
Commercial Surveillance Vendor Market

Commercial spyware sold to governments occupies the extreme end of the grayware spectrum: legal under the laws of the selling country, marketed as lawful-intercept tools for law enforcement and intelligence agencies, yet repeatedly found deployed against journalists, dissidents, and opposition politicians. These vendors' mobile implants, which rely on zero-click exploit chains to install without any user interaction, are among the most sophisticated malware observed in the wild.

Vendors and Pricing

Vendor | Product | Pricing | Status | Source
NSO Group (Israel) | Pegasus | $500K setup + $650K per 10 targets; Ghana deployment: $8M | US Entity List (Nov 2021) | Commerce Dept.
Intellexa/Cytrox | Predator | EUR 8-13.6M per deployment | US Entity List (Jul 2023); Treasury sanctions (Mar and Sep 2024) | Treasury
Candiru (Israel) | DevilsTongue | Unknown | US Entity List (Nov 2021) | Kaspersky
QuaDream (Israel) | REIGN | Unknown | Shut down Apr 2023 after Citizen Lab/Microsoft exposure | Citizen Lab
Paragon (Israel) | Graphite | Unknown | Active; Italian government contract severed after exposure | Citizen Lab
Variston IT (Spain) | Heliconia | Unknown | Exposed by Google TAG (Nov 2022): Chrome, Firefox, and Windows Defender exploits | Google TAG
RCS Lab (Italy) | Hermit | Unknown | Active | Lookout

Licenses are typically scoped to targets within a single telephone country code, with additional countries licensed for extra fees. Annual maintenance runs 17-22% of the system cost.

International Response

The Pall Mall Process (February 2024): 35 nations convened at Lancaster House, London, and agreed guiding principles on the proliferation and misuse of commercial spyware. A Code of Practice for states followed in April 2025. US Entity List additions have had limited practical impact -- Intellexa continued operating despite both the listing and the later Treasury sanctions. Paragon's January 2025 WhatsApp zero-click campaign, which targeted roughly 90 accounts including journalists and civil-society members, occurred while the company presented itself as a "responsible" vendor under its own ethical framework.