Markets Matter: A Glance into the Spyware Industry

EXECUTIVE SUMMARY

The Intellexa Consortium, a complex web of holding companies and vendors for spyware and related services, has been the subject of recent, extensive sanctions by the US Department of the Treasury and the focus of reporting by the European Investigative Collaborations among others. The Consortium represents a compelling example of spyware vendors in the context of the market in which they operate—one which helps facilitate the commercial sale of software driving both human rights and national security risk.1 This paper addresses an international policy effort among US partners and allies, led by the French and British governments, as well as a surge of US policy attention to address the proliferation of this spyware. This paper offers a case study of the Intellexa Consortium, based on public records and open source reporting, as an argument for policymakers to consider the wider network of investors and counterparties present in this market rather than constraining their focus to individual vendors. This consortium showcases many of the trends observed in how other spyware vendors organize, straddle jurisdictions, and create overlapping ownership structures. This paper argues that policymakers must approach the market as a whole, a large and complex but interlinked system, in designing future policy interventions against these vendors and their respective supply chains. In closing, the paper offers several tangible impacts and insights into this market, calling for greater transparency writ large, but also for increased attention into the individuals and investors that facilitate the proliferation of spyware.

Introduction

For decades, private companies have developed, sold, and maintained software to steal digital data from computing devices and sell it to others—eroding the notion that digital espionage is an activity limited to governments. Mobile phones and their operating systems have been an especially popular target as, in many ways, the devices are a slickly packaged espionage party pack of microphones, cameras, Global Positioning System (GPS), and cell network location transmitters, with the applications to obtain sensitive personal data like messaging and contacts. The customers for this software-enabled spying are myriad, including law enforcement, domestic security, and intelligence organizations across the globe. Spyware has garnered international attention due to some governments’ utilization of the software to violate human rights and for its use in internal surveillance and policing, as well as larger national security risk in transferring offensive cyber capabilities to states without means to provide lawful oversight and democratic input on their use.

In the decades that this spyware has been built and sold, profiles have been written about as many as a dozen vendors. Reports from companies like Google,2 Meta,3 civil society champions Amnesty International4 and the Citizen Lab,5 and news outlets like Reuters6 and Forbes,7 as well as the Atlantic Council,8 have examined the behavior of these companies, the services they sell, and the corresponding harm that software can pose.

But absent from most of this analysis, save some at the edges of industry and academia, is an accurate picture of these vendors as a whole market—one in which firms conduct business under multiple names, work with investors across the globe, and where webs of interpersonal relationships underpin a shifting roster of corporate names and titles. These factors have hampered policy efforts to extract transparency from this market and limit the sale and use of spyware.

Figure 1: Groups Targeted by Spyware

Recently, the US government took policy action to target specific firms and several named individuals developing and selling this software. In March 2024, the Treasury Department sanctioned the Intellexa Consortium, profiled in more detail in this brief, following the listing of several vendors by the Department of Commerce in 2023.9 Together with policy efforts like those in the UK- and French-led Pall Mall process10 launched in February 2024 and the widely discussed but ultimately inconclusive PEGA Committee,11 which the European Parliament convened in 2023, there has been a sharp increase in interest from governments in the activities of this market and their potential for harm.

Policy that addresses these vendors and their major financial and supplier relationships within this market will be more impactful than targeting single vendors alone. To sharpen the emerging government efforts mentioned above, this paper presents a case study of the Intellexa Consortium and its investor and subsidiary ties as a prototype of analysis focusing on a vendor’s relationship to this wider spyware market, in addition to their own activities.

In the pages that follow, the paper offers some basic definitions and examines previously reported and open source information about the specific case of the Intellexa Consortium, which recent US Treasury actions highlighted. Sanctions are particularly useful in targeting individuals across multiple jurisdictions and companies, and this is the first time the US has used this policy lever against a spyware vendor.12 The case study summarizes the corporate entities, investors, and founders that make up this consortium along with key public business relationships and how those relationships have evolved over time. Finally, the paper highlights several features of the Intellexa Consortium organization and implications for policy.13 This is just one case study, but it demonstrates a model for what is possible in a more holistic analysis of the spyware market and the utility of that approach to policymakers, researchers, and advocates alike.

