Commercial Spyware Opponents Fear US Policy Shifting

THREAT INTELLIGENCE CYBER RISK ENDPOINT SECURITY CYBERATTACKS & DATA BREACHES NEWS Commercial Spyware Opponents Fear US Policy Shifting Rescinded sanctions and reactivated contracts have created confusion about the Trump administration's spyware policy and where it draws the line. Rob Wright,Senior News Director,Dark Reading March 12, 2026 9 Min Read SOURCE: EDDIE GERALD VIA ALAMY STOCK PHOTO Despite a recent historic legal victory, the fight against commercial spyware may be trending in the wrong direction. Spyware vendors over the past several years have been hit with economic sanctions, expensive lawsuits, increasing pressure, and even bans by governments, which provided some hope to security researchers and digital rights advocates that the industry was on its heels. Spyware, experts say, threatens not only journalists, human rights activists, and government officials who are frequently targeted in attacks, but also negatively impacts cybersecurity overall, as their zero-day exploits can be used by other threat actors for wider attacks. Arguably, the brightest sign yet in the fight against the spyware industry was last month's conviction of four individuals, including Tal Dilian, founder of the spyware firm Intellexa, in the Predatorgate scandal. A Greek court found Dilian and three others guilty of several criminal charges stemming from Predator spyware attacks on political candidates and journalists, which were discovered in 2022. Related:Inside Olympic Cybersecurity: Lessons From Paris 2024 to Milan Cortina 2026 Recent developments in the US, however, may have dampened those hopes, at least temporarily. Perhaps the most notable of these came in September with a report that US Immigration and Customs Enforcement (ICE) had reactivated its contract with Paragon Solutions, an Israeli company known for its "Graphite" Android spyware. ICE initially signed the contract with Paragon in 2024 but it was later paused amid concerns that it violated former President Joe Biden's 2023 executive order prohibiting federal government workers from using spyware. Other events have sparked concern among spyware opponents, from the US Treasury Department's unexpected removal of sanctions, changes in corporate ownership of major spyware vendors, and, of course, more brazen attacks. They've cast a shadow over the Predatorgate convictions and have spyware opponents feeling uneasy about the state of their fight in 2026. "I don't want to sound too negative because this is certainly something to build on," says Rebecca White, a researcher with Amnesty International's Security Lab. "But it's pretty grim right now." Isolated Incidents or a Shift in US Policy? The reactivation of the Paragon Solutions contract alarmed many and was denounced by organizations such as the Electronic Frontier Foundation (EFF), Access Now, other technology and civil society organizations, and US lawmakers. EFF senior staff technologist Cooper Quintin called the move "extremely troubling," noting that the company's Graphite had been used in attacks on Italian journalists and political activists.  Related:Attackers Abuse LiveChat to Phish Credit Card, Personal Data "Without strong legal guardrails, there is a risk that the malware will be misused in a similar manner by the US government," Quintin wrote in a statement. The Paragon contract wasn't the only troubling move by the US government. In late December, the Treasury Department unexpectedly lifted sanctions against three Intellexa executives: Sara Hamou (ex-spouse of Dilian), Merom Hapraz, and Andrea Gambazzi. The three were among several other individuals and corporate entities that were sanctioned by the Treasury's Office of Foreign Assets Control (OFAC) in 2024 under aggressive actions by the Biden administration. Those sanctions were an important step in the fight against spyware, according to Michael De Dora, US policy manager at Access Now, because they included visa restrictions for the individuals. Civil society organizations had spent a considerable amount of time and effort over the years lobbying for such measures, working with lawmakers and government officials to inform them about the dangers of spyware as well as the complex web of corporate entities that many vendors use to obscure their operations and true ownership.  Related:The Data Gap: Why Nonprofit Cyber Incidents Go Underreported But without warning, Treasury lifted some of those sanctions, with no explanation. "We were all shocked when they were removed," De Dora says. "When it comes to spyware and the US government, I'm in the camp of very concerned right now, though we're not at a place yet where everything is getting rolled back." Other spyware opponents were also taken aback by the lifting of sanctions, and they've hit dead ends trying to get answers. "There's no transparency into why this occurred or what's happening there," says Maria Villegas Bravo, counsel at the Electronic Privacy Information Center (EPIC). What's perhaps more troubling is the fact that Hamou was convicted in the Predatorgate trial in Greece just weeks after her sanctions were lifted. Villegas Bravo wonders why the US government let Hamou off the hook if a criminal court in Greece found her guilty of hacking. "What evidence was the US government working with on that decision?" Dark Reading contacted the Treasury Department for comment, but it did not respond at press time. Intellexa could not be reached for comment. The company's Intellexa.com domain appears to have been abandoned along with associated email addresses. A big part of the problem, according to De Dora, is that there are fewer people in the federal government that understand the commercial spyware issue. "Under Trump, a lot of federal agencies have been hollowed out and the people that have focused on technology issues have been moved out and not been replaced," he says. Spyware Under New Ownership Another concerning trend for spyware opponents involves changes in corporate ownership for two of the best known spyware firms, both founded by former Israeli military and intelligence personnel. In 2024, Paragon was acquired by AE Industrial Partners, a private equity firm based in Florida, for approximately $500 million. And last October, a group of US investors led by Hollywood producer Robert Simonds purchased NSO Group for an undisclosed amount. NSO Group is the most infamous of the commercial spyware vendors, as its Pegasus spyware was tied to the abduction and murder of journalist and political activist Jamal Khashoggi in 2018. More recently, Meta won a high-profile lawsuit against the company over hacking WhatsApp to distribute Pegasus, though the initial $167 million award in punitive damages was later reduced to just $4 million. The NSO Group acquisition was particularly notable for spyware opponents. After all, why would any investors want to purchase an apparently toxic asset that had been battered by sanctions, lawsuits, and government bans? The answer may be deceptively simple. "I think NSO Group saw what happened with Paragon and took it as a sign," Villegas Bravo says, noting that the US government reactivated Paragon's contract following the sale to AE Industrial Partners. Dark Reading contacted AE Industrial Partners for comment, but the company did not respond at press time. De Dora agrees, adding that NSO Group lobbied extremely hard to get off the sanctions list, and the sale to a US investor group is "obviously part of that."   