The Lawfare Podcast
Ep: Lawfare Daily – The State of the Spyware Industry
With guests Jen Roberts and Sarah Graham
Host: Justin Sherman
Date: October 9, 2025
Overview
This episode dives deep into the state of the global spyware industry, drawing on the recently published Atlantic Council report, "Mythical Beasts: Diving into the Depths of the Global Spyware Market," co-authored by Jen Roberts and Sarah Graham. The conversation explores how the spyware industry operates, recent market trends, the role of US and international investors, the emergence of brokers and resellers, and the resulting policy and national security challenges for the United States.
Key Discussion Points & Insights
1. What Is Spyware and Why Does It Matter?
- Definition:
"Spyware is software that facilitates unauthorized remote access to an Internet-enabled target device for the purpose of surveillance or data extraction."
— Jen Roberts (06:23)
- Scope:
- At least 80 out of 195 countries have procured commercial spyware.
- Over half of known zero-day exploits (exploits for vulnerabilities unknown to the vendor at the time of use) are attributed to spyware vendors ([06:23]).
- Spyware is increasingly invasive, potentially accessing all data and functions of a target device.
2. Market Structure: Demand, Supply Chain, and Key Players
- Who Buys Spyware:
- States lacking in-house offensive cyber capabilities or not wanting to risk exposing their own tools ([08:55]).
- Use cases: National security, surveillance, data extraction.
- Supply Chain Mapping:
- The report documents 561 entities in the spyware “ecosystem”—vendors, suppliers, investors, partners, subsidiaries, individuals ([10:13]).
- Notable vendors include Paragon, Cognyte, and Candiru.
3. Major Recent Developments
A. Surge in US Investment
- Spike in 2024 US Investors:
- From 5 (2023) to 24 (2024) active US spyware investors ([12:48]).
- Many are investing in mature, high-profile international vendors.
- Policy Contradiction:
- Despite US policy efforts (sanctions, visa restrictions, export controls), investment activity has significantly increased ([12:48], [15:06]).
- Example:
"AE Industrial Partners invested in Paragon Solutions...which was recently entangled in a scandal with the Italian government..."
— Jen Roberts (13:40) - The entity list regulates exports, not investments ([15:06]).
B. Rise of Brokers and Resellers
- Definitions:
- Broker: Facilitates deals between buyer and vendor.
- Reseller: Buys and resells products, sometimes opening up regional access ([17:14]).
- Findings:
- Number of identified brokers/resellers increased from 2 to 9 ([19:59]).
- These intermediaries can inflate prices, introduce more risk into the supply chain, and facilitate global proliferation ([19:59]).
"Reporting suggests that brokers and resellers really perhaps distort the price of capabilities and the exploits they rely on. And this could really drive up costs and...introduce more risks to the entire supply chain..."
— Sarah Graham (03:28), [19:59]
4. Thematic Industry Characteristics
The report highlights six persistent industry features; the episode focuses on three of them:
A. Geographic Clustering: The "Three I's"
- Jurisdictions:
Israel, Italy, and India are home to a disproportionately high share of vendors, investors, and suppliers ([29:24]).
- Possible reasons include talent pools, defense-sector structures, permissive regulatory environments, and regional specializations.
"These countries might just have a larger scale of highly skilled workers...It could be because of defense structures...or permissive environments that allow sort of companies to have less regulation from the state..."
— Jen Roberts (29:24)
- For Italy in particular: longstanding presence and the benefits of EU market access ([32:36]).
B. Strategic Jurisdiction Hopping
- Definition:
Vendors set up subsidiaries or partners in target jurisdictions to facilitate market entry, regulatory arbitrage, or access to new buyers ([34:22]).
- Example: Israeli vendor Quadream established a Cyprus-based supplier to access the EU market ([34:22]).
C. Corporate Renaming and Obfuscation
- Trend:
Entities frequently change names or shift their corporate structures to avoid scrutiny or negative press.
- Example: Candiru changed its name annually between 2016 and 2020 ([35:58]).
"Candiru changed its name annually. It's now called Saito Tech Ltd...which makes it really difficult for researchers and policymakers to keep track..."
— Jen Roberts (35:58)
5. Broader Implications & Policy Considerations
A. US National Security and Policy Gaps
- Direct Threats:
- Spyware is a counterintelligence risk, targeting US officials and citizens at home and abroad ([37:59]).
- Examples: US members of Congress targeted with Predator spyware (2023); Apple notified US officials targeted with Pegasus (2021).
- Policy-Industry Disconnect:
- Existing US policy (sanctions, joint statements, international coordination) is not yet aligned with US-based investment trends in spyware ([40:12]).
"There's a disconnection between US policy and US investment...it's quite concerning because that doesn't fit the picture of what US policy is sort of going in the direction of."
— Jen Roberts (40:45)
B. International Engagement
- Multilateral Efforts:
- The US works with numerous allies via joint statements and the Pall Mall Process to counter spyware proliferation ([42:21]).
- Focus should intensify on major hubs—Israel, Italy, India.
C. Market Stability and Future Outlook
- Trends Remain Consistent:
- Despite growth and diversification, key structural trends hold steady, making the market fairly predictable for now ([44:41]).
- This consistency can aid ongoing policy efforts and research.
"We're seeing consistency in that behavior, which is at least a positive thing for researchers and policymakers and other partners to be able to understand a somewhat sort of stable snapshot..."
— Sarah Graham (44:41)
Notable Quotes & Memorable Moments
- On the reality of spyware's reach:
"It can gain, oftentimes without any user interaction, access to your applications, your search history, calls, your texts, photos, locations, microphones, recording geographic data, anything that you can sort of think of spyware sort of captures once it's on your device."
— Jen Roberts (07:50)
- On the investment-policy disconnect:
"What we're seeing here is both a contradiction and a critical enforcement gap between US policy and US investment."
— Jen Roberts (14:00)
- On the threat to US national security:
"For years, spyware has been utilized to target American officials and citizens both at home and abroad... So these capabilities are being utilized against Americans. They are a counterintelligence risk for American security."
— Jen Roberts (38:20)
Important Timestamps for Key Segments
- [03:28] – Risks introduced by brokers and resellers
- [06:23 - 08:22] – Defining spyware, market reach, and severity
- [10:13 - 11:45] – Dataset expansion to 561 entities, notable vendors
- [12:48 - 15:06] – US investment surge, contradictions with US policy
- [17:14 - 19:59] – Brokers and Resellers: definitions, impact, increase
- [29:24 - 33:58] – Geographic concentration ("Three I's"), country-by-country dynamics
- [34:22 - 35:58] – Jurisdiction hopping and identity changes
- [37:59] – Implications for US national security
- [44:41] – Consistencies in market trends and future policymaking considerations
Final Takeaways
- The spyware industry is expanding, dynamic, and remains a challenge for oversight due to its complexity, international nature, and the involvement of diverse actors.
- US investments in spyware are growing, even as policymakers attempt to restrict global proliferation, revealing critical policy gaps.
- The market’s relatively stable trends present an opportunity for more effective policy action and international coordination.
- Heightened coordination with allies, stronger investor due diligence, and renewed attention to enforcement gaps are essential for addressing both national security threats and broader human rights concerns.