For more than a decade, sophisticated government spyware has been used to break into the phones of journalists and human rights activists across multiple regions, turning everyday devices into surveillance tools. Victims have described not only the fear of unseen monitoring, but also the real-world intimidation and harassment that can follow when private communications are exposed.
A small nonprofit team at the center of spyware investigations
Around the world, governments have repeatedly been linked to spyware operations targeting civil society. Reporting has pointed to cases involving law enforcement and intelligence services in Ethiopia, Greece, Hungary, India, Mexico, Poland, Saudi Arabia, and the United Arab Emirates, among others, where high-end phone spyware has allegedly been used against journalists and activists. In extreme cases, some victims have faced violence, including incidents where targeted individuals were later murdered.
As these threats expanded, a specialized group of digital security experts emerged as a key point of support for people who suspect their devices have been compromised. The team—about a dozen people, mostly based in Costa Rica, Manila, and Tunisia, among other locations—works for the New York-headquartered nonprofit Access Now through its Digital Security Helpline. Their role is unusually practical: they help journalists, human rights defenders, and dissidents respond when they believe they have been hacked, including by “mercenary spyware” sold by companies such as NSO Group, Intellexa, and Paragon.
Why spyware victims need a rapid-response service
Spyware cases are difficult to verify from the outside. Modern mobile spyware can exploit vulnerabilities without user interaction, leaving little visible evidence. Many victims only learn they may be targeted after receiving a warning from a platform provider—or after noticing subtle anomalies that could have innocent explanations. That uncertainty can be destabilizing, particularly for people whose work already places them at risk.
Hassen Selmi, who leads the incident response team at Access Now’s helpline, described the service as a round-the-clock resource for civil society and journalists dealing with cybersecurity incidents. The aim is to offer help at the moment it is needed—before panic or confusion leads a victim to take steps that might worsen their exposure or destroy valuable forensic evidence.
In practice, the “human layer” matters as much as the technical one. Victims may be anxious, unfamiliar with digital forensics, or working under threat. They often need someone who can explain what a warning means, what actions are safe, and what actions could be risky. Selmi emphasized that having someone interpret a threat notification and walk a person through next steps can be a significant relief.
How Apple threat notifications funnel cases to Access Now
One reason the helpline has become so central is that Apple has, for years, directed users who receive “threat notification” alerts—warnings that they have been targeted by mercenary spyware—to Access Now’s investigators. Digital rights experts who have worked on spyware cases have argued that Apple’s approach is generally the right one, even if it can look, at a glance, like a trillion-dollar company passing responsibility to a small nonprofit team.
Selmi characterized Apple’s inclusion of Access Now in these notifications as a major milestone for the helpline. The referral pathway matters because it gives targeted individuals somewhere credible to turn immediately—especially when a victim does not know whether the warning is serious, what “mercenary spyware” means, or how to respond without compromising their personal safety.
The scale: about 1,000 suspected spyware cases a year
As spyware tools spread globally and awareness of the helpline has grown, the team’s workload has expanded. Selmi and his colleagues now review about 1,000 cases of suspected government spyware attacks per year. Mohammed Al-Maskati, the helpline’s director, said that roughly half of those reports become full investigations, and only about 5% of the investigated cases—around 25—result in a confirmed spyware infection.
The numbers highlight two realities at once:
- Spyware targeting is widespread enough that many people fear they may be victims, especially in higher-risk fields like journalism and human rights work.
- Confirmation is hard, and not every suspicion turns out to be a verified compromise, even when fear is understandable.
Selmi noted that back in 2014, when he began doing this work, Access Now was investigating around 20 suspected spyware cases per month—far fewer than today’s volume.
A lean global operation built around time zones
Despite the increase in requests, the helpline’s staffing has not grown dramatically. Selmi said that in the earlier years there were three or four people working in each key time zone—Costa Rica, Manila, and Tunisia—so someone could be online throughout the day. The team remains relatively small today, with fewer than 15 people working for the helpline.
Because spyware cases tend to cluster in specific regions, the helpline has expanded its presence where demand is highest. Selmi said the organization now has more staff in Europe, the Middle East, North Africa, and the sub-Saharan region, reflecting where spyware investigations frequently originate.
Why case volumes are rising
Selmi attributed the increase in suspected spyware reports to several factors:
- Greater visibility: as the helpline becomes better known, more people reach out.
