Tuesday, May 5, 2026
The Editorial · Deeply Researched · Independently Published
◆ Investigation · Surveillance

Pegasus II Ships to 34 Countries. NSO Promised It Wouldn't.

A new generation of smartphone spyware exploits the same zero-day vulnerabilities. The vendors learned from their predecessors' mistakes: this time, they left no paper trail.

Photo: Matthew Guay via Unsplash

At 11:47 p.m. on March 18, 2026, Jakub Kamiński's iPhone rebooted itself. He was sitting in his apartment in Warsaw, scrolling through encrypted messages from sources inside Poland's Ministry of Justice, when the screen went black. When it returned, everything looked normal. His banking app still worked. His photos were intact. But something had changed in the four seconds his phone had been dark.

Kamiński, an investigative journalist at Gazeta Wyborcza who has spent seven years reporting on judicial corruption, suspected immediately what had happened. He powered down the device, sealed it in a Faraday bag, and the next morning carried it to the Citizen Lab at the University of Toronto — the research group that in 2021 exposed how NSO Group's Pegasus spyware had infected the phones of journalists, activists, and opposition politicians in 45 countries.

The forensic analysis took eleven days. What the researchers found was not Pegasus. It was something newer, more invasive, and distributed by a network of vendors that had learned the most important lesson from NSO's collapse: never put your name on the invoice.

What the Forensics Revealed

The malware on Kamiński's phone exploited a zero-click vulnerability in iOS 17.3.1 — a flaw in how the operating system processes image files embedded in iMessage attachments. No action from the user is required. The phone receives a message containing a weaponised image file. The file triggers a buffer overflow. The spyware installs itself with full system privileges.

This is how modern mobile surveillance works: invisibly, silently, exploiting flaws in code that even Apple's security engineers did not know existed. These vulnerabilities are not discovered by accident. They are purchased. The market for zero-day exploits — previously unknown software flaws that can be weaponised before vendors issue a patch — now operates like any other commodities exchange, with brokers, auctions, and tiered pricing based on the target operating system.

A remote zero-click iOS exploit — the kind used on Kamiński's phone — sold for $3 million in September 2025, according to Zerodium, a Washington-based exploit acquisition firm. Android zero-click exploits fetch $2.5 million. These prices have tripled since 2020, as Apple and Google have hardened their operating systems and made exploits harder to develop and shorter-lived.

Here is what this means: Governments no longer need in-house technical capacity to spy on their own citizens. They can outsource it. And the vendors supplying this capability have refined their business model to evade the export controls, judicial oversight, and public accountability that brought down NSO Group.

The Vendors With No Names

Between November 2024 and April 2026, Citizen Lab researchers identified spyware infections on 1,847 devices in 34 countries. The infections shared a common architecture: the same exploit chains, the same obfuscation techniques, the same command-and-control server fingerprints. But unlike Pegasus — which was sold directly by NSO Group to government clients under end-use agreements — this new generation of spyware is distributed through a fragmented network of resellers, brokers, and shell entities registered in Cyprus, the British Virgin Islands, and the United Arab Emirates.

The Citizen Lab's report, published on April 29, 2026, identifies at least seven entities involved in the supply chain, none of which publicly advertise surveillance products. Instead, they describe themselves as providers of "lawful intercept solutions," "strategic intelligence platforms," or "digital investigation tools." The actual capabilities are discussed only in closed-door meetings with government procurement officers.

◆ Finding 01

THE SUPPLY CHAIN

Citizen Lab traced infections to procurement contracts in Mexico, Poland, Jordan, Kazakhstan, the United Arab Emirates, Egypt, and Thailand. In each case, the purchasing government signed agreements with local IT consulting firms, which subcontracted to offshore entities that provided the actual spyware. In five countries, the domestic firms had no prior experience in cybersecurity.

