When journalists, human rights defenders, lawyers or policymakers get a chilling alert that their phone has been breached by Pegasus — sophisticated spyware developed by an Israeli company and sold to governments worldwide — this newsroom is there to help. A division of the nonprofit Access Now, it has become a kind of global triage center for suspected government hacking, translating panic into a plan and raw device data into evidence.
The mandate of the helpline is straightforward, and urgent: to investigate suspected infections related to mercenary tools like NSO Group’s Pegasus, Intellexa’s Predator or other high-end implants currently peddled in a thriving commercial surveillance market.
With team members spread across Costa Rica, Manila, Tunisia and hubs closer to the perpetual hotspots, they ensure follow-the-sun coverage for reporters, activists and lawyers who don’t have time on their side.
Independent researchers say the service is filling an important void. For senior investigators at the University of Toronto’s Citizen Lab who have tracked Pegasus and Predator for years, the helpline is a critical first stop for potential targets, which serves as a link between a scary notification and an intensive forensic process.
Inside the Helpline’s Forensics and Response Process
The workflow starts with calm, methodical triage. Handlers collect context and risk details, and guide the at-risk user through safe steps to gather evidence. Investigators ask for device logs or, if necessary and justified, entire encrypted backups. On iPhones, they parse sysdiagnose logs and crash traces believed to contain artifacts of zero-click exploits; on Android, they scrutinize system partitions and app telemetry for unusual connections or privilege escalations.
The team cross-references domains, certificates and network indicators against threat intelligence databases compiled by civil society partners, such as Citizen Lab and Amnesty International’s Security Lab, a co-developer of Mobile Verification Toolkit, used in many high-risk investigations. I will remind you that, for every exploit family we’ve seen in the past five years, analysts keep playbooks: things to look for, timelines to rewind, mistakes not to make.
Chain-of-custody and harm-reduction concepts guide their work. The helpline advises treating a device as personally owned and separable, rather than wiping it to factory settings; get an interim handset and back up data securely for any remediation. Communication occurs in the victim’s preferred language whenever possible, and sensitive discoveries are communicated with a minimum of technical jargon so that targets can make educated decisions.
A Surge Fueled by State Malware and Commercial Spyware
As awareness has grown and commercial spyware adds to the volume of cases, caseloads have soared. Helpline leadership says the team now evaluates about 1,000 suspected government spyware cases a year. About half go on to deeper investigation and some 5 percent are substantiated compromises — low in terms of percentage, but the damage done is exponentially higher. A decade ago, the team would manage fewer than 20 suspected cases per month; now, its inbox never rests.
Referrals from tech platforms have largely dried up. When Apple sends out its threat notifications to suspected victims of mercenary spyware, it refers most recipients to civil society responders like Access Now. Warnings from Google’s Threat Analysis Group and messaging platforms like WhatsApp have helped surface cases faster, giving defenders a small window to capture ephemeral forensic traces.
Research by groups like Citizen Lab and Amnesty, as well as media partnerships such as the Pegasus Project, has linked state-grade spyware to workings in dozens of countries. Infections have been recorded in contexts that range from Mexico’s anti-corruption community to reporters caught in the fallout of Greece’s Predator scandal and dissidents inside the Gulf. The formula is the same: zero-click exploits weaponize messaging or calling features, silently take over control, and then sweep through calls, messages, photos, microphones and cameras.
Human Impact and Mitigation Steps for Targeted Users
For the individuals on the other side of the helpline, though, it is existential. Digital intrusion often comes with smear campaigns, arrests, monitored travel or physical intimidation. Even where there is no confirmed infection, the process leaves targets with safer workflows — air-gapped devices, updated operating systems, vetted virtual private networks, hardened backups and practices for sensitive field work.
The team also advises organizations on broader risk models: how to handle leaked documents, conduct secure interviews, cross borders and provide business continuity if a device is seized. Those basics may lack the glamour of zero-days, but they steadily narrow exposure in the environments where local recourse is minimal.
Building a Global Shield Through Civil Society Networks
The helpline is part of CiviCERT, a network of response teams for civil society. Investigators use that coalition to exchange methodologies, indicators of compromise and training materials with overseas partners in places where language or legal measures might stand in the way of getting access to support. Its effect is to create a dispersed shield: speedier detection, more credible public attributions and greater pressure on vendors and states.
Momentum is slowly shifting. Regulatory scrutiny has increased, with lawmakers in Europe investigating abuses of spyware and a number of governments curtailing business with notorious vendors. Platform defenses have gotten better — sandboxing and exploit mitigations have raised costs for attackers — but the most skilled adversaries still find ways in. That’s why the helpline’s mix of speed, forensic caution and trauma-awareness is as essential as it ever was.
If You Get a Spyware Alert: Immediate Steps to Take
If you receive a spyware alert, act carefully and preserve potential evidence while seeking expert help. Consider the following:
- Do not factory-reset your device.
- Preserve evidence by turning on a strong passcode and keeping the phone away from sensitive accounts.
- Seek advice from a credible civil society helpline or digital rights organization.
- Update your system, consider switching to a clean temporary device, and take notes on what you observed.
- Even if you don’t have a case, you will walk away more secure.
In a time when a single message can silently crack the front door of a newsroom, the unheralded work of this small team extends far beyond its head count. Not only are they finding infections — they’re also shrinking the room for evading responsibility.
