Mythical Beasts: Diving into the depths of the global spyware market

Introduction

Lurking in the murky depths of the global marketplace for offensive cyber capabilities sits a particularly dangerous capability—spyware. Spyware’s danger stems from its acute contribution to human rights abuses and national security risks. Most recently, NSO Group, a notorious spyware vendor known to have contributed to the surveillance of journalists, diplomats, and civil society actors across the globe, was fined $168 million in punitive damages by a US court for targeting WhatsApp’s infrastructure with Pegasus spyware. This most recent case reasserts the threat of spyware proliferation to national security and human rights. These risks and harms, coupled with a lack of market transparency, demand ongoing attention to the market’s structure and how actors circumvent accountability.

As highlighted in the 2024 report by the ’s Cyber Statecraft Initiative, Mythical Beasts and where to find them: Mapping the global spyware market and its threats to national security and human rights, spyware vendors often operate in complex networks of holding companies, investors, suppliers, and partners to obfuscate their business operations, making it difficult for policymakers to curb the misuse and proliferation of these capabilities.

The Mythical Beasts dataset helped expose the global market for spyware through 2023. Since then, there has been significant global policy action to combat the proliferation and misuse of spyware tools—for example, the Pall Mall diplomatic initiative, sanctions on key individuals and organizations, and visa restrictions. Given these vital policy developments, the authors sought to assess how the global spyware market has developed and changed since the first edition of the Mythical Beasts project. Public and private sector momentum to address the market necessitated an empirical update to the dataset, as well as an inquiry into how the spyware market has evolved through 2024.

Therefore, in this update, the authors evaluated whether the 435 entities present in the original dataset were operational in 2024, updating the data accordingly. In this report, the authors also sought to uncover any historical entities not previously identified in the first Mythical Beasts report (i.e., looking further back than 2024). And lastly, they identified new entities entering the market during 2024. Findings in the second edition of this project, Mythical Beasts: Diving into the depths of the global spyware market, constitute the best possible sample of data that the authors have been able to gather. That data should be treated as a snapshot of the market through to 2024 (as opposed to representing the spyware market in its entirety). Nonetheless, it is a critical window into the market. These findings demonstrate that the global market for spyware is growing and evolving, presenting new challenges to policymakers to curb the proliferation and misuse stemming from it.

In total, this edition of the Mythical Beasts project 2025 surveys 561 entities across forty-six countries from 1992 to 2024. One hundred and thirty new entities were identified and added to the dataset, of which forty-three are new entities established in 2024. A few highlights of this new data include:

1. The addition of twenty US-based investors.
2. The addition of seven partners that were identified as resellers/brokers.
3. The addition of three countries: Japan, Malaysia, and Panama.
4. The addition of two holding companies, fifty-five individuals, thirty-four investors, eighteen partners, seven subsidiaries, ten suppliers, and four vendors.

Critical developments

Based on the updated sample, two critical developments were identified. This article reflects on the implications of those developments for future research and policy action.

First, the authors found that the number of US-based investors in spyware has notably increased in the past year, when compared with the sample size of the spyware market captured in the first Mythical Beasts project. In the first edition, the United States was the second-largest investor in the spyware market, following Israel. In that edition, twelve investors were observed to be domiciled within the United States—whereas in this second edition, twenty new US-based investors were observed investing in the spyware industry in 2024. This indicates a significant increase of US-based investments in spyware in 2024, catapulting the United States to being the largest investor in this sample of the spyware market. This is significant in scale, as US-based investment from 2023 to 2024 largely outpaced that of other major investing countries observed in the first dataset, including Italy, Israel, and the United Kingdom. It is also significant in the disparity it points to—the visible enforcement gap between the flow of US dollars and US policy initiatives. Despite numerous US policy actions, such as the addition of spyware vendors on the Entity List, and the broader global leadership role that the United States has played through imposing sanctions and diplomatic engagement, US investments continue to fund the very entities that US policymakers are making an effort to combat.