- Spyware’s global expansion: as government spyware becomes more available, potential abuse increases.
- Outreach to at-risk communities: proactive engagement can uncover cases that might not otherwise be reported.
What happens when someone reports a suspected spyware hack
The helpline follows a structured process designed for both speed and care. When an individual contacts the team, investigators first acknowledge receipt, then check whether the person falls within Access Now’s mandate. The helpline is designed for civil society—people like journalists, activists, and dissidents—rather than, for example, business executives or lawmakers.
Triage and prioritization
After the initial screening, investigators assess the situation through triage. If a case is prioritized, the team asks targeted questions to determine what evidence might exist and how to collect it safely. For example, they may ask:
- Why the person believes they were targeted (especially when there was no platform notification).
- What device the person uses, which affects what data can be gathered and what analysis is feasible.
Remote checks, then deeper forensic analysis
Following an initial, limited device check conducted remotely over the internet, the team may request additional data for more comprehensive analysis. In some cases, that can include a full device backup, enabling investigators to examine artifacts for signs of intrusion.
Selmi explained that the helpline maintains defined processes for detecting known exploit types used over the last five years. In other words, when a particular hacking technique is documented in the wider security community, the helpline works to establish a repeatable method for checking whether that exploit’s fingerprints appear in a victim’s data. Selmi added that the team develops an understanding of what patterns look “normal” on a device—and what patterns appear suspicious.
Support that goes beyond technical forensics
A key part of the helpline’s work is communication. Access Now relies on handlers who manage contact with the person seeking help and who often speak the victim’s language. Those handlers can provide guidance on practical steps—such as whether it may be safer to switch to another device—and help victims think through precautions appropriate to their circumstances.
Selmi stressed that each case is different and that response work must account for personal context. A journalist’s needs may differ from a human rights defender’s, and cultural factors can shape how victims communicate, what risks they face, and what support is useful. Selmi argued that more research and more people—not only technical specialists—are needed to better serve victims dealing with the stress and complexity of spyware targeting.
Scaling help through CiviCERT
As spyware incidents have become more geographically dispersed, Access Now has also supported similar investigative teams in other regions by sharing documentation, expertise, and tools. Selmi said this work is organized through CiviCERT, a coalition and global network of organizations that assist civil society members who believe they may have been targeted with spyware.
Selmi said the network helps connect victims with people who can understand their local context and communicate in their language—an important factor when time is critical and victims may be under pressure. The goal is that, regardless of where someone lives, they can reach trained responders who can listen, advise, and, when possible, investigate.
The bigger picture: why this work matters
Spyware is not only a technical threat; it is also a pressure tool used against people who hold power to account. When a device is compromised, sources can be exposed, sensitive plans can be anticipated, and personal relationships can be mapped. Even the suspicion of infection can chill speech and disrupt reporting or advocacy.
The helpline’s annual figures also underline how rarely “possible targeting” turns out to be a “confirmed infection.” With only a small percentage of investigations resulting in confirmation, the work demands restraint and rigor: taking every report seriously without jumping to conclusions, and protecting victims’ safety and privacy throughout the process.
Conclusion
Access Now’s Digital Security Helpline operates as a rare 24/7, civil-society-focused incident response service for suspected government spyware attacks. By combining triage, forensic workflows, and victim-centered guidance—along with partnerships through CiviCERT—the team helps at-risk individuals navigate some of the most invasive digital threats in the modern world.
This article is based on reporting originally published by TechCrunch.
See the sources section below.
Sources
- TechCrunch
- https://www.vice.com/en/article/ethiopia-allegedly-used-spyware-against-us-based-journalists-again/
- https://www.bbc.com/news/articles/ced56p5l2wwo
- https://www.theguardian.com/world/2022/jan/28/hungarian-journalists-targeted-with-pegasus-spyware-to-sue-state
- https://www.washingtonpost.com/world/2023/10/31/india-phone-hacking-apple/
- https://www.theguardian.com/world/2022/oct/04/mexico-nso-spyware-journalists-human-rights-hacked-pegasus
- https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus
- https://www.vice.com/en/article/government-hackers-iphone-hacking-jailbreak-nso-group/
- https://www.nytimes.com/2018/12/02/world/middleeast/saudi-khashoggi-spyware-israel.html
- https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto
- http://accessnow.org/help/
- https://www.youtube.com/watch?v=Obk5T6kS0WY&t=292s
- https://www.civicert.org/