The smartphone was sold as personal liberation. A tool of autonomy, encrypted by mathematics, secured by design, a private space in the hand. It became something else. It became a geopolitical endpoint, the most intimate sensor ever deployed at scale, and the transformation was not announced. It was licensed.

Consider the form the intrusion takes, because the form is the whole story. A journalist receives, one ordinary morning, a notification from the maker of his phone warning that he may have been targeted by state-sponsored attackers. He had clicked nothing. He had opened nothing. There was no suspicious link, no careless attachment, no moment of error to scold himself for. The exploit required no action on his part at all, because it was a zero-click, an attack that compromises a device through the mere fact of its being on, reachable, addressable. The same mechanism has been found on the phones of investigative reporters in Mexico, dissidents in the Gulf, opposition politicians in Europe and India. Different countries, different political systems, the same technical instrument, exported under government license. That last detail is the one that moves the story off the front page and into the Manifest's territory, because it means this is not a hacking narrative. It is a procurement narrative. The most invasive surveillance capability ever built is not stolen or smuggled. It is sold, by licensed firms, to vetted state clients, through a supply chain that looks less like organized crime than like the defense industry, because that is what it is.

The industrialization of intrusion

The firm whose product became the symbol of this market, NSO Group, was founded in Israel in 2010 by veterans of Unit 8200, the signals-intelligence corps that is Israel's equivalent of the American National Security Agency. Its flagship tool, Pegasus, was marketed in the language the entire industry speaks, as a lawful intercept solution, a means for legitimate governments to combat terrorism and organized crime in an age when criminals and terrorists hide inside encrypted messaging apps. The euphemism is worth pausing on, because it does the heavy lifting. Lawful intercept frames the most powerful spying tool on earth as a wiretap with paperwork, a routine investigative aid, and the framing is what makes the export licenses signable.

The technical achievement underneath the euphemism is real and it is the reason the old protections failed. Pegasus did not break the encryption that secures messaging apps. It bypassed it. By exploiting flaws in the operating systems of iPhones and Android phones, it gained access to the device itself, before a message was encrypted or after it was decrypted, and from inside the endpoint the encryption was simply irrelevant. The padlock icon was still there, still true, still protecting the message in transit, and it protected nothing, because the attacker was already standing at the point of departure, reading the screen over the user's shoulder from the inside. Encryption protects the journey. The zero-click occupies the origin.

And every sale of it was, by Israeli law, an act of state. Each Pegasus export required approval from the Defense Export Control Agency of Israel's Ministry of Defense, which means each sale was reviewed in a diplomatic and strategic context, weighed as a foreign-policy decision. A licensed sale of Pegasus to a foreign government was not a private transaction that the state happened to permit. It was an instrument of Israeli statecraft, a favor extended or withheld, and the buyers understood it as such. The capability was commercial. The decision to grant it was sovereign.

The list of fifty thousand

The scale of what that market had quietly built became public on a single day. In July 2021 a consortium of more than eighty journalists across seventeen news organizations, coordinated by the Paris non-profit Forbidden Stories with forensic support from Amnesty International's Security Lab, published the Pegasus Project, built around a leaked list of more than fifty thousand phone numbers that had been selected as potential targets by NSO's government clients since 2016.

The number must be stated precisely, because the precision is the discipline. The fifty thousand were not fifty thousand confirmed infections. They were numbers of interest, selected by clients, and forensic examination could be run only on a subset of the actual phones, where it confirmed Pegasus traces on dozens. NSO has always disputed the relevance of the list and called the figure exaggerated. Hold all of that. What survived every caveat was still staggering. Among the selected numbers were more than a hundred and eighty journalists across two dozen countries, along with hundreds of politicians and officials, human rights defenders, lawyers, diplomats, and the personal phone numbers linked to heads of state, including a sitting president of France. A commercial product, sold for fighting terrorists, had been pointed by its government customers at the reporters, the opposition, and the rival leaders those governments wished to watch. The marketing said terrorism and crime. The target list said journalism and dissent, and the gap between the two is the gap this entire subject lives in.

