
The Rome Statute in the Digital Age: Confronting Emerging Cyber Threats

Editor’s Note

This article is part of the series, “Legal Frameworks for Addressing Spyware Harms.”

When Edward Snowden leaked National Security Agency (NSA) documents more than a decade ago and exposed the breadth of U.S. government surveillance operations worldwide, the threat of invasive cyber capabilities was limited to a handful of state powers. Non-state actors lacked the technical capacity, infrastructure, and resources to replicate the NSA’s global dragnet. Since then, the threat landscape has changed significantly, and those limitations have eroded.

Today, a new generation of commercial actors has emerged, selling capabilities that rival and sometimes surpass state-level cyber tools. The instruments of modern surveillance—spyware, hack-for-hire services, and ad-based tracking—are far more surgical and sophisticated, and they are no longer confined to intelligence agencies. A global “cyber-mercenary” industry now sells these tools to governments, militaries, and private actors to monitor or track targeted individuals, networks, and populations with alarming precision and efficiency.

Firms like NSO Group, Intellexa, and Candiru provide bespoke surveillance software; hack-for-hire outfits in India and the Gulf offer intrusions-as-a-service; and data brokers aggregate vast amounts of digital data into actionable intelligence packages for anyone who can pay the price. In certain circumstances, these cyber capabilities are used in tandem with other state-directed means and methods of repression to commit physical or psychological violence against a civilian population that could rise to the threshold of crimes against humanity under the Rome Statute of the International Criminal Court (ICC).

The ICC is beginning to confront this reality. In its strategic plan 2023-2025, the Office of the Prosecutor (OTP) committed to building its technical capacity and, after a year of consultations and drafting, will soon publish its first policy on cyber-enabled crimes under the Rome Statute. These are important steps, but they will not succeed unless international lawyers understand how cyber operations work, and cybersecurity experts understand how to preserve and present evidence that meets international legal standards. This knowledge gap is especially critical when it comes to the commercial offensive cyber market. While many tools are legal and can be used for legitimate national security purposes, the combination of weak regulation, minimal oversight, and high profit incentives has led to widespread abuse, often intertwined with serious human rights violations.

This article aims to equip international criminal law practitioners with the context needed to recognize when advanced cyber capabilities are being used to commit, enable, or facilitate core international crimes.

Commercial Spyware and Cyber Offense as a Service

The commodification of advanced cyber tools now resembles the open arms market. Spyware like NSO Group’s Pegasus can remotely infiltrate smartphones, activate microphones and cameras, and extract private data without a trace. Hack-for-hire groups sell intrusions into email, encrypted messengers, and cloud storage accounts. Meanwhile, ad-based tracking enables the quiet mapping of social, political, or ethnic groups by harvesting location data from seemingly innocuous mobile applications.

What makes these developments especially alarming is the way they expand access to cyber capabilities once monopolized by states. For authoritarian governments or embattled regimes, there are ample opportunities to purchase cutting-edge surveillance tools, as evidenced by documented abuses in the Middle East, Africa, and Latin America. Much as private military contractors have been employed to supplement or obscure state violence, private cyber firms now enable governments to conduct offensive cyber operations with plausible deniability.

Enabling International Crimes at Speed and Scale

The most alarming risk is the integration of these digital tools into broader campaigns of violence. Consider a hypothetical example. An authoritarian regime acquires spyware from a commercial vendor. The spyware is deployed against an ethnic minority, mapping community leaders, religious figures, and activist groups. AI-driven analytics cross-reference intercepted communications with geolocation data from commercial trackers. Security services use this intelligence to orchestrate mass arrests, torture of leaders, and targeted killings.

In such a scenario, cyber tools function as the backbone of a campaign of persecution. The efficiency with which repression can be planned and executed—at scale, with precision targeting—raises the chilling possibility of digital tools enabling atrocities on par with other Rome Statute crimes.

This dynamic is not just theoretical. The Chinese government’s campaign against Uyghurs and other Turkic Muslim minorities in Xinjiang offers a concrete example of cyber-enabled repression at scale. According to investigations by the New York Times and Human Rights Watch published in 2019, Chinese authorities have deployed an Integrated Joint Operations Platform (IJOP)—a massive surveillance system that aggregates data from checkpoints, mobile phone scans, facial recognition cameras, and spyware forcibly installed on residents’ devices. The IJOP flagged “suspicious behavior,” such as using encrypted messaging apps, traveling abroad, or attending religious services, and then sent automated alerts to security services. Authorities reportedly then used this data to identify individuals for interrogation, arbitrary detention, or transfer to “re-education” camps. Reports by the Australian Strategic Policy Institute and Amnesty International further suggest the system’s predictive policing capabilities facilitated mass internments, amounting to persecution and other crimes under international law.

