Third-party resellers and brokers foil transparency efforts and allow spyware to spread despite government restrictions, a study finds.
Efforts to shine a light on the activities of spyware vendors has grown more difficult because of the proliferation of intermediaries — the spyware resellers, exploit brokers, contractors, and partners that allow government and private entities to circumvent transparency laws and spyware restrictions, experts say.
These intermediaries, which often can be governments in permissive states, have fueled the spread of spyware across the globe, according to a report from policy think tank Atlantic Council published on March 18. Atlantic Council researchers cited several examples, including a South African intermediary acting as a representative for Memento Labs to sell its Dante spyware to the local market, and a third-party firm reportedly helping Israeli firm Passitora sell its spyware product to Bangladesh, despite the two countries having no diplomatic relations and Bangladesh having banned imports from Israel.
The spread of intermediaries has in part driven the proliferation of spyware and have certainly made developments in the market harder to track and analyze, says Jen Roberts, associate director of the Cyber Statecraft Initiative at Atlantic Council and one of the authors of the report.
"Intermediaries can drive down transparency efforts in the marketplace for offensive cyber capabilities like spyware by muddying supply chains and creating confusion for end buyers as to where a capability or component of a capability has come from," she says. "Intermediaries drive sales to countries regardless of size, but it is often countries that do not have robust technical capabilities in-house that seek them on the open market."
Fueled by demand from governments for law enforcement investigations, espionage, and, in many cases, surveillance of political opponents and dissenters, the spyware ecosystem continues to grow. In 2025, for the first time, more zero-day exploits were attributed to commercial surveillance vendors than traditional state-sponsored groups, according to a March analysis by Google's Threat Intelligence Group.
Additionally, the US government made several moves in recent months, such as reactivating canceled contracts and removing sanctions, that appear have to smoothed the way for surveillance-tech vendors.
Meanwhile, human rights activists, digital rights advocates, and security researchers continue to try to untangle the shadowy ecosystem. The Atlantic Council's latest report, part of its "Mythical Beasts" series on this ecosystem, found that intermediaries play a significant role in the proliferation of spyware while making the hacking tools more costly and the software supply chain more opaque.
"Their corporate structures exist specifically to make export controls irrelevant," he says. "The spyware market stopped being a vendor-to-government pipeline years ago. It has evolved into a modular supply chain where intermediaries fill every gap the buyer cannot fill alone: exploit engineering, operational training, deployment infrastructure, and most importantly, a legal paper trail that hides the origin."
Resellers, exploit brokers, and other firms act as intermediaries in the spyware supply chain. Source: Atlantic Council
Julian-Ferdinand Vögele, a principal threat researcher at threat-intelligence firm Recorded Future, agrees. Intermediaries lower barriers to entry by easing procurement across borders and bundling tools with training and support, he says.
"Commercial spyware operates in the shadows by design," Vögele says. "Brokers and resellers enable its spread by connecting vendors and buyers, bundling tools with support or training, and expanding into new markets, while adding opacity, obscuring relationships, and leveraging jurisdictions."
Intermediaries rely on personal connections and networking to generate business and conceal their dealings, says Roberts.
"It's difficult to say which has the greatest impact on spyware today, as there remains a lot we cannot observe," she says. "That being said, resellers concern me a lot, because we've observed them bypass policy regulations set forth to regulate this market, like export controls and trade bans."
Some spyware makers have attempted to repair their public images as government pressure has mounted. For example, the notorious NSO Group said it established a "human rights compliance program," but critics are dubious of such claims.
The Pall Mall Process is still an ongoing effort, says Atlantic Council's Roberts. Currently, the participants are hashing out an industry code of practice, so it may be a while longer before the results of the process can be evaluated, she says. For now, the Atlantic Council's report recommended that countries adhere to Know Your Vendor requirements, require certification for brokers and resellers, and improve the registries of brokers and resellers.
The most important near-term requirement is that governments and the public gain some visibility into the spyware market, especially the role of intermediaries, Roberts says. "Transparency initiatives are key to regulating intermediaries and also the spyware industry more broadly," she says. "It is difficult to ultimately regulate what one cannot observe."
Efforts to shine a light on the activities of spyware vendors has grown more difficult because of the proliferation of intermediaries — the spyware resellers, exploit brokers, contractors, and partners that allow government and private entities to circumvent transparency laws and spyware restrictions, experts say.
