Bright blue fiber optic cables radiating outward against a dark background, suggesting digital communications infrastructure.

TL;DR: A handful of Israeli companies (NSO Group, Cellebrite, Paragon, Candiru, the now-dead QuaDream, Intellexa-adjacent firms) sit at the center of the global commercial spyware industry. That is not a slur. It is documented by Citizen Lab, Amnesty Tech, the Pegasus Project consortium, the Israeli State Comptroller, and US Commerce Department sanctions. There are real structural reasons for it: mandatory military service, the Unit 8200 alumni pipeline, light export-licensing oversight at the Defense Export Control Agency, and successive governments using spyware exports as diplomatic currency. Every one of those facts is a criticism of decisions made by specific officials in specific governments, most aggressively the current Netanyahu coalition. None of it is a criticism of "Israelis" as a group, and none of it is a criticism of Jews anywhere. This piece walks the line: ruthlessly clear about the surveillance story, equally clear about where legitimate criticism ends and bigotry begins.

A Note Before We Start

This article is about surveillance technology. That is our beat. It is not about whether Israel should exist, about the 1948 founding, about the West Bank, about Zionism as an ideology, or about who should run the place. Reasonable people disagree, sometimes furiously, on all of that. None of it is what we cover.

We cover Pegasus on a journalist's phone. We cover Cellebrite plugged into a phone at a US border. We cover an AI targeting system that human operators rubber-stamp in 20 seconds. We cover export licenses signed by ministers. That is a narrower lens, and we are going to stay inside it.

The reason this article exists at all is that the surveillance story keeps getting collapsed into things it is not, either by people who want to use real Israeli surveillance abuses as cover to attack Jews generally, or by people who want to wave away documented surveillance abuses because criticism makes them uncomfortable. Both moves get in the way of seeing what is actually happening. So we are going to name the actual actors, the actual contracts, the actual reports, and the actual political decisions behind them.

The Companies, Without the Polemic

Six names do most of the work in this story. Get them straight and the rest follows.

  • NSO Group. Makes Pegasus, the zero-click smartphone implant. A leaked target list surfaced in 2021 with 50,000 phone numbers, including roughly 180 journalists across 20 countries, hundreds of politicians, human rights defenders, and heads of state [1]. Placed on the US Commerce Department's Entity List in November 2021 for enabling "transnational repression" [2]. Lost a $167 million jury verdict to WhatsApp/Meta in 2025 (since reduced on appeal). Sold to a US investor group led by Hollywood producer Robert Simonds in October 2025, but operations remain in Israel under Defense Ministry oversight [3].
  • Cellebrite. Sells the Universal Forensic Extraction Device (UFED), the box law enforcement uses to crack into smartphones. Federal contracts keep expanding: ICE and Homeland Security Investigations are pursuing a five-year indefinite-delivery indefinite-quantity contract with a $100 million ceiling [4]. Used by police in 150+ countries.
  • Paragon Solutions. Makes Graphite, a Pegasus competitor. Citizen Lab confirmed forensic infection of journalists including Italy's Ciro Pellegrino, and the Italian government admitted using it against two activists. Apple patched the underlying zero-click vulnerability (CVE-2025-43200) in iOS 18.3.1 [5].
  • Candiru. Another Israeli zero-day spyware vendor. Sanctioned alongside NSO by the US in November 2021 [2].
  • QuaDream. Sold the REIGN spyware to governments including Hungary, the UAE, Mexico, and Singapore. Shut down in April 2023 within days of coordinated reports from Citizen Lab and Microsoft Threat Intelligence exposing its operations [6].
  • Intellexa / Cytrox / Passitora. A surveillance "alliance" founded by former Israeli military intelligence commander Tal Dilian, operating through Cyprus and other jurisdictions. Sells the Predator spyware. Convictions secured in Greece's "Predatorgate" scandal. A 2024 joint Haaretz and Amnesty International investigation traced Israeli surveillance technology and spyware sales to Indonesia (a country with which Israel has no diplomatic relations) and other markets [7].

These are not random Israeli companies. They cluster. They share founders, employees, investors, and exit routes. They almost all trace back through one institution.

