The Shadow Economy: How Commercial Spyware Networks Exploit Global Investment Flows
The commercial spyware industry operates as a sophisticated shadow economy, where surveillance technologies designed to penetrate the most secure communication platforms find their way into the hands of authoritarian regimes and malicious actors. Recent court proceedings against NSO Group, which resulted in $168 million in punitive damages for targeting WhatsApp’s infrastructure, illuminate only the surface of this expanding marketplace. The ruling represents more than a financial penalty: it exposes the systematic exploitation of digital infrastructure by commercial surveillance vendors operating across complex international networks.
The Atlantic Council’s updated “Mythical Beasts” research project reveals disturbing trends within this opaque market, tracking 561 entities across 46 countries from 1992 through 2024. This comprehensive analysis uncovers two particularly alarming developments: a dramatic surge in US-based investment funding controversial spyware operations, and the proliferation of broker networks that systematically obscure accountability mechanisms.
The most significant development within the commercial spyware ecosystem involves American investment patterns. Data analysis reveals that US-based investors now represent the largest funding source for spyware development globally—a dramatic shift from previous market dynamics where Israel held the top position.
Between 2023 and 2024, American investment entities operating in the spyware market increased from 11 to 31 active participants. This represents nearly triple the investment volume of the next three highest-investing nations combined. The implications extend far beyond market statistics, creating a fundamental contradiction within American foreign policy and national security frameworks.
These investment flows directly contradict established US government initiatives designed to constrain spyware proliferation. While American policymakers implement Entity List designations, impose targeted sanctions, and lead international diplomatic efforts to combat surveillance technology abuse, American capital simultaneously funds the infrastructure these policies aim to dismantle.
Several high-profile investment cases highlight these policy contradictions. In late 2024, AE Industrial Partners invested in Paragon Solutions Ltd, a company whose Graphite spyware platform was recently deployed by Italian authorities against human rights defenders and civil society organizations. Similarly, Integrity Partners channeled American capital into Saito Tech Ltd (Candiru), despite the company’s placement on the US Commerce Department’s Entity List since 2021.
The Candiru investment case demonstrates a critical enforcement gap within existing regulatory frameworks. American companies can apparently invest in organizations specifically designated for restriction, undermining the effectiveness of government-imposed constraints. This contradiction between private sector investment behavior and public policy objectives erodes American leadership credibility in global cybersecurity governance.
Commercial spyware distribution increasingly relies on sophisticated broker and reseller networks that operate as intermediary layers between technology developers and end-user customers. These entities serve multiple functions within the surveillance ecosystem: they obscure supply chain relationships, facilitate jurisdictional arbitrage, and enable market access across diverse regional territories.
The research identifies previously unknown broker networks operating within Mexico, where NSO Group’s Pegasus spyware was distributed through intermediary companies since at least 2011. Official Mexican government transparency documents reveal how these brokers created deliberately misleading contracts to hide both the surveillance products being sold and their actual vendor origins.
These broker networks represent more than simple business intermediaries—they constitute systematic infrastructure designed to evade accountability and transparency mechanisms. By creating complex corporate structures across multiple jurisdictions, brokers make it virtually impossible for researchers, policymakers, or civil society organizations to trace the flow of surveillance technologies from development laboratories to deployment environments.
The research team identified only ten broker entities operating within Mexico, yet this likely represents a fraction of actual intermediary activity. The opaque nature of broker operations means that comprehensive mapping remains extremely difficult, requiring access to hacked datasets, government transparency initiatives, or innovative investigative techniques.
Despite evolving distribution mechanisms and investment patterns, fundamental geographic concentrations within the spyware industry remain consistent. Israel, India, and Italy continue to host disproportionate shares of surveillance technology development, while patterns of entrepreneurial recycling—where individuals move between companies while maintaining similar business relationships—persist across market segments.
Strategic jurisdiction hopping also remains a defining characteristic, with entities deliberately relocating operations to exploit regulatory gaps and enforcement limitations. Companies routinely establish subsidiaries in jurisdictions with limited corporate transparency requirements, making comprehensive oversight virtually impossible.
The research documents systematic efforts by spyware vendors to obscure their operations through name changes, corporate restructuring, and strategic relocations. These patterns suggest coordinated efforts to manage reputational damage and evade regulatory constraints rather than simple business evolution.
One particularly complex case involves multiple UK-based entities with overlapping personnel and similar naming conventions: Coretech Security Services Limited and Airis Security Technologies Inc. (formerly Coretech Security Limited). Both companies share key personnel including Alexander Church and Adrian Oldfield, yet target different customer segments—UK government clients versus Five Eyes alliance partners.
American investment in Israeli spyware capabilities occurs during a period of heightened Middle Eastern geopolitical volatility, where surveillance technologies have already appeared within the Israel-Iran conflict dynamic. This timing raises additional concerns about how commercial spyware capabilities might be leveraged during active conflicts or intelligence operations.
The concentration of American capital within Israeli spyware companies creates potential complications for US strategic relationships and intelligence operations. When American-funded surveillance technologies are deployed against US personnel, diplomatic officials, or allied government targets, it creates operational security risks and diplomatic complications that traditional policy frameworks struggle to address.
The updated dataset represents the most comprehensive public analysis of commercial spyware networks currently available, yet significant limitations remain. The research relies entirely on open-source materials and public records, meaning that entities operating with sophisticated operational security measures likely evade detection entirely.
Government corporate registries vary dramatically in quality and accessibility. While countries like the Czech Republic and United Kingdom maintain comprehensive, publicly accessible databases showing complete corporate histories, registries in Israel, India, the British Virgin Islands, United Arab Emirates, and Mexico provide minimal or no information. This disparity creates natural havens for entities seeking to avoid scrutiny.
The persistence and evolution of commercial spyware markets demand sophisticated policy responses that address both investment flows and distribution mechanisms. Current approaches focus primarily on vendor entities while neglecting the financial infrastructure and broker networks that enable market operations.
American policymakers must develop comprehensive frameworks for monitoring and restricting outbound investments that fund surveillance technology development. This requires establishing a baseline understanding of investment flows, strengthening disclosure requirements for private equity and venture capital firms, and providing due diligence support for investors who may unknowingly fund problematic capabilities.
The current enforcement gap allowing American investment in Entity List-designated companies represents a fundamental weakness in existing regulatory approaches. Closing this gap requires coordination between Treasury, Commerce, and State Department authorities to ensure consistent policy implementation.
Addressing broker and reseller networks requires innovative approaches that go beyond traditional vendor-focused restrictions. These entities operate specifically to evade existing oversight mechanisms, meaning that conventional regulatory approaches often prove ineffective.
Potential strategies include enhanced beneficial ownership reporting requirements, cross-border information sharing agreements, and targeted sanctions against identified broker networks. However, the opaque nature of these operations means that detection and disruption will remain ongoing challenges.
The evolving commercial spyware landscape requires adaptive policy responses that anticipate market evolution rather than simply reacting to disclosed activities. Several strategic approaches could enhance current constraint efforts:
The commercial spyware market continues expanding and evolving, driven by sophisticated networks of investors, developers, brokers, and customers operating across complex international jurisdictions. While market patterns remain relatively predictable—offering policymakers opportunities for effective intervention—the scale and sophistication of these operations continue growing. American leadership in addressing this challenge requires confronting the fundamental contradiction between private investment flows and public policy objectives while developing innovative approaches to disrupt the broker networks that enable systematic accountability evasion.