Predaxia Research

Surveillance Tools Open Database

Mercenary spyware, mobile forensics, network surveillance. Documented vendors, sourced victims, traceable sanctions. No speculation, no advocacy, no affiliation.

35Tools tracked
19Vendor countries
200+Documented victims
8Active OFAC sanctions
Last updatedMay 2026Maintained byPredaxia ResearchLicenseFree to cite with attribution

Where the industry is based

Vendor concentration. Israel hosts eleven of the 35 tracked tools. The United States, Western Europe and China account for most of the remainder. Hover any marker for details.

Israel11 vendors
North Macedonia1 vendor
Italy2 vendors
United Kingdom1 vendor
Germany1 vendor
Spain1 vendor
Hungary1 vendor
Ireland1 vendor
Greece1 vendor
United States8 vendors
Canada1 vendor
Sweden1 vendor
Russia1 vendor
France2 vendors
China2 vendors
Japan1 vendor
Poland1 vendor
UAE1 vendor
South Africa1 vendor

Why this database exists

Citizen Lab publishes individual forensic reports. Amnesty Security Lab tracks specific vendors. Forbidden Stories led the Pegasus Project. Each effort is essential, but no single resource maps the commercial surveillance industry as a whole, with consistent confidence scoring and cross-vendor comparison.

This database is that resource. Every entry is sourced to court documents, Treasury sanctions, peer-reviewed forensic research, or multi-source investigative reporting. Every claim that cannot be verified through these channels is explicitly marked. Predaxia takes no position on national security policy. The mission is documentation, not advocacy.

Tier S, Mercenary spyware and mobile forensics

Pegasus

5

NSO Group · Israel

Mercenary spyware deployed by 14+ governments against journalists, activists and dissidents. Zero-click iOS and Android exploitation.

ActiveUS Entity ListCourt ruling 2024

Predator

5

Intellexa Consortium · North Macedonia / Israel

Mercenary spyware run by a sanctioned web of shell companies. Used against journalists, MEPs, US lawmakers and human rights defenders.

ActiveOFAC sanctions 2024

Cellebrite UFED

5

Cellebrite DI · Israel

Mobile forensics suite used by 2,800+ US government agencies. Capabilities documented through 2024 leaks and Marines contract disclosure.

Active2024 leak confirmed

Paragon Graphite

5

Paragon Solutions · Israel / US

Spyware focused on encrypted messaging apps. WhatsApp notified ~90 targets in 2025. Italian prosecutors confirmed forensic infection of journalists.

ActiveAE Industrial 2024Italy 2026

QuaDream / Reign

5

QuaDream Ltd · Israel

iOS zero-click spyware (ENDOFDAYS exploit) using invisible iCloud calendar invites. Operators identified in 10 countries before company shutdown.

Defunct 2023

Candiru / DevilsTongue

5

Candiru Ltd · Israel

Windows spyware capable of decrypting Signal messages and stealing browser data. Used in CatalanGate, Hungary TISZA party, and 100+ documented victims.

ActiveUS Entity List

Hermit

4

RCS Lab / Cy4Gate · Italy

Modular Android and iOS spyware deployed in Kazakhstan and Italy. Disclosed by Google TAG and Lookout. Distributed with help from victim ISPs.

ActiveCy4Gate 2022

FinSpy / FinFisher

4

Gamma Group · UK / Germany

Long-running surveillance suite. Customers included Egypt, Bahrain, Bangladesh, Ethiopia, Saudi Arabia. Company filed insolvency in 2022 after German prosecution.

Insolvent 2022UK court 2024

Heliconia

3

Variston IT · Spain

Browser exploitation framework targeting Chrome, Firefox and Defender. Disclosed by Google TAG. Company shutting down in 2024.

Defunct 2024

Operation Triangulation

3

Unattributed · Disclosed by Kaspersky

iOS zero-click chain (CVE-2023-32434, CVE-2023-32435, CVE-2023-38606) deployed against Kaspersky Lab employees. One of the most sophisticated iOS attacks ever publicly documented.

Patched 2023

Memento Labs

5

Memento Labs (ex-Hacking Team) · Italy

Italian mercenary spyware vendor (RCS Galileo, Da Vinci). 2015 internal leak exposed contracts with Sudan, Ethiopia, Saudi Arabia, UAE, Mexico and others. Rebranded 2019 after InTheCyber acquisition.

Active (rebranded)2015 internal leakCitizen Lab forensic

DarkMatter / Project Raven

5

DarkMatter Group · United Arab Emirates

UAE state-aligned cyber operation exposed by Reuters in January 2019. Karma iOS zero-click used against Ahmed Mansoor, Rori Donaghy and US citizens. DOJ deferred prosecution agreement 2021.

Active (rebranded)Project Raven 2019DOJ DPA 2021

Toka

3

Toka Cyber · Israel

Israeli IoT-exploitation vendor founded by former PM Ehud Barak and ex-IDF Cyber Command head Yaron Rosen. Smart cameras, connected vehicles, smart home. Forbes investigations 2021-2022.