Unit 8200, Without the Mystique

Unit 8200 is the Israeli military's signals intelligence corps. Roughly the size and remit of an NSA division, sitting inside a country with mandatory military service and a population smaller than New Jersey. If you are a smart 18-year-old who tests well on math and computer science in Israel, the army actively recruits you into 8200. You serve, typically, three to five years. You learn cryptography, network exploitation, mobile platform internals, and operational tradecraft, at a level and on a scale that almost no civilian education provides anywhere.

Then you get out, around age 22 or 23, with a security clearance, a peer network of similarly trained engineers, and zero student debt. The companies above were largely founded by people who walked exactly that path. NSO's Shalev Hulio. Cellebrite's earliest engineering benches. Candiru's founding team. The Intellexa orbit. This is not a conspiracy. It is a labor pipeline, and it is on the public record [8].

The reason it matters for the surveillance story is structural:

  • The same skill set that intercepts a foreign militant's WhatsApp messages is the skill set that intercepts a Mexican journalist's WhatsApp messages.
  • The Israeli state has historically treated the cyber-industrial sector as a strategic asset: economically (this is roughly 15% of GDP), militarily (the IDF benefits from staying close to private R&D), and diplomatically (more on that below).
  • Civilian-product exports go through the Defense Ministry's Defense Export Controls Agency (DECA), which means the government is the licensor of the global spyware trade for these vendors.

This last part is the one most people miss. NSO does not sell Pegasus to Saudi Arabia without a Defense Ministry permission slip. Cellebrite does not sell UFED to a foreign police force without one either. The licensing is the policy lever. The licensing is where politicians have agency. The licensing is what is being criticized when serious journalists criticize "Israeli surveillance exports."

The Diplomacy Layer: Spyware as Soft Power

Here is the part that makes the surveillance story a foreign-policy story. Reporting from the New York Times, Haaretz, and Middle East Eye established that during the Netanyahu governments, Pegasus license approvals tracked (sometimes nearly one-for-one) with countries Israel was trying to warm relations with [9].

  • Nearly every Arab state that signed onto the 2020 Abraham Accords (UAE, Bahrain, Morocco) had Pegasus or got it.
  • Saudi Arabia's Pegasus license was reportedly renewed after a direct call from Crown Prince Mohammed bin Salman to Netanyahu, in exchange for opening Saudi airspace to Israeli aviation. NSO had initially refused. Netanyahu reportedly pressured the company [9].
  • Mexico, Hungary, Poland, India: Pegasus sales correlated with diplomatic warming.

That is what people mean when they talk about "Pegasus diplomacy." It is a specific accusation about specific decisions made by a specific prime minister and specific defense ministers. It is not an accusation about Israeli citizens, who in many cases were horrified to read about it in their own newspapers.

The Domestic Scandal Israelis Investigated Themselves

One of the loudest critics of how Pegasus has been deployed is the Israeli government, auditing the Israeli government. In 2022, the Israeli business paper Calcalist reported that Israel's own police had used Pegasus against Israeli citizens, including protest organizers, mayors, and the son of then-Prime Minister Netanyahu, with no warrants. State Comptroller Matanyahu Englman opened a formal audit [10].

His final report, completed in 2023 and made public afterward, called the police's conduct between 2015 and 2021 "prohibited, serious, and offensive." It found Pegasus had been used "hundreds of times without legal review and approval." It found procedures had been bypassed, sometimes manually, "neutralizing technological safeguards" [10].

The Association for Civil Rights in Israel (ACRI), sometimes called the ACLU of Israel, has been petitioning the Israeli courts for years against police surveillance practices, against Pegasus deployment in Palestinian territories, and against facial-recognition rollouts at checkpoints [11]. Haaretz has run a continuous investigative beat on the surveillance export industry for the better part of a decade. +972 Magazine and Local Call, both Israeli outlets, broke the Lavender and "Where's Daddy?" stories about Gaza targeting [12].

