
The report highlights the central role that these resellers and brokers play, stating that it is “a notably under-researched set of actors.” According to the report, “These entities act as intermediaries, obscuring the connections between vendors, suppliers, and buyers. Oftentimes, intermediaries connect vendors to new regional markets.”
“This creates an expanded and opaque spyware supply chain which makes corporate structures, jurisdictional arbitrage, and ultimately accountability measures a challenge to disentangle,” Sarah Graham, who coauthored the report, tells WIRED.
“Despite this, resellers and brokers are not a current feature of policy responses,” she says.
The study reveals the addition of three new countries linked to spyware activity—Japan, Malaysia, and Panama. Japan in particular is a signatory to international efforts to curb spyware abuse, including the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware and the Pall Mall Process Code of Practice for States.
“The discovery of entities operating in new jurisdictions, like Japan, highlights potential conflicts of interest between international commitments and market dynamics,” Graham says.
Despite efforts by the Biden administration to constrain the spyware market through its executive order, trade and visa restrictions, and sanctions, the industry has continued to operate largely without restraint.
“US policymakers have systematically targeted the proliferation and misuse of spyware through robust policy action, but there is a critical gap between them and US investors—where US dollars continue to fund the very entities US policymakers are trying to combat,” says Atlantic Council’s Jen Roberts, who also worked on the report.
For example, spyware vendor Saito Tech (formerly Candiru), which has been on the US Commerce Department’s Entity List since 2021, saw new investment by US firm Integrity Partners in 2024. “[This] shows that signaling from the US government has not gone far enough to deter investment in this technology,” Roberts says.
In addition, there is limited public awareness that some of the money spent on this controversial technology may ultimately come from ordinary citizens’ own pockets.
In the case of AE Industrial Partners, investment performance reports show that the firm was backed by several US pension funds—among them the Contra Costa County Employees’ Retirement Association, Baltimore Fire & Police Retirement System, Houston Firefighters’ Relief and Retirement Fund, and the New Mexico Educational Retirement Board—providing cash that could help support the deal with Paragon, which could reach $900 million.
“This highlights the need for better understanding from both US government and the public—that the average American might not understand how their dollars are funding the proliferation and misuse of spyware,” says Roberts.
Crucially, the Trump administration’s policy in this space is not yet fully defined.
The Atlantic Council’s Roberts calls for further action to target US outbound investment and suggests broadening the scope of Executive Order 14105—which already requires notification of overseas investments in quantum technology, AI, semiconductors, and microelectronics—to also cover investment in spyware.
Some reports suggest that the administration may also be considering amendments to the Biden-era Executive Order 14093 that restricts government use of spyware.
In particular, it is crucial to maintain this executive order, which leverages US purchasing power to protect Americans against this technology, Roberts explains.
“US purchasing power is a significant tool in shaping and constraining the global market for spyware.”