ActiveForbes disclosureEhud Barak co-founder

Tier A, Mobile forensics and network surveillance

GrayKey

5

Magnet Forensics · United States

Mobile passcode-bypass appliance used by US federal agencies and Five Eyes partners. Acquired by Magnet Forensics in March 2024.

ActiveMagnet acquisition 2024

MSAB XRY

4

Micro Systemation AB · Sweden

Mobile forensics suite documented in Belarus, Bangladesh and Myanmar deployments. Voluntary export suspensions since 2021.

ActiveRussia exit 2022

Magnet AXIOM

3

Magnet Forensics · Canada

Computer, mobile and cloud forensics platform. Taken private by Thoma Bravo in 2023. Acquired Grayshift in March 2024.

ActiveThoma Bravo 2023Grayshift 2024

Oxygen Forensic Detective

3

Oxygen Forensics · United States

Mobile and cloud forensics with strong social-media and IoT acquisition. Russian origin, US headquartered since 2015.

ActiveRussian roots

ElcomSoft

3

ElcomSoft Co. Ltd. · Russia

Long-standing Russian password-recovery and forensics vendor. Subject to the Sklyarov v. United States DMCA case in 2001.

ActiveEU Russia sanctions context

Sandvine PacketLogic

4

Sandvine · United States

Carrier-grade Deep Packet Inspection platform used by Egyptian operators to inject Predator spyware. Added to US Entity List February 2024.

ActiveUS Entity List 2024

Cognyte

4

Cognyte Software · Israel

Communications-intelligence and OSINT platform spun off from Verint in 2021. Named in the Meta Surveillance-for-Hire report.

ActiveMeta report 2021

Amesys / Eagle

4

Amesys / Nexa Technologies · France

French mass-surveillance vendor. Sold the Eagle system to Libya (2007-2011) and Cerebro to Egypt. Executives indicted in 2021.

ActiveFrench indictments 2021

Tier B, Facial recognition and biometrics

Tier C, Signals interception and IMSI

Tier D, Predictive analytics and OSINT

Palantir Gotham

4

Palantir Technologies · United States

Data-integration platform for intelligence and law-enforcement. ICE FALCON, US Army TITAN, UK NHS FDP. LAPD predictive policing terminated 2020.

ActiveICE FALCON deploymentNasdaq listing 2020

Voyager Labs

3

Voyager Labs · Israel

Social-media OSINT analytics. NYPD secret contract disclosed by Brennan and NYCLU 2021. Meta lawsuit filed January 2023 (CFAA, fake accounts).

ActiveMeta lawsuit 2023

Cobwebs Technologies

4

Cobwebs (PenLink) · Israel

Israeli OSINT and social-media monitoring vendor. ICE, NYPD, FBI customers per Brennan and NYCLU. Named in Meta Surveillance-for-Hire report 2021. Acquired by PenLink January 2023.

ActiveMeta report 2021PenLink acquisition 2023

Babel Street (Locate X)

4

Babel Street · United States

US commercial mobile-location intelligence vendor. DHS, IRS, ICE, US Marines customers without warrants per Wall Street Journal. ACLU and EFF litigation ongoing.

ActiveACLU litigationDHS / ICE contracts

Maltego

3

Maltego (ex-Paterva) · South Africa / Germany

Graph-based OSINT platform founded in Pretoria 2007 by Roelof Temmingh. Dual-use: heavy presence in investigative journalism (Bellingcat, OCCRP, ICIJ) and government forensics.

ActivePaterva founding 2007

ShotSpotter / SoundThinking

3

SoundThinking · United States

Acoustic surveillance via city-mounted sensor arrays. MacArthur Justice Center 2021: 89% false-positive rate in Chicago. Adam Toledo case 2021. Atlanta, Chicago and Charlotte terminated contracts.

ActiveMacArthur Justice report 2021Multiple city terminations

[ STDB :: INTAKE ]

Contribute

Submit a contribution

Spotted a missing tool, vendor change, court ruling, sanctions update, or factual correction. Every signal is reviewed against the same evidentiary standards as existing entries. Confidential channels available for sensitive material: Signal contact and Tor-based intake on request.

Open secure intake →

Confidence Score methodology

Each entry receives a 1 to 5 score reflecting the strength of public documentation behind it. The score is a measure of evidence, not severity.

  • 5/5Government or judicial sources, plus Citizen Lab or Amnesty Security Lab forensic confirmation, plus multi-source investigative reporting.
  • 4/5Citizen Lab or Amnesty Security Lab confirmation plus two or more independent press sources.
  • 3/5One reference source supplemented by press reporting.
  • 2/5Press-only documentation, multi-source convergent.
  • 1/5Single press leak, unverified attribution, contested claims.

Read full methodology

Contribute or correct

Predaxia Research welcomes corrections, new sources, and additions. Contributions are reviewed against the same evidentiary standards as the existing entries.

Submit a correctionView methodology

This database is maintained for journalists, lawyers, NGO researchers, security professionals and at-risk individuals. It does not constitute legal advice, threat intelligence subscription, or attribution by Predaxia. All sources are linked. All claims are marked by confidence level. Cite with attribution: Predaxia Research, Surveillance Tools Open Database, predaxia.com/surveillance-tools/.