The cases that anchor that gap are documented, and they span the whole spectrum of regime types, which is the point. In Mexico, the phones of the investigative journalist Carmen Aristegui and members of her newsroom were linked to Pegasus targeting while they reported on high-level corruption. In Hungary, a European Union member state, forensic analysis tied Pegasus to the phones of journalists during a period of political tension. In India, examinations connected it to the devices of opposition figures amid a parliamentary fight. And around the 2018 murder of the Saudi journalist Jamal Khashoggi, forensic work found Pegasus on the phone of his fiancée in the days after his death and on devices of people close to him, though the firm denies its technology was used against Khashoggi himself, and the documented claim is the careful one, that those around him were targeted. Hold the variety of those governments in mind. A democracy, a struggling democracy, an authoritarian monarchy, all reaching for the identical tool against the identical category of target. The constant across them is not ideology. It is demand. The same need, the need to see inside the communications of the people one fears, recurs across every kind of state, and a market had finally been built to supply it.

The case that named the price

What it costs to be caught is the test of whether a market is really constrained, and the clearest measure came from the courts. In 2019 NSO had exploited a vulnerability in WhatsApp to deliver Pegasus to roughly fourteen hundred users in a single campaign, among them journalists and human rights defenders, and WhatsApp's owner sued. The case ground on for years until, in December 2024, a federal judge in California found NSO liable, ruling that it had violated American computer-fraud law, and in May 2025 a jury returned a verdict that made headlines around the world: a few hundred thousand dollars in compensatory damages and a hundred and sixty-seven million in punitive damages against the spyware firm.

For a moment it looked like a reckoning. Then the architecture did what the architecture does. By October 2025 the judge had cut the punitive award from a hundred and sixty-seven million to roughly four million dollars, on the constitutional ground that the larger figure was excessive, leaving a permanent injunction barring NSO from attacking WhatsApp but reducing the financial penalty by more than ninety-seven per cent. The landmark verdict, the one that was supposed to prove that the industry could be held to account, shrank in five months to a sum a firm of this kind could regard as a cost of doing business. The injunction was real and it mattered. But the headline number that had signaled consequence dissolved into a rounding error, and the lesson the industry could safely draw was the one it has drawn every time: exposure is survivable, and the penalty, when it finally arrives, is smaller than the capability is worth.

The other great platform sued too, and its retreat is even more telling. In November 2021 Apple filed its own suit against NSO over the zero-click exploit it called FORCEDENTRY, the iMessage attack that NSO had delivered through more than a hundred fake Apple accounts. Then, in September 2024, Apple moved to dismiss its own case, the one it had brought, because it had concluded that pressing it forward risked exposing its own threat-intelligence methods to NSO and to the other vendors watching the litigation, and that the disclosure could do more harm than the case could do good. Sit with what that means. The most valuable company in the world, with every resource and every incentive to win, chose to abandon its lawsuit against the firm that had attacked its users, because the act of fighting in open court threatened to reveal more than the fight was worth. When even the trillion-dollar platform calculates that the safer move is to walk away, the asymmetry is plain. The vendors can be sued and survive it. The plaintiffs, even the largest on earth, find that the fight itself carries a cost the defendant does not bear.

The boundary a government drew, and then crossed

The sharpest evidence that this is architecture and not scandal is what the most powerful state in the world did, and then undid. In November 2021 the United States Commerce Department added NSO Group, along with the Israeli firm Candiru, to its Entity List, the export blacklist reserved for actors judged to operate contrary to the national security or foreign policy interests of the United States. The finding was blunt: these firms had supplied spyware used to target journalists, activists, and officials, and to enable transnational repression. It was the strongest action any government had taken, a formal declaration that an allied country's licensed export was a threat to American interests.

Watch what happened next, because it is the whole mechanism in one sequence. In 2022 the American defense contractor L3Harris pursued a deal to buy NSO's hacking tools, a purchase that elements of US intelligence had quietly supported, until the White House warned that the acquisition posed a serious counterintelligence risk and the talks collapsed once they were exposed. NSO then spent years in financial distress, hollowed out by the blacklist, restructured around hundreds of millions in debt held by its creditors. And in late 2025, the firm was acquired by a United States-led group of investors, passing into American ownership while it was still sitting on the American blacklist. Read that twice. The government that had declared the company a national-security threat did not dismantle it. Its own investors bought it, and the firm that could not be sold to an American defense contractor in 2022 because the deal was too dangerous was sold to American investors in 2025 while formally designated as dangerous. The blacklist did not end the capability. It depressed the price, waited out the scandal, and delivered the asset, cheaper, into friendlier hands. That is not the failure of enforcement. It is enforcement functioning as a market correction.

The industry, not the firm

None of this is about one company, and treating it as the NSO story is the mistake the industry most wants observers to make, because a single villain can be blacklisted while the structure continues. NSO had rivals, chief among them the Intellexa consortium, founded by another former Israeli intelligence officer, whose Predator spyware did to its targets what Pegasus did to theirs. In 2022 Predator surfaced at the heart of a scandal in Greece, where it was found on the phone of an investigative journalist and aimed at an opposition party leader who was also a member of the European Parliament, alongside surveillance by the Greek intelligence service, and the affair forced the resignation of the intelligence chief and of the prime minister's own nephew and chief of staff. By early 2026 it had produced criminal convictions. In Spain, a 2022 forensic investigation found that some sixty-five figures in the Catalan independence movement, politicians, lawyers, and activists, had been targeted with Pegasus or Candiru, in what became known as CatalanGate, with strong circumstantial signs of a state nexus though no conclusive attribution.

And here the pattern of enforcement-as-theater repeats with the rivals. In 2024 the United States Treasury sanctioned the Intellexa consortium and its founder and several associates, the strongest financial action ever taken against a commercial spyware maker. Then, at the turn of 2026, the United States lifted the sanctions on three of those Intellexa-linked executives, citing their petitions and claimed separation from the consortium, while leaving the founder designated. The sanctions arrived as a landmark and were partly rolled back within two years. A subject that produced resignations, convictions, blacklists, and sanctions across four democracies should, by the logic of accountability, be a subject in retreat. It is not. The firms restructure, the executives are delisted, the ownership changes hands, and the capability persists, because every actor with the power to end it is also a potential customer for it.

The supply chain of open doors

Underneath the firms sits the raw material, and the raw material exposes the deepest conflict of interest in the whole system. A zero-click exploit depends on an undisclosed flaw, a zero-day, a vulnerability the manufacturer does not yet know exists. Every such flaw has two possible futures: it can be disclosed to the manufacturer and patched, closing the door for everyone, or it can be kept secret and monetized, held open for whoever possesses it. A market exists to make that second choice pay. Brokers buy high-end exploit chains for sums that have reached into the millions, a working zero-click attack on a current iPhone being one of the most valuable single pieces of software in the world, and they resell them to government and corporate clients. The most visible of these brokers published a price list: bounties of up to two million dollars for a zero-click compromise of a current iPhone and up to two and a half million for the equivalent on Android, with seven figures on offer for remote exploits of the major messaging apps. Read those numbers as what they are. They are the market setting a price on the difference between a flaw being fixed and a flaw being kept open, and the price is high enough that, for any vulnerability valuable enough, the incentive runs powerfully toward silence. A researcher who finds a serious zero-click flaw faces a choice between reporting it, for a modest reward or a word of thanks, and selling it for a sum that can change a life, and the structure of the market is built to make the second choice rational.

The conflict is that the governments buying these capabilities are the same governments responsible for the public's security against them. The United States operates a formal process, with the National Security Agency at its center, to decide for each vulnerability its agencies discover whether to disclose it so it can be fixed or retain it for offensive use. Choosing to retain a flaw extends the life of the very weakness that the same government's defensive arm is meant to be eliminating. That decision is not an oversight or an accident. It is policy, made deliberately, weighing the intelligence value of a door left open against the risk to everyone who walks through it unknowing. The supply chain that results looks exactly like defense logistics, a chain of researchers, brokers, vendors, export authorities, and government clients, each link reinforcing the next, and at the top of it states are simultaneously the largest buyers of intrusion and the guarantors of the security that intrusion defeats.

Spyware as foreign-policy currency

Return to the fact that every Pegasus sale was an act of Israeli statecraft, because it generalizes into one of the most important and least visible features of this market: licensed spyware is a form of diplomatic currency. An approval deepens an alliance. A denial signals distance. The technical support that comes with the product embeds the seller's personnel and the seller's leverage inside the buyer's security apparatus. A government that grants a favored partner access to a tool like Pegasus has done something more intimate and more binding than selling it weapons, because it has given it the ability to see, and made that ability dependent on a relationship that can be revoked.

