From Hollywood to Pegasus: how American money conquered the spyware industry
The surveillance business has matured into a $12 billion sector. Its biggest backers are now American—even as American policy tries to shut it down
Robert Simonds made his fortune producing Happy Gilmore and Billy Madison. In October 2025, he bought something rather different: NSO Group, the Israeli firm whose Pegasus spyware has been found on the phones of murdered journalists, imprisoned dissidents, and at least a dozen American diplomats. The US Commerce Department blacklisted the company in 2021. Now a Hollywood producer owns it.
John Scott-Railton has investigated NSO for a decade from his post at the University of Toronto's Citizen Lab. His assessment of the acquisition was blunt. "NSO is a company with a long history of going against American interests and supporting the hacking of American officials," he told TechCrunch. "In what world can such a person be trusted to properly oversee a company like NSO Group?"
This world, apparently. The Simonds deal was not a quirk but a signal. American capital has flooded into the business of watching people, and the flood is accelerating.
Follow the money
The Atlantic Council tracks the commercial spyware market through a project called "Mythical Beasts." Its 2025 report counts 561 entities across 46 countries—and reveals a shift that should trouble anyone who assumed American policy constrained American behaviour. In 2023, twelve US-based investors had stakes in surveillance firms. By the end of 2024, that number had nearly tripled. Twenty new American investors entered the market in a single year, vaulting the United States past Israel to become the industry's largest financial backer.
The numbers tell only part of the story. Consider who is buying what. Integrity Partners, a US investment firm, acquired Candiru for up to $30 million in early 2025. Candiru makes spyware that has been found targeting journalists in the Middle East and politicians across Europe. It has been on the US Commerce Department's Entity List since 2021—meaning American companies face restrictions on trading with it. But the Entity List constrains commerce, not capital. Nothing prevented Americans from buying the company outright.
AE Industrial Partners invested in Paragon Solutions in late 2024. Within months, Italian journalists discovered Paragon's Graphite spyware had been deployed against them. Immigration and Customs Enforcement had already signed a contract with Paragon; the Biden administration paused it under an executive order restricting government use of foreign spyware. The Trump administration lifted the pause. The contradiction is not accidental. It is structural.
The franchise that cannot be shut down
Sanctions against individual companies have failed to slow the industry's growth. Forty-three new surveillance entities were established in 2024. The global market now exceeds $12 billion. At least 74 governments have purchased commercial spyware. Why does pressure on specific firms produce expansion rather than contraction?
Because the surveillance business does not work like other industries. It operates as a knowledge franchise. The product is not software but expertise, and expertise travels with people.
The Surveillance Watch database, an interactive map maintained by privacy researchers, traces these migrations. Udi Doenyas, technical director at Patternz, previously architected NSO's Pegasus. Alexey Levin, chief technology officer at Palm Beach Networks, worked at both NSO and Candiru before relocating to Barcelona to build a new spyware firm. Blue Ocean, based in Singapore, is run by a former executive of a company NSO's founders established. The personnel circulate. The knowledge multiplies.
When NSO faces lawsuits and sanctions, its trained staff disperse to Paragon, Patternz, Palm Beach, and dozens of smaller operations. Each carries the ability to build zero-click exploits and evade detection. You cannot sanction a skillset.
The corporate name-changing reflects this dispersal. Equus Technologies became Merlinx after exposure in 2017. Candiru has been Grindavik, DF Associates, Taveta, and Saito Tech. Security researcher Bruce Schneier highlighted one sequence that captures the absurdity: Appin Technology Ltd. became Mobile Online Order Management Private Limited, then Chemieast Engineering, then Sunkissed Organic Farms. The shells change. The capabilities persist.
Your ads are watching you
The most significant recent development requires no hacking at all. A new breed of surveillance vendor has emerged that harvests the data companies already collect to target advertisements—a technique researchers call ADINT, for advertising-based intelligence.
Every smartphone carries a Mobile Advertising ID. Thousands of apps share this identifier with advertising networks, along with location data, to enable targeted ads. Patternz, founded by executives from an Israeli defence contractor and a digital advertising firm, aggregates this stream. The company can track individuals in real time, build comprehensive profiles, and alert operators when targets reach specific locations. No zero-click exploit. No warrant. Looser export controls than traditional surveillance tools.
How much data leaks through this channel became vivid in November 2025, when journalists from netzpolitik.org published the "Databroker Files." They had obtained 278 million location pings from Belgium covering a few weeks in 2024 and 2025. Within the data: 9,600 pings from 543 devices inside NATO headquarters. 5,800 from 756 devices at the European Parliament. 2,000 from 264 devices at the European Commission. Each record linked to a unique identifier, enabling reconstruction of where officials work, live, travel, and whom they meet.