Second, the authors elaborated on the central role that resellers and brokers play in the spyware market, while being a notably under-researched set of actors. These entities act as intermediaries, obscuring the connections between vendors, suppliers, and buyers. Oftentimes, intermediaries connect vendors to new regional markets. Their presence in the dataset is almost assuredly underrepresented given the opaque nature of brokers and resellers, making corporate structures and jurisdictional arbitrage more complex and challenging to disentangle. While their uptick in the second edition of the Mythical Beasts project may be the result of a wider, more extensive data-collection effort, there is less reporting on resellers and brokers, and these entities are not systematically understood. As observed in the first report, the activities of these suppliers and brokers represent a critical information gap for advocates of a more effective policy rooted in national security and human rights. These discoveries help bring into sharper focus the state of the spyware market and the wider cyber-proliferation space, and reaffirm the need to research and surface these actors that otherwise undermine the transparency and accountability efforts by state and non-state actors as they relate to the spyware market.

This update also includes a reflection on the trends in the first Mythical Beasts report and an overview of methodological approaches, updates, and challenges. It concludes with brief commentary on necessary transparency efforts for this marketplace.

2024 key findings in full

Two major developments have occurred within this sample of the spyware market over the past year. First, the number of US-based investors in spyware now comprise the largest share of market investment which was not the case in our previous sample of the spyware market. Second, resellers and brokers now are key actors in the spyware market—comprising more sample market share than previously demonstrated—and oftentimes are under-observed and not readily addressed in current policy deliberations. New data and analysis illustrate the role these partners have not only in connecting entities across the marketplace but also in obscuring relationships.

The number of US-based investors in spyware is increasing

When compared with the initial sample of the spyware market, the number of US-based investors in spyware has increased significantly. These investors are directing their dollars to some of the most controversial and prolific vendors in the spyware market, including Israeli spyware vendors that have sold to customers that utilize these capabilities to suppress human rights and compromise national security. For example, US dollars have directly contributed to spyware that has targeted US personnel and officials in allied governments. Figure 1 highlights the changes in the largest investors in the spyware market from the first Mythical Beasts version to this update.

Figure 1: Comparison of investor-to-vendor flow by jurisdiction in the first and second Mythical Beasts versions. 

And this is happening at an alarming rate. In this update, the number of US-based entities in the sample that invested in spyware increased from eleven to thirty-one. All these investors reportedly invested in spyware companies this past year, indicating an increase of US-based investment in 2024. The figure below compares this entity increase with the other significant investors in the global market for spyware over time:

Figure 2: The number of active investors in the market each year

Further, the quantity of US-based entities investing in the spyware market is three times greater than in the next three-highest countries with the most investors. Rapidly increasing investment into this technology is concerning, as it effectively undermines recent, concerted US government efforts to constrain the spyware market including policies to combat proliferation by issuing entity listings, sanctions, visa restrictions, a joint statement, and executive order. In the current geopolitical context, the jurisdictions to which US dollars are flowing is also concerning. US-based investment into spyware is happening in parallel to a conflict between Israel and Hamas in the Middle East, where some of these technologies have been utilized in the past. These technologies have already appeared in the Israel-Iran conflict.

Furthermore, these dollars are not going to rights-respecting vendors that could shape the global market for good. Rather, these investments fund some of the most prolific rights-abusing vendors operating within this market. One notable example of a new US-based investment in spyware includes AE Industrial Partners, which invested in Paragon Solutions Ltd in late 2024. Paragon Solutions is an Israel-domiciled spyware vendor of Graphite and has a US based subsidiary Paragon Solutions US. Recently, the Italian government used Graphite to surveil human rights defenders and other members of civil society. In early 2025, the American company Integrity Partners invested in Saito Tech Ltd (Candiru), which has been on the US Commerce Department’s Entity List since 2021. This new investment demonstrates both a contradiction and a critical enforcement gap: an American company is able to invest in an organization on the US Entity List, undermining the very measures that the US government has put in place to constrain spyware vendors in the first place. This contradiction between US industry investment and US policymaking must be addressed—or it will continue to uphold the very market that the US government is trying to combat, eroding US leadership on this issue.

