in the shadows by design," Vögele says. "Brokers and resellers enable its spread by connecting vendors and buyers, bundling tools with support or training, and expanding into new markets, while adding opacity, obscuring relationships, and leveraging jurisdictions." Intermediaries rely on personal connections and networking to generate business and conceal their dealings, says Roberts. "It's difficult to say which has the greatest impact on spyware today, as there remains a lot we cannot observe," she says. "That being said, resellers concern me a lot, because we've observed them bypass policy regulations set forth to regulate this market, like export controls and trade bans." Limits on Spyware Mostly Ineffectual In February 2024, the United Kingdom and France launched the Pall Mall Process, a multilateral diplomatic process for addressing the burgeoning market for spyware and hacking tools, and the irresponsible use of those tools. The effort brought together governments, private industry partners, and civil policy experts, after a growing number of cases of spyware being used against journalists, diplomats, politicians and activists. Some spyware makers have attempted to repair their public images as government pressure has mounted. For example, the notorious NSO Group said it established a "human rights compliance program," but critics are dubious of such claims. The Pall Mall Process is still an ongoing effort, says Atlantic Council's Roberts. Currently, the participants are hashing out an industry code of practice, so it may be a while longer before the results of the process can be evaluated, she says. For now, the Atlantic Council's report recommended that countries adhere to Know Your Vendor requirements, require certification for brokers and resellers, and improve the registries of brokers and resellers. The most important near-term requirement is that governments and the public gain some visibility into the spyware market, especially the role of intermediaries, Roberts says. "Transparency initiatives are key to regulating intermediaries and also the spyware industry more broadly," she says. "It is difficult to ultimately regulate what one cannot observe." About the Author Robert Lemos Contributing Writer Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Cybersecurity Forecast 2026 The ROI of AI in Security ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like CYBER RISK How Can CISOs Respond to Ransomware Getting More Violent? by James Doggett JAN 28, 2026 CYBER RISK Switching to Offense: US Makes Cyber Strategy Changes by Robert Lemos, Contributing Writer NOV 21, 2025 CYBER RISK Zambia's Updated Cyber Laws Prompt Surveillance Warnings by Robert Lemos, Contributing Writer APR 23, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE