FinFisher and NSO Group: The Real Business of Selling Surveillance

The idea that a company will sell any government the power to read your phone sounds paranoid. It is a product catalogue.

In August 2016, a human-rights defender in the United Arab Emirates named Ahmed Mansoor received a text message on his iPhone. It promised “new secrets” about detainees tortured in UAE prisons, and it carried a link. Mansoor had been arrested, beaten and surveilled before, and the message made him suspicious rather than curious. Instead of tapping the link, he forwarded it to researchers at Citizen Lab, a group at the University of Toronto that studies digital threats to civil society. What they found, when they and the security firm Lookout took the link apart, was among the most valuable pieces of malicious software ever documented: a chain of three previously unknown flaws in Apple’s iPhone that, had Mansoor tapped, would have silently jailbroken his phone and turned it into a live microphone, camera and message log — all from a single click. The tool had a name. It was called Pegasus, and it was for sale.

The industry that really exists

The temptation is to treat “a company that sells governments the ability to hack any phone” as a thriller premise. It is a market sector, with vendors, brochures, trade fairs and price lists, and the evidence for it is not whispered — it is forensic, published, and in places sits in court filings and leaked corporate archives.

Two firms became the emblems of the trade. The older was FinFisher, also branded FinSpy, developed by a British-German outfit, Gamma Group, and later a spun-off German company. FinFisher sold intrusion software to law-enforcement and intelligence agencies — spyware that could take over a target’s computer or phone, log keystrokes, switch on the webcam, and siphon files. What made it undeniable was a leak. In 2014 an anonymous hacker calling themselves “PhineasFisher” broke into Gamma’s own network and dumped roughly forty gigabytes of internal material: brochures, price lists, support tickets, and a client list. The documents showed the product being marketed and sold, and researchers matched its command-and-control servers to installations in dozens of countries, including states with grim human-rights records. Years later, in 2022, the German company behind FinFisher filed for insolvency amid a criminal investigation into whether it had exported the spyware to Turkey without the required licence. The catalogue was real because the catalogue itself had been published.

The younger and far more consequential firm was NSO Group, an Israeli company founded in 2010, whose flagship was Pegasus. NSO’s pitch was that it sold only to vetted government agencies, only for fighting terrorism and serious crime, and that it could not itself see how clients used the tool. What Pegasus could do, once installed, was close to total: read messages even inside encrypted apps like WhatsApp and Signal (not by breaking the encryption, but by reading them on the device itself, where they are already decrypted for display), track location, record calls, and activate the microphone and camera. Its prize capability was the “zero-click” exploit — an infection that required no mistake by the victim at all. Where the message sent to Mansoor still needed a tap, later Pegasus chains could infect a phone through a missed WhatsApp call or a silently delivered iMessage, leaving the target no defensive move to make.

NSO was never the only firm in this trade, and naming only the famous two flatters the rest with obscurity. A cluster of vendors — an Italian company called Hacking Team, breached and dumped in 2015 much as Gamma had been; a firm called Candiru, sanctioned alongside NSO; the makers of a tool named Predator, sold by an alliance operating out of North Macedonia and elsewhere — filled the same catalogue with variations on the same product. When one company was exposed, sanctioned or driven under, its engineers and its exploits tended to migrate to the next. The market behaved like a market, routing around damage, because the demand on the government side never went away. That resilience is part of why forensic researchers describe the work as weeding rather than winning: pull one plant and another roots in the same soil.

The record of how this was used is not speculation. Citizen Lab, Amnesty International’s Security Lab, and the journalism consortium behind the 2021 “Pegasus Project” documented case after case in which the spyware turned up on the phones of journalists, lawyers, opposition politicians and activists — the very people its makers had promised it would never be turned against. Forensic analysis identified Pegasus on the phones of people connected to the murdered Saudi journalist Jamal Khashoggi. It was found on the devices of Mexican reporters and anti-corruption campaigners, of Indian journalists and opposition figures, of Catalan politicians, of staff at the European Commission. In 2019 WhatsApp sued NSO in a US federal court, alleging Pegasus had been pushed to some 1,400 users through a flaw in its call function — a lawsuit that, years later, produced a jury verdict against NSO. In 2021 the United States government placed NSO on the Commerce Department’s Entity List, its trade blacklist, finding the company had supplied spyware used to target officials, journalists and activists. A company selling phone-hacking to governments was not a fever dream. It was a business the US government formally sanctioned for what its customers did with the product.

How the trade stayed deniable

The interesting part is not that the tools exist — the leaks and forensics settle that — but how an entire industry operated for years in a space that let everyone deny responsibility. The structure was almost designed to diffuse blame.

The vendors said they merely sold a tool to sovereign governments and could not be held answerable for misuse, the way a gunmaker disclaims a shooting. The governments buying it operated under intelligence secrecy and rarely admitted to owning the software at all; asked whether they had targeted a journalist, they said nothing, because saying nothing is what intelligence services do. The sales themselves were frequently licensed as defence exports, wrapped in the classification that surrounds arms deals, so the transactions lived in a regulated but invisible channel. Each party could point at another. The maker pointed at the customer; the customer pointed at its lawful authority; the export sat behind a licence no journalist could read.

What broke that arrangement was not disclosure by any of the responsible parties. It was, as with the Snowden archive, outside evidence forced into the open — here by a peculiar quirk of the technology. Spyware leaves traces. To exfiltrate data it must talk to servers, and those servers can be fingerprinted and mapped from the internet. To infect a phone it must exploit it, and a careful forensic examiner can find the residue — process crashes, orphaned files, network records — long after the operator thinks the tool has cleaned up. Citizen Lab built much of its case by scanning the internet for the tell-tale infrastructure of these products and matching it to victims. The industry’s deniability rested on the assumption that the surveillance would be invisible. It turned out to be visible to anyone patient and skilled enough to look, and a small community of researchers made looking their life’s work. That is the recurring shape of these stories: the covert stays covert only until someone outside the arrangement refuses to stop examining the evidence.

The fork: from real weapon to magic curse

Here the sourced record meets its mythologising, and the correction matters because the myth breeds the wrong kind of fear. The reality is grave: a well-resourced client with Pegasus could, against a specific chosen target, achieve near-total compromise of a modern phone, sometimes with no user action at all. Concede that fully — it is genuinely alarming, and it happened to real people who paid for it with prison, exile and, in the Khashoggi orbit, worse.

But the folklore inflates a targeted, expensive, carefully husbanded weapon into an ambient curse hanging over everyone. In the mythologised telling, “they can hack any phone” becomes “they are hacking everyone’s phone,” and the technology acquires a flavour of omnipotence it does not possess. The real economics cut against that. Zero-click exploit chains are among the most expensive artefacts in the digital world; the vulnerabilities they rely on are rare, and every time one is discovered and patched — as Apple and others repeatedly patched the flaws Citizen Lab reported — the weapon built on it dies and must be rebuilt at enormous cost. That is why these tools were aimed, deliberately and sparingly, at high-value individuals rather than sprayed across the population. Mass, indiscriminate infection would burn the very exploits that made the product valuable. The weapon was precise for the same reason a rare poison is used a drop at a time.

Confusing the two versions has a cost. If you believe your ordinary phone is already compromised by an invisible omnipotent adversary, the rational response is despair, and despair is useless. The accurate picture supports something better: these tools are real and dangerous, they are aimed at particular people for particular reasons, they can be detected by forensic examination, the vulnerabilities they exploit can be closed, and the companies that sell them can be sued, sanctioned and driven toward insolvency — all of which has now happened. The distinction between a targeted weapon and an ambient curse is the difference between a fight you can join and a doom you can only mourn.

What the market is really about

Behind the technology sits an old and mundane truth: repression has always been a supply chain. Governments that wanted to watch their enemies have always bought the means from someone, and the surveillance industry simply industrialised and privatised a service states used to build in-house. The trade fair where Pegasus and FinSpy were marketed — the discreet ISS World conferences, nicknamed the “Wiretappers’ Ball” — is the same commerce that once sold tapping equipment and, before that, the informer’s fee. What changed was the reach. A single tool could now turn the most intimate object a person owns, the phone in their pocket that holds their messages, their location and their microphone, into an instrument pointed back at them.

That is why these firms drew the fury they did, and why the deniability that shielded them for so long felt like such a betrayal when it cracked. It is one thing to suspect that a state might listen; it is another to learn that the listening was a licensed export, sold by a company with a sales team, deployed against a reporter or a dissident who had done nothing but their job, and covered by everyone involved until a researcher in Toronto found the residue on a phone. The pattern belongs to the same family as the older documented abuses this desk keeps returning to, from COINTELPRO onward — the machinery of watching turned against the people the machinery was supposed to serve.

The suspicion that someone, somewhere, will sell any government the power to reach into your private life was, for years, the kind of thing that marked a person as paranoid. It turns out to have been a description of a market. The correction the evidence asks for is not to relax — the tools are real and the victims are real — but to see the thing accurately: an expensive, precise, detectable weapon, sold in the daylight of a trade fair and used in the dark, and answerable, in the end, to nothing more magical than a researcher who refused to look away from a suspicious text message.

Written by Wren

vo.rs's investigator of belief. Wren traces where our strangest stories come from — the conspiracy theories, hoaxes, urban legends and stubborn myths — following how each one spreads, why it sticks, and what real history lies tangled underneath. Every piece takes the believer seriously and ends on understanding.