Risky Bulletin – Srsly Risky Biz: Small Beer Surveillance Firms Escape Crackdown, for now
Podcast: Risky Bulletin (Srsly Risky Biz)
Date: October 16, 2025
Hosts: Amberly Jack & Tom Uran
Episode Overview
This episode dives into evolving threats and policy developments in the realm of cybersecurity surveillance, with a focus on overlooked “small beer” surveillance companies like Jakarta-based First Wap. Host Amberly Jack and policy editor Tom Uran analyze recent investigations into these firms, discuss consequences for major spyware players such as NSO Group, and explore the changing nature of hacking competitions in China. The discussions highlight regulatory gaps, unintended consequences of enforcement actions, and emerging state involvement in cybersecurity.
Key Discussion Points and Insights
1. Small Surveillance Firms Flying Under the Radar ([00:52]–[09:34])
- Feature Story: First Wap & Altamides
- Background: First Wap is a Jakarta-based company founded by Europeans. It started as an SMS company but quickly pivoted to surveillance, offering access to SS7 vulnerabilities.
- SS7 Vulnerabilities ([01:30]):
- These are flaws in the telecom protocol used to set up calls and transmit messages.
- First Wap exploited these for location tracking and interception of calls/texts, including two-factor authentication codes ("we can easily get into WhatsApp").
- Discovery and Reporting: Reporters at Lighthouse Reports uncovered seven years of First Wap’s surveillance data (1.5 million pings) ([01:30]-[04:57]).
- Targets included: Americans (Erik Prince, Anne Wojcicki, Raytheon execs, telecom/cybersecurity employees), Hollywood figures (Jared Leto), EU businesspeople.
- Quote:
"There's an interesting overlap with Hollywood in this story and some of the other ones as well I wrote about this week."
— Tom Uran ([05:02])
- Surveillance firms typically avoid U.S. citizens to not antagonize U.S. authorities, so these findings are significant ([03:30]).
- Company Attitude & Ethics ([05:48]-[07:04]):
- Undercover Lighthouse reporters posed as shady clients, and First Wap’s sales executive was “very forward leaning,” indicating a willingness to help clients surveil activists and other questionable targets.
- First Wap formally claims everything they do is legal, but their actions and language suggest otherwise.
- Quote:
“While talking to the undercover reporters, this guy seemed to kind of promote his business by saying, well, all these other spyware companies that are getting media attention have ethical principles. Now we don’t.”
— Amberly Jack ([06:47])
- Crackdowns on big names (NSO Group, etc.) push fringe companies further underground, where they use intermediaries to distance themselves from direct abuses.
- On Ongoing Regulation and Threats ([07:04]-[09:34]):
- Media and government attention have curbed some abuses, but less-known firms remain unchecked.
- SS7's legacy issues mean no technical fix is imminent.
- Quote:
“Basically the people who are buying it are trying to use it for the same sorts of purposes. And they're just flying under the radar at this point.”
— Tom Uran ([08:15])
2. The Dramatic Fall (and Partial Rescue) of NSO Group ([10:31]–[15:43])
- NSO Group’s Plummeting Value ([10:31]-[12:01]):
- NSO Group, once valued at $1B post-2019 buyout, is now being acquired for “tens of millions.”
- Quote:
“That's like a massive, like, you know, lighting dollar bills on fire.”
— Tom Uran ([11:49])
- Fallout traced to scandals over misuse and government sanctions.
- Private US Acquisition & Its Implications ([12:01]-[14:23]):
- New investor: a Hollywood producer (Simons) who previously tried to buy NSO for more and now buys at the “absolute bottom.”
- Could private U.S. ownership force more responsible operations? Tom suggests greater management attention may make a positive difference, but time will tell.
- Quote:
“I think US investment in spyware is probably a good thing because they've got all these incentives now to make sure that they're not misused.”
— Tom Uran ([12:47])
- Toxic PR and Social Fallout ([14:54]-[15:43]):
- Past investors’ reputations suffered (e.g., spouse of an investor resigning from an arts trust board) due to negative press, suggesting “even though it's like money and it feels like you're divorced and separated from it. If the press gets bad enough, it still has ramifications for the people funding it.” ([15:35])
3. China’s State-Driven Hacking Competitions ([15:43]–[19:46])
- Shift from Transparency to State Control ([15:43]-[17:40]):
- The Chinese hacking competition scene, once public and transparent (Tianfu Cup), has been replaced by the opaque state-run Matrix Cup.
- The founder of Qihoo 360 and Matrix Cup chair explicitly says the goal is to ensure discoveries are used domestically for state benefit ([17:37]-[18:39]).
- Quote:
"He explicitly set up the Matrix cup to do that for China and he said the results will stay in China and be used for the state to defend cybersecurity."
— Tom Uran ([17:33])
- Irony and Evolution:
- Chinese organizers claim Western competitions were covertly siphoning off vulnerabilities for intelligence agencies, something Tom dismisses for the West but notes Matrix Cup does explicitly.
- Now the Chinese state gets the first (or only) look at vulnerabilities, restricting international exchange.
- Details about exploits are now “relatively opaque,” with little transparency about vulnerabilities or targets ([19:03]).
- Quote:
"Those hacking competitions were like somewhat normal in that they were transparent and you would see the results and you would see the targets. And now they're quite opaque."
— Tom Uran ([19:11])
Notable Quotes & Memorable Moments
- “If you’ve got a service that relies on receiving a two-factor code, we can help you break into that. And including things like WhatsApp, they say, yeah, we, we can easily get into WhatsApp. I don't know if that's true…”
— Tom Uran ([02:45])
- “What really struck me about that is exactly that figure, tens of millions of dollars. Because at one point NSO Group was at least notionally worth a billion dollars… that's like a massive, like, you know, lighting dollar bills on fire.”
— Tom Uran ([10:46], [11:49])
- “Even though it's like money and it feels like you're divorced and separated from it. If the press gets bad enough, it still has ramifications for the people funding it.”
— Tom Uran ([15:35])
- “He explicitly set up the Matrix cup to do that for China and he said the results will stay in China and be used for the state to defend cybersecurity.”
— Tom Uran ([17:33])
Timestamps for Key Segments
- [00:52] — Intro to First Wap, SS7 exploitation, and ethical vacuum in small surveillance firms
- [05:02] — Hollywood crossover in surveillance targets
- [06:47] — Sales tactics: "We have no ethical principles"
- [08:15] — Crackdowns’ consequences: smaller firms thrive in the shadows
- [10:31] — NSO Group buyout, plummeting value, and market impact
- [12:47] — Speculation on US private investors shaping spyware industry
- [15:35] — Social costs of bad PR for spyware investors
- [16:13] — Overview of China’s Matrix Cup and changing hacking competition landscape
- [19:11] — Loss of transparency and state appropriation of vulnerabilities
Summary
This episode exposes the persistent risks posed by lesser-known surveillance service providers, despite industry crackdowns on larger companies like NSO Group. While regulatory and media scrutiny has forced some actors to adopt “ethical principles,” a new breed of opportunistic firms continues to exploit legacy infrastructure like SS7, often with minimal oversight. Meanwhile, NSO’s dramatic decline in value signals the perils of negative attention and sanctions in the spyware sector. On the international stage, China’s transformation of hacking competitions into state-controlled talent and exploit pipelines reflects the shifting balance of power and transparency in global cybersecurity. Listeners are left with an uneasy sense that, while the faces of abuse may change, the underlying vulnerabilities—and demand for such services—persist.