This matters because it is the answer to a question worth asking out loud: if the Israeli surveillance industry is a problem, why aren't Israelis upset about it? Many of them are. The people doing the most rigorous reporting on this beat are Israeli journalists. The people filing the lawsuits are Israeli lawyers. The institution that issued the most damning audit of Pegasus misuse is an Israeli statutory body. Pretending those voices do not exist is its own form of erasure.

The Gaza Targeting Story, Handled Carefully

In April 2024, +972 and Local Call published an investigation by Israeli journalist Yuval Abraham detailing two AI systems used by the IDF in Gaza: "Lavender," which generated a database of 37,000 Palestinian men flagged as suspected Hamas or PIJ operatives, and "Where's Daddy?," which tracked them to their homes [12]. According to the reporting, sourced to six Israeli intelligence officers, human reviewers spent on average 20 seconds approving each Lavender target, essentially confirming the target was male. The system was understood internally to be wrong roughly 10% of the time.

That is a surveillance story. It is also a story about military targeting, civilian deaths, and the ethics of automated kill lists. We are not equipped to litigate the law of armed conflict here. What we can say, on our beat: when a state builds a population-scale identification and tracking system and then routes its outputs to lethal strikes with seconds of human review, the surveillance infrastructure itself is doing moral work that surveillance infrastructure should not do. That is true whether the operator is the IDF, the US military, the Russian military, or any other.

The reporting is contested. The IDF has denied parts of the characterization. The journalists stand by it. The Guardian, the Washington Post, and Democracy Now! have all confirmed and republished significant portions. Take it as serious, ongoing, contested investigative reporting: not as settled fact, but not as fringe either.

One thing that should not need saying but does: the human stakes here are real on every side. Israeli hostages still being held. Palestinian civilians killed in numbers that should stop anyone who is paying attention. Displaced people from communities that no longer exist. None of that is abstract, and a surveillance-policy article is not the place to settle any of it. But pretending the people on the wrong end of these systems are not people is its own failure, and we are not going to do that either.

Where Legitimate Criticism Ends and Antisemitism Begins

This is the part most coverage skips, so we are not going to.

Legitimate criticism of Israeli surveillance policy looks like this:

  • "The Israeli Ministry of Defense approved an export license to a country with a record of targeting journalists. That was a bad decision and the minister who signed it should answer for it."
  • "NSO Group's corporate structure makes accountability difficult, and the Israeli government's protection of NSO during diplomatic disputes is documented in court filings."
  • "Cellebrite's contracts with ICE enable warrantless device searches at the US border. That is a problem regardless of where Cellebrite is headquartered."
  • "The Israeli State Comptroller found the Israeli police used Pegasus illegally hundreds of times. Accountability has been thin."
  • "The Lavender system, as reported by +972 and Local Call, raises serious questions about the use of automated targeting."

Each of those sentences names a decision-maker, a decision, or a documented finding. Each is falsifiable. Each could appear in Haaretz tomorrow morning, and often does.

Antisemitism dressed up as criticism looks different. The warning signs, drawn from both the IHRA Working Definition and the Jerusalem Declaration on Antisemitism (two reference documents that disagree on edge cases but overlap on the core) [13][14]:

  • Dual-loyalty framing. Asking whether American Jews, or Jewish employees at tech companies, are "really" loyal to the US versus Israel. This is a centuries-old smear and the Israeli government's actions do not change that [15].
  • Collective guilt. Holding "the Jews" or "Jewish people" responsible for decisions made by an Israeli prime minister, defense minister, or military commander. Holding every Israeli citizen responsible for those decisions. Most Israelis did not vote for the current coalition. Many actively oppose it. Even most who do vote for the governing parties are not personally responsible for NSO licensing decisions.
  • Conspiracy framing. "The Jews control the surveillance industry." No. A specific group of Israeli companies, founded by a specific population of Unit 8200 alumni, licensed by a specific government ministry, dominates a specific market segment. That is a sociological and policy fact. Substituting "Jews" for that specific chain of actors is bigotry and also just wrong.
  • The "Zionists" slippage. Watch for arguments that start about "the Israeli government," slide into "Zionists," and end up about "Jews" (often within the same paragraph). That slippage is the tell.
  • The uniqueness fallacy. Treating Israel as uniquely irredeemable on surveillance while ignoring comparable behavior by other states. The US sells surveillance technology globally. The UK, France, Germany, Italy, and China all export spyware-adjacent capabilities. Russia and China run mass domestic surveillance regimes that dwarf anything Israel does at home. Singling out Israel as the only deserving target of criticism, when its behavior is comparable to peer states, is selective in a way that often (not always) reveals something other than principled concern.
  • Targeting Jewish institutions globally. Synagogues, Hillels, Jewish federations, kosher restaurants: these are not extensions of the Israeli Ministry of Defense. Treating them as such is bigotry.