These intermediaries, which often can be governments in permissive states, have fueled the spread of spyware across the globe, according to a report from policy think tank Atlantic Council published on March 18. Atlantic Council researchers cited several examples, including a South African intermediary acting as a representative for Memento Labs to sell its Dante spyware to the local market, and a third-party firm reportedly helping Israeli firm Passitora sell its spyware product to Bangladesh, despite the two countries having no diplomatic relations and Bangladesh having banned imports from Israel.
The spread of intermediaries has in part driven the proliferation of spyware and have certainly made developments in the market harder to track and analyze, says Jen Roberts, associate director of the Cyber Statecraft Initiative at Atlantic Council and one of the authors of the report.
"Intermediaries can drive down transparency efforts in the marketplace for offensive cyber capabilities like spyware by muddying supply chains and creating confusion for end buyers as to where a capability or component of a capability has come from," she says. "Intermediaries drive sales to countries regardless of size, but it is often countries that do not have robust technical capabilities in-house that seek them on the open market."
Fueled by demand from governments for law enforcement investigations, espionage, and, in many cases, surveillance of political opponents and dissenters, the spyware ecosystem continues to grow. In 2025, for the first time, more zero-day exploits were attributed to commercial surveillance vendors than traditional state-sponsored groups, according to a March analysis by Google's Threat Intelligence Group.
Additionally, the US government made several moves in recent months, such as reactivating canceled contracts and removing sanctions, that appear have to smoothed the way for surveillance-tech vendors.
Meanwhile, human rights activists, digital rights advocates, and security researchers continue to try to untangle the shadowy ecosystem. The Atlantic Council's latest report, part of its "Mythical Beasts" series on this ecosystem, found that intermediaries play a significant role in the proliferation of spyware while making the hacking tools more costly and the software supply chain more opaque.
Embracing the Shadows
Commercial spyware allows nations that lack the ability to develop their own spyware to use the gray market software. By purchasing these hacking tools through hard-to-track intermediaries, sanctioned nations can get around export controls and sell or acquire the surveillance technology. In fact, third parties such as brokers and resellers "are the spyware market's operational backbone," says Collin Hogue-Spears, senior director of solution management at Black Duck, an application-security firm."Their corporate structures exist specifically to make export controls irrelevant," he says. "The spyware market stopped being a vendor-to-government pipeline years ago. It has evolved into a modular supply chain where intermediaries fill every gap the buyer cannot fill alone: exploit engineering, operational training, deployment infrastructure, and most importantly, a legal paper trail that hides the origin."
Resellers, exploit brokers, and other firms act as intermediaries in the spyware supply chain. Source: Atlantic Council
Julian-Ferdinand Vögele, a principal threat researcher at threat-intelligence firm Recorded Future, agrees. Intermediaries lower barriers to entry by easing procurement across borders and bundling tools with training and support, he says.
"Commercial spyware operates in the shadows by design," Vögele says. "Brokers and resellers enable its spread by connecting vendors and buyers, bundling tools with support or training, and expanding into new markets, while adding opacity, obscuring relationships, and leveraging jurisdictions."
Intermediaries rely on personal connections and networking to generate business and conceal their dealings, says Roberts.
"It's difficult to say which has the greatest impact on spyware today, as there remains a lot we cannot observe," she says. "That being said, resellers concern me a lot, because we've observed them bypass policy regulations set forth to regulate this market, like export controls and trade bans."
Limits on Spyware Mostly Ineffectual
In February 2024, the United Kingdom and France launched the Pall Mall Process, a multilateral diplomatic process for addressing the burgeoning market for spyware and hacking tools, and the irresponsible use of those tools. The effort brought together governments, private industry partners, and civil policy experts, after a growing number of cases of spyware being used against journalists, diplomats, politicians and activists.Some spyware makers have attempted to repair their public images as government pressure has mounted. For example, the notorious NSO Group said it established a "human rights compliance program," but critics are dubious of such claims.
The Pall Mall Process is still an ongoing effort, says Atlantic Council's Roberts. Currently, the participants are hashing out an industry code of practice, so it may be a while longer before the results of the process can be evaluated, she says. For now, the Atlantic Council's report recommended that countries adhere to Know Your Vendor requirements, require certification for brokers and resellers, and improve the registries of brokers and resellers.
The most important near-term requirement is that governments and the public gain some visibility into the spyware market, especially the role of intermediaries, Roberts says. "Transparency initiatives are key to regulating intermediaries and also the spyware industry more broadly," she says. "It is difficult to ultimately regulate what one cannot observe."