Terms of Debate

This section offers definitions for some key terms as applied in this work and present in many others as a way of scoping the analysis. Policymaking around spyware has suffered in the past due to unclear terminology and inconsistent definitions. Recognizing the significant energy present across international policymaking efforts like the Pall Mall process, this section seeks to better specify terms of an ongoing debate. The authors submit these terms as analytically useful to the purpose, concise, and sufficiently rigorous so as to capture much of the discussion happening in the seams and gaps between both policymaking and information security research communities.

Spyware

Spyware is a type of malware14 that facilitates unauthorized remote access to an internet-enabled target device for purposes of surveillance or data extraction. Spyware is sometimes referred to as “commercial intrusion [or] surveillance software,” with effectively the same meaning. Spyware works without willing consent of the target or anyone with access to their device; thus, this paper does not consider the market for so-called ‘stalkerware,’ which generally requires interaction from a spouse, partner, or someone else with access to a user’s device. This definition also excludes software that never gains access to a target device, such as surveillance technologies that collect information on data moving between devices over wire (i.e., packet inspection or ‘sniffing’) or wireless connections. This definition also excludes hardware such as mobile intercept devices known as IMSI-catchers, or any product requiring physical access to a target device such as forensics tools.15

This definition is limited, by design, to disentangle the lumping of various other surveillance toolsets into the definition of spyware.16 Hardware devices require physical device access that adheres to jurisdiction-specific regulations. Passive surveillance technologies intercept and monitor communications using a broad set of tools, often in some combination of hardware and software technologies and frequently without requirement for preexisting knowledge of a target.17

“Commercial” Spyware?

The term spyware often becomes a proxy debate for the scope of policy. Varying definitions attempt to embed conditions as to the source or legitimacy of these software. The debate over what constitutes a legitimate use, and the channel to acquire spyware is ongoing. To avoid confusion in both analysis and policy—the authors do not embed the term “commercial” in this definition (e.g. “commercial spyware,” more on this below). Spyware defines a set of technical capabilities, wherever those might be acquired. Policy addressing the “market” for spyware necessarily supposes a commercial source rather than those developed within government organizations.

Vendor

A spyware vendor is a commercial entity that develops, supports, and sells spyware to an end user. This development and support can include vulnerability research and exploit development, malware payload development, technical command and control, operational management, and training and support, but need not include all.18 To limit discussion of spyware vendors to only those offering ‘end-to-end’ capabilities would risk obscuring critical commercial relationships significant to this discussion, as will become clear in the Intellexa Consortium case below.

Holding Company

Several of the vendors in the Intellexa Consortium are part of one or several holding companies. A holding company is a type of business entity whose sole purpose is to own a controlling interest in other companies.19 These companies control subsidiaries. Rather than produce a good or supply a service, the functionality of a holding company is often tied to its ownership of its subsidiaries.20

Supplier

A supplier sells a component or service in support of a spyware service to other suppliers and vendors but does not develop or operate a spyware service or work directly with end users. In common parlance, vendors can be suppliers. Here the authors limit suppliers to those firms enabling the activity of spyware vendors but without any capacity to build or sell comparable surveillance services. For example, a supplier might sell a vulnerability or a subscription of exploits to a spyware vendor or establish a service relationship. A supplier helps with the operation of a service rather than providing that service directly. Suppliers are a crucial but often overlooked part of this market. Those vendors that cannot develop some part of a spyware service in-house—most often the regular supply of software exploits needed for continued access to major operating systems—look to procure these capabilities from a supplier, which can help drive proliferation of spyware through an even more diverse market.

A Question of Scope

The definition of spyware offered here does not describe the full scope of the case study to follow. While this paper is concerned with the Intellexa Consortium and its sale of spyware, this collection of firms includes several that sell services complementary to spyware to steal credentials and surveil wireless networks. The case study of the Intellexa Consortium here is motivated by the sale and use of spyware, but does not necessarily limit its consideration of vendors and suppliers of that product.