The IHRA definition and the Jerusalem Declaration disagree about where exactly to draw certain lines, particularly around criticism of Zionism as an ideology, and around BDS-style advocacy [13][14]. Reasonable people, including reasonable Jewish people, disagree about those edges. We are not going to resolve that here. What we are saying is that the items in the list above are inside the overlapping core that both definitions, and most thoughtful observers on both sides of the IHRA-vs-JDA argument, would call out as antisemitic.

The Other Failure Mode: Denialism

It would be dishonest to write the section above without also writing this one.

There is a parallel failure that needs naming. When organized "pro-Israel" advocacy responds to documented surveillance abuses by:

  • Pretending Pegasus was not used to target Khashoggi's circle (it was, per Citizen Lab forensic analysis).
  • Pretending the Israeli police did not use Pegasus illegally against Israeli citizens (the Israeli State Comptroller found they did).
  • Pretending the Lavender reporting is fabricated (the journalists sourced it to six named-but-anonymized intelligence officers; the work has been republished by major Western outlets and partially corroborated).
  • Calling any journalist who covers this beat an antisemite, regardless of the substance of their reporting.

...that is also a failure mode. It makes honest accountability impossible. It actively damages the case for taking real antisemitism seriously, because it cries wolf and burns through credibility. And it protects the specific officials and specific companies whose decisions caused the documented harms.

Both moves (weaponizing surveillance abuses to attack Jews, and denying surveillance abuses to defend a government) share a structure. Both refuse to let the facts be the facts. Both make it harder for the next journalist, the next reservist who refuses orders, the next ACRI petition, the next Citizen Lab report to land cleanly.

What the Current Israeli Government Has Specifically Done

To be concrete about whose decisions we are actually criticizing:

  • At DECA's 16th annual conference in November 2025, the ministry announced it would "reduce policy constraints and streamline licensing timeframes," explicit policy to make exports easier, not harder [16].
  • The Defense Ministry approved the October 2025 sale of NSO Group to a US investor group, while retaining Israeli regulatory oversight, preserving the firm's ability to operate from Israel under the same licensing regime that critics have called too permissive for years [3].
  • Successive Netanyahu coalitions have lobbied the US Commerce Department to remove NSO from the Entity List [3].
  • The same coalitions presided over the Gulf normalization period during which Pegasus licensing tracked diplomatic outreach [9].

These are policy choices. They were made by named people in named offices. They can be reversed by future Israeli governments, and Israeli civil society is actively pushing for that.

How to Protect Yourself, Regardless of Who Made the Tool

The privacy advice does not change based on the nationality of the vendor. Pegasus, Graphite, Predator, FinFisher (German), and any future entrant all attack the same surfaces. If you are a journalist, a dissident, an activist, a lawyer with sensitive clients, or a senior corporate target:

  • Turn iOS Lockdown Mode on. Settings → Privacy & Security → Lockdown Mode. It breaks some functionality. It has measurably blunted several known mercenary-spyware exploit chains.
  • On Android, consider GrapheneOS on a Pixel device. Real hardening, not theater.
  • Reboot daily. Many implants are not persistent across reboots. This is cheap and helps.
  • Patch immediately. Citizen Lab's Paragon disclosure (CVE-2025-43200) was patched in iOS 18.3.1. The window between patch release and your install is the attacker's window.
  • Run Amnesty's Mobile Verification Toolkit (MVT) if you have reason to think you have been targeted. It is the same forensic tool used by the Pegasus Project [1].
  • Faraday bag for travel. Particularly when crossing borders where Cellebrite extractions are routine, including the US.
  • Use Signal with disappearing messages. E2E encryption does not stop endpoint compromise but it raises the cost.
  • If you are very high-risk: separate devices for sensitive work, no SIM linked to your real identity, and operational training. There are nonprofits that will help with this for free.

