Surveying the Global Spyware Market

The Atlantic Council has published its second annual report: “Mythical Beasts: Diving into the depths of the global spyware market.”

Too much good detail to summarize, but here are two items:

First, the authors found that the number of US-based investors in spyware has notably increased in the past year, when compared with the sample size of the spyware market captured in the first Mythical Beasts project. In the first edition, the United States was the second-largest investor in the spyware market, following Israel. In that edition, twelve investors were observed to be domiciled within the United States—whereas in this second edition, twenty new US-based investors were observed investing in the spyware industry in 2024. This indicates a significant increase of US-based investments in spyware in 2024, catapulting the United States to being the largest investor in this sample of the spyware market. This is significant in scale, as US-based investment from 2023 to 2024 largely outpaced that of other major investing countries observed in the first dataset, including Italy, Israel, and the United Kingdom. It is also significant in the disparity it points to—the visible enforcement gap between the flow of US dollars and US policy initiatives. Despite numerous US policy actions, such as the addition of spyware vendors on the Entity List, and the broader global leadership role that the United States has played through imposing sanctions and diplomatic engagement, US investments continue to fund the very entities that US policymakers are making an effort to combat.

Second, the authors elaborated on the central role that resellers and brokers play in the spyware market, while being a notably under-researched set of actors. These entities act as intermediaries, obscuring the connections between vendors, suppliers, and buyers. Oftentimes, intermediaries connect vendors to new regional markets. Their presence in the dataset is almost assuredly underrepresented given the opaque nature of brokers and resellers, making corporate structures and jurisdictional arbitrage more complex and challenging to disentangle. While their uptick in the second edition of the Mythical Beasts project may be the result of a wider, more extensive data-collection effort, there is less reporting on resellers and brokers, and these entities are not systematically understood. As observed in the first report, the activities of these suppliers and brokers represent a critical information gap for advocates of a more effective policy rooted in national security and human rights. These discoveries help bring into sharper focus the state of the spyware market and the wider cyber-proliferation space, and reaffirm the need to research and surface these actors that otherwise undermine the transparency and accountability efforts by state and non-state actors as they relate to the spyware market.

Really good work. Read the whole thing.

Posted on September 19, 2025 at 7:01 AM • 3 Comments

Comments

Wannabe Techguy September 19, 2025 12:01 PM

“US investments continue to fund the very entities that US policymakers are making an effort to combat.”
A form of “Security Theater”?

Clive Robinson September 19, 2025 2:33 PM

@ Bruce, ALL,

With regards,

“Second, the authors elaborated on the central role that resellers and brokers play in the spyware market, while being a notably under-researched set of actors.”

To some of us this is not a surprise as our past comments will show.

One underlying fundamental to this is very poor US legislation, that despite protest going back well into the past century has not been addressed by US legislators for “some magic reason”. The result of which is that the data about entities is effectively stolen from them without recompense and is then used to create significant harm for profit. The scary thing is the entities being stolen from as a group include rather more than,

1, All people legal and natural.
2, All organisations and associations.
3, All entities electronic or computational.
4, All entities in communication.

And the only restrictions on collection that might be considered are for “US entities” against certain US Government agencies…

In fact an inspection of the way this works shows that the US Government is in fact a beneficiary of this, as there is the loophole in prosecution that basically says that if the collecting entities, traders and others “make it available to the USG, then they won’t get prosecuted”.

Perhaps more interestingly this is only possible because the US is effectively “The Spider at the center of the web”.

The rest of the International Governmental entities are unhappy about this to say the least.

More than a decade ago a UN congress in Doha had many representations to split up or in other ways perform “Balkanization of the Internet”.

The 2014 ITU World Conference was a fairly fraught occasion and it became clear that most of the World nation representatives were against the US in effect “Controlling the Internet”.

Since then, increasing numbers of nations have been, and are pulling away in various ways. Not least being the increase in “Great Firewalls” and DNS and IP Address blocking etc. And why the likes of “Hell on Rusk’s” seen as “US surveillance and control from above” via “Starlink” etc are being seen with much deep suspicion. Further it’s rumoured that “subsea cable cutting” is likewise part of this “national ire” and potential “first strike” acts of war.

With little doubt US legislators see the US as being the “One Ring” of the Internet and do not want to lose the value of this, thus won’t do what is necessary to clean things up.

Nor for that matter will the UK and other “Five Eyes” supranational SigInt agencies who all see themselves as above their national elected governments thus above their citizens’ wishes…

This gets to be seen further down the computing stack with manipulation of “International Standards Committees” such that surveillance of all types are more easily carried out.

This battle for Data Comms supremacy gets seen in all sorts of places including the US War against 5G and the “loony two tunes conspiracies” pushed. [We can see a new one being started over “Bluetooth in China Goods”, how far it will progress will depend on how the echo chambers etc can be stoked up].

KC September 20, 2025 5:59 PM

My favorite spyware name change sequence is ‘Appin Technology Ltd.’ to ‘Mobile Online Order Management Private Limited’ to ‘Chemieast Engineering’ to ‘Sunkissed Organic Farms.’

It’s what some might call a Fox in Socks.

It appears there have been previous blog comments on Appin, an Indian company, here and here.

Of the five policy recommendations, instituting “Know Your Vendor” requirements seems critical to ensure government clients know whether their supply chain includes firms on the restricted entity lists.

The fifth recommendation, providing more protection against SLAPP suits, traces 2024 EC rules in facilitating the early dismissal of claims and the recovery of defendant costs.

All of the policy recommendations are good. As are the areas for future work.