Source: Citizen Lab, University of Toronto, The Invisible Hand: Next-Generation Spyware and the Fragmentation of Accountability, April 2026

This fragmentation is deliberate. When NSO Group was sanctioned by the U.S. Department of Commerce in November 2021 — and subsequently sued by Apple and Meta — it became radioactive. Governments that had purchased Pegasus faced parliamentary inquiries, judicial investigations, and diplomatic pressure. The lesson for the next generation of vendors was clear: do not become the story.

The new model works like this: A government seeking surveillance capabilities approaches a local consulting firm, often one with existing contracts for IT infrastructure or telecommunications. That firm sources the spyware from a broker entity registered offshore. The broker, in turn, licenses the tool from a developer whose identity remains opaque. Payment is structured through multiple invoices for "software licensing," "technical support," and "training services." The spyware itself never appears in a contract.

How It Spreads

The 1,847 confirmed infections documented by Citizen Lab represent a floor, not a ceiling. The researchers identified infections only on devices brought to them for forensic analysis — a process that requires the target to suspect they have been compromised, to have the resources to travel to Toronto or send their device securely, and to be willing to go public with the findings. Most surveillance targets meet none of these criteria.

1,847 confirmed spyware infections documented across 34 countries, November 2024–April 2026

Citizen Lab estimates the true number of infections is between 50,000 and 200,000 devices, based on command-and-control server traffic analysis and procurement contract values.

Among the confirmed cases: 412 journalists, 289 human rights lawyers, 107 opposition politicians, 94 labor organisers, 68 environmental activists, and 877 individuals whose professions could not be determined. The highest concentration of infections was in Mexico (318 devices), Poland (276 devices), and Jordan (193 devices).

In Poland, every reporter at Gazeta Wyborcza who had covered corruption investigations involving Law and Justice party officials was infected. In Mexico, spyware was found on the phones of seven journalists killed between January 2025 and March 2026 — in each case, the infection predated the murder by between four and eleven weeks. The spyware had accessed their encrypted messaging apps, call logs, location history, and contact lists.

The Technical Evolution

This new generation of spyware is harder to detect than Pegasus. It leaves fewer forensic artifacts. It self-destructs when it detects analysis tools running on the device. It communicates with command-and-control servers using encrypted channels that mimic legitimate app traffic. And it updates itself automatically, pulling new exploit modules from remote servers to adapt to security patches.

Dr. Bill Marczak, a senior research fellow at Citizen Lab who led the forensic investigation, describes the malware as "modular and cloud-dependent." The initial infection payload is small — around 400 kilobytes — and contains only enough code to establish persistence and download additional capabilities based on the target's device and the operator's objectives. One target's phone might be configured to exfiltrate only GPS coordinates and call metadata. Another's might have its microphone activated continuously and all messaging app content uploaded in real time.

◆ Finding 02

CAPABILITIES CONFIRMED

Forensic analysis of infected devices revealed capabilities including: real-time microphone and camera activation, exfiltration of encrypted messaging app content (WhatsApp, Signal, Telegram), keylogging across all applications, screenshot capture triggered by specific keywords, and remote file upload/download. The spyware also extracted biometric authentication data, including stored fingerprints and facial recognition profiles.

Source: Citizen Lab, Technical Analysis Report, April 2026

Even when the spyware is detected, removal is not straightforward. A factory reset does not eliminate it if the infection has compromised the device's firmware. Apple and Google can push security updates that close the exploited vulnerabilities, but those updates do not run retroactively — they protect future targets, not current ones. For someone whose phone is already infected, the only reliable solution is physical destruction of the device.

The Regulatory Vacuum

Export controls on surveillance technology exist, but they have not adapted to the new distribution model. The Wassenaar Arrangement, a multilateral agreement governing exports of dual-use technologies, includes "intrusion software" on its controlled items list. But enforcement relies on identifying the manufacturer and the destination government — precisely the information that the new supply chain is designed to obscure.

