100 Countries Can Now Hack Your Phone, UK Intelligence Says—And the Targets Are No Longer Just Journalists

The Numbers Keep Growing

In 2023, UK intelligence estimated that 80 countries had procured commercial cyber intrusion tools. By April 2026, that figure has reached 100. The National Cyber Security Centre, part of the GCHQ signals intelligence agency, believes the commercial spyware industry doubles in size every ten years.

The tools in question include well known names like NSO Group's Pegasus and Paragon's Graphite, but also a growing number of lesser known vendors that sell similar capabilities to smaller nations. When the leaked DarkSword exploit toolkit surfaced earlier in 2026, it demonstrated that even mid tier intelligence services can now deploy sophisticated zero click attacks against iPhones and Android devices.

The Target List Has Changed

For years, the public narrative around commercial spyware focused on journalists, human rights defenders, and political opposition figures. Those groups remain primary targets. But UK intelligence officials noted at CYBERUK that the victimology has "expanded" to include bankers, wealthy businesspeople, and corporate executives.

This expansion is driven by economics. Governments that spend millions to acquire spyware capabilities do not limit their use to national security. Once the tool exists and the operators are trained, the same infrastructure gets deployed for economic espionage, corporate competitive intelligence, and personal surveillance by officials who control the agencies.

The implication is that the risk model has shifted. It is no longer accurate to think of commercial spyware as a threat limited to people in high risk categories. Anyone whose phone contains financially valuable information, trade secrets, legal strategies, or investment positions is now a plausible target.

What These Tools Can Do

Modern commercial spyware operates through zero click exploits, meaning the target does not need to open a link, download a file, or interact with a message. The spyware arrives silently through iMessage, WhatsApp, or other messaging services and gains full access to the device.

Once installed, these tools can:

• Read all messages, including those in encrypted apps like Signal and WhatsApp
• Access email accounts and read every message in the inbox
• Activate the microphone and camera without any visible indicator
• Track real time GPS location
• Extract stored passwords, photos, contacts, and calendar entries
• Intercept two factor authentication codes

The email access component is particularly significant. When spyware compromises a device, it does not just read the messages stored locally. It captures credentials for cloud email services, giving operators persistent access to the target's Gmail, Outlook, or corporate email even after the spyware itself is removed from the phone. This is why Apple's Lockdown Mode disables many of the features that spyware exploits, and why Apple says no iPhone in Lockdown Mode has ever been successfully compromised.

The UK's Own Record

NCSC chief Richard Horne used his CYBERUK address to warn that British companies are "failing to grasp the reality of today's world." He stated that the majority of nationally significant cyberattacks targeting the United Kingdom originate from foreign governments rather than cybercriminal gangs.

The UK's position on spyware regulation is complicated. The government is a signatory to the Pall Mall Process, an international agreement involving 25 nations that aims to address the irresponsible use of commercial spyware. But the UK also maintains its own surveillance capabilities, and critics have pointed out that the agreement contains no enforcement mechanism and no penalties for violating its voluntary commitments.

Meanwhile, the market continues to grow. Intelligence agencies have noted that when one spyware vendor is sanctioned or shut down, employees often move to new companies and rebuild similar tools under different names. The expertise does not disappear; it migrates.

The Pattern Across 2026

The NCSC's disclosure comes amid a steady stream of spyware incidents in 2026. Predator spyware was used to hack an Angolan journalist's phone on World Press Freedom Day. ICE admitted to using zero click spyware that can read encrypted messages. An Italian surveillance firm was caught distributing fake WhatsApp apps that took over entire phones. And Citizen Lab documented telecom level surveillance campaigns that track targets through their carriers.

Each of these incidents involves different vendors, different target countries, and different victims. But they share a common infrastructure: a commercial industry that sells intrusion capabilities to any government willing to pay, with minimal oversight and effectively no accountability when those tools are abused.

What You Can Do

For most people, the risk of being targeted by state sponsored spyware remains low. But "most people" is no longer everyone outside journalism and activism. If you handle sensitive financial, legal, or corporate information on your phone:

• Keep your phone updated. Most spyware exploits target known vulnerabilities that have already been patched. Delayed updates are the single largest risk factor
• Enable Lockdown Mode on iPhone. It disables many of the attack surfaces that spyware relies on, including certain iMessage features, shared albums, and USB connections
• Use disappearing messages. Even if spyware accesses your phone, messages that have already been deleted cannot be exfiltrated
• Separate sensitive accounts. Do not use the same phone for personal social media and corporate email. If the phone is compromised, everything on it is compromised
• Watch for Apple and Google threat notifications. Both companies send alerts when they detect state sponsored targeting. Take these notifications seriously
• Audit your email account activity. Check your Gmail or Outlook login history regularly for sessions from unfamiliar devices or locations