A related, and important, issue of scope is the particular policy problem that the spyware market presents. As we have noted in previous work, “The proliferation of offensive cyber capabilities (OCC)—the combination of tools, vulnerabilities, and skills, including technical, organizational, and individual capacities used to conduct offensive cyber operations—presents an expanding set of risks to states and challenges commitments to protect openness, security, and stability in cyberspace. The profusion of commercial OCC vendors, left unregulated and ill-observed, poses national security and human rights risks. For states that have strong OCC programs, proliferation of spyware to state adversaries or certain non-state actors can be a threat to immediate security interests, long term intelligence advantage, and the feasibility of mounting an effective defense on behalf of less capable private companies and vulnerable populations. The acquisition of OCC by a current or potential adversary makes them more capable.21

Many human rights violations associated with OCC occur in the context of their use for national security purposes (e.g., by state intelligence agencies). This dichotomy illustrates the diverse set of risks that the proliferation of OCC pose. These risks include what Lin and Trachtman term “vertical” uses (by states against their own populations) and “diagonal” uses (against the population of other states, including diaspora).22 In some cases, these capabilities are deployed intentionally, through commercial transactions or disclosure, and in other cases without intention; for example, the ‘breakout’ of “capabilities like EternalBlue, allegedly engineered by the United States, have already been used by the Russian, North Korean, and Chinese governments.”23

This piece focuses on a subset of these capabilities, spyware, through a case study within the spyware market. That focus does not suggest that harm from the use of spyware is derived from their commercial sale or development outside government institutions. The commercial vendors of spyware may be the more unpredictable and less constrained source of intentional proliferation today, but they are far from the only source of harm and insecurity. Policy that seeks only to mitigate harms from the commercial sale of these capabilities risks ignoring its wider harms from a variety of sources. Commercial sale is a poor proxy for ‘responsible’ or ‘mature’ use of offensive cyber capabilities and history has shown that this market is only one, intentional part of this wider proliferation problem. Pinning policy activity on an assumption that states that can develop their own capabilities are deemed ‘responsible,’ and those that must resort to the open market are not, risks undermining even well-intentioned policy despite what it might offer in crafting consensus at home or abroad.

Intellexa: Behind the Music

How do these terms work in practice and what does a spyware vendor look like in 2024? This section reviews the case of Intellexa Consortium, a group of companies that has reportedly sold spyware to customers in Armenia, Colombia, Côte d’Ivoire, Egypt, Germany, Greece, Oman, the Philippines, Saudi Arabia, Serbia, and Vietnam, in addition to other countries “around the globe.”24, 25, 26 The service has also been used to covertly surveil US government officials, journalists, and policy experts.27

The Intellexa Consortium is made up of two main groups, Intellexa Group and Intellexa Alliance. Intellexa Group is comprised of four known subcompanies, each of which specializes to complement one another, and houses the developer of the consortium’s spyware. The Intellexa Alliance is a partnership between the Intellexa Group and the Nexa Group, a cluster of five other companies.

Figure 2: Chart of the Intellexa Consortium and Subsequent Groupings

The phrase “Intellexa Consortium” is an analytical term that researchers and policymakers28 have used to describe this collection of companies with close ties, apparent commercial partnerships, and comingled owners. Although both Intellexa Group and Intellexa Alliance are part of the Intellexa Consortium, neither is a registered legal entity in any of the jurisdictions surveyed for this paper. Meanwhile, among the known entities that bear Intellexa’s name, Intellexa S.A. is registered in Greece,29 and Intellexa Limited is registered in the British Virgin Islands30 and Ireland.31 Part of what makes Intellexa Group unusual is this collection of customer-facing support and marketing to amplify the reach and efficacy of their services. The corporate infrastructure of Intellexa Group is configured similarly and some of these companies share common ownership. For example, Tal Dilian founded both WS WiSpear Systems Limited and Intellexa S.A. and operated the two firms simultaneously.32

Each of the Intellexa Group companies has a business relationship with many other entities in the group and many share the “Intellexa” name in some fashion. Intellexa Group, with or through one of the companies in the cluster, is responsible for the sale and support of the Predator spyware service.33 Predator is a spyware service engineered to infiltrate, monitor, and steal data from a target device. Predator installation occurs via “zero-click” or “one-click” infections. One form of zero-click infection takes place when a victim’s mobile browser secretly redirects to a malicious website.34 Alternatively, one-click infections require that victims unknowingly click on a malicious link, such as an article posted to X (formerly Twitter), which the user believed to be a legitimate website.35 After installation, Predator provides remote access to monitor the target device, manipulate local microphones and cameras, and extract data, including files, messages, and location information. Predator has been sold to states that have used it to commit human rights abuses.36

Intellexa Group is also part of the broader Intellexa Alliance, in partnership with Nexa Group, a consortium of four known different companies.

