U.K. warns commercial spyware now reaches more than 100 countries

Commercial spyware has spread to more than 100 countries, up from 80 in 2023, giving governments and potentially private actors access to tools that can break into phones and computers and pull out messages, contacts, photos and other sensitive data. The widening market has turned a once-niche state capability into a broader security risk for journalists, dissidents, bankers, wealthy businesspeople and corporate targets.

Richard Horne, who leads the National Cyber Security Centre, delivered the warning in Glasgow at the CYBERUK conference, saying British companies are failing to understand how far the threat has expanded. The U.K. intelligence picture now suggests that more than half of the world’s governments have access to commercial spyware, a striking shift from a system once associated mainly with a small set of advanced intelligence services.

The companies selling these intrusion tools, including NSO Group and Paragon, build products that can exploit flaws in widely used phones and computers. The U.K. assessment has long argued that commercial cyber tools and services lower the barrier to entry for both state and non-state actors, and that some of the most advanced products can rival state-linked hacking groups. That is why the issue now sits at the intersection of national security, human rights and corporate risk management.

The warning also lands against a harder cyber backdrop at home. The National Cyber Security Centre said in its Annual Review 2025 that it handled 204 nationally significant cyber attacks in the 12 months to August 2025, up from 89 in the previous year. Eighteen of those incidents were classified as highly significant, and the agency said the average works out to roughly four nationally significant cyber incidents a week.

Horne has said the most serious attacks are increasingly tied directly or indirectly to nation states rather than criminal gangs alone, naming China, Iran and Russia among the governments driving the sharpest threats. That