TechReaderDaily.com

Commercial Spyware Outpaces Every Regulatory Framework

The Indo-Pacific region could determine whether the sprawling commercial cyber intrusion market accelerates or hits a brake.


Teixeira Candido, a prominent journalist in Angola, had been covering government corruption for years when his phone quietly became a surveillance device. It was May 2024. Amnesty International's Security Lab would later confirm that Candido's handset had been infected with Predator, the flagship spyware product of the Intellexa consortium, a commercial surveillance vendor based in Europe and the Middle East. The infection lasted only a few days, but in that window the software could have exfiltrated every message, every photograph, every location ping the device had ever recorded. Candido had no way to know. His phone gave him no indicator light, no warning dialogue, no sign at all that his camera and microphone had been remotely accessible to a paying customer.

Candido's case, reported by Reuters in February 2026, is not an outlier. It is the steady-state output of an industry that has outgrown every regulatory container built to hold it. Commercial cyber intrusion capabilities, or CCICs, began as a boutique trade serving a handful of intelligence agencies. They are now a sprawling, fragmented global market in which dozens of vendors sell full-stack surveillance to any government willing to pay, often with few enforceable restrictions on who gets targeted or what happens to the data afterward. A growing body of research maps this ecosystem, but mapping it has not slowed it down.

In early May 2026, researchers Allison Pytlak and Gatra Priyandita published an assessment in The Strategist, the analysis platform of the Australian Strategic Policy Institute, arguing that the market for CCICs "is moving faster than the frameworks designed to govern it." What began, they wrote, as a "niche ecosystem of surveillance vendors has evolved into a sprawling, fragmented industry." Their focus was the Indo-Pacific, a region where regulatory competition among states could either become the first meaningful brake on the spyware trade or its newest accelerator.

The technical capabilities of these tools have advanced far beyond what the public conversation about "spyware" tends to assume. In February 2026, security researcher Bill Toulas reported for BleepingComputer that Intellexa's Predator spyware had developed the ability to hook into iOS's SpringBoard, the process that manages the iPhone home screen, in order to suppress the green and orange indicator dots that Apple designed precisely to alert users when their camera or microphone is active. Predator does not need to exploit a new iOS vulnerability to pull this off; it leverages legitimate system functions, rerouting the indicators so that a device under active surveillance appears dormant. The user sees nothing. The operator sees everything.

This is the architecture that matters. A phone infected with Predator becomes a roving surveillance station: microphones, cameras, GPS, messaging apps, contacts, calendars, browser history, all streamed to a command-and-control server operated by the government customer, or, in some configurations, to Intellexa itself. In December 2025, researchers told reporters that Intellexa had maintained direct remote access to the surveillance systems of its government clients, meaning company employees could, in principle, view the intercepted data of people whose phones had been compromised by those governments. The vendor was not merely selling the tool. It was positioned inside the surveillance pipeline, able to see the harvest.

The policy response to this industry has lurched between confrontation and accommodation, sometimes within the same calendar year. Under the Biden administration, the US Treasury Department sanctioned multiple individuals and entities tied to Intellexa and NSO Group, the Israeli maker of Pegasus, designating them under counterterrorism and human-rights-abuse authorities. The European Union placed export controls on dual-use surveillance technologies. In December 2024, a US federal judge handed WhatsApp a historic legal victory against NSO Group, finding the company liable for exploiting the messaging platform to deliver Pegasus to roughly 1,400 users, including journalists, diplomats, and human rights defenders.

But the momentum has shifted. In March 2026, Dark Reading reported that opponents of commercial spyware were increasingly concerned about a reversal in Washington. "Despite a recent historic legal victory, the fight against commercial spyware may be trending in the wrong direction," the outlet noted, cataloguing how spyware vendors "over the past several years have been hit with economic sanctions" but were now seeing those constraints loosen. The shift was not speculative: by January 2026, the Trump administration had cleared a trio of individuals who had been sanctioned for involvement with the Intellexa consortium, according to reporting that circulated widely in the information security press.

The removal of those designations matters because sanctions have been the primary tool Western governments have wielded against an industry that operates across jurisdictions deliberately chosen for their regulatory weakness. Intellexa, for instance, has structured itself as a consortium of entities registered in Ireland, Cyprus, the British Virgin Islands, and Israel, with operational presences in Greece and North Macedonia. A sanctions regime requires constant maintenance; lifting designations, even quietly, signals to the market that the period of maximum pressure has passed. It also signals something to governments in the Indo-Pacific, where the ASPI researchers argue the next chapter of the spyware story will be written.

The Geography of Impunity

The Indo-Pacific is not merely a region where spyware happens to be sold. It is where the regulatory vacuum is most visible and most consequential. Pytlak and Priyandita note that countries in Southeast Asia and the Pacific Islands are increasingly both consumers and targets of commercial surveillance tools, often acquired through opaque procurement processes with no legislative oversight. The vendors, meanwhile, are expanding their sales operations in the region directly. A government in Bangkok or Manila that buys Predator or a Pegasus-class tool today faces almost no binding international constraint on how it uses the software, whom it targets, or what happens to the data afterward.