Figure 3: Known Companies and Groupings that Comprise the Intellexa Alliance

Reporting has often conflated these two separate clusters, identifying them as a unified entity instead of the set Intellexa Group and superset Intellexa Alliance (together with Nexa Group). This distinction is important as it helps to disentangle the complicated corporate structure and create more effective policy that targets specific clusters. The overlapping corporate structures found here are an extreme example of otherwise common trends found throughout the spyware market covering more than thirty firms with similarly named subsidiaries and nested investor and partner relationships. The figure below highlights features of the Intellexa Group and the Intellexa Alliance to clarify the operations of each association and recommend policy actions based on emerging market phenomena.

Intellexa Group

Figure 4: Known Companies and Groupings of Intellexa Group

Intellexa Group’s story starts with its founder Tal Dilian. Dilian was sanctioned by the US Treasury Department in March 2024 and so is discussed here as a prominent entity of interest to the US policy community. Tracing Dilian’s career trajectory helps parse through the complex and convoluted structure of the Intellexa Group.

Dilian, a former commander of the Israel Defense Forces Intelligence Corps’ Unit 81 (Unit 81 focuses on developing innovative cyber technologies that provide specific functionality for IDF operations),37 is the founder of several companies that operate or have operated in the spyware market. The first such firm was established in 2010; Circles Solutions Ltd is based in Cyprus and uses Signaling System 7 vulnerabilities for geolocation with phone numbers as the preferred device identifier, a useful complement to vendors selling spyware targeting mobile phones.38 In 2014, Dilian sold Circles Solutions Ltd to Francisco Partners, a private equity firm based in the United States. From 2014 to 2019, Francisco Partners also held an “indirect controlling interest” of another spyware vendor, NSO Group.39, 40, 41 As part of its acquisition, Circles Solutions Ltd became a subsidiary of NSO Group.42, 43

Before completing the $130 million sale of Circles to Francisco Partners, Dilian founded WS WiSpear Systems Limited in 2013.44 WS WiSpear Systems Limited specialized in intercepting target Wi-Fi signals and extracting passwords and communications at long range.45 In 2018, WS WiSpear Systems Limited acquired the year-old spyware vendor Cytrox AD, based in North Macedonia.46 Cytrox AD is notable as the original vendor of Predator spyware, the service that would be popularized and sold by Intellexa Group.

In 2018, Dilian began to organize what analysts would later come to term Intellexa Group—to include WS WiSpear Systems Limited (since renamed Passitora Ltd),47 Cytrox AD, and adding Senpai Technologies Ltd the following year.48 Senpai Technologies Ltd is an Israel-based company, specializing in open-source intelligence and in analyzing data from phones infected by spyware.49 This left Intellexa Group with three complementary offerings for any surveillance-minded government: Cytrox AD’s Predator spyware service, WS WiSpear Systems Limited’s Wi-Fi-intercept and password-extraction technology, and Senpai Technologies Ltd’s data exploitation and open-source research tools.

Two years later, in 2020, Intellexa Group expanded to add Intellexa S.A. (previously known as Intellexa Single Member SA).50 Intellexa S.A.’s role within this consortium remained unclear until recently, with a corporate registry specifying no more than “computer systems design and related services.”51 In March 2024 however, the US Treasury Department described Intellexa S.A. as the primary channel through which Intellexa Group sells Predator spyware.52

A global network of investors supports Intellexa, and many companies within Intellexa Group’s investor base also have personal connections to Dilian. Aliada Group, based in the British Virgin Islands,53 has Dilian listed as a shareholder54 and in 2018 became the majority stakeholder in WS WiSpear Systems Limited,55 which would go on to acquire Cytrox AD.56 In 2020, Miros Development Group Inc., based in the British Virgin Islands, purchased Aliada Group.57 That same year, Miros Development Group Inc. was purchased by Thalestris Limited, a company based in Ireland.58, 59 The director of Thalestris Limited, Sara Hamou, is Dilian’s ex-wife and an offshore specialist.60

