Spyware Investigations: Inside the Digital Frontline
Spyware investigations are now the primary defense for journalists and activists facing sophisticated government-led hacking. As cyberattacks from groups like NSO Group and Intellexa rise, organizations like Access Now’s Digital Security Helpline provide 24/7 technical support and incident response. This article explores how these digital first responders detect mercenary malware, protect high-risk targets in countries like Mexico and Greece, and help victims navigate the terrifying reality of state-sponsored surveillance in 2025.
The Rise of State-Sponsored Spyware Investigations
For over a decade, the landscape of global surveillance has shifted from traditional wiretapping to invisible, "zero-click" mobile intrusions. Governments in nations ranging from Hungary and India to Ethiopia and the UAE have increasingly deployed high-end mercenary spyware to silence dissent. These tools don't just steal emails; they turn a victim's phone into a 24/7 tracking device, capable of activating microphones and cameras without a trace. Because these attacks often precede real-world violence, harassment, or even assassination, the need for rapid-response spyware investigations has become a matter of life and death for members of the free press and human rights defenders.
Access Now: The Global Hub for Digital Security
At the heart of this shadow war is a dedicated team of a dozen digital security experts operating under the banner of Access Now. While headquartered in New York, the team is strategically decentralized, with investigators stationed in Costa Rica, Manila, and Tunisia to ensure global coverage. This group manages the Digital Security Helpline, a specialized unit designed to be the first point of contact for anyone suspecting a compromise. By maintaining a 24/7 presence, they ensure that a journalist in a high-risk zone can receive technical guidance the moment a suspicious link appears or a device begins behaving erratically, bridging the gap between technical vulnerability and physical safety.
Navigating Modern Spyware Detection and Response
The core mission of these investigators is to offer a specialized shield against "mercenary spyware"—software developed by private companies like NSO Group, Intellexa, or Paragon and sold to government clients. Hassen Selmi, the lead of the incident response team at the Helpline, notes that the service is designed to be a comprehensive safety net for civil society. When a user reaches out, the team conducts a deep-dive forensic analysis to determine if a breach has occurred. This process is grueling and technical, as modern spyware is designed to self-destruct or hide deep within a phone’s operating system, making professional spyware investigations the only way to confirm an intrusion with certainty.
Why the Digital Security Helpline is a Frontline Resource
The importance of the Helpline cannot be overstated in an era where cyber-threats are becoming more democratized and harder to track. Bill Marczak, a senior researcher at the University of Toronto’s Citizen Lab—one of the world's most respected authorities on digital surveillance—describes Access Now as a "frontline resource." While research labs often focus on the macro-trends of state hacking, the Helpline focuses on the human element. They provide the immediate, hands-on support required to stabilize a victim’s digital life, ensuring that the evidence of the hack is preserved while the user’s sensitive data and contacts are immediately moved to a secure environment.
Apple Threat Notifications and the Investigation Funnel
In recent years, the visibility of these attacks has increased thanks to "threat notifications" from tech giants like Apple. When the iPhone maker detects that a user has been targeted by state-sponsored attackers, it triggers an automated alert to the victim. However, receiving such a notification can be a traumatizing and confusing experience for a non-technical person. To address this, Apple has long directed these high-risk users to Access Now’s investigators. This partnership has turned the Helpline into a critical funnel, transforming a vague automated warning into a comprehensive spyware investigation that helps the victim understand exactly what happened and how to move forward.
The Human Impact of Professional Incident Response
Beyond the technical forensics, the work of the Helpline is deeply psychological. Hassen Selmi highlights that the first step in an investigation is often simply explaining the situation to a panicked user. Victims often feel a profound sense of violation, knowing that their private conversations and locations have been monitored by powerful state actors. Having a human expert who can walk them through the technicalities—explaining how the spyware works and what it likely accessed—provides a sense of agency in an otherwise helpless situation. These investigations serve as both a technical audit and a form of digital crisis counseling, helping activists regain their footing.
Forensics in the Era of Zero-Click Exploits
The technical challenge facing investigators in 2025 is the prevalence of "zero-click" exploits, which require no interaction from the user to infect a device. This makes traditional advice, like "don't click on suspicious links," virtually obsolete for high-risk targets. In these cases, spyware investigations involve analyzing system logs and network traffic to find the minute footprints left behind by the malware. The Access Now team stays ahead of the curve by collaborating with a global network of researchers, ensuring they have the latest signatures for the world’s most elusive surveillance tools. Having those signatures is essential for protecting the integrity of democratic movements worldwide.
Combating the Global Trade of Mercenary Malware
The work of investigating these hacks also feeds into a larger effort to hold spyware companies accountable. Every confirmed case of an NSO Group or Intellexa infection provides data that can be used in legal challenges, policy advocacy, and international sanctions. By documenting the misuse of these tools against journalists and dissidents, the Digital Security Helpline helps build the evidence base needed to prove that mercenary spyware is frequently used for human rights abuses rather than for its stated goal of fighting terrorism or crime. Each investigation is a brick in the wall being built to regulate an industry that has operated in the shadows for far too long.
Supporting Vulnerable Communities in Hostile Environments
The geographic diversity of the Access Now team is a deliberate strategy to support users in various cultural and political contexts. Whether it’s an activist in Mexico or a human rights lawyer in Greece, the team provides localized understanding that is crucial during a crisis. These investigators understand the specific threats posed by local police and intelligence agencies, allowing them to tailor their security advice to the specific risks of the region. This localized expertise ensures that spyware investigations are not just technically accurate, but also culturally and politically relevant to the person whose life may be at risk.
The Future of Digital Protection for Civil Society
Looking ahead, the battle between state-sponsored hackers and digital defenders is only intensifying. As spyware becomes more affordable and accessible to more regimes, the demand for expert investigations will continue to outpace the available resources. Organizations like Access Now are continuously scaling their operations, seeking to automate some parts of the detection process while maintaining the high-touch human interaction that defines their service. The goal is to create a world where no journalist or activist has to face a government-backed cyberattack alone, ensuring that the "digital frontline" remains manned by experts committed to the freedom of information.
How to Seek Help and Stay Digitally Resilient
For those working in high-risk professions, the advice from the frontline is clear: vigilance is key, but professional support is a necessity. If you receive a threat notification or notice suspicious activity on your device, reaching out to a verified spyware investigation team is the most important step you can take. While the threats are sophisticated, the global community of digital defenders is more connected than ever. By utilizing resources like the Digital Security Helpline, individuals can turn a moment of extreme vulnerability into a coordinated defense, protecting not just their own data, but the vital work they do for society at large.