Skip to Content
MIT Technology Review

The man who built a spyware empire says it’s time to come out of the shadows

Shalev Hulio, co-founder and CEO of NSO, says his industry is full of companies trying to avoid scrutiny.

NSO headquartersNSO headquartersMs Tech | Source: AP Photo/Daniella Cheslow, File

Shalev Hulio wants to explain himself.

Normally, silence and secrecy are inherent in the spy business. For nine full years, Hulio never talked publicly about his billion-dollar hacking company—even when his hacking tools were linked to scandal or he was accused of being complicit in human rights abuses around the world. Lately, though, he’s speaking up.

“People don’t understand how intelligence works,” Hulio tells me over a video call from Tel Aviv. “It’s not easy. It’s not pleasant. Intelligence is a shitty business full of ethical dilemmas.”

The business he leads, NSO Group, is the world’s most notorious spyware company. It’s at the center of a booming international industry in which high-tech firms find software vulnerabilities, develop exploits, and sell malware to governments. The Israeli-headquartered company has been linked to high-profile incidents including the murder of Jamal Khashoggi and spying against politicians in Spain.

Ten years after founding the company, he made the rare decision to speak about NSO Group, the intelligence industry, and what transparency could look like for spyware companies. This, he says, is the most important thing the industry can do now: “We’ve been accused, with good reason, of not being transparent enough.”

Culture of silence

Formerly a search-and-rescue commander in Israel’s military and then an entrepreneur focused on technology that remotely accessed smartphones, Hulio has said he founded NSO Group in 2010 at the urging of European intelligence agencies. Back then, NSO marketed itself as a state-of-the-art cyberwarfare firm.

It entered the global spotlight in 2016 when Ahmed Mansoor, a human rights activist in the United Arab Emirates, received what’s been called the most famous text message of all time. Researchers say it was a sophisticated phishing lure sent by a government; it contained a link that, if clicked, would have taken over Mansoor’s phone with spyware. Experts at Citizen Lab, a research group at the University of Toronto, analyzed the link and pointed to Pegasus, NSO’s flagship product. The revelation led to a great deal of scrutiny of the company, but NSO remained silent. (Mansoor is currently serving a decade-long prison sentence for insulting the monarchy—a dictator’s description of his work to further human rights.)

That response was partly a function of the company’s ownership at the time. In 2014, NSO had been bought for around $100 million by the American private equity firm Francisco Partners, which had a strict no-press policy that Hulio says led to a harmful culture of silence.

“No interviews—we couldn’t talk to journalists except to say no comment, no comment, no comment,” he says. “It created lots of bad things for us, because every time we were accused of abuse, we had no comment.”

This, he says, was a mistake to be avoided in the future by companies like NSO—which last year was sold for $1 billion to the European private equity firm Novalpina and the original founders, including Hulio himself.

“The industry should be more transparent,” Hulio says. “Each company should be much more accountable for who they sell to, who are the customers, what is the end use for each customer.”

In fact, the text sent to Mansoor proved to be a blessing in disguise for investigators. Mansoor, who had already been targeted by surveillance for many years, was suspicious and didn’t click the poisoned link. Instead, he shared it with experts. But these days the hacking industry is increasingly using more advanced techniques that keep their activities as unobtrusive as possible—including so-called “zero-click” techniques that infect targets without their taking any action at all. WhatsApp is suing NSO Group for hacking the app to silently infect phones. Targets in Morocco have reportedly experienced “network injection” hacks that raise no alarm, require no cooperation from the victim, and leave little trace.

“Each [spyware] company should be much more accountable for who they sell to, who are the customers, what is the end use for each customer.”

 “The pitch from hacking companies is that criminals and terrorists are going dark because of encryption and states need an ability to chase them down their dark hole,” says John Scott-Railton, a senior researcher at Citizen Lab. “Increasingly, at the high end, companies selling these techniques are the ones going dark. It’s not just WhatsApp. We’ve seen sales of vulnerabilities against iMessage, [telephone software] SS7 as a delivery for zero-click vulnerabilities, and a lot of network injection. Because of this, it’s almost impossible for us to get visibility of the scale of the problem. We can only guess at scale. We only know some players. The market is growing, but we lack a lot of information about abuses.”

It was never an easy job to understand the full scope of the hacker-for-hire industry. Now the techniques and indicators investigators have long relied on as clues are becoming rarer, quieter, and more difficult to spot. The stealthy new arsenal makes it extraordinarily difficult to hold hacking companies and intelligence agencies accountable when human rights abuses occur.

Perhaps surprisingly, Hulio agrees emphatically that the hacking industry is going dark. When I ask him if the industry is taking enough steps toward transparency and accountability, he shakes his head and points a finger at his competitors:

“Actually, I think it’s the other way around. The industry is going away from regulation. I see companies trying to hide activity and hide what they’re doing. It’s damaging the industry.”