Resellers and brokers are a critical and under-researched part of this market

The second Mythical Beasts project also observes a greater presence of spyware resellers and brokers within the marketplace, highlighting their often-overlooked role as “critical enablers” of spyware and its abuse. These entities, referred to generally under the category of “partners” in the database, act as crucial intermediaries by obscuring supply chains, evading observation through complex corporate structures or jurisdictional arbitrage, and connecting vendors with new regional markets. Further, there is a lack of effective policy response to curb the influence and dealings of these entities. As previously mentioned, the second edition of the Mythical Beasts project sought to do three things: 1) bring current years of activity on previously observed entities; 2) collect information on entities that fit this project’s methodology but were not observed in the first edition of Mythical Beasts; and 3) capture entities entering this updated sample of the global spyware market in 2024. The second aim, in particular, is where resellers and brokers come into view. While not observed in the previous dataset, they are now identified based off missed or newly available historical detail.

This update identifies ten entities serving as resellers or brokers of spyware products in Mexico alone. Official Mexican government documents released as part of a transparency effort reveal that NSO Group’s Pegasus was sold through these intermediaries to buyers within the Mexican government. In this case, the resellers appeared to have created misleading contracts to obscure both the genuine products and services being sold and the original vendor, NSO Group. This set of brokers and resellers was not captured in the first Mythical Beasts dataset, although they have been operational since at least 2011. In the first report, only two entities were identified as resellers: RCS Labs and VasTech. In these cases, their involvement only came to light through rich hacked and leaked data from Hacking Team, the Italian spyware vendor now operating as Memento Labs. Similarly, evidence revealing the network of NSO resellers in Mexico has emerged through multiple channels including hacked and leaked data, some official documents released by subsequent Mexican administrations as part of transparency efforts, and research tracing highly networked individuals to these entities. Based on these observations, the authors determined that high-quality evidence of their existence is sparse beyond hacked and leaked data, internal state transparency and accountability initiatives, and innovative research techniques.

These resellers and brokers remain under-researched, and likely under-represented in the Mythical Beasts database, for a number of reasons. Yet this challenge to document brokers and resellers highlights their crucial role in the market. These entities obfuscate the links between vendors, suppliers, and buyers, making transparency in the spyware market ever harder to achieve, in understanding the origins, uses (or abuses), and ultimately the customers of spyware. Additionally, brokers and resellers distort the prices of capabilities and the exploits they rely on, constituting an important but understudied driving force in how the market operates. Despite this importance, brokers and resellers are not a current feature of policy responses in the United States or in international policy deliberations. Without first bringing them into view within the marketplace and, second, constraining their behavior through policy responses, brokers and resellers can undermine transparency and accountability efforts by state and non-state actors with respect to the spyware market.

Evaluating the six trends from the first Mythical Beasts edition to the second

The first Mythical Beasts project addressed a gap in contemporary public analysis on spyware proliferation, documenting a sample of the global supply chain of this market. The first edition of the report unveiled a dataset of 435 entities within the global spyware market from 1992 to 2023 and categorized them based on business relationships with one another. Six defining characteristics of the spyware market emerged from this analysis:

1. A disproportionate geographic concentration of entities in Israel, India, and Italy
2. Recurring entrepreneurship
3. Partnerships between spyware and hardware surveillance vendors
4. Efforts to change names and shift corporate structures
5. Strategic jurisdictional hopping
6. The global mobilization of capital

Of note, the second edition of the Mythical Beasts project found that all six of these trends identified in the first edition of the project held relatively constant through 2024. This consistency should not be overlooked; the global spyware market is evolving in observable and definable ways, which gives an advantage to those seeking to combat its misuse and proliferation. This predictability creates opportunities to develop and implement impactful actions to address consistent trends. The first edition of the Mythical Beasts report has informed threat assessments, congressional hearings, resourcing, and further reporting; its policy recommendations have been included in codes of conduct for states. Given that the market observed in the first edition is consistent in the second edition’s findings, policymakers seeking to implement change can confidently refer to the recommendations outlined in the first report for options to address these trends, and also utilize this second edition for an in-depth look into aspects of the spyware market that are ripe for continued research and new policy development.

Methodological approaches and challenges

Overview

The first dataset from 2024 provides a snapshot of the market, illustrating trends and patterns within the spyware ecosystem. The data is limited to entities for which there is a public record (such as national corporate registries) and for which public information (e.g., through reputable reporting from civil society investigations) links the vendor to the development or sale of spyware or its components.