Today, the People’s Republic of China (PRC) and Chinese enterprises are exporting their surveillance platform and tools around the world. Chinese companies like Geedge Networks sell internet censorship and surveillance technology, while other companies like Hikvision and Dahua Technology sell video surveillance hardware. As Wired journalist Zeyi Yang aptly explains, Chinese technology companies now provide “digital authoritarianism as a service.”

This example illustrates how cyber capabilities can be central to a widespread and systematic attack on a civilian population. Far from being isolated surveillance devices, tools like spyware, biometric databases, and predictive algorithms can become instruments of persecution—directly enabling crimes that fall within the Rome Statute’s jurisdiction. More importantly, it demonstrates the growing trend of commercialization of government surveillance technologies and presents the dangerous prospect of its rapid spread to other states and, potentially, non-state actors.

The Appeal to Authoritarians

While spyware and other surveillance technologies offer promising applications for advancing national security and public safety initiatives by good faith actors operating under legal regimes, their risk of abuse by bad actors cannot be ignored. Authoritarian states and fragile democracies with authoritarian tendencies are particularly drawn to these tools. Advanced spyware allows regimes to consolidate control by neutralizing political rivals and silencing critics. Unlike conventional weapons, these tools can be used covertly, without attracting the same level of international scrutiny or sanctions.

Moreover, the economic incentives are powerful, dangerously aligning market forces with authoritarian demands. Cyber-mercenary firms stand to profit immensely by selling to regimes willing to pay top dollar for tools that help maintain political survival. The parallels to the global arms trade are stark. Just as private arms dealers have prolonged conflicts in Africa and the Middle East by supplying militias with arms, private cyber actors now supply digital tools of repression to authoritarian governments aiming to suppress dissent.

Over the past decade, a handful of cases have come to light. DarkMatter’s “Project Raven” in the UAE employed former U.S. intelligence operatives to surveil thousands of journalists and dissidents with zero-click exploits (exploits designed to work without user interaction). Several employees later admitted to U.S. authorities that they exported unauthorized defense services. Around the same time, Italy’s Hacking Team sold its Remote Control System spyware to Sudan, Ethiopia, and other countries, despite clear risks of abuse. A 2015 leak revealed contracts, exploit purchases, and client support to multiple countries with poor human rights records. More recently, NSO Group’s Pegasus has been traced on the phones of journalists, activists, and associates of Jamal Khashoggi, while hack-for-hire firms like BellTroX and CyberRoot, documented by Citizen Lab, have targeted journalists, activists, and corporations globally. Finally, advertising intelligence (ADINT) firms like Anomaly Six and Voyager Labs exploit ad-based tracking to monitor entire populations, as demonstrated on CIA and NSA agents who could be unmasked by these tools.

From Surveillance to Persecution

The Rome Statute was drafted in 1998, long before spyware or mass data analytics reshaped the landscape of state repression. Yet its provisions are broad enough to capture cyber-enabled crimes, provided prosecutors and investigators recognize the functional equivalence between digital and physical means of persecution.

Article 7 of the Rome Statute defines crimes against humanity to include persecution, imprisonment, torture, enforced disappearance, and “other inhumane acts” intentionally causing great suffering or serious injury. Persecution is defined as “the intentional and severe deprivation of fundamental rights contrary to international law by reason of the identity of the group or collectivity.”

In practice, this means that if spyware and digital monitoring tools are systematically deployed to target dissidents, journalists, human rights defenders, or ethnic communities, they could facilitate the commission of the crime against humanity of persecution. Digital tools themselves may not kill, but they enable repression that results in arbitrary detention, torture, and mass atrocities. For example, spyware used to geolocate activists or intercept planning meetings can facilitate arrests, killings, or enforced disappearances.

The Chinese government’s campaign in Xinjiang demonstrates how surveillance technologies can operationalize persecution. The IJOP did not merely collect information; it deprived Uyghurs of their rights to liberty, privacy, and freedom of religion by designating ordinary activities—such as downloading WhatsApp or attending prayer at a mosque—as suspicious. The system’s automated alerts triggered interrogations, detentions, and transfers into “re-education” camps. In this way, the digital infrastructure itself became a mechanism of persecution. Victims of Xinjiang’s mass surveillance have described the constant monitoring and predictive policing as causing severe psychological harm, akin to permanent intimidation and humiliation.

More concerningly, the situation in China is not a one-off. There are a growing number of examples from Bahrain to Mexico to Gaza and throughout Europe in which mercenary spyware, coupled with physical detention, torture, and extrajudicial killings, creates a system to enable persecution and other constituent acts of crimes against humanity.

Liability Up the Supply Chain

The Rome Statute’s modes of liability under Articles 25 and 28 could capture responsibility throughout the offensive cyber supply chain. Direct perpetrators—state agents or contractors deploying spyware—may be prosecuted under Article 25(3)(a). Ordering, soliciting, or inducing under Article 25(3)(b) applies to officials who direct surveillance campaigns. Aiding and abetting under Article 25(3)(c) implicates corporate executives, engineers, or resellers who knowingly provide spyware or infrastructure that substantially contributes to persecution. Common-purpose liability under Article 25(3)(d) is especially relevant where multiple actors knowingly contribute to collective repression. Command responsibility under Article 28 applies to superiors who knew or should have known of abuses and failed to act. Spyware and mass surveillance systems could also be used to establish command responsibility for other crimes against humanity by proving that a state’s leadership was fully aware of its military or police force committing crimes against civilians and took no action to prevent it.

A very small but growing body of corporate-liability proceedings shows how criminal courts may treat companies as accomplices to crimes against humanity when they knowingly provide substantial assistance that enables abuses. France is currently the most active forum, with two significant cases in recent years. In the case against cement company Lafarge SA, the Cour de cassation cleared the way for the corporate entity itself to face an indictment for complicity in crimes against humanity tied to alleged payments and support to ISIS in Syria. On Jan. 16, 2024, the court upheld the complicity indictment.

Parallel French cases against surveillance technology suppliers AMESYS and Nexa have resulted in indictments of company executives for complicity in torture linked to Libya and Egypt and were affirmed on appeal. Prosecutors have also tested complicity theories against surveillance vendors in an investigation of Qosmos in relation to Syria, but that case ended in a non-lieu, which is similar to an order of dismissal in the United States.

These initial examples chart a pathway for potential liability of spyware suppliers and other actors in the supply chain. For example, if a vendor like NSO Group continues supplying, maintaining, or customizing tools knowing that they are being used within a state policy to persecute journalists, dissidents, or human rights defenders, this assistance could be characterized as aiding and abetting persecution as a crime against humanity.

A Roadmap for Practitioners

For the Rome Statute to remain relevant, practitioners must understand how potential perpetrators will exploit offensive cyber capabilities to enable larger campaigns of violence, repression, or abuse of civilian populations. Identifying cyber-enabled persecution cases requires strong evidence for attribution and tracing the supply chain—mapping not only the direct perpetrators but also the vendors, resellers, and financiers who knowingly contribute. Preserving forensic evidence, contracts, and communications will be essential to meet ICC standards.

Given the ICC’s gravity requirement and limited resources, only a small number of cases will meet the requisite threshold. However, one ICC prosecution alone could have significant ripple effects in deterring this behavior. Even a symbolic case that punishes one individual perpetrator could be enough to scare cyber mercenary firms away from selling their products to potential abusers or, at the very least, incentivize them to create safeguards against abuse. Moreover, with the increasing popularity and impact of universal jurisdiction cases, in which Rome Statute crimes are prosecuted in domestic courts, as was the case in France, there are other avenues for accountability and levers to pull to deter bad behavior and incentivize compliance.

Of course, complementary accountability mechanisms must also be pursued. Sanctions—such as U.S. and EU blacklisting of NSO Group and Candiru—help stigmatize and restrict abusive firms. Export controls, like the European Union’s Dual-Use Regulation, add another layer, though enforcement is uneven. Civil litigation, including WhatsApp’s and Apple’s lawsuits against NSO, creates additional avenues of accountability. Multilateral oversight, from U.N. special rapporteurs and human rights bodies, draws attention to systemic risks.

Only by combining Rome Statute prosecutions with these complementary measures can the international community build a robust framework for accountability.

Conclusion

The rise of the cyber-mercenary industry presents one of the most urgent challenges for international justice in the twenty-first century. Surveillance tools once monopolized by a handful of states are now widely available, enabling regimes to persecute civilian populations with unprecedented precision and efficacy.

The Rome Statute provides a flexible framework for addressing these threats in extreme cases, but its application must evolve. Just as landmines, cluster munitions, and chemical weapons prompted international regulation, digital tools capable of facilitating mass repression require legal attention and oversight.

Accountability cannot rest solely with the ICC. A whole-of-system response—sanctions, export controls, civil litigation, and multilateral oversight—must reinforce international criminal law. In the digital age, accountability requires more than condemning spyware scandals after the fact. It demands proactive strategies to ensure that those who deploy sophisticated cyber capabilities against civilians are held to account under the same principles that have long guided atrocity prevention. The stakes are not merely about privacy or surveillance—they are about preventing crimes against humanity in an era where repression is digital, globalized, and available to the highest bidder.
