A trace that respects no borders
Surveillance with commercial software leaves, unlike almost any other abuse of power, a technical trace. An infected phone retains marks that labs like the University of Toronto’s Citizen Lab, or Amnesty International’s Security Lab, can analyse and peer-review. Diálogo Ciudadano’s tracker gathers only cases with that kind of verification (forensic or judicial), not mere suspicions. And once it is expanded beyond Ibero-America, the result is unmistakable: twenty-two documented cases in twelve countries on four continents, from Mexico to Thailand, from Poland to the United Arab Emirates.
This piece is not the tracker, which lives as a database with its map and its event catalogue. It is the reading of the pattern that emerges when all the cases are placed on one map. And that pattern matters because it dismantles a comfortable idea: that mercenary spyware is a problem of faraway regimes. It is not.
The pattern: Israeli software, civilian victims
The first thing that stands out when the cases are put in order is their uniformity. The software is, overwhelmingly, Israeli: NSO Group’s Pegasus appears in the vast majority of cases, occasionally complemented by Candiru, the Intellexa consortium’s Predator and Paragon’s Graphite. And the victims almost always belong to the same categories.
| Victim profile | Presence in the cases | Reading |
|---|---|---|
| Journalists | Majority of cases | The number-one recurring target |
| Activists and rights defenders | Very frequent | Organized civil society |
| Political opponents | Frequent | Electoral use of spyware |
| Lawyers | Present | Surveillance of strategic litigation |
The tool is sold, per its makers, to pursue “terrorism and serious crime.” The infected phones that forensic investigation documents belong, again and again, to those who inconvenience power. That is the gap the tracker measures: the distance between the software’s declared use and its documented use.
The cases that change the scale of the problem
The tracker’s first version focused on Ibero-America (Mexico with six cases, Spain with four, Colombia, El Salvador, Panama); its expansion to the rest of the world confirms that the phenomenon knows no geography.
| Country | Emblematic case | Verification |
|---|---|---|
| Poland | Opposition senator Krzysztof Brejza, hacked 33 times in the 2019 campaign | Citizen Lab + Amnesty |
| Thailand | GeckoSpy operation: 30+ pro-democracy activists infected | Citizen Lab |
| United Arab Emirates | Activist Ahmed Mansoor, one of the world’s first targets (2016) | Citizen Lab + Lookout |
| Saudi Arabia | Pegasus in Jamal Khashoggi’s circle before his murder | Citizen Lab |
| Hungary | Journalists infected, confirmed by the Pegasus Project | Forbidden Stories + Amnesty |
The Polish case is especially grave because of where it happened, inside the European Union: a Senate commission later concluded the 2019 elections were unfair due to the software’s use. And the Saudi case is the darkest: Citizen Lab found Pegasus in Khashoggi’s circle (on his confidant’s phone and, later, on his wife’s) in the months before his murder in the Istanbul consulate. It is the starkest proof that mercenary surveillance is not an abstract privacy matter: it can be the prelude to violence.
The gap between surveillance and attribution
There is a second, more subtle gap that the tracker records carefully: the distance between proving a phone was infected and proving who ordered it. Forensic analysis can confirm with very high certainty that a device has Pegasus. Attributing that infection to a specific government is harder, because NSO Group says it sells only to states but does not reveal which ones.
That is why the tracker classifies each case by its operator-attribution confidence level (high, medium, circumstantial, strong-circumstantial, unknown) and does not merge “there is Pegasus on this phone” with “this government put it there.” That discipline is what separates a dataset usable in due diligence or litigation from an unsupported accusation.
Why it is infrastructure, not denunciation
Tracking commercial spyware as a structured database (case, country, tool, maker, number of confirmed victims, sector, attribution level, source) serves anyone needing to compare and verify. A digital-rights NGO, a firm litigating against a maker, an investigative journalist, a corporate security team or a surveillance-technology export regulator all need exactly this: verified, geolocated cases, with their source and confidence level.
The tracker’s world map lets you see incidence by country at a glance and, on clicking each country, jump to the specific case and its reference. The value lies not in the outrage, but in the traceability: being able to go from “spyware in Poland” to “senator Brejza, 33 infections, 2019, Citizen Lab and Amnesty verification, elections declared unfair by a Senate commission.” That chain is what turns documented surveillance into actionable knowledge.
Methodology note
The tracker gathers only cases with forensic verification (device analysis by Citizen Lab, Amnesty International or equivalent organisations) or judicial verification. A country’s absence from the map means the absence of verifiable public investigation, not the absence of surveillance. Each case documents the tool, the maker, the number of confirmed victims and the confidence level with which it is attributed to an operator. A distinction is drawn between confirmation of the infection and attribution of the operator. This is a sensitive topic: if surveillance affects you personally, organisations such as Access Now offer specialised helplines. Diálogo Ciudadano does not provide legal advice; this tracker is informational infrastructure.