Vendors are included if they 1) publicly advertised products or services that match the above definition of spyware, 2) were described as selling the same products through public reporting in the media or by civil society researchers, or 3) showed evidence of the products through court records, leaks, or similar internal documentation. As part of this search process, the team gathered records on entities associated with each vendor, including investors, suppliers, and holding companies. In all cases for which data is available, the dataset includes vendor activities from the start of operation until 2023, or until records indicate that the vendor’s registration had ceased in a jurisdiction.

Updates

The first dataset has been updated in two meaningful ways.

First, for any entity in operation until 2023, the authors sought evidence for either activity in 2024 or termination of registration. The sources of public information varied but largely stemmed from different forms of corporate registration and records. In cases where evidence of activity in 2024 was absent, and no evidence pointed to dissolution or termination in a jurisdiction, the activity was updated to 2024. While some evidence points to activity in 2025, the authors uniformly restricted the update to 2024 given varied tax and corporate reporting deadlines by jurisdiction.

Second, the dataset includes 130 new entities. The entities are varied—including new vendors and their associated investors, and previously undiscovered or undisclosed information on preexisting entities. Information on key individuals—lead developers, directors, senior leaders, and shareholders, among others—was also recorded, including movement of these individuals between entities. As previously mentioned, some of the new entities in this update were undiscovered in the initial Mythical Beasts dataset but had been operational prior to 2024. The authors only recently uncovered their connection to a spyware vendor and suppliers, as information connecting them to an entity was previously limited. Some of these formerly undiscovered entities are registered in jurisdictions including Malaysia and Panama, while others are both newly connected as of 2024 and domiciled in a jurisdiction new to the dataset, as in the case of Sompo Cyber Security’s new partnership with Cognyte in Japan. This is noteworthy because Japan is a signatory of the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware.

Altogether, the dataset now includes 561 entities present in the spyware market between 1992 and 2024. These entries are largely categorized according to the first Mythical Beast edition definitions, with some notable developments in the partner categorization. Here, the criteria of “partner” has been changed in two ways. As discussed in the key findings section, more evidence of resellers and brokers of spyware products was discovered—a critical and oftentimes missed element of the market. Given the variety of forms or relationships these entities may take, the authors broadly categorized them under the partner definition. Second, the partner category has been shrunk and there is a new entity type called “alumni” which accounts for shared staff and investors into another cybersecurity company but without public evidence of shared business or similar products to the origin company. This reflects an observed pattern of serial entrepreneurship noted in the original report including companies like Candiru. For example, if a founder of a spyware company goes and establishes alongside former spyware employees a company wholly unrelated to cybersecurity, that company would not be included in the alumni definition.

Challenges

Researchers continually face challenges in using open-source materials and encounter barriers to transparently reporting on the spyware market. In the first edition of this report, policy recommendations focused on increasing market transparency. Two of these recommendations highlighted the need to improve government-run corporate registries and to audit and publish export licenses. The Mythical Beasts research continues to rely on high-quality, accessible government databases to identify vendors and draw connections between entities. However, to be a source of truth, registries must be comprehensive and available to the public, such as those in Czechia and the United Kingdom. These registries show the full history of a company, including name changes, officers, and investment histories. However, most registries are not high-quality, with some providing little to no information whatsoever. For example, registries in Israel, India, the British Virgin Islands, the United Arab Emirates, and Mexico provide only limited or no information. Consequently, quality research into entities domiciled in these states is limited, and these states are likely more appealing to entities that seek to evade scrutiny.

The authors also continued to encounter anomalies. For example, Coretech Security Services Limited, a supplier incorporated in the United Kingdom in 2020, is not to be confused by the prior name of another supplier operating in the United Kingdom: Airis Security Technologies Inc., formerly known as Coretech Security Limited. Both Coretech Security Services Limited and Airis Security Technologies Inc. share overlap in personnel, including Alexander Church and Adrian Oldfield. Intelligence Online also reports that these companies share overlapping financial structure, diverging only to whom they sell, be it strictly UK government customers for Coretech Security Services Limited and Five Eyes countries for Airis Security Technologies Inc. While the overlap in personnel and notably similar naming conventions could be an attempt to create brand continuity between businesses, it also may suggest more evasive tactics. As observed in the first Mythical Beasts edition with the trend of shifting vendor identities, entities often change legal names and even shift entire corporate structures to obscure their identity and, potentially, manage the impact of negative reporting. Whatever the motivation behind these naming conventions and business structures, even robust corporate registries can sometimes be difficult to piece together to create a clear picture, which presents a significant challenge to researchers and policymakers who hope to gain a better understanding of the market’s mechanics.

