Inside the Rise of Phone Spyware and the Hands-Free Police State
It starts with a faint chime at 3:17 a.m.—a notification that never seems to show up again. The apartment is still, save for the buzz of a ceiling fan slicing the thick San Salvador air. Carlos Martínez sits up, not fully awake, but alert in a way his body has learned over time. It’s the third time this month.
Later, forensic analysts at Citizen Lab will confirm it was Pegasus. Not a phishing link. Not a tap mistake. A zero-click exploit that required nothing from him at all. The kind of digital infection that leaves no fingerprint, only an aftertaste. For nearly nine months, while reporting on El Salvador’s negotiations with gangs, his iPhone belonged to someone else.
“Hackers entered our phones as if they were their own.”
San Salvador, 2025
The surveillance wasn’t localized. It wasn’t even targeted in any traditional sense. What began as a covert toolset for state-level actors has now matured into an open market—mercenary spyware, custom-built to bypass encryption, resist detection, and operate silently at scale.
Back in Israel, inside boardrooms and booths at security expos, the brochures don’t hide the ambition.
In its brochure, NSO Group puts it plainly. Pegasus requires no clicks. It can install silently, over the air, and operate completely undetected. It can “activate the microphone,” “retrieve messages and photos,” and “view and operate” the phone in real time. The encryption that guards messages in apps like Signal and WhatsApp? Irrelevant, says NSO, because “the rest is done automatically by the system.”¹
The technology behind these exploits is dazzling in a way that recalls 20th-century illusions of magic.