NSO Group

Company background

NSO Group is an Israeli-based company which develops and sells spyware technology. It is majority owned by Novalpina Capital, a European private equity firm. In the past few years, investigations into NSO Group have revealed some information about the company’s operations. A non-exhaustive list of resources follows:

• Motherboard, “Meet NSO Group, The New Big Player in the Government Spyware Business” (24 August 2016)
• Forbes, “Everything We Know About NSO Group: The Professional Spies Who Hacked iPhones With a Single Text” (25 August 2016)
• Motherboard, “Government Hackers Caught Using Unprecedented iPhone Spy Tool” (25 August 2016)
• New York Times, “How Spy Tech Firms Let Governments See Everything on a Smartphone” (3 September 2016)
• Motherboard, “They Got ‘Everything’: Inside a Demo of NSO Group’s Powerful iPhone Malware” (20 September 2018)
• Haaretz, “Revealed: Israel’s Cyber-spy Industry Helps World Dictators Hunt Dissidents and Gays” (20 October 2018)
• Haaretz, “Revealed: Israeli Cyber Firm Negotiated Advanced Attack Capabilities With Saudis, Haaretz Reveals” (25 November 2018)
• NWA, “Israeli Firm Denies Its Spyware Aided in Writer’s Killing” (4 December 2018)
• Washington Post, “How a Chilling Saudi Cyberwar Ensnared Jamal Khashoggi” (7 December 2018)
• Washington Post, “Washington must wake up to the abuse of software that kills” (12 December 2018)
• Washington Post, “Covert Saudi Outreach to Israel Sputters After Journalist’s Murder” (18 December 2018)
• Yedioth Ahronot, “Weaving a cyber web” (11 January 2019)
• CNN, “How a hacked phone may have led killers to Khashoggi” (13 January 2019)
• Washington Post, “Mexican privacy watchdog criticizes government over spyware” (20 February 2019)
• Fast Company, “Israeli cyberattack firm woos investors amid a human rights firestorm” (9 March 2019)
• 60 Minutes, “CEO of Israeli Spyware-Maker on Fighting Terror, Khashoggi Murder, and Saudi Arabia” (24 March 2019)
• Financial Times, “Israeli group’s spyware ‘offers keys to Big Tech’s cloud” (18 July 2019)
• Access Now, “From India to Rwanda, the victims of NSO Group’s WhatsApp hacking speak out” (17 December 2020)
• The Guardian, “Pegasus Project” (2021)

Citizen Lab reports on NSO Group and Pegasus spyware

The Citizen Lab has studied NSO Group and the deployment of Pegasus spyware against civil society activists, journalists, scientists, and politicians in a number of reports available here.

Citizen Lab communications to NSO Group and funders

The Citizen Lab has sent numerous communications to NSO Group about the human rights and corporate social responsibility implications of its business practices:

• Citizen Lab, Letter to Blackstone Group regarding potential NSO Group acquisition (25 July 2017) (open letter concerning the human rights concerns and risks of the acquisition)
• Citizen Lab, Letter to Francisco Partners (12 February 2018) (open letter concerning apparent use of Sandvine/Procera Networks Deep Packet Inspection (DPI) devices to deliver nation-state malware in Turkey and indirectly into Syria) and Francisco Partners, Email response to Citizen Lab letter dated 12 February 2018 (20 February 2018)
• Citizen Lab, Letter to Francisco Partners (29 May 2018) (follow up on Sandvine use in Turkey and Syria)
• Citizen Lab, Letter to NSO Group (13 September 2018) (open letter on Pegasus spyware operations in 45 countries) and NSO Group, Statement (17 September 2018)
• Citizen Lab, Letter to Francisco Partners (1 November 2018) (open letter on continued abuse of Pegasus technology)
• Citizen Lab, Letter to NSO Group (24 November 2018) (open letter on continued abuse of Pegasus technology in Mexico)
• Citizen Lab, Letter to Novalpina Capital (18 February 2019) (open letter on involvement of purchase of NSO Group) and Novalpina Capital, Response to Citizen Lab letter dated 18 February 2019 (1 March 2019)
• Citizen Lab, Letter to Novalpina Capital (6 March 2019) (continued correspondence on involvement in NSO acquisition) and Novalpina Capital, Response to Citizen Lab letter dated 6 March 2019 (15 May 2019)
• Citizen Lab, Letter to South Yorkshire Pensions Authority (24 May 2019) (open letter on Novalpina Capital investment fund) and South Yorkshire Pensions Authority, Response to Citizen Lab letter dated 24 May 2019 (24 May 2019)
• Citizen Lab, Letter to Novalpina Capital (18 June 2019) (open letter regarding Novalpina’s statement on UN Guiding Principles)
• Citizen Lab, Letter to South Yorkshire Pensions Authority (4 July 2019) (follow up letter to South Yorkshire Pensions Authority on investment in Novalpina Capital and NSO Group) and South Yorkshire Pensions Authority, Response to Citizen Lab letter dated 4 July 2019 (5 July 2019)
• Citizen Lab, Letter to South Yorkshire Pensions Authority (8 July 2020) (follow up letter, asking for their response in light of recent research regarding the continued abusive deployment of NSO Group’s surveillance technology) and South Yorkshire Pensions Authority, Response to Citizen Lab letter dated 8 July 2020 (9 July 2020)
• NSO Group, Letter to the Citizen Lab (23 December 2020) (response to the Great iPwn report) and Citizen Lab, Response to NSO letter dated 23 December 2020 (11 January 2021)
• NSO Group, Letter to the Citizen Lab (18 February 2021) (continued correspondence on the Great iPwn report) and Citizen Lab, Response to NSO letter dated 18 February 2021 (27 April 2021)
• NSO Group, Letter to the Citizen Lab (4 May 2021) (continued correspondence on the Great iPwn report)
• NSO Group, Letter to the Citizen Lab (18 February 2021) (continued correspondence on the Great iPwn report) and Citizen Lab, Response to NSO letter dated 18 February 2021 (27 April 2021) (and citing a joint letter from a number of human rights organizations to NSO dated 27 April 2021)
• NSO Group, Letter to the Citizen Lab (4 May 2021) (continued correspondence on the Great iPwn report) and Citizen Lab, Response to NSO letter dated 4 May 2021 (17 May 2021)

Litigation against or implicating NSO Group

Proceedings

Gamma Group

Company background

Gamma Group describes itself as an international manufacturer of surveillance and monitoring systems with technical sales offices in Europe, Asia, the Middle East, and Africa. It provides advanced technical surveillance, monitoring solutions, and advanced government training, as well as international consultancy to National and State Intelligence Departments and Law Enforcement Agencies. Gamma Group manufactured and sold a line of spyware products known as FinFisher/FinSpy. As with NSO Group, investigations into this company have provided some insight into its operations. A non-exhaustive list of resources follows:

• Electronic Frontier Foundation, “Spy Tech Companies & Their Authoritarian Customers, Part I: FinFisher and Amesys” (16 February 2012)
• Electronic Frontier Foundation, “Elusive FinFisher Spyware Identified and Analyzed” (25 July 2012)
• Motherboard, “Mobile Trojans Read Their Head, Repressive Governments Go For Their Checkbooks” (8 September 2012)

The Citizen Lab has studied Gamma Group and the deployment of FinFisher/FinSpy in several reports.