Intellexa Group distributes corporate ownership through an ecosystem of holding companies. Holding companies are developed to control subsidiaries. Cytrox AD is known to be held by:

Cytrox Holdings ZRT, based in Hungary 
Cytrox EMEA Ltd (renamed Balinese Ltd in 2019), based in Israel, and,  
Cytrox Software Ltd (renamed Peterbald Ltd in 2019), also based in Israel.61 

These holding companies may serve to protect the assets and owners within Intellexa Group. Other known limited liability companies bearing the same name of Intellexa also exist in Ireland and the British Virgin Islands as Intellexa Limited. Intellexa S.A. is held by:

Intellexa Limited based in the British Virgin Islands62

Intellexa Limited based in Ireland.63

The structure of these holding companies may have been intended to protect assets in the core service provider companies—WS WiSpear Systems Limited, Cytrox AD, and Senpai Technologies Ltd, as well as Dilian and other investors in the Intellexa Group companies.64, 65

Intellexa Alliance

Announced in 2019,66 the Intellexa Alliance was a partnership between the entities that comprise Intellexa Group and those of the Nexa Group.67 The precise corporate structure of the alliance is murky, and the nature of the relationship remains unknown, although one prominent research outlet has described it as akin to the Star Alliance partnership of airlines.68 Nexa Group is also used to describe a group of companies that markets a set of products under one name but is not a legal entity itself. It is comprised of Nexa Technologies (France), Nexa Technologies CZ s.r.o. (Czech Republic), Advanced Middle East Systems Fz llc (United Arab Emirates), Serpikom (France), and Trovicor FZ (United Arab Emirates).

Figure 5: Known Companies and Groupings of Nexa Group

Several key moments provide starting points for analysis of the Nexa Group. In 2012, Nexa Technologies was established as a spin-off of the interception business established by Amesys in France.69 Founded in 2004, Amesys developed and sold its signature Eagle surveillance technology to the former regime of Muammar Gaddafi in Libya.70 Eagle expanded traditional techniques by allowing for the surveillance of internet traffic running to an entire country. To implement such a system, Amesys set up “two high-bandwidth ‘mirrors’” that copied this traffic into a searchable database for use by government security services.71 This traffic included voice over Internet Protocol (VoIP) conversations, email, and online chatroom postings.72 Rather than selecting a few targets to surveil, Eagle allowed the Gaddafi regime to learn about any and all anti-regime activities and discussions taking place over a variety of communications systems.73

Bull Group SA (France) bought Amesys in 2010. A year later, the International Federation for Human Rights (FIDH) and the Human Rights League (France) filed a civil party complaint against Amesys and Amesys company executives for “complicity in acts of torture” due to the Libyan government’s use of Amesys technologies.74 However, the court did not approve the opening of an investigation into this matter until 2013, at which point Nexa Technologies had been established to take over Eagle, Amesys’ main interception product.

In 2013, two Nexa Group companies were established: Nexa Technologies in France, which took over the development of Eagle surveillance system, and Advanced Middle East Systems in the United Arab Emirates to function as a sales branch for Nexa Technologies products.75 Nexa Technologies CZ was founded in 2015 as a research and development arm of the company with a particular focus on cryptography.76 Nexa Technologies built upon Eagle to produce and sell its successor product, Cerebro, to governments in Egypt, Kazakhstan, Qatar, Singapore, and the United Arab Emirates.77 In 2019, Boss Industries, the parent company of Nexa Group, acquired Trovicor fz/Trovicor Intelligence, a competing company in the interception technology space. Like its predecessor Amesys, in 2021, Nexa Technologies found itself under indictment for “complicity in acts of torture and of enforced disappearances” based on the Egyptian government’s use of Cerebro technologies against its citizens.78

Nexa Group companies underwent several name changes over the years. As early as 2019, Boss Industries likely held ownership of Nexa Group companies including Nexa Technologies (France), Nexa Technologies CZ, Advanced Middle East Systems (United Arab Emirates), Trovicor fz/Trovicor Intelligence (United Arab Emirates), and Serpikom (France).79 In 2021, ChapsVision acquired Nexa Technologies France.80 The government-facing branch of ChapsVision now purports to build “a sovereign cyber intelligence and cyber security solution, dedicated to the defence, intelligence and security markets”.81 As of 2022, Nexa Technologies CZ operates under the name Setco Technology Solutions, and as of 2023, Nexa Technologies (France) operates under the name RB 42.82

