Vas Panagiotopoulos is a fellow at Tech Policy Press.
Mobile phone spyware has been used on several occasions during wartime in recent years. Originally marketed as a tool for combating terrorism and serious crime, spyware has increasingly appeared in military and intelligence operations around the world.
Spyware can be used for targeting and gathering battlefield intelligence, military espionage and counterintelligence, as well as psychological and deception operations.
States value these capabilities because they can provide a distinct strategic advantage over adversaries that do not possess them. However, these military-grade technologies can cause serious harm to human rights and create significant counterintelligence risks.
Spyware is difficult to detect and document, especially during armed conflict, where there may be no opportunity to examine a device and evidence can easily be lost.
There are several publicly known cases of spyware being deployed in armed conflicts in recent years, including in Iran, Gaza, Ukraine, Nagorno-Karabakh and Syria. Yet the cases documented by researchers to date suggest that what we currently know is only the tip of the iceberg.
What follows is a non-exhaustive list of publicly documented cases involving the deployment of spyware during armed conflicts in recent years:
Targeting and battlefield intelligence collection
Spyware can be used to identify, track, and validate military targets by collecting data from compromised devices and networks, as well as to collect battlefield intelligence — gathering information on enemy communications, locations, movements, plans, and capabilities to support operational decision-making and targeting.
For example, on 16 June 2025, Israeli jets bombarded a bunker where an emergency meeting was taking place, attended by key Iranian figures, including President Masoud Pezeshkian, the heads of the judiciary and the intelligence ministry, and senior military commanders. None of the officials carried mobile phones, aware that Israeli intelligence could track them. Yet, according to an investigation by the New York Times, Israeli forces were led to the meeting by hacking the phones of bodyguards who had accompanied the Iranian leaders to the site and were waiting outside. The piece that cites both Israeli and Iranian sources does not provide more details on the method by which these phones were compromised; however, Israelis are well-known for several such offensive cyber capabilities – including in-house ones, as well as commercial tools such as those by NSO Group and Paragon Solutions.
Another more concrete example of the deployment of commercial spyware for targeting and battlefield intelligence collection can be seen in Gaza. In the aftermath of October 7, Axios reported that several Israeli agencies were likely using NSO Group's Pegasus spyware. “Pegasus can be used to tap into cell phone signals to assess who was on the ground during Hamas’ surprise attack and movement of those cell signals before and after the attack,†noted the piece, quoting an anonymous source with direct knowledge of NSO’s operations.
The source said that NSO had also established a so-called “war room,†bringing together other similar companies and former NSO employees to track and unlock phones belonging to people who have been murdered or gone missing, as well as those of suspected terrorists.
Similarly, in Ukraine, CrowdStrike documented in 2016 the battlefield deployment of the iOS and Android spyware X-Agent against Ukrainian artillery units by the Russian cyber-espionage group Fancy Bear, likely linked to the Russian military intelligence agency (GRU). The malware could activate a device's microphone to record audio and collect, among other data, text messages, contact lists, photos, and geolocation information.
Military espionage and counterintelligence
Spyware can also be used for military espionage to covertly obtain sensitive military, political, diplomatic, scientific, or industrial information from adversaries, as well as for Counterintelligence to monitor, detect, or disrupt hostile intelligence activities and identify compromised personnel.
For example, a new US Defense Intelligence Agency report was prompted by incidents in which American defense personnel in Israel discovered spyware secretly installed on their phones to intercept their communications, highlighting the serious counterintelligence risks associated with such technology.
In 2023, a joint civil society investigation revealed that at least twelve Armenian public figures and officials, including journalists and human rights defenders, were targeted with NSO Group's Pegasus spyware amid conflict in Nagorno-Karabakh in 2020 – 2022. This came after the Pegasus Project had revealed more than 1,000 Azerbaijani numbers were potential NSO targets and was the first documented evidence of the use of Pegasus spyware in an international war context.
The first cluster of civil society Pegasus infections in Armenia emerged against the backdrop of the 2020 Nagorno-Karabakh war with Azerbaijan, its aftermath and ceasefire, which triggered a domestic political crisis, mass protests, an alleged coup attempt, and ultimately Prime Minister Nikol Pashinyan's resignation and snap elections in 2021.
