Morning Overview

Report warns 100 nations now have access to military-grade phone spyware

When the head of the United Kingdom’s National Cyber Security Centre took the stage at CYBERUK 2026 this April, he did not mince words. Richard Horne, CEO of the NCSC, the defensive arm of Britain’s GCHQ intelligence agency, told attendees that commercial spyware capable of silently extracting data from a target’s phone has spread to roughly 100 countries, a figure that would have been unthinkable a decade ago when such tools were the exclusive province of a handful of major intelligence powers.

“The market for commercial cyber tools … is expanding the threat to the UK and our allies,” Horne said during his keynote address, warning that “hacking-as-a-service” vendors have lowered the technical barrier so sharply that governments with no homegrown cyber capability can now purchase turnkey phone-hacking operations. The speech marked the most senior on-the-record UK government statement to date linking the commercial spyware trade to a widening circle of state buyers.

A booming market with few guardrails

The NCSC had already laid the groundwork for Horne’s remarks in a detailed assessment on commercial cyber proliferation. That document draws a distinction between two categories of concern: “commercial spyware,” which lets a buyer silently harvest messages, photos, location data, and microphone audio from a target’s device, and “hacking-as-a-service,” a business model in which private vendors conduct intrusions on a client government’s behalf.

The assessment concludes that commercial spyware has already been deployed against journalists, political dissidents, and government officials “at scale,” a judgment the NCSC treats as a confirmed pattern rather than a collection of isolated incidents. For context, the agency’s analytic judgments are informed by classified intelligence, so the public cannot independently verify every underlying data point. But the conclusion aligns closely with years of forensic work by organizations outside government.

Canada’s Citizen Lab, based at the University of Toronto, has documented infections by NSO Group’s Pegasus spyware on the phones of dozens of named individuals across multiple continents. Amnesty International’s Security Lab provided independent forensic confirmation for the 2021 Pegasus Project, a collaborative investigation by more than 80 journalists that revealed how the tool had been used to target reporters, lawyers, and heads of state. Those case-by-case findings give granular, verifiable weight to the NCSC’s broader institutional warning.

Why the number keeps climbing

The commercial spyware industry markets its products as tools for combating terrorism and serious organized crime. NSO Group, the most prominent vendor, has repeatedly said Pegasus is sold only to vetted government clients for lawful purposes. But the documented record tells a different story. Forensic evidence has linked Pegasus infections to the phones of journalists in Mexico, Hungary, India, and Morocco, among other countries, as well as to members of the European Parliament and senior officials in Spain, France, and the UK itself.

That pattern of misuse has not slowed the market. New vendors have emerged to fill demand, and some operate from jurisdictions with minimal export oversight. The NCSC assessment notes that the barrier to entry for buyers has dropped: a government no longer needs to build a signals intelligence apparatus from scratch when it can simply license one.

The precise count of 100 nations carries important caveats. No publicly available NCSC document lists the specific countries that have acquired these tools, and no binding international framework currently tracks commercial spyware transfers with the rigor applied to conventional arms exports. Readers should treat the figure as a directional warning from a credible intelligence agency rather than a census-grade inventory. Still, even a conservative reading suggests the pool of governments capable of targeting an individual’s phone has expanded far beyond the traditional Five Eyes and their closest allies.

Policy responses are lagging behind

Governments have begun to respond, though slowly. In 2023, the United States added NSO Group and the lesser-known firm Candiru to its Commerce Department entity list, restricting American companies from supplying them with technology. The Biden administration also issued an executive order barring US government agencies from using commercial spyware that poses counterintelligence or security risks. A coalition of more than a dozen nations, including the UK, France, and Canada, signed a joint statement committing to curb the misuse of these tools.

In February 2024, the UK and France co-launched the Pall Mall Process, a diplomatic initiative aimed at establishing international guidelines for the responsible use of commercial cyber intrusion capabilities. As of April 2026, however, the process has not yet produced enforceable rules, and participation remains voluntary. No UN-level regulatory mechanism tracks spyware sales the way the Arms Trade Treaty covers conventional weapons.

That governance gap is central to the NCSC’s concern. Export controls exist in some seller countries, but enforcement is uneven, and the global nature of the market means a vendor blocked in one jurisdiction can relocate or restructure. The tension between the industry’s stated purpose and its documented effects remains unresolved.

What individuals at risk can do now

For people whose work or activism places them in the crosshairs of state surveillance, the NCSC’s warning carries a practical edge. The spread of commercial spyware means that a reporter covering corruption in a mid-sized country now faces potential targeting by tools once reserved for tracking high-value terrorism suspects.

Security researchers recommend several immediate steps: keep device operating systems and apps updated, since many spyware exploits target known vulnerabilities that patches have already fixed; use end-to-end encrypted messaging apps for sensitive communications; and enable the lockdown modes offered by Apple and Google, which restrict device functionality but significantly shrink the attack surface. None of these measures guarantee protection against a zero-click exploit deployed by a well-funded operator, but they raise the cost of an attack and reduce the odds of a successful compromise.

The NCSC’s reporting portal also provides a channel for individuals and organizations in the UK to report suspected compromises, feeding information back into the agency’s threat tracking.

Horne’s message at CYBERUK 2026 was blunt: the commercial spyware market is growing faster than the rules designed to contain it. Whether governments can close that gap before the next wave of vendors enters the market may determine how many more journalists, activists, and diplomats find their most private communications in someone else’s hands.

*This article was researched with the help of AI, with human editors creating the final content.