Meridian
March 24, 2026

Under Digital Siege: How Spyware Became the Gulf's Weapon of Choice Against Its Own Citizens

Gulf states built sophisticated surveillance infrastructures with commercial spyware. DarkSword's free availability threatens to arm the next generation of attackers against populations already living under digital surveillance.

In September 2020, Citizen Lab published a report titled "The Great iPwn." It documented that 36 journalists at Al Jazeera, the Qatari-owned news network, had their iPhones compromised by Pegasus spyware over a period of months. The attacks exploited a zero-click vulnerability in iMessage, requiring no action from the targets. The operators behind the campaign were identified through technical infrastructure analysis as likely connected to Saudi Arabia and the UAE. For Al Jazeera's newsroom, the implications were immediate: every source, every unpublished story, every editorial conversation had potentially been accessible to the intelligence services of hostile neighboring states.

This was not an anomaly. It was the visible surface of a surveillance architecture that Gulf governments had been assembling for years, purchasing commercial spyware from Israeli and European vendors and deploying it systematically against journalists, activists, and political opponents. The appearance of DarkSword on GitHub in March 2026, a full iOS exploit chain available to anyone with an internet connection, adds a new dimension to this threat. For populations in the Middle East and North Africa already living under extensive state surveillance, the question is no longer only what governments do with these tools. It is what happens when actors outside government gain access to the same capabilities.

The Gulf as Spyware's Premier Market

The Gulf states were not merely customers of the commercial spyware industry. They were among its most important ones, and their purchasing patterns shaped the industry's growth.

Saudi Arabia's use of Pegasus is the most extensively documented case in the region. The Pegasus Project, the 2021 investigation by Forbidden Stories and 17 partner media organizations, revealed that Saudi operators had selected phone numbers belonging to journalists, activists, and members of the royal family for potential targeting. The connection to the Khashoggi case gave the Saudi deployment its most consequential public dimension: researchers at Citizen Lab established that Pegasus was used to monitor individuals in Khashoggi's circle before his murder at the Istanbul consulate in October 2018.

The UAE's spyware procurement was equally aggressive and more diverse. Beyond Pegasus, Emirati intelligence operated a domestic surveillance program called Project Raven, staffed in part by former NSA operatives working through a UAE-based company called DarkMatter. Project Raven targeted journalists, foreign governments, and human rights activists. The case of Ahmed Mansoor illustrates the cumulative effect: Mansoor, a prominent human rights defender, was targeted with FinFisher spyware in 2011, with Hacking Team tools in 2012, and with Pegasus in 2016. Citizen Lab's interception of the Pegasus links sent to Mansoor's phone was a critical early exposure of NSO Group's operations. Mansoor was arrested in March 2017 and sentenced to ten years in prison on charges of damaging the UAE's reputation.

Bahrain's use of spyware against domestic opposition is documented across multiple research reports. Citizen Lab identified Bahrain as a Pegasus operator and documented targeting of activists affiliated with the Bahrain Center for Human Rights. Morocco deployed Pegasus against journalists, including Omar Radi, a reporter who covered corruption and the protest movement. French authorities investigated Morocco's alleged targeting of French citizens, including journalists and a human rights lawyer.

The scale of procurement across the region created a feedback loop. Gulf states' willingness to pay premium prices for spyware incentivized vendors to develop increasingly sophisticated tools. NSO Group's revenue, which peaked at approximately $250 million annually, was substantially supported by Gulf contracts. The region did not just consume the spyware industry's products. Its demand helped finance the research and development that made those products possible.

The Human Cost in Documented Cases

The victims of spyware deployment in the MENA region are not abstractions. They are identifiable individuals whose cases have been confirmed through forensic analysis.

Jamal Khashoggi's case remains the most prominent because it connects surveillance technology to a lethal outcome. But the pattern of targeting extends far beyond a single case. In Saudi Arabia, women's rights activists including Loujain al-Hathloul were reportedly targeted with Pegasus. Al-Hathloul, who campaigned for the right to drive and for the end of the male guardianship system, was detained in 2018 and held for nearly three years. Analysis of her device after release confirmed Pegasus infection.

The Al Jazeera operation documented in "The Great iPwn" report affected 36 journalists in a single operation, making it one of the largest documented spyware campaigns targeting a media organization. The targets included producers, anchors, and executives. In the context of the Saudi-led blockade of Qatar from 2017 to 2021, the surveillance of Al Jazeera had both intelligence and political dimensions: the network was a primary target of the blockading states' diplomatic demands.

In Morocco, the journalist Omar Radi's phone was found to have been infected with Pegasus through a network injection attack as early as 2019, according to Amnesty International analysis. Radi was subsequently arrested and convicted on charges that press freedom organizations described as politically motivated.

Across the region, the targeting pattern is consistent. The individuals surveilled are not criminals or security threats in any conventional definition. They are journalists whose reporting discomforts governments, activists whose campaigns challenge policy, lawyers who represent dissidents, and sometimes family members of any of these groups.

Surveillance Infrastructure Beyond Spyware

Commercial spyware exists within a broader surveillance infrastructure in the Gulf that combines technical capabilities with legal frameworks enabling extensive monitoring.

The UAE's Telecommunications Regulatory Authority operates deep packet inspection systems capable of monitoring internet traffic at the national level. Saudi Arabia's Communications and Information Technology Commission exercises similar capabilities. Bahrain's telecommunications infrastructure routes through monitoring systems that enable bulk collection.

These mass surveillance systems serve a different function than targeted spyware. Bulk interception identifies persons of interest. Spyware provides deep access to specific targets already identified. The combination creates a layered surveillance architecture: broad collection identifies targets, and precision tools like Pegasus extract detailed intelligence from those targets.

Gulf states have also invested in offensive cyber capabilities through state-linked entities. The UAE's DarkMatter, before rebranding and restructuring, employed former Western intelligence personnel and developed indigenous cyber capabilities. Saudi Arabia's National Cybersecurity Authority, established in 2017, formalized the kingdom's cyber operations structure. These institutional investments mean that even if commercial spyware vendors face sanctions or legal pressure, Gulf states have increasingly autonomous capabilities.

DarkSword as Threat Multiplier

For populations in the MENA region, DarkSword's publication on GitHub changes the threat calculus in specific ways that differ from the impact elsewhere.

In most of the world, the primary concern with DarkSword is that it enables new actors to conduct mobile surveillance. In the Gulf and broader MENA region, the concern is compounded. State surveillance is already pervasive. DarkSword does not introduce a new threat category so much as it multiplies the number of actors who can conduct surveillance that previously required state resources.

Consider the actors who now potentially gain access. Non-state groups operating in conflict zones across Libya, Yemen, Syria, and Iraq gain a mobile surveillance tool that previously required either a government patron or an intelligence agency's budget. Criminal organizations involved in trafficking, smuggling, or extortion gain the ability to compromise the phones of witnesses, journalists, or law enforcement contacts. Private security firms serving wealthy individuals or competing business interests gain access to tools that were previously available only through state procurement channels.

The Gulf states themselves face a security paradox. They were among the most prolific purchasers in the controlled commercial market precisely because they valued the exclusivity: the ability to surveil while maintaining the advantage of limited access. DarkSword democratizes that capability. The same tool can now be turned against government officials, royal family members, or state security personnel by actors who were previously excluded from the market.

For activists and journalists in the region, DarkSword represents a layered threat. They already operate under the assumption that state intelligence services can compromise their devices. Now they must consider that non-state actors with grudges, business rivals, or political opponents acting independently of the state can potentially do the same. The operational security measures developed to protect against Pegasus, such as using burner phones, avoiding iMessage, and enabling Apple's Lockdown Mode, remain relevant but are now needed against a wider and less predictable set of potential attackers.

The Limits of Protection

Apple's Lockdown Mode, introduced in 2022 specifically in response to the commercial spyware threat, offers meaningful protection by reducing the device's attack surface. But its adoption in the MENA region faces practical barriers.

Lockdown Mode disables functionality that many users depend on. Web browsing is restricted, message previews disappear, and certain communication features are limited. For journalists who rely on their phones as primary reporting tools, receiving documents and links from sources, conducting interviews via messaging apps, and accessing media-rich content, these restrictions impose real operational costs.

More fundamentally, the devices most vulnerable to DarkSword are those that cannot run iOS 26 at all. Apple's March 2026 security update patches the exploited vulnerabilities, but it requires iOS 26, which supports only iPhone 11 and newer models. In markets across the MENA region, where device replacement cycles are longer than in North America or Europe and where second-hand phone markets are substantial, a significant share of the iPhone installed base runs on devices that will never receive this patch.

The patch gap affects the region disproportionately. In wealthier Gulf states, device turnover may be faster. But across North Africa, in conflict-affected states, and among refugee populations who use smartphones as their primary communication lifeline, older devices persist for years. These populations, already among the most surveilled and most vulnerable, carry phones that are permanently exposed to DarkSword's exploit chain.

No Reversal in Sight

The structural condition is clear. Gulf states built surveillance infrastructures using commercial spyware purchased at premium prices from willing vendors. Regulatory efforts, sanctions, and lawsuits disrupted some vendors but did not dismantle the infrastructure or the institutional demand for surveillance capability. DarkSword's publication added a new variable: the barrier to entry for mobile surveillance dropped to zero, and the number of potential operators expanded beyond any government's ability to monitor or control.

For civil society in the MENA region, the practical implication is that the threat landscape has become permanently more complex. The previous model, where the primary adversary was a government with specific political motivations and identifiable technical infrastructure, was at least legible. Researchers could map Pegasus operators through their server infrastructure. Forensic analysis could attribute infections to specific government clients. The post-DarkSword model offers no such clarity. The attacker could be a state, a criminal group, a business competitor, or any individual with sufficient motivation and moderate technical skill.

This does not diminish the state-level threat. Gulf governments retain their commercial spyware capabilities, their bulk surveillance systems, and their growing indigenous cyber programs. DarkSword does not replace that apparatus. It adds to it, from below, introducing a proliferation dynamic that operates outside the channels through which accountability, however imperfect, has been pursued.

Sources:
  • Citizen Lab, "The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage Zero-Click Exploit" (December 2020)
  • Amnesty International and Forbidden Stories, "The Pegasus Project" (July 2021)
  • Citizen Lab, "Hide and Seek: Tracking NSO Group's Pegasus Spyware to Operations in 45 Countries" (September 2018)
  • Citizen Lab, "The Million Dollar Dissident: NSO Group's iPhone Zero-Days Used Against a UAE Human Rights Defender" (August 2016)
  • Reuters, "Project Raven: Inside the UAE's Secret Hacking Team of American Mercenaries" (January 2019)
  • Amnesty International, "Morocco: Human Rights Activist Targeted with NSO Group's Spyware" (October 2019)
  • European Parliament PEGA Committee, final report (2023)
  • Apple, iOS 26.4 security update release notes (March 2026)
  • iVerify, DarkSword exploit chain analysis (March 2026)
This article was AI-assisted and fact-checked for accuracy. Sources listed at the end.