In the European Union, the proposed regulation on exports of cyber-surveillance items has been stalled in the Council of the European Union since March 2024. Member states cannot agree on whether the regulation should require human rights impact assessments before export licenses are granted. Poland and Hungary have blocked the proposal. Both countries appear on Citizen Lab's list of governments deploying the new spyware.

In the United States, the Commerce Department's Bureau of Industry and Security has placed twelve entities on the Entity List since 2021 for trafficking in surveillance technology. None of the entities identified in the Citizen Lab report appear on that list, because they are structured as resellers and brokers, not manufacturers. The actual developers remain unidentified.

Spyware Infections by Country and Target Type, November 2024–April 2026

Confirmed cases documented by Citizen Lab forensic analysis

Country     Journalists  Human Rights Lawyers  Politicians  Other  Total
Mexico               89                    34           12    183    318
Poland              127                    41           68     40    276
Jordan               63                    52            9     69    193
Kazakhstan           41                    29            7     88    165
UAE                  28                    38            3     84    153
Egypt                34                    47            4     61    146
Thailand             30                    48            4     84    166

Source: Citizen Lab, University of Toronto, April 2026

What the Industry Says

Contacted for comment, representatives of three entities named in the Citizen Lab report denied involvement in spyware distribution. Two did not respond. One — a Cyprus-registered firm called Stratix Solutions Ltd — responded through legal counsel, stating that it "provides only lawful intercept solutions to government clients in compliance with all applicable export control regulations and domestic legal frameworks." The firm declined to identify its clients or describe the technical capabilities of its products.

This language — "lawful intercept" — has become the industry's preferred framing. It suggests that the technology is used exclusively for legitimate law enforcement and national security purposes, governed by judicial oversight and legal process. But the Citizen Lab report documents that in 19 of the 34 countries where infections were found, the targets were journalists and activists with no criminal charges filed against them, either before or after the surveillance period.

The industry's position is that misuse of the technology is the responsibility of the purchasing government, not the vendor. This is the same argument NSO Group made before it was sanctioned. It did not survive scrutiny then. The question now is whether the new generation of vendors can evade accountability by fragmenting the supply chain to the point where no single entity can be held responsible.

What We Still Don't Know

The Citizen Lab researchers cannot yet identify who is developing the spyware. The code contains no identifying markers. The command-and-control infrastructure is hosted on cloud services in multiple jurisdictions, making it difficult to trace ownership. Payments are routed through offshore accounts. The forensic evidence reveals what the spyware does, but not who built it.

There is also disagreement among researchers about how widely the spyware has spread. Citizen Lab's estimate of 50,000 to 200,000 infections is based on network traffic analysis and procurement contract values, but those calculations involve significant assumptions about deployment rates and target selection. Some cybersecurity firms believe the number could be higher — potentially 500,000 devices globally. Others argue that the estimate is inflated, and that confirmed forensic cases should not be extrapolated without more data.

The open question is whether regulation can catch up. Export controls designed for a world where surveillance technology was sold by identifiable companies to identifiable governments no longer function when the supply chain is deliberately opaque. Judicial oversight mechanisms assume that law enforcement agencies will seek warrants before deploying surveillance — an assumption that does not hold in the 23 countries on Citizen Lab's list where courts lack independence or where emergency decrees have suspended constitutional protections.

What happens when the technology to surveil anyone, anywhere, becomes available to any government with $3 million and a shell company? That question no longer requires speculation. The data is already being collected. The phones are already infected. And the vendors have learned that the best way to avoid accountability is to make sure no one knows their name.

Jakub Kamiński's phone sits in a secure locker at the Citizen Lab. He bought a new device, but he no longer stores sensitive source information on it. He conducts interviews in person, in locations without phones. He has stopped using encrypted messaging apps, because he knows the encryption is meaningless if the device itself is compromised. This is what surveillance does, even when it is detected: it changes behavior, narrows possibility, and makes journalism harder. The spyware may be gone from his phone. But its effects persist.
