“Lurking in the murky depths of the global marketplace for offensive cyber capabilities sits a particularly dangerous capability—spyware,” warns the Atlantic Council, a Washington, DC-based organization that promotes transatlantic cooperation and global economic prosperity.
The number of US-based entities investing in the spyware market is three times greater than in the next three-highest countries with the most investors, according to a report published by the Atlantic Council on September 10: Mythical Beasts: Diving into the depths of the global spyware market.
Although originally developed to provide online advertisers with information concerning customer’s shopping habits, spyware software is now extensively used for stealing information and storing Internet users’ movements on the Web, and has become a dangerous weapon in the world of international espionage. Its capability to sit inside any organization’s IT system, secretly filching confidential data, also poses a major threat to companies across all sectors.
For example, NSO Group, a notorious spyware vendor known to have contributed to the surveillance of journalists, diplomats, and civil society actors across the globe, was recently fined $168 million in punitive damages by a US court for targeting the widely-used communication platform WhatsApp’s infrastructure with Pegasus spyware. The rapidly rising level of investment in spyware developers runs counter to the US government’s effort to curb the growing threat.
“This contradiction between US industry investment and US policymaking must be addressed—or it will continue to uphold the very market that the US government is trying to combat,” warns the Atlantic Council’s report.
The Atlantic Council surveyed 561 spyware entities across forty-six countries from 1992 to 2024. One hundred and thirty new entities were identified, of which forty-three are new entities established in 2024 alone. This includes 20 new US-based major investors in the contentious software.
Governments face a daunting challenge
In early 2025, an American company, Integrity Partners, invested in Saito Tech (Candiru), which has been on the US Commerce Department’s Entity List since 2021. This demonstrates that an American company was able to invest in an organization on the US Entity List for Malicious Cyber Activities, thereby undermining the very measures that the US government has put in place to constrain spyware vendors. But governments face a daunting challenge when trying to counter the threat.
According to the Atlantic Council: “Spyware vendors often operate in complex networks of holding companies, investors, suppliers, and partners to obfuscate their business operations, making it difficult for policymakers to curb the misuse and proliferation of these capabilities.”
