Not One Government Has Been Convicted for Deploying Spyware on Its Own People

Key Takeaways

• Intellexa's founder was sentenced to eight years in prison for Greece's Predator spyware scandal. No government official has been charged.
• The EU's own PEGA inquiry found illegitimate spyware use in at least four member states. Its recommendations were non-binding, and the European Commission took no infringement action.
• At least 18 EU member states have been linked to commercial spyware purchases. The market is thriving, largely on public money.
• Every international institution with standing, including PACE, OHCHR, EDRi, and the European Parliament, has documented the problem and called for action. None of it has produced a single government conviction.

Government Spying Is the New Normal

Intellexa's founder Tal Dilian has just been convicted by a Greek court and sentenced to eight years in prison, and his response is to stand up and say he won't be a scapegoat, hinting rather strongly that the Mitsotakis government authorized everything his company did. The vendor is in the dock, the ministers who resigned over the scandal are at home, and the cover-up Dilian is alleging is more credible than the official account, because every single time this pattern has played out across Europe, the outcome has been the same.

The spying scandal at the center of this, sometimes called "Greek Watergate," involved the hacking of dozens of phones belonging to senior government ministers, opposition leaders, military officials, and journalists using Intellexa's Predator spyware.

Greece's national intelligence chief and a senior aide to Prime Minister Mitsotakis both resigned, while Dilian was convicted in February 2026 and is now appealing, saying he believes his conviction "could be part of a cover-up and even a crime" and that he's willing to share evidence with national and international regulators. No government officials have been charged so far.

The Scandal Pattern Repeats in Every Country That Looks

The European Parliament's PEGA committee spent over a year investigating. It interviewed more than 215 people, commissioned studies, and conducted fact-finding missions to Hungary, Spain, Greece, Cyprus, and Poland. What it found was illegitimate spyware use in at least four member states, Poland, Hungary, Greece, and Spain, with serious suspicions about Cyprus. Several governments cited national security to refuse comment entirely. Some provided no input at all.

Of course, those five aren't the full picture either. NSO Group itself confirmed to the PEGA committee that Pegasus was sold to at least 14 EU countries, and the number keeps growing. The broader list documented across the inquiry includes the Netherlands, Belgium, Germany, Malta, France, Ireland, Luxembourg, Italy, Austria, Bulgaria, Estonia, Lithuania, and Romania, some as confirmed purchasers, others as countries where spyware companies operated or export licenses were granted.

Italy is a good example of what that looks like in practice. Prosecutors confirmed that the phone of investigative journalist Francesco Cancellato was infected with Paragon's Graphite spyware, alongside two immigration activists, in what appears to have been a single coordinated campaign. The Italian government denied involvement, and the trail went cold.

When the committee concluded in May 2023, rapporteur Sophie In't Veld didn’t hold back: "Not one victim of spyware abuse has been awarded justice. Not one government has really been held accountable." PACE then urged five governments to investigate themselves, and, naturally, the investigations that followed were conducted by the same governments under investigation, which tells you roughly everything about how seriously this was taken.

The pattern extends well beyond the EU's borders, too. In December 2025, RSF revealed that Belarus had physically installed ResidentBat spyware on a journalist's phone during a KGB interrogation. Security forces observed the journalist's PIN entry, retrieved the device, and installed the spyware while the journalist was being questioned in another room.

In Brazil, a declassified Federal Police report confirmed that Bolsonaro's administration ran a "parallel ABIN" network that illegally surveilled RSF, judges, lawmakers, and others perceived as critics, with no judicial authorization whatsoever. And in the USA? Well, ICE is now deploying zero-click spyware under a $2 million Paragon contract, citing compliance with the exact executive order that originally caused the deployment to be paused.

The Market Thriving on Public Money and Zero Red Lines

Even though it may sound like something out of a spy thriller, the commercial spyware industry isn't a fringe operation run by rogue actors. It is a well-capitalized market with government clients, public procurement contracts, and prices that reflect how much states are willing to pay. 

According to EDRi's Spyware Document Pool, a single iPhone zero-click exploit runs between $5 and $7 million via brokers. Android exploits cost up to $5 million. WhatsApp and iMessage exploits run $3 to $5 million each.

In 2024, Google's Threat Analysis Group found that 20 of the 25 vulnerabilities discovered in Android and Gmail products had already been weaponized by spyware vendors before Google found them. The industry is simply buying vulnerabilities first and exploiting them while the rest of us are exposed.

Meanwhile, EU governments have consistently rejected binding legislation in favor of voluntary frameworks like the Pall Mall Process. The European Commission has argued that compliance is for member states to self-enforce, which, given that the member states are the ones buying the spyware, is a position that requires a certain commitment to pretending the problem doesn't exist.

The OHCHR warned in 2022 that tools like Pegasus could "affect the essence of the right to privacy." The UN Human Rights Council adopted its first resolution expressing concern over commercial spyware in October 2024. Three years after the warning, a non-binding resolution.

What "Accountability" Actually Looks Like

RSF's 2025 press freedom predators are distinguished by their increased use of technology to suppress journalism, and the direction of travel is clearly headed toward more sophisticated, more normalized, more legally insulated surveillance. RSF itself was targeted by a Callisto group cyberattack in March 2025, attributed to actors reportedly linked to Russia's FSB.

Yet, the infrastructure that makes state surveillance possible doesn't disappear when a scandal breaks. It only gets upgraded, and PACE, PEGA, OHCHR, and EDRi have all documented this problem in detail and issued calls for action. The response has been non-binding resolutions, voluntary frameworks, and one convicted vendor who is now claiming he was set up by the government that hired him.

Greece's conviction of Dilian is being reported as a landmark moment, the first criminal conviction of a spyware executive in the EU. And in a narrow sense, it is. In every other sense, it is a demonstration of how the accountability structure is designed to work: the vendor absorbs the legal consequence, and the state that commissioned the surveillance is left untouched.

EDRi's assessment of the broader situation is straightforward: "Victims lack effective remedies, and commercial vendors operate with complete impunity." The PEGA recommendations were not converted into binding law, and the European Commission declined to take infringement action against any member state. The committee's own rapporteur noted that the Commission is anxious to preserve relations with national governments and defers to them on self-compliance.

And so, the question of whether European institutions are willing to treat state surveillance as the crime it is, rather than as a governance embarrassment to be managed through committee reports, is one that those institutions have been answering consistently for four years. They just keep hoping nobody notices the answer.