In Syria, Assad's army officers were hacked through an app that deployed SpyMax, a widely used Android surveillance tool, New Lines Magazine reported in 2025. The malware enabled keylogging to steal passwords and intercept text messages, extracted confidential files, photos, and call logs, and accessed the camera and microphone for real-time surveillance of its victims. The piece notes that it is difficult to determine exactly how many phones were compromised in the attack, but the number is likely “in the thousands,†adding that the unique element of this “primitive but devastating†phishing attack seemed to have been “focused on compromising an entire military institution.â€
Psychological and deception operations
Spyware can also be used for psychological and information operations to enable influence campaigns on target audiences, as well as for military deception operations to manipulate adversary perceptions, decision-making, and situational awareness.
For example, AP reported in March that Iran had hacked Israelis using Android phones as they were fleeing an Iranian missile strike, an operation that required sophisticated coordination. They received a text message with a link purporting to provide real-time information about bomb shelters. However, the link was malicious and installed spyware, giving hackers access to the device's camera, location, and all its data. The piece notes that such disinformation campaigns are not designed to kill, but to “to spy, steal and frighten.â€
More recently, according to a report by the Times of London, the CIA used NSO Group's Pegasus spyware to carry out a deception campaign in Iran as part of efforts to retrieve the second of two downed US airmen in early April. The report claimed that the American intelligence agency used Pegasus to send messages to Iranian leadership and Islamic Revolutionary Guard Corps operatives, falsely claiming that the downed US airman had already been found.
It's worth pointing out that most of these cases are impossible to independently verify. John Scott-Railton, a Senior Researcher at The Citizen Lab who has researched Pegasus since 2016, expressed skepticism about the Times of London report's claim: “No clear sourcing. No official confirmation. Just dropped in there.â€
Spyware Use in Conflict: Which laws apply?
Legal oversight largely disappears in wartime. Spyware deployment during conflict often occurs on unclear legal grounds, with key safeguards — such as prior judicial authorization, and requirements of necessity, proportionality, and post-surveillance oversight — frequently completely absent. This creates conditions ripe for abuse.
So, are there any legal safeguards when spyware is used during war? In conflict, it is international humanitarian law that applies, which forbids the deliberate or indiscriminate targeting of civilians, humanitarian personnel, and other protected parties.
“Spyware cannot be used to harass, intimidate, and leak data of civilians, war prisoners, and other protected individuals,†Natalia Krapiva, Senior Tech-Legal Counsel at Access Now, told Tech Policy Press
Moreover, under international criminal law, although the use of spyware is not a crime in itself, it may be part of the conduct that forms the basis of war crimes, crimes against humanity, or genocide.
“For example, if it is used to target and persecute civilians and other protected populations, provided that the requirements of intent, gravity, and other requirements are met for the underlying crimes,†continues Krapiva.
The use of spyware may also constitute an offense against the administration of justice if spyware is used to interfere with witnesses, evidence, or otherwise the court proceedings in criminal trials.
International human rights law and domestic law — including the right to privacy and freedom of expression that spyware may violate — usually also apply in conflict, unless a country derogates from these rights under the established procedure, in which case some laws may be temporarily suspended for as long as the public emergency situation is in effect.
“For example, Ukraine has derogated from certain obligations under the European Convention on Human Rights and the International Covenant on Civil and Political Rights (ICCPR),†says Krapiva.
“However, some rights like the right to life, the right to be protected from torture or slavery, are non-derogable, so even in conflict you cannot use spyware to torture people or to kill civilians.â€
There is very little legal precedent concerning the use of spyware during armed conflict. Even in peacetime, spyware is often difficult to detect and document; in conflict settings, these challenges are amplified. Access to compromised devices may be impossible, forensic investigations may be delayed or infeasible, and critical evidence can be destroyed, lost, or rendered inaccessible.
The documented cases identified to date span multiple conflicts, governments, and spyware technologies. Researchers caution, however, that these incidents likely represent only a fraction of the true extent of wartime spyware use. Because spyware is specifically designed to evade detection, and because armed conflict creates significant obstacles to forensic investigation, the full scale of its deployment may never be known.
“From the cases that we do know and have documented, we suspect that there is more spyware used in conflict than we know about,†says Krapiva.