The datasets came as free samples. Data brokers seeking subscribers handed over the movements of EU officials and NATO personnel at no charge, to demonstrate their product.
When University of Washington researchers coined the term ADINT in 2017, they demonstrated that tracking an individual through advertising networks cost about $1,000. The precision targeting that enables such surveillance, they observed, was developed for legitimate business purposes. But each improvement in ad targeting inherently improves surveillance capability. The industries have converged. The infrastructure that shows you furniture ads when you search for couches can also track your movements through a city.
Accountability theatre
Exposures arrive regularly. Citizen Lab discovers journalists targeted with Paragon's spyware in Italy. Amnesty International documents mercenary spyware deployed against Serbian activists. WhatsApp wins $167 million from NSO for exploiting a vulnerability to deliver Pegasus. Forty-three new entities appear anyway. Why?
The Italian Paragon affair provides the template. In January 2025, WhatsApp notified approximately 90 users that Paragon had targeted their accounts, including journalists and civil society figures. On 6 February, the Italian government denied knowledge. That evening, The Guardian reported Paragon had cancelled contracts with two Italian customers. On 12 February, the minister confirmed Italy was a Paragon customer. The intelligence director admitted deploying Graphite multiple times. On 14 February, suspension pending investigation. On 19 February, officials declared they could not respond to parliament because undisclosed information was classified.
Denial, confirmation, suspension, classification. The sequence unfolded over two weeks. The journalists had already been surveilled. The damage was done before the theatre began.
This is not a failure of information; the abuses are exhaustively documented. It is a failure of will. Governments that condemn spyware at summits purchase it through procurement offices. The United States blacklisted NSO after discovering its tools had compromised American officials abroad—then reactivated Paragon's contract four years later. Democratic states sign reform agreements while their agencies buy surveillance services. The contradiction is not hypocrisy but structure: states want these capabilities even as they deplore their existence.
Defenders point to legitimate uses. Intelligence agencies need tools to track terrorists. Law enforcement benefits from forensic capabilities. Paragon marketed itself as ethically superior to NSO, with safeguards against abuse. The argument reflects real tensions—the same technologies that enable tracking journalists can locate kidnapping victims.
But the business model ensures abuse. Vendors profit by selling to any buyer. The technology cannot distinguish between a terrorist and a reporter once installed. Paragon's "safeguards" did not prevent its deployment against Italian journalists. The legitimate use case justifies the industry's existence; it cannot govern its operations.
The new normal
In April 2025, Ronald Deibert left every electronic device at home in Toronto. He flew to Illinois, took a taxi to a mall, and bought a fresh laptop and iPhone at the Apple Store. He travels on the assumption that he is watched—down to his precise location at any moment.
Deibert founded the Citizen Lab in 2001 and has directed it ever since. His organisation exposed the Saudi government's use of Pegasus against associates of Jamal Khashoggi before the journalist's murder. Black Cube operatives have targeted his researchers, attempting to discredit their work on NSO. The precautions are not paranoia. They are job requirements.
What Deibert's routine reveals is what normalisation means. Journalism becomes harder when sources assume their communications are monitored. Dissidents in exile cannot escape states that purchase commercial spyware. Attorney-client privilege offers no protection against zero-click exploits. The infrastructure of democratic accountability—investigative reporting, legal representation, whistleblowing—degrades when surveillance is universally available.
The shift is not merely quantitative. When surveillance was a nation-state capability, it demanded significant investment and carried diplomatic costs. Commercial spyware turns it into a service. When data brokers offer location tracking as a subscription, surveillance becomes as routine as running ads. The skills diffuse through personnel movement. The capital flows from conventional investors. The corporate forms look like ordinary technology companies, with venture funding, acquisition activity, pivots, rebrands—and now a Hollywood producer among the backers.
The researchers at Citizen Lab, Access Now, Amnesty International, and the growing network of security analysts continue their work. They find infections wherever they look. They provide evidence to courts and parliaments. But they are mapping expanding territory, not holding ground.
Legal challenges proceed slowly. Companies rebrand overnight. Export controls apply to named entities; knowledge travels in people's heads. Sanctions constrain trade but not investment. The surveillance industry has spent two decades learning to survive scrutiny. It has now found backers willing to fund its next phase.
Those backers, increasingly, hold American passports.