The Mythical Beasts project addresses a meaningful gap in contemporary public analysis on spyware proliferation, pulling back the curtain on the connections between 435 entities across forty-two countries in the global spyware market. These vendors exist in a web of relationships with investors, holding companies, partners, and individuals often domiciled in different jurisdictions.
This dataset represents a meaningful sample of the market for spyware vendors, but it is not a complete record and this report can only speak to trends and patterns within this data, not the market as a whole. The data is confined to entities for which there is a public record (i.e. registered businesses) and for which public information links the vendor to the development or sale of spyware or its components.
To develop a list of vendors, the authors started by creating an initial “most visible” list of those with the widest public exposure from the use of their wares, relying principally on public reporting from Amnesty International, Citizen Lab, and the Carnegie Endowment for International Peace, as well as public reporting from a variety of news outlets. This initial set of vendors was the starting point for searching public corporate registries and a mix of public and private-sector corporate databases to profile each company in greater depth and find additional connections.
All the vendors identified through this process were included if they 1) publicly advertised products or services that matched the above definition of spyware, 2) were described as selling the same products by public reporting in the media or by civil society researchers, or 3) showed evidence of the products through court records, leaks, or similar internal documentation. As part of this search process, the team gathered records on subsidiaries and branches associated with each vendor, their publicly disclosed investors, and, where possible, named suppliers.
Each entity identified in this process was identified by at least two different open sources. In all cases for which data is available, the dataset includes vendor activities from the start of operation until 2023, or until records indicate that the vendor’s registration had ceased in a jurisdiction. The sources of public information on both firms’ activities and their organization varied but largely stemmed from different forms of corporate registration, records, and transaction data.