How to Talk About This Without Doing Harm

If you are a reader who finds this topic difficult to discuss because you fear sliding into bigotry, that is a good instinct, and the answer is not silence. The answer is precision:

  • Name the actor. "NSO Group sold Pegasus to Saudi Arabia after a call from the Crown Prince to the Prime Minister." Not: "Israel sold spyware." Be more specific than the polemic version.
  • Cite the source. "According to Citizen Lab" or "according to the Israeli State Comptroller" is doing work. Anonymous-Twitter-thread "according to" is not.
  • Distinguish the government from the population. "The current Israeli government has loosened export controls" is a sentence about a coalition. "Israelis approve of spyware exports" is a sentence about 9.7 million people, most of whom have no opinion on DECA licensing because they are busy living their lives.
  • Distinguish the population from the diaspora. Jewish people in your country, your city, your workplace are not Israeli government employees. They have no operational role in any of this. Treating them as if they do is a smear with a long ugly history.
  • Apply the same standard to other states. If you find yourself enraged about Israeli spyware exports and indifferent about American, Chinese, German, Italian, or Russian ones, ask yourself why.

None of this means muting the criticism. Some of the criticism in this article is harsh. It should be, the conduct is harsh. It does mean the criticism has to land where it belongs.

Where This Goes Next

The picture in 2026 is shifting. NSO under US ownership, but Israeli operations and licensing. Paragon expanding through European clients. Cellebrite locked into expanding US federal contracts. DECA explicitly loosening, not tightening, oversight. Lavender reporting that has prompted Israeli reservist refusal letters but no formal change in doctrine.

What we will keep doing on this site: reporting the surveillance angle, naming the specific officials and the specific contracts, linking to primary sources, and refusing to let either bigots or apologists collapse this story into something it is not.

The pipeline is real. The companies are named. The decisions have authors. The people targeted are people. None of those facts require us to be careless about who we are blaming.

Related Reading on This Site

References

  1. Forbidden Stories: About the Pegasus Project (2021 consortium investigation, 50,000 target numbers).
  2. Washington Post: US sanctions NSO Group over Pegasus spyware (November 3, 2021, Commerce Entity List addition).
  3. TechCrunch: NSO Group confirms acquisition by US investors (October 10, 2025).
  4. FedScoop: DHS units to re-up contract with Cellebrite (ICE contract figures, 2025).
  5. Citizen Lab: Graphite Caught: First Forensic Confirmation of Paragon's iOS Mercenary Spyware (June 2025).
  6. Citizen Lab: Sweet QuaDreams: A First Look at QuaDream's Exploits, Victims, and Customers (April 2023; URL remapped 2026-07-06 from old 2023/04 path that returned 404).
  7. Haaretz: Investigation: Israeli surveillance technology and spyware sold to Indonesia, Bangladesh, Sudan (May 2024).
  8. Background on Unit 8200's alumni network and civilian-sector pipeline (overview; consult primary reporting from Reuters, FT, and Haaretz for specifics).
  9. Haaretz: Netanyahu used NSO's Pegasus for diplomacy (February 2022); see also Middle East Eye on the MBS-Netanyahu call.
  10. CTech: Comptroller confirms Calcalist's findings on police use of spyware without approval ("prohibited, serious, and offensive").
  11. Association for Civil Rights in Israel: Surveillance Law work.
  12. +972 Magazine: 'Lavender': The AI machine directing Israel's bombing spree in Gaza by Yuval Abraham (April 2024).
  13. IHRA Working Definition of Antisemitism.
  14. Jerusalem Declaration on Antisemitism.
  15. AJC: Dual Loyalty entry in #TranslateHate.
  16. Defence Industry Europe: Israel sets defence export priorities and licensing reforms at DECA (November 2025).