Google's recent report on zero-day vulnerability attacks in 2025 showed commercial spyware vendors exploited the most flaws last year. SOURCE: Google Spyware opponents fear those lobbying efforts may eventually achieve success. Following the NSO Group's acquisition, the company named as its chairman David Friedman, the former US ambassador to Israel under Trump and who previously served as the president's bankruptcy lawyer. Additionally, NSO Group released a transparency report in January in which Friedman promised "a renewed focus on accountability in an increasingly complex global environment." However, Villegas Bravo says the report is "more of a propaganda document" that made broad pledges but offered few details about substantial changes to their operations or strategy and failed to address past human rights violations and cyberattacks. The removal of NSO Group sanctions represents a red line not only for civil society organizations but some lawmakers as well. Spyware opponents are quick to point out that Pegasus spyware has been found on the devices of US government officials, and despite NSO's pledges, its activity hasn't changed. Natalia Krapiva, senior tech legal counsel at Access Now, tells Dark Reading that her organization is still seeing a high volume of Pegasus activity through victim reports from as well as third-party research. "NSO Group is still very active. They haven't learned their lesson," she says. "We've seen this movie already. I hope the policy makers aren't just buying this because they published a transparency report and have a new CEO." Dark Reading contacted NSO Group for comment but the company did not respond at press time. An Uncertain Future in the Fight Against Spyware Commercial spyware continues to be a major cybersecurity threat in 2026. In a report last week on zero-day vulnerability exploitation, Google Threat Intelligence Group (GTIG) warned that commercial surveillance vendors (CSVs) had further reduced barriers to zero-days. "For the first time since we began tracking zero-day exploitation, we attributed more zero-days to CSVs than to traditional state-sponsored cyber espionage groups," the GTIG team said in the report. Additionally, the US Cybersecurity and Infrastructure Security Agency issued a rare warning in November 2025 regarding spyware attacks that were being distributed through mobile messaging services. And while spyware vendors have repeatedly denied that they have little visibility into how customers use their technology, emerging evidence continues to show they have considerable control over where and how their products are deployed. Spyware vendors have long maintained their products are used by governments for law enforcement and national security purposes, but they've failed to address how, for example, members of US Congress were targeted in Predator attacks. Villegas Bravo notes that while some government officials and lawmakers have acknowledged the serious national security threat posed by spyware, it's still been an uphill battle. A major question looming for spyware opponents is what the Trump administration's policy is regarding spyware. Opponents note that some of the early progress against spyware was made during the president's first administration. The second administration, however, has been a different story. White says the US government used to lead the fight against spyware, but that position has slipped. In addition to Paragon's contract reactivation and a sanctions-free Intellexa, the Trump administration's embrace of surveillance tech companies like Palantir has caused deep concern for organizations like Amnesty International. De Dora says that while some good policies are still in place and NSO Group is still on sanctions lists, the current Trump administration "doesn't see spyware as a problem." "They clearly don't have a problem engaging in contracts with problematic companies that specialize in surveillance technology and spyware, and they have no problem deploying it," he says. "You're also seeing the administration take no additional action against spyware." While Villegas Bravo took a more optimistic view in a report she co-authored for EPIC in November 2025, titled "The Fight to Protect Our Phones: A Multi-Prong Approach to Spyware Reform," recent events have her "very concerned." White says that if the US has quietly shifted its spyware policy and plans to embrace these vendors, organizations like Amnesty International will work more closely with other governments in the European Union and other regions that have maintained a stronger stance against the threat. For now, spyware opponents will attempt to build off the Predatorgate convictions as best they can. "The industry was acting with total impunity before, and this shows that there are consequences," White says. "It shows it takes political will and an independent judiciary to hold these companies accountable." About the Author Rob Wright Senior News Director, Dark Reading Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.  More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Cybersecurity Forecast 2026 The ROI of AI in Security ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like THREAT INTELLIGENCE React2Shell Exploits Flood the Internet as Attacks Continue by Rob Wright DEC 12, 2025 THREAT INTELLIGENCE Iran Exploits Cyber Domain to Aid Kinetic Strikes by Robert Lemos, Contributing Writer NOV 26, 2025 THREAT INTELLIGENCE Human Digital Twins Could Give Attackers a Dangerous Advantage by Arielle Waldman JUL 21, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ APPLICATION SECURITY Microsoft Patches 83 CVEs in March Update byJai Vijayan MAR 11, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE