The Spyware Company That Hacked Journalists Wants Into the US Market—Here's Their "Proof" They've Changed

On January 8, 2026, the Israeli company behind Pegasus spyware published what it called a "2025 Transparency and Responsibility Report." The timing was not coincidental. NSO is mounting an aggressive campaign to enter the US market—and to escape the Commerce Department's Entity List that has blocked its access to American technology since 2021.

There's just one problem: the report that's supposed to prove NSO has reformed contains no actual proof.

What the Report Doesn't Say

"I expected data and specifics," John Scott-Railton, a senior researcher at Citizen Lab, told TechCrunch. "There's nothing here that allows outsiders to verify NSO's claims."

The report omits basic accountability metrics that any genuine transparency effort would include: how many potential customers NSO rejected, how many existing customers it investigated for abuse, how many it suspended, and how many it terminated. These numbers exist. NSO simply chose not to share them.

Natalia Krapiva, senior tech-legal counsel at Access Now, was blunt: "NSO is clearly on a campaign to get removed from the U.S. Entity List and one of the key things they need to show is that they have dramatically changed as a company since they were listed."

The report, she noted, shows no such thing.

New Owners, Familiar Playbook

What has changed is NSO's ownership and leadership. US investors have acquired control of the company. David Friedman—former US ambassador to Israel under Trump—was appointed executive chairman. CEO Yaron Shohat stepped down, and cofounder Omri Lavie left the board.

"When NSO's products are in the right hands within the right countries, the world is a far safer place," Friedman wrote in the report. Notably absent: any mention of which countries NSO currently operates in, or any acknowledgment of documented abuses by past clients.

The leadership shuffle appears designed to give NSO an American face for American regulators. And the timing suggests optimism within the company that political winds have shifted. In December 2025, the Trump administration lifted sanctions on executives from Intellexa, a rival spyware firm. The industry is watching closely.

Why NSO Was Blacklisted

The Commerce Department added NSO to the Entity List in November 2021 for a specific reason: enabling human rights violations around the world.

The evidence was overwhelming. The Pegasus Project—a collaboration of more than 80 journalists from 17 media organizations, coordinated by Forbidden Stories with technical support from Amnesty International—had revealed the scale of the problem just months earlier.

At the heart of the investigation was a leaked list of more than 50,000 phone numbers reportedly targeted by Pegasus and its government clients. Forensic analysis confirmed infections and attempted penetrations on dozens of devices.

The targets included at least 180 journalists in 20 countries. In India alone, at least 40 journalists from nearly every major media outlet were selected for potential targeting. In Mexico, at least 25 journalists. In Azerbaijan, more than 40. In El Salvador, 22 employees of a single news outlet—El Faro—had their phones infiltrated over 16 months.

The client list read like a roster of authoritarian regimes: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, Togo, and the United Arab Emirates.

What Pegasus Actually Does

Pegasus is not ordinary spyware. It exploits zero click vulnerabilities—meaning targets don't need to click anything to be infected. Once installed, it can extract virtually everything: emails, messages, photos, contacts, location history, and call records. It can activate microphones and cameras without any indication. It can access encrypted messaging apps like Signal and WhatsApp.

For journalists, this is catastrophic. Source protection becomes impossible when your phone is a surveillance device. For activists and dissidents, it can be life threatening.

The consequences have been documented. The spyware has been linked to the surveillance of journalists who were later imprisoned or killed. It has been used to monitor political opponents, human rights lawyers, and even heads of state.

The Governance Problem

A January 2026 analysis in Lawfare identified three fundamental challenges in regulating commercial spyware.

First, market opacity. Most spyware companies are privately held with minimal public disclosure. Annual industry revenue remains unknown.

Second, governments play a dual role—they are simultaneously the buyers, the users, the regulators, and often the home countries of spyware developers. This creates obvious conflicts of interest.

Third, legitimate use arguments. Governments claim spyware addresses real law enforcement needs, particularly for accessing encrypted communications. This complicates straightforward bans.

NSO has long exploited these dynamics, positioning itself as a tool for fighting terrorism and crime while disclaiming responsibility for how clients actually use its products.

What Comes Next

The Entity List designation has been devastating for NSO. It cuts off access to US technology and partners—a crippling blow for any high end surveillance vendor.

Whether the new administration will reverse course remains unclear. But the transparency report signals NSO's strategy: rebrand, restaff with American faces, and hope that claims of reform will be enough.

Critics aren't buying it. "There's nothing here," Scott-Railton said of the report.

For journalists, activists, and anyone whose work depends on secure communications, the stakes are clear. A company with a documented history of enabling surveillance of reporters wants access to the world's largest technology market. Its proof of reform is a document with no data.

That should concern everyone who believes accountability requires more than a press release.