Nexa Technologies’ integrated hardware-software surveillance product might well have complemented the Intellexa Group companies’ spyware and related service offerings. Nexa’s Cerebro allowed for the passive surveillance of entire populations. Cerebro collects massive amounts of communications data to identify potential targets for enhanced surveillance scrutiny. Once Cerebro identifies a target, Intellexa could deploy Predator spyware to infect that individual’s device to collect more intimate data.

Intellexa Consortium: Interaction with Suppliers and Customers

Some spyware vendors rely primarily on procuring their vulnerabilities and exploits from third-party suppliers,83 while others, like NSO Group, balance procuring these tools from the market with their own in-house research and development.84 Intellexa Group companies appear to source exploits to support the Predator spyware with enough speed to maintain an eight-figure price point for the product, suggesting both in-house and third-party suppliers for exploits and vulnerability information.85 Information on the suppliers from which the Intellexa Group purchases vulnerabilities and exploits is not publicly available.

The Intellexa Consortium has faced scrutiny for where and to whom they have sold their wares. In 2007, a known member of the Intellexa Alliance, Nexa Technologies (France)—operating at the time as Amesys—sold its surveillance hardware to Libya. In 2011 and again in 2014, the International Federation for Human Rights and the Human Rights League filed complaints against Nexa Technologies for complicity in acts of torture from the sale of this technology.86, 87

In 2022, the Guardian newspaper revealed that Predator spyware had been used to monitor individuals across Greek politics through the Greek intelligence service.88 Most recently, Intellexa Group companies have been accused of selling Predator to a customer aligned with government interests in Vietnam.89 In 2021, the civil society group Citizen Lab also reported “likely customers” of Predator in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.90

Recent Policy Action on Spyware

In 2022, in response to the investigative findings of the Pegasus Project, an international investigative journalism initiative, the European Parliament set up the PEGA Committee to investigate the misuse of surveillance spyware including the NSO Group’s Pegasus and similar spyware services.91 The committee concluded that European Union governments abused spyware services, lacked necessary safeguards to prevent misuse, and in one jurisdiction the government even facilitated the heedless export of spyware technologies to authoritarian regimes.92 Despite the committee’s recommendations, the EU has not adopted any legislation as a bloc to curb the development or sale of spyware. In March 2023, the United States first proposed to block the US government agencies’ operational use of “commercial spyware.” Under Executive Order 14093, the Biden administration prohibited the operational use of commercial spyware that presents a significant threat to national security.93 Four months later, the US Department of Commerce added four Intellexa Group companies to its Entity List alongside other spyware vendors NSO Group and Candiru, to curb these firms’ ability to obtain commodities, software, and technology needed to develop spyware surveillance tools.94 The move targeted four entities: Intellexa S.A., Cytrox AD Holdings ZRT, Intellexa Limited (Ireland), and Cytrox AD (North Macedonia) because they were “trafficking cyber exploits … used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide.”95

In 2024, the US Department of Treasury Office of Foreign Assets Control levied sanctions against several of the entities listed in the 2023 Commerce action, while adding three more.96 Ultimately Treasury sanctioned Tal Dilian, Sara Hamou, Intellexa S.A., Intellexa Limited, Cytrox AD, Cytrox Holdings Crt, and Thalestris Limited.97 So far, US actions have not included at least five additional entities within the Intellexa Group, Balinese Ltd (formerly Cytrox AD Software Ltd), Peterbald Ltd (formerly Cytrox AD EMEA Ltd), Passitora Ltd (formerly WS WiSpear Systems Limited), and Senpai Technologies Ltd, as well as the British Virgin Islands-domiciled Intellexa Limited.

Takeaways for Policy and Research

Each member company of the Intellexa Consortium sells spyware or ancillary surveillance support capabilities. The Intellexa Group offers a vertical integration of spyware targeting and delivery as well as information exploitation services. The Intellexa Alliance extends that integration to cover several major European jurisdictions. By bringing talent and complementary services under an interlinked set of corporate partners, the Intellexa Consortium aggregates behaviors observed from other spyware vendors into a tighter, more robust cluster of entities.