What makes this currency so valuable is that it is invisible. A military base is a visible commitment, photographed by satellites, debated in parliaments, resented by neighbors. An exported exploit chain leaves no footprint at all. Its presence in a country's intelligence service is operational and unseen, a capability that simply appears in the hands of an ally and can simply disappear if the alliance cools. Influence of the old kind ran through territory, through the stationing of forces and the drawing of borders. This influence runs through telemetry, through who can read whose phones and on whose sufferance, and it is exercised in a register that no public can observe and few legislatures can reach. The state that exports the capability acquires a quiet hold over the state that depends on it, and the dependency is the deeper transaction, larger than the money that changes hands. The product is surveillance. The thing actually being sold is leverage.

When surveillance becomes ambient

The other force reshaping this market is the one reshaping everything, automation, and it changes the surveillance not in kind but in scale. Classic interception was surgical and expensive: a specific target, a specific warrant, a specific analyst listening. The integration of machine learning into the offensive toolkit removes that friction. Models map the social graphs pulled from infected devices, identifying who matters by who is connected to whom. Language processing sorts the harvested messages by theme. Behavioral analytics flag emerging patterns across whole populations of intercepted data. Intrusion becomes data ingestion, the ingestion trains the models, and the models refine the selection of the next targets, and at each turn the marginal cost of watching one more person falls.

What was once surgical becomes scalable, and the change in degree becomes a change in nature. When watching a single dissident required a team and a budget, surveillance was rationed by its own expense, and the rationing was a kind of protection. When automation drives the cost of an additional target toward zero, the discipline that scarcity imposed disappears, and surveillance becomes ambient, a default condition of being connected rather than a deliberate act aimed at a chosen few. The endpoint in every pocket becomes a universal sensor, and the question shifts from whom the state has decided to watch to whom it has decided not to, which is a far smaller and far more frightening list. The zero-click gave the watchers the door. Automation gives them the scale to walk through every door at once.

The managed reckoning

Every exposure of this system has produced the same institutional response, and the consistency is itself the finding. In 2022 the European Parliament convened a committee of inquiry into spyware, the PEGA committee, which spent more than a year documenting abuse across Poland, Hungary, Greece, and Spain, and concluded in 2023 with recommendations for oversight, transparency, and a conditions-based framework. It did not call for prohibition. In 2023 the American president signed an executive order restricting the United States government's own operational use of commercial spyware judged to pose security risks, and gathered an initial group of eleven states behind a joint statement against spyware proliferation, a coalition that grew to roughly twenty over the following year. That order, too, restricted use; it did not ban the industry, and the coalition committed its members to controls and safeguards, not to abolition. Even the most determined international response treated the capability as something to be disciplined and kept, the way one regulates an arms trade rather than the way one bans a weapon, and the choice of model is the tell. A capability that states agree to govern collectively is a capability they have collectively decided to retain.

Set the responses beside the abuses they answered and the shape is unmistakable. Documented targeting of journalists and elected officials inside democracies produced regulatory refinement, not abolition. The institutional reflex, every time, was to govern the capability rather than to end it, and governance is a form of permanence, because you do not build oversight regimes around things you intend to eliminate. You build them around things you intend to keep. Exposure triggers adjustment. The infrastructure remains. Each transition in the history of surveillance, from the copper wiretap that required physical access to the cable, to the encrypted message that defeated the wiretap, to the zero-click that defeated the encryption, was debated when it arrived and normalized once it stayed. Exposure, regulation, continuation, in that order, every time, and what distinguishes this stage of it is only ubiquity, because the access point is no longer a cable in a junction box. It is the device in every pocket on earth.

The privatization of a state monopoly

Step back far enough and the deepest thing this market represents comes into view, and it is the thing that places it in the Manifest's central subject. The capability to surveil a population's most intimate communications at scale was, for most of the modern era, the exclusive monopoly of a tiny number of superpower intelligence agencies, the American NSA and its few peers, built over decades at the cost of billions, guarded as the crown jewels of state power. That monopoly is over. The same capability is now a commercial product, developed by private firms, sold under export license, available to any government able to pay and to pass the licensing politics, which is a far larger set of governments than ever held the capability before. What was once the monopoly of a few states is now the product of a few firms, and what was once a state secret is now an export license.

This is the privatization of a sovereign function, and it has the structure the Manifest finds wherever a public power migrates into private hands. A capacity that once defined the state, the capacity to see inside its rivals and its citizens, has been unbundled from the state, manufactured commercially, and sold back to states, including small and poor and abusive ones, as a product. Sovereignty, in the domain of communication, is no longer something a country simply possesses over its own territory. It is layered and transactional. A government's ability to watch its own dissidents may now depend on an exploit chain developed in another country and approved for export by a third country's defense ministry, which means the perimeter of national power has shifted from the border to the codebase, from geography to telemetry. The state that can read its enemies' phones is powerful. The firm that sells the reading, and the ministry that licenses the sale, are the powers behind that power, and most citizens will never see the arrangement, because the whole point of a zero-click is that there is nothing to see. They will update their devices and trust the padlock. The frontier moved quietly. It did not retreat.

