Mar 07, 2026 · 5 min read

Spyware Companies Now Exploit More Zero Days Than China and Russia Combined—Google Just Proved It

Google's threat intelligence team tracked 90 zero day vulnerabilities exploited in the wild in 2025. For the first time, private spyware makers outpaced every government on earth.

The Surveillance Industry Has a New Leader

Google's Threat Intelligence Group published its annual review of zero day exploitation on March 5, 2026, and it contains a historic shift. For the first time since Google began tracking this data, more zero day exploits were attributed to commercial surveillance vendors than to traditional state sponsored hacking groups.

Out of 42 zero days that Google was able to attribute to a specific actor, 15 came from commercial spyware companies like NSO Group, Intellexa, Negg Group, and Cy4Gate. Another 3 were classified as "likely" commercial surveillance vendor activity. State sponsored espionage groups, by comparison, accounted for 12, with 3 more labeled "likely" government backed.

In plain terms: the private companies that sell hacking tools to governments are now discovering and exploiting more software vulnerabilities than the governments themselves.

90 Zero Days in One Year

The total count for 2025 was 90 exploited zero day vulnerabilities, up from 78 in 2024 but below the 2023 peak of 100. While the year to year fluctuation suggests the trend is not consistently accelerating, the number remains strikingly high. Each of these 90 vulnerabilities represents a flaw that attackers found and weaponized before the software maker knew it existed.

Google itself was the second most targeted vendor with 11 zero days, behind only Microsoft. Apple followed with 8. But the more revealing pattern is not which companies were hit. It is who was doing the hitting.

Who Is Buying These Exploits

Commercial surveillance vendors operate in a legal gray zone. Companies like NSO Group and Intellexa sell their exploit capabilities to government agencies and law enforcement clients, ostensibly for lawful intelligence gathering and fighting crime. But the tools keep turning up on the phones of journalists, human rights activists, opposition politicians, and protest organizers.

The 2025 data shows this industry is growing, not shrinking, despite years of sanctions, lawsuits, and public outcry. NSO Group has been sanctioned by the United States since 2021. Intellexa's founders were sentenced to prison in Greece in early 2026. Yet the overall rate of commercial exploitation has climbed.

As Google's researchers noted, this reflects "a slow but sure movement" toward greater commercial exploitation. Shutting down one vendor has not stopped the market. New firms appear to fill the gap.

Enterprises Are the Primary Target

Nearly half of all 2025 zero days, 43 out of 90, targeted enterprise software and infrastructure. That is 48% of the total, up from 46% in 2024. The most targeted category was security and networking devices: firewalls, VPN appliances, and edge devices from companies like Cisco, Fortinet, Ivanti, and VMware.

There were 21 zero days targeting security and networking products alone. Another 14 hit edge devices like routers, switches, and gateways. The irony is hard to miss: the devices organizations deploy to protect their networks are the same ones attackers are most aggressively targeting.

China backed groups like UNC5221 and UNC3886 remained the most prolific state actors, focusing heavily on security appliances and edge devices. At least 7 of the 12 state attributed zero days came from Chinese groups, continuing a pattern of persistent access to strategic targets through network infrastructure.

North Korea Disappeared from the List

One striking data point in the 2025 report: no exploited zero days were attributed to North Korea, down from 5 in 2024. The drop is dramatic, though researchers caution that it may reflect changes in attribution confidence rather than a genuine reduction in capability. North Korean hackers have increasingly turned to cryptocurrency theft and ransomware operations, which may require fewer zero days than traditional espionage.

Financially motivated cybercriminals, meanwhile, were responsible for 9 attributed zero days. The remaining 48 unattributed exploits represent a significant intelligence gap. Nearly half of all zero days in 2025 could not be tied to a specific group.

What This Means for Everyone

The commercialization of zero day exploitation has consequences that extend far beyond the security industry. When private companies compete to discover and hoard software vulnerabilities, the entire ecosystem becomes less safe. Every vulnerability stockpiled for a spyware client is one that remains unpatched for everyone else.

For individuals, the practical risk is that the same exploit chains used to hack a journalist's phone in one country can be repurposed against anyone. The tools do not discriminate. And as long as governments are willing to pay for them, the market will keep expanding.

The 2025 data makes one thing clear: regulation has not kept pace with the commercial surveillance industry. Sanctions and prosecutions are necessary but insufficient. Until the economic incentives change, the companies that sell hacking tools will continue outpacing the governments that were supposed to be the only ones with this kind of capability.