Litigation against or implicating Gamma Group

Jurisdiction	Date started	Status	Proceedings
UK	2018	Ongoing	Lawsuit brought by Bahraini activists in the UK against Gamma. Bahraini activists have started a legal action against Gamma alleging that the company was involved in the sale of spyware products to the Bahraini government knowing they would be used to crack down on protests during the Arab spring. The claimants say that they were targeted with the FinFisher/FinSpy program, which was manufactured in the UK and sold to the Bahraini government. They also accuse Gamma of providing training to Bahraini government officials on how to correctly use the software, along with technical support and software updates. All allege that the Bahraini government attacked their computers while they were in the UK. The claimants say they were targeted in relation to their pro-democracy campaigning during the Arab spring. Hassan Mushaima, one of the claimants, was jailed for life in 2011 by a military court in Bahrain. In February 2023, the High Court found that the claim could proceed despite Bahrain’s argument that state immunity applied. In 2024, Bahrain appealed this decision. In October 2024, the UK Court of Appeal held in favor of the claimants and dismissed Bahrain’s appeal, concluding that the state could not benefit from sovereign immunity under the State Immunity Act 1978 with respect to the alleged use of FinFisher spyware. The claimants are represented by Leigh Day.
US	2014	Affirmed dismissal by District Court	Doe v. Federal Democratic Republic of Ethiopia, 851 F.3d 7 (D.C. Cir. 2017), reh’g denied, 2017 U.S. App. LEXIS 10084 (D.C. Cir. June 6, 2017) The Electronic Frontier Foundation (EFF) filed a lawsuit in federal court in Washington, D.C. alleging that the government of Ethiopia, using FinFisher/FinSpy, illegally wiretapped and invaded the privacy of EFF’s client, a U.S. citizen on U.S. soil. The United States Court of Appeals for the District of Columbia Circuit ultimately concluded in March 2017 that Ethiopia was immune from suit absent an exception under the Foreign Sovereign Immunities Act, which did not arise here. In response to the decision, EFF argued that the court had “held that foreign governments are free to spy on, injure, or even kill Americans in their own homes–as long as they do so by remote control” and that the decision was “extremely dangerous for cybersecurity.” Under this holding, there is no legal recourse if a foreign government “hacks into your car and drives it off the road, targets you for a drone strike, or even sends a virus to your pacemaker, as long as the government planned the attack on foreign soil.” For further analysis of this decision, see Lawfare and Motherboard.

Formal complaints against Gamma Group

Jurisdiction	Date started	Status	Proceedings
OECD National Contact Points (NCPs) in UK & Germany	2013	OECD NCPs issued decisions	OECD complaints by human rights groups against Gamma and Trovicor in UK and Germany. In 2013, Privacy International, Reporters Without Borders, Bahrain Watch, the Business Center for Human Rights, and the ECCHR filed a formal complaint with the UK National Contact Point for the OECD, as well as the equivalent German Contact Point, against Gamma and Trovicor. The UK Contact Point accepted the complaint for consideration against Gamma. In 2014, the UK Contact Point determined that Gamma was in violation of human rights guidelines. The German Contact Point refused to investigate the allegations and was only willing to continue with mediation in relation to Trovicor’s risk management.
UK	2012	Judicial review granted	Privacy International complaint against HM Revenue and Customs (HMRC) in the UK. Privacy International began investigating Gamma and the export of FinFisher/FinSpy spyware. After discovering that Gamma’s FinSpy was subject to the UK export control regime and that Gamma had only submitted a Control List Classification enquiry asking the government whether or not it needed an export license for the product in July 2012, Privacy International submitted a dossier of evidence against Gamma to HMRC and called for an investigation. HMRC is responsible for overseeing the enforcement of export regulations in the UK. HMRC refused to provide any details regarding any investigation into Gamma’s export practices, arguing that it was statutorily barred from doing so. In May 2013, Privacy International filed for judicial review of HMRC’s decision. In May 2014, the Administrative Court declared that HMRC acted unlawfully and “irrationally” in issuing blanket refusals into the status of any investigation into the potentially illegal export of FinFisher. The court quashed HMRC’s decision and ordered it to consider Privacy International’s request again.
Germany	2014	Denied	Privacy International and the European Center for Constitutional and Human Rights criminal complaint against Gamma in Germany. In October 2014, Privacy International and the European Center for Constitutional and Human Rights submitted a criminal complaint calling for an investigation into Gamma in Munich, Germany. In December 2014, public prosecution authorities in Munich decided not to launch investigatory proceedings against Gamma’s employees.

FinFisher

FinFisher GmbH is a Munich-based company that describes itself as having “the mission to provide first-class cyber solutions and knowledge for successful operations against organized crime.” The FinFisher spyware kit was previously said to have been produced by Gamma Group. FinFisher GmbH was formed sometime in 2013 and Gamma Group alleges that it stopped selling the product as of 2012.