The infrastructure that stayed

Return to the journalist and his ordinary morning. He replaced the device. The vulnerability that compromised it was eventually found and patched, the specific exploit retired. And none of it mattered to the system, because while his phone was being cleaned, engineers were searching for the next flaw, export officials were reviewing the next license applications, and procurement committees were authorizing the next classified budgets. The capability did not depend on that one exploit, or that one firm, or that one country's blacklist. It is an industry, with a supply chain and a regulatory regime and a customer base of states, and it persists not because it escaped the law but because it moved through the law, licensed at every step.

That is the defining feature of the zero-click empire, and the reason it is so easy to misread as a series of scandals rather than as a structure. It is not clandestine chaos. It is regulated capability. It is not an accident. It is architecture. The verdicts shrink, the sanctions reverse, the blacklisted firm is bought by the blacklisting country's own investors, and through all of it the door stays open by design, because every government with the authority to close it would rather hold the key. The device in your hand is no longer merely personal technology. It is a geopolitical endpoint, a sensor in a global apparatus that was assembled in full view, through committees and export agencies and procurement contracts, and that almost no one watched being built. The transformation was not declared. It was licensed, line by line, and the licenses are still being signed.

Evidence Map

Facts, interpretations, forecasts, and disconfirming signals.

Core claim. Commercial spyware (NSO's Pegasus, Intellexa's Predator, Candiru, and others) represents the privatization of a capability once monopolized by a few superpower intelligence agencies: state-grade mass surveillance, now developed by private firms, sold under government export license, and available to many states. It persists not by evading the law but by moving through it, and the recurring official response is governance rather than abolition.

Evidence level. Facts (high, documented): NSO founded 2010 by Unit 8200 veterans; Pegasus as a licensed "lawful intercept" zero-click tool requiring approval from Israel's Defense Export Control Agency; the Pegasus Project (July 2021), a consortium of 80+ journalists across 17 outlets with Forbidden Stories and Amnesty, built on a list of 50,000+ numbers of interest (not confirmed infections), including journalists, officials, and heads of state; the November 2021 US Entity List blacklisting of NSO and Candiru; WhatsApp v. NSO (2019 attack on ~1,400 users; liability December 2024; May 2025 jury award of ~$167M punitive, reduced to ~$4M with a permanent injunction in October 2025); Apple v. NSO (filed November 2021, voluntarily dismissed by Apple September 2024 to protect threat-intelligence methods); the Predatorgate scandal in Greece (2022, resignations, convictions by 2026); US Treasury sanctions on Intellexa/Tal Dilian (2024), partially lifted on three executives at the turn of 2026; CatalanGate (2022, ~65 targets); the EU PEGA committee (2023, oversight not prohibition); the US executive order restricting government spyware use (2023); the L3Harris acquisition collapse (2022) and NSO's acquisition by US-led investors (late 2025) while still on the Entity List; the zero-day market and the US Vulnerabilities Equities Process. Interpretation (medium, marked): the reading of these as one privatization-of-sovereignty architecture; "exposure, regulation, continuation" as the system's pattern; enforcement functioning as a market correction. Bounded, not overstated: the Khashoggi link is to targeting of his associates and fiancée, with NSO denying use against him personally; the CatalanGate state nexus is circumstantial, not conclusively attributed; the 50,000 figure is numbers of interest, not infections.

What would confirm this. Continued persistence of the industry through scandal; further deprecation of penalties (reduced awards, reversed sanctions, ownership transfers); regulatory responses that govern rather than prohibit; the spread of the capability to more states.

What would disprove this. An enforcement action that actually ends a major vendor's capability rather than relocating it; a binding international prohibition rather than an oversight framework; evidence that the capability is in fact contracting under pressure rather than restructuring and continuing.

Watchlist. NSO's post-acquisition operations under US ownership; the trajectory of the Intellexa sanctions reversals; new entrants replacing blacklisted firms; whether any jurisdiction moves from oversight to prohibition; the migration of zero-click capability into AI-assisted targeting.