Alliance for Peacebuilding

View Original

Here’s The 101 On Cyber Mercenaries

May 21, 2023

Familiar with the term cyber mercenaries? If not, you’re about to learn a lot more about them. These private-sector offensive actors (also known as hackers-for-hire) have been making waves in recent headlines, such as QuaDream hacking phones of journalists and NSO Group’s Pegasus found on the devices of European Union officials. With a booming market worth over $12 billion worldwide, cyber mercenaries provide offensive cyber technology to those willing to pay. Governments are driving this growth, seeking sophisticated tools sought under the guise of legitimate purposes (i.e., countering terrorism, combating cybercrime, and so on), but are used for malicious purposes. In this blog post, we’ll help you navigate the impact of cyber mercenaries and provide practical tips to protect yourself online. Get ready to delve into the world of hackers-for-hire and better understand how to safeguard your digital presence. 

What Are Cyber Mercenaries? 

Cyber mercenaries are private sector companies that develop, sell, and support offensive cyber capabilities for their highest bidders. Cyber mercenaries provide a diverse array of digital tools to their clients, but their most renowned offering lies in the realm of zero-day exploits. For those who don’t know, zero-day exploits take advantage of vulnerabilities within a given computer program unknown to its operator, also known as “zero-days,” to breach systems, adversely affect data/networks, or cause real-world damage. Recently, the Carnegie Endowment for International Peace identified at least 74 governments that have contracted with cyber mercenaries to gain access to spyware and digital forensics technology.  

How Do Cyber Mercenaries Impact Our Interconnected World? 

The impact of cyber mercenaries on our daily lives cannot be emphasized enough. One striking example is the NSO Group’s Pegasus, a zero-click spyware designed to infiltrate smartphones and allow its users complete access to the target’s device. Pegasus’s unprecedented surveillance capabilities give rise to profound human rights concerns, including privacy breaches, activist targeting, suppression of free speech, democratic erosion, and the risk of misuse/abuse. The Pegasus Project uncovered that over 1,500 individuals, ranging from students to journalists, human rights activists to political figures, fell victim to this notorious spyware. Notably, the Pegasus spyware played a crucial role in the operation ultimately responsible for the assassination of Jamal Khashoggi, a Saudi journalist. Amidst the opacity of the market, absence of transparency mechanisms, and the immense power wielded by spyware, it’s crucial to acknowledge the profound implications of cyber mercenaries to preserve democratic structures and protect innocent civilians. 

What Can We Do About Cyber Mercenaries? 

When it comes to addressing the impact of cyber mercenaries, there are no quick fixes. One of the underlying reasons tackling this issue proves difficult is the very governing bodies entrusted with regulation actually hire these mercenaries for their own objectives. Consequently, it’s unsurprising that our governments lack the necessary incentive to regulate these hackers-for-hire. However, even though the challenge of cyber mercenaries may seem impossible to overcome, there have been initiatives to address the pervasiveness of these bad actors.  

In March 2022, European Parliament voted to create the PEGA committee, a dedicated body aimed at investigating the utilization of spyware surveillance software by EU member states. This past March, President Biden signed an Executive Order that prohibits US government agencies from using any commercial spyware that is deemed to be a risk to the US. Furthermore, the Cybersecurity Tech Accord released a set of industry principles to mitigate the risk of cyber mercenaries that was endorsed by several industry leaders. Here are the selected principles:

  1. Take steps to counter cyber mercenaries’ use of products and services to harm people 

  2. Identify ways to actively counter the cyber mercenary market

  3. Invest in cybersecurity awareness of customers, users and the general public

  4. Protect customers and users by maintaining the integrity and security of products and services

  5. Develop processes for handling valid legal requests for information 

There is a personal aspect to this issue, and digital citizens must be empowered to protect themselves against cyber mercenaries. Public awareness and education on this topic are key to protecting yourself and your digital presence. Simple cyber hygiene techniques can help reduce the likelihood of cyber mercenaries from using spyware or other malign software from targeting you:

  • Keep your phone updated with the latest software updates! Software updates are helpful because they help patch against zero-days.  

  • Do not click any unknown or suspicious links in messages or emails. 

  • Enable 2FA (Two-Factor Authentication) on all accounts and MFA (Multi-factor Authentication) on more high-risk accounts, such as your bank account. 

  • Be wary of strange or click-baity domains that you haven’t seen before. 


Defending against highly sophisticated cyber mercenaries may pose challenges, but there are proactive measures we can take to combat their impact. By staying informed about their capabilities, demanding accountability for their irresponsible online actions, and practicing vigilant cyber hygiene, we can fortify our defenses against these cyber mercenaries. Together, these actions serve as essential weapons in the ongoing battle against the threats posed by these dangerous digital actors. 

Written by Bilva Chandra, Digital Peace Now’s Global Ambassador.