This expansiveness of firms across various geographies allows the Intellexa Consortium to exploit jurisdictional arbitrage that can result in different regulatory treatment of the same transaction in different legal systems. Just like in the case of financial arbitrage, high costs are an impediment to arbitrage. In policy for spyware, high transaction costs to leave a jurisdiction and high entry costs into a more favorable jurisdiction could act as a hindrance, thus inhibiting this activity in practice. Policymakers could achieve this by requiring more detailed disclosure of where companies intend to relocate when exiting a jurisdiction and their business purpose as well as strengthening business incorporation rules and laws to include more robust investigation of intended business activities of companies (and their beneficial owners, such as a recent change in US reporting rules).98

Media reporting about the Intellexa Consortium often reduces this sprawling group of companies to a single entity, which makes it difficult to identify the operating jurisdiction of that firm. Policymakers should also consider providing universal jurisdiction for cases of spyware with other like-minded states. Cyprus, the Czech Republic, France, Greece, Hungary, Ireland, Israel, and the US99 already provide for universal jurisdiction over certain kinds of crimes, a fruitful existing coalition to pursue such a change.

Virtually no information exists to explain the business consequences of Intellexa Alliance “membership.” Policymakers cannot make sense of how to target parts or all of the alliance without clearly understanding the constraints of this relationship.

Efforts to improve transparency in, and limit the harms of, the spyware market are hobbled if they focus solely on transactions or individual vendors. The rich ties of influence over participants in this market are in their financial and organizational dependencies with others. Policymakers must consider a multipronged approach that incorporates action for not only vendors themselves, but also key subsidiaries, investors, suppliers, and individuals that make up this market. As the Intellexa Consortium ably demonstrates, the ebb and flow of corporate relationships, constant name changes, and confusing business structures not only make it difficult to track what is happening behind the veil with a vendor, but also cause policy that strictly chases vendors to neglect other pieces of this puzzle.

Enhancing the transparency of this market would provide more accurate and timely information to policymakers. Proposals for governments to create know-your-vendor requirements for all those from whom they acquire spyware or related services would substantially benefit policymakers’ visibility into this market and these relationships. Better information about spyware vendors’ business structures would help drive precise regulatory activity and allow for improved awareness of jurisdictions providing a ready home for investors, or vendors, associated with particular harms.

This transparency would help realize more effective targets of enforcement as well. Vendors change, but individuals often move between them. Transparency about ownership will assist policymakers in regulating individuals associated with spyware vendors, their subsidiaries, as well as investors. The Intellexa Consortium highlights a vital detail in this picture, where individuals who cultivate businesses around spyware will be repeat players in the market. Tal Dilian was founder of Circles Solutions (now under the NSO Group umbrella) and WS WiSpear Systems Limited (the majority stakeholder in Cytrox AD), along with creating the Intellexa Group. Enhancing transparency in this market will help policymakers find and fix on critical individuals within this market rather than only playing whack-a-mole with corporate registries.

A final potential benefit of this improved transparency is the prospect for efficient regulation of investors. While vendors’ jurisdictions might sometimes be outside the reach of proactive states, publicly known investors in spyware companies appear, at present, to be concentrated in geographies with government interest in intervention against the spyware market, notably the US and UK. For example, while the Intellexa Consortium operates largely within the European Union as a vendor, several of its holding companies and investors are based in the continental United States and the British Virgin Islands. More widely, a 2021 report from Amnesty International found that out of the 50 largest venture capital firms and three start-up accelerators worldwide, only one had any sort of due diligence processes for human rights.100

The case of the Intellexa Consortium is curious for the internal complexity of these firms’ relationships and the potential these business relationships hold for policymakers, researchers, and advocates working to limit the harms of the spyware market. The case is an example of the value that a market perspective can hold as well as the analytic challenges posed by contemporary research into these vendors and their activities. The prospects for policy in this domain are bright and for the first time in more than a decade hold the potential for material change in the shape and impact of the spyware market. We remain hopeful that potential will be realized.