Conclusion: The current state of the spyware market and policy

The global market for spyware continues to persist and evolve. With new data on the state of the spyware market in 2024, the authors found that: 1) US-based investors continue to disproportionately fund these capabilities, undermining important US government action on spyware; and 2) resellers and brokers are vital enablers in the proliferation and misuse of this market, operating in the shadows but do not form part of the response to constrain spyware. These findings underscore the tensions in this marketplace and the need for stronger transparency and accountability mechanisms. In particular, the direction of US investment to Israeli spyware vendors, some of which are the most controversial and prolific in the marketplace, raises concern particularly during a more intense period of geopolitical volatility and outright geopolitical conflict, where states’ use of offensive cyber capabilities for intelligence collection or reconnaissance will be heightened.

Policy should continue to evolve alongside the spyware market, rising to meet the challenges of an evolving landscape. For instance, an underexplored policy lever within the US toolkit is better understanding of and efforts to tackle US investment into this industry. The current US dollars funding entity-listed vendors undermines US-led policy efforts to better shape this market. By developing a baseline understanding of outbound investments, strengthening disclosure requirements, and providing support to US investors in conducting due diligence, the United States can continue to lead in curbing the misuse and proliferation of the market for spyware. Further, researchers can seek to better understand the mechanics of resellers and brokers within this marketplace in order to shed more transparency on the murkiest corners of this ecosystem that drive proliferation and misuse of these capabilities.

While the global market for spyware has evolved in several ways, it has also held consistent in others. Concentrations of entities in specific jurisdictions, serial entrepreneurs, partnerships between hardware surveillance vendors, and strategic jurisdiction hopping all remain present and relatively consistent within this dataset update. This gives policymakers an advantage. The market is not evolving at a pace to which action to combat its misuse and proliferation cannot keep up. The Mythical Beasts project seeks to inject systematic, empirical data into this market. At the same time, it is vital that policymakers continue to enact changes that better shape and constrain this market.

Jen Roberts is an Associate Director with the ’s Cyber Statecraft Initiative. She primarily works on CSI’s Proliferation of Offensive Cyber Capabilities and Combating Cybercrime work. Jen also helps support the Cyber 9/12 Strategy Challenge and is passionate about how the United States with its allies and partners, especially in the Indo-Pacific, can cooperate in the cyber domain. Jen holds an MA in International Relations and Economics from Johns Hopkins University’s School of Advanced International Studies (SAIS) where she concentrated in Strategic Studies. She also attained her BA in International Studies from American University’s School of International Service.

Sarah Graham is a research consultant to the ’s Cyber Statecraft Initiative. Sarah’s research investigates the evolving relationship between digital technologies, policy, and society. She is an incoming EU Schuman Fulbright Fellow. Her work spans academia, NGOs, and industry. Sarah is a graduate of the University of St Andrews (Scotland) and of New York University.

Nitansha Bansal is an assistant director with the Cyber Statecraft Initiative (CSI), part of the Tech Programs. In this role, her research focuses on the proliferation of offensive cyber capabilities, including spyware and its policy implications for human rights and national security, and open source software security. She also supports the capacity building efforts of CSI, and runs the Congressional Cyber and Digital Policy Program. Prior to joining the Council, Nitansha worked with government and think tanks in India on technology policy. She holds a masters in public administration from Columbia University’s School of International and Public Affairs where she concentrated on cybersecurity and business risk, social media policy, and data analysis.

Disclaimer on sources

More information: All sources for this dataset are open-source and were publicly available at the time of writing. For more on the kinds of data used in this project, see here. We are aware that some links have broken or been removed, and a handful of sources have been taken down in the wake of court orders. We are unable to replace, or host, copyrighted material. For any questions on sourcing, please email cyber@atlanticcouncil.org.

The ’s Cyber Statecraft Initiative, part of the Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

Related Experts:
Jen Roberts and
Nitansha Bansal