The question of whose body produces the data, and whose business is buying it, becomes sharply concrete at this point. A journalist in Angola, a lawyer in Manila, a political opponent in Athens: all are generating the same kind of intimate digital exhaust that the spyware industry converts into a monetizable product. The phone does not know whether its owner is a legitimate intelligence target or a dissident being silenced. The vendor's licensing agreement does not reliably distinguish between the two, and the due diligence processes that vendors claim to operate have been repeatedly shown, by researchers at Amnesty International, Citizen Lab, and Access Now, to be perforated with exceptions and after-the-fact rationalizations.

Consent, in this stack, is a term that has been hollowed out. The person whose device is infected never consents. The telecommunications infrastructure that routes the infection never consented to being weaponized, though some carriers in the Middle East and Asia have been documented as active participants. Even the government customer's consent is often a legal fiction: procurement contracts for spyware are frequently classified or routed through shell entities, making parliamentary oversight impossible. The infection itself exploits zero-day vulnerabilities that the platform vendor, Apple or Google, has not yet discovered, meaning there is no patch to consent to installing.

What does accountability look like under these conditions? In the United States, the mechanism has been sanctions, a civil lawsuit and, periodically, export-control designations. But each of these tools requires political will to maintain. The Dark Reading analysis noted that even before the Trump administration's personnel changes, the Biden executive order on spyware, signed in March 2024, was being implemented unevenly across agencies, with some departments slow to compile the lists of prohibited vendors that the order required. The infrastructure of enforcement is brittle. It depends on a small number of committed officials and a thinner body of statutory authority than the scale of the problem demands.

The market for commercial cyber intrusion capabilities is moving faster than the frameworks designed to govern it. (Allison Pytlak and Gatra Priyandita, The Strategist, Australian Strategic Policy Institute)

The researchers and civil-society groups that have filled the monitoring gap are themselves under strain. Amnesty International's Security Lab, which identified the Candido infection, operates with a small team of forensic analysts who manually examine suspicious devices, extract indicators of compromise, and publish their findings in reports that governments often ignore. Citizen Lab at the University of Toronto maintains a similar operation. Both organizations have seen their work product cited in US sanctions designations, but the pipeline from forensic discovery to policy consequence is long and leaky. A spyware infection documented in 2024 may lead to sanctions in 2025, which may then be lifted in 2026, with no remedy ever reaching the person whose life was exposed.

The European Union's approach has been more structural, but only incrementally. The European Data Protection Board has issued guidance clarifying that spyware use by member states must comply with GDPR, and the European Court of Justice has ruled that indiscriminate data retention regimes violate fundamental rights. But EU member states themselves have been documented as customers of NSO Group and Intellexa; the distance between Brussels guidance and national procurement practices is measured in years. The European Commission has opened infringement proceedings against two member states over spyware use, but those proceedings move at a pace that the spyware market does not respect.

What to Verify for Yourself

Readers who want to understand whether their own device has been compromised can take several concrete steps, though none is foolproof. Apple's Lockdown Mode, introduced in iOS 16, hardens the device against the infection vectors that mercenary spyware typically exploits; Citizen Lab reported in early 2026 that no Lockdown Mode user had yet been documented as successfully infected. On Android, Google's Advanced Protection Program provides analogous hardening. The Amnesty International Security Lab maintains a public repository of indicators of compromise called the Mobile Verification Toolkit, which technically proficient users can run against a device backup. The Electronic Frontier Foundation publishes a regularly updated surveillance self-defense guide.

The regulatory horizon is not empty. In the Indo-Pacific, the ASPI researchers argue, the emergence of regional data-governance frameworks could provide a vehicle for spyware controls if member states choose to prioritize them. Japan and South Korea have been building domestic legal restrictions on the government use of commercial surveillance tools, though enforcement remains uneven. Australia, after sustained civil-society pressure, has begun examining the procurement of spyware by federal agencies through parliamentary channels. Each of these developments is fragile, contested, and reversible, but together they sketch the outline of a possible counter-architecture, one that would require sustained diplomatic and legislative commitment to become more than a sketch.

Teixeira Candido's phone was infected for only a few days, and he is still reporting. That is not a happy ending; it is a data point. The raw material of surveillance is the daily life of people who will never receive a notification, never see a sanction designation, and never testify before a parliamentary inquiry. The only meaningful metric for whether any of these frameworks is working is whether fewer of those phones light up, silently, in the dark. The next checkpoint to watch is whether the United States re-imposes the Intellexa designations it lifted and whether an Indo-Pacific nation becomes the first in the region to publicly refuse a spyware procurement on human-rights grounds. Neither has happened yet.