Dodging transparency

By contrast, Hulio claims, NSO is trying to reverse course under its new ownership. Although it is facing the high-profile WhatsApp lawsuit and dozens of allegations of abuse of Pegasus, Hulio insists the company is evolving. The fact that he’s talking to journalists at all is one obvious change, he says, and so are the new self-governance policies and a public commitment to adhere to the United Nations Human Rights Guidelines. How much the talk translates to reality is still an open question: three days after the company announced a new human rights policy in 2019, researchers from Amnesty International say, Pegasus was used to hack Moroccan journalist Omar Radi.

But Hulio suggests that his rivals are dodging transparency and accountability by moving their businesses or finding havens to operate from.

“They’re opening companies in countries where you don’t have regulation mechanisms, in Latin America, Europe, the Asia Pacific region—where regulation is very weak, so you can export to countries that you cannot export to from Israel or other places in Europe,” he explains. “I see companies trying to hide activity by changing the name of the company over and over again. Or through mechanisms like building research and development in one site, sales cycle to a different company, deployment through a third company, so you cannot trace who is doing what.”

"Just like there are countries that act as tax shelters, there are countries that act as export regulation shelters. Those countries need global mechanisms of regulation."

That may be true, but NSO Group itself goes by a string of other names, including Q Cyber Technologies in Israel and OSY Technologies in Luxembourg. It has a North American wing called Westbridge. Its employees are spread out internationally. Israeli media have reported on company’s links to shell companies and byzantine deals. Over the years, it has operated a confusing network of other companies around the world, and this corporate maze has made it nearly impossible to understand its dealings and actions—a crucial task when hacking tools can be abused by authoritarian governments with devastating consequences.

So what would accountability look like? When NSO Group first appeared, the Wassenaar Arrangement, a crucial arms export control agreement between 42 countries, had no cyber dimension. Israel had no cyber export law. Now Israel’s Ministry of Defense is governed by the country’s Defense Export Control Law—NSO Group has reportedly never been denied an export license—but on a global scale, the hacking industry remains largely hidden, opaque, and unaccountable despite its growing power and capabilities.

“There are loopholes,” Hulio says. “Not all countries are part of the Wassenaar agreement. I truly think it’s very hard to do something international. Obviously international is a great idea, but just like there are countries that act as tax shelters, there are countries that act as export regulation shelters. Those countries need global mechanisms of regulation.”

Who is in the crosshairs?

Dozens of abuses by users of NSO’s technology have been alleged since the Mansoor incident first pointed a spotlight at the company. When such allegations are made, NSO begins an investigation. If accounts conflict, NSO can demand logs that reveal targets. More often than not, Hulio says, the customer will say that the allegations against it are true, the targeting is real—but that their actions were legal under local law and the contract they signed. That leaves it up to NSO and the customer to hash out whether the targeting is indeed legitimate.

Much of the criticism directed at NSO Group comes when researchers say Pegasus is used against lawyers, human rights activists, journalists, and politicians. But Hulio says the context can justify such actions—that these people can be legitimate surveillance targets as long as the law is followed. He points to events surrounding the capture in 2014 of the Mexican drug lord Joaquín “El Chapo” Guzmán. Although it has never confirmed it publicly, NSO Group has privately touted its role in the operation for years.

“Chapo ran away from prison,” Hulio says. “People like Chapo or [ISIS leader Omar Bakr] al-Baghdadi don’t carry smartphones. When Chapo escaped, they thought he probably eventually will call his lawyer, so let’s try to intercept the lawyer. The lawyer is not a bad person—and I’m not saying we were involved. The lawyer by himself is not a suspect of criminal activity, but El Chapo, who is a criminal, is going to call his lawyer, and the only way to catch him is to intercept his lawyer.”

It’s the kind of case that’s easy to make. Murderous drug lord, extreme police action, front-page mugshots. But most allegations of misuse don’t resemble the El Chapo case. Gulf nations have repeatedly been accused of using Pegasus to target political opposition, resulting later in trumped-up charges for offending royal families or the like.

Hulio says that often NSO is accused of work that other spyware companies are responsible for.

“We ask very tough questions when we sell a system, but I’m not sure everyone is doing that,” he says. “I have no problem sitting in front of the minister of defense of a country, or the head of police, or of the secret service, and asking: What is the use? What’s the target? What is the mission? What are the investigations? What is the process you use? How do you analyze the data? Who needs to approve each target? What is the law in your specific country—how does it work? Questions a lot of companies really don’t care about. They have a deal—they want to sell. They will sell it because it’s good money for them.”

We’ve gone full circle, arriving back in a thick tangle of secrecy. Money is flowing, abuses keep happening, and the hacking tools are proliferating: no one disputes that.

But who is accountable when brutal authoritarians get their hands on cutting-edge spyware to use against opponents? An already shadowy world is getting darker, and answers are becoming harder to come by.