Formal complaints against FinFisher

Jurisdiction	Date started	Status	Proceedings
Germany	2019	Ongoing	Criminal complaint made by Gesellschaft für Freiheitsrechte e.V., Reporters Without Borders Germany, the European Center for Constitutional and Human Rights, and Netzpolitik.org against the CEO of FinFisher GmbH and related entities. The organizations argued that the Munich-based companies sold the FinSpy spyware to Turkey without an export license and that this assisted in the surveillance of opposition members and journalists by the Turkish government. Public prosecutors in Munich reportedly opened an investigation. On October 14, 2020, DW reported that “German Customs Investigation Bureau (ZKA) searched 15 residential and business premises in Germany and abroad last week with connections to the Munich-based surveillance software firm FinFisher.” On May 22, 2023, it was announced that German prosecutors indicted four former FinFisher CEOs on the basis that they sold their surveillance technology to Turkey without the necessary approvals. In March 2022, FinFisher ceased business operations and filed for insolvency.

Amesys

Company background

Amesys (renamed Nexa Technologies) is a French company that makes communications equipment and other related equipment for aerospace, defence, marine, energy, and the telecommunications industry, including surveillance equipment. A non-exhaustive list of resources on this company follows:

• Electronic Frontier Foundation, “Spy Tech Companies & Their Authoritarian Customers, Part I: FinFisher and Amesys” (16 February 2012)
• Le Monde, “Après la Libye de Kadhafi, Amesys a vendu son système de surveillance à l’Égypte de Sissi” (5 July 2017)
• France Inter, “Amesys: qui est ce marchand d’armes numériques français?” (5 July 2017)
• Business & Human Rights Centre, Amesys lawsuit (re: Libya)

Litigation against or implicating Amesys

Jurisdiction	Date started	Status	Proceedings
France	2017	Ongoing	Criminal investigation into Amesys and the sale of surveillance equipment to Egypt. In November 2017, the International Federation for Human Rights (FIDH) and the Ligue française des droits de l’Homme (LDH), with support from the Cairo Institute for Human Rights Studies (CIHRS), requested an investigation into the sale of surveillance equipment by this French company to Egypt and the potential role of this equipment in widespread oppression under the Al Sissi regime in Egypt. In December 2017, the Paris Prosecutor acknowledged the gravity of the allegations, giving Egyptian victims the opportunity to become civil parties to the case and testify in France as well as enable FIDH and LDH to become civil parties. In June 2021, four Amesys and Nexa Technologies executives were indicted by investigating judges of the crimes against humanity and war crimes unit of the Paris Judicial Court for complicity in torture in the Libyan portion of the investigation and complicity in torture and enforced disappearance in the Egyptian portion. These indictments arose out of this 2017 complaint, as well as the 2011 complaint described below.
France	2011	Ongoing	Criminal investigation into Amesys and the sale of surveillance equipment to Libya. In October 2011, FIDH and LDH filed a complaint alleging the complicity of Amesys and its executive managers in acts of torture for having signed and executed a commercial agreement for the provision of surveillance technology to the Libyan regime in 2007. In May 2012, a formal criminal investigation was opened in France. After subsequent litigation over this decision to open an investigation, in January 2013, the Chamber of Criminal Investigation of the Court of Appeal upheld the initial order to open the investigation. In June 2021, four Amesys and Nexa Technologies executives were indicted by investigating judges of the crimes against humanity and war crimes unit of the Paris Judicial Court for complicity in torture in the Libyan portion of the investigation and complicity in torture and enforced disappearance in the Egyptian portion. These indictments arose out of this 2017 complaint, as well as the 2011 complaint described below. These indictments arose out of this complaint, as well as the 2011 complaint described above.

Qosmos

Company background

Qosmos is a French technology company that specializes in Deep Packet Inspection-based IP classification and network intelligence technology. A non-exhaustive list of resources on this company follows:

• Reuters, “France investigates tech firm accused of aiding Syria” (26 July 2012)
• Business and Human Rights Centre, Qosmos investigation (re: Syria)

Litigation against or implicating Qosmos

Jurisdiction	Date started	Status	Proceedings
France	2012	Dismissed	Criminal investigation into Qosmos and sale of equipment to Syria. FIDH and LDH filed a criminal complaint before a Paris court urging for an investigation into the involvement of French companies supplying surveillance equipment to Bashar El-Assad’s Syrian government. The complaint named Qosmos, a French company, in particular alleging that it is complicit in human rights abuses, including torture, by the Syrian government by providing it with surveillance equipment. In April 2014, a full judicial investigation was brought against Qosmos by the Paris Court for complicity in torture. In April 2015, an investigative judge declared Qosmos an “assisted witness.” In December 2020, a Paris judge dismissed the case due to insufficient evidence to establish causal link between surveillance equipment and acts of torture and crimes against humanity by the Syrian regime.

DarkMatter

Company background

DarkMatter is an Emirati cybersecurity firm. In 2019, Reuters published a detailed investigation into the company and an Emirati government surveillance program called “Project Raven,” which was moved to DarkMatter in 2016. Reuters described how American contractors were used to undertake surveillance on behalf of the Emirati regime through DarkMatter. 

• Reuters, “Inside the UAE’s Secret Hacking Team of American Mercenaries” (30 January 2019)
• Washington Post, “Three former U.S. intelligence operatives admit to working as ‘hackers-for-hire’ for UAE” (15 September 2021) 

Litigation against or implicating DarkMatter

Jurisdiction	Date started	Status	Proceedings
US	2021	Ongoing	Loujain AlHathloul, a Saudi human rights activist, filed an action against DarkMatter in the US District Court for the District of Oregon. The lawsuit is supported by the Electronic Frontier Foundation, and alleges that DarkMatter and three of its former executives illegally hacked into AlHathloul’s phone to secretly track communications and her location.
US	2020	Ongoing	Ghada Oueiss, a journalist with Al Jazeera, filed a lawsuit against DarkMatter (as well as a number of other defendants, including Saudi and Emirati princes) in the United States District Court for the Southern District of Florida. Oueiss alleges an unlawful “hack and leak” operation against her, which was “spearheaded by the crown princes of Saudi Arabia and the United Arab Emirates…and their co-conspirators in the U.S. and elsewhere.” In March 2022, the US District Court for the Southern District of Florida dismissed the case. In April 2022, Oueiss appealed to the US Court of Appeals for the Eleventh Circuit.
US	2021	Closed	In September 2021, the US Department of Justice announced that three former US intelligence community and military personnel officials agreed to pay over $1.68 million to resolve criminal charges that arose from providing hacking-related services to a foreign government. The individuals were known to have worked for DarkMatter.

WiSpear

Company background

WiSpear is a Cyprus-based company which provides “end-to-end WiFi surveillance solutions” and was founded by Tal Dilian (Dilian previously owned another surveillance company, Circles, which he then sold to NSO Group). WiSpear came into the public spotlight after several articles in Forbes where Dilian provided details regarding the company’s controversial “spy van,” described as “a car full of next-generation snooping kit that can infect Apple and Google phones from as far away as 500 metres.”

• Forbes, “The $5 Million Surveillance Car That Hacks iPhones From 500 Meters” (25 June 2018).
• Forbes, “A Multimillionaire Surveillance Dealer Steps Out of the Shadows… And his $9 Million WhatsApp Hacking Van” (5 August 2019).

Litigation against or implicating WiSpear

Jurisdiction	Date started	Status	Proceedings
Cyprus	2019 to 2021	Closed	After Dilian gave an interview to Forbes about WiSpear’s “spy van”, the local authorities opened a police investigation against Dilian and two other individuals, as well as the company itself. In November 2021, the Attorney-General announced that it was dropping charges against the individual defendants. That same month, the Office of the Commissioner for Personal Data Protection in Cyprus announced that WiSpear would pay a fine of $1 million euros for GDPR-related violations in relation to the “spy van” case.

 

Cytrox

Company background

Cytrox reportedly started as a North Macedonian start-up company, although a review of corporate registry documents showed that it appears to have a corporate presence in Israel and Hungary. The company is part of the “Intellexa alliance,” which is a marketing label for a range of mercenary spyware vendors that emerged in 2019. Cytrox business activities have been described as providing governments with an “operational cyber solution” that includes gathering information from devices and cloud services.

• Haaretz, “‘Great Alarm’: First Detected Use of Mysterious Israeli Spyware on EU National” (April 2022)

Citizen Lab reports on Cytrox and Predator spyware

• The Citizen Lab, “Pegasus vs. Predator: Dissident’s Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware” (December 2021)

Litigation against or implicating Cytrox

Jurisdiction	Date started	Status	Proceedings
Greece	2023		Following complaints by several individuals, the Greek Data Protection Authority began to investigate the use of spyware in Greece (in particular, in relation to Predator) in 2022. In a press release dated July 20, 2023, the DPA confirmed that it had “established that attempts were made to install spyware on numerous mobile phone users in Greece” (translation using Google Translate). In 2024, the Greek Supreme Court prosecutor concluded, however, that “no evidence linking Greece’s National Intelligence Service, the police force or its anti-terrorism division to the use of Predator spyware, which opposition groups alleged was used against some government critics.” A number of groups have taken issue with the Prosecutor’s conclusions.
Europe	2023		The European Public Prosecutor’s Office has reportedly started an investigation into the illegal use of Predator spyware.
Greece	2023	Ongoing	Artemis Seaford, a dual American-Greek national, was infected with Predator spyware and has reportedly filed a lawsuit in Greece. She also filed a request with the Greek Authority for the Protection of the Privacy of Telecommunications asking them to ascertain whether the EYP, the Greek national intelligence services, wiretapped her device.
Greece	2022	Ongoing	Thanasis Koukakis, a Greek journalist whose device was infected with Predator spyware, has sued Intellexa in Greece (note that Cytrox is part of the Intellexa alliance). According to Haaretz, Koukakis has demanded a criminal investigation into the hacking. The lawsuit accuses Intellexa, Dilian (its CEO) and another shareholder, of “assisting in the breach of both EU and Greek laws.” In April 2025, a trial against Dilian and three others involved in the wiretapping of Koukakis and Seaford began in Athens. The four defendants are facing “misdemeanour charges for unlawfully accessing private communications systems and data” and violating privacy laws.
Greece	2022		Nikos Androulakis, a Greek politician and opposition leader, was targeted with Predator spyware. He has filed a suit in Greece in an attempt to get the authorities to investigate.

 

Paragon

Company background

Paragon is a company that produces a spyware known as Graphite. 

• Middle East Monitor, “Israeli Spyware Scandal: Paragon’s Graphite Used to Target Italian Journalists and Critics” (February 2025)
• The Guardian, “WhatsApp Says Journalists and Civil Society Members Were Targets of Israeli Spyware” (January 2025)
• The Guardian, “Activist alerts ICC to spyware attack while sharing Libya torture victims’ details” (March 2025)
• “Six additional countries identified as suspected Paragon spyware customers” (Cyberscoop)
• The Guardian, “Ontario’s provincial police force could be using Israeli spyware, report finds” (March 2025)
• TechCrunch, “Researchers name several countries as potential Paragon spyware customers” (March 2025)
• Bloomberg, “Paragon Spyware Tool Linked to Canadian Police, Watchdog Says” (March 2025)
• Amnesty International, “Europe: Paragon attacks highlight Europe’s growing spyware crisis” (March 2025)
• Euractiv, “Paragon scandal: Denmark and Cyprus potential spyware customers alongside Italy” (March 2025)

Citizen Lab reports on Paragon 

• “Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted” (June 2025)
• “Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations” (March 2025)

Citizen Lab communications to Paragon

• Citizen Lab, Letter to Paragon Solutions (June 10, 2025)
• Citizen Lab, Letter to Paragon Solutions (March 15, 2025), Response to Citizen Lab letter dated March 15, 2025 (March 17, 2025).

Litigation against or implicating Paragon

Jurisdiction	Date started	Status	Proceedings
Italy	2025	Concluded	The Italian government’s intelligence oversight committee confirmed that Paragon spyware was used to hack several activists. The committee’s report is available here.
Italy	2025	Ongoing	Two organizations in Italy, the Federazione Nazionale Stampa Italiana (FNSI) and the Order of Journalists, have announced that they are taking legal action with respect to the targeting of an Italian journalist with Paragon spyware. They are calling on the Rome Public Prosecutor’s Office to investigate.

* * *

If you have tips on additional litigation or formal complaints against digital surveillance companies not covered in this document, please email Siena Anstis: siena [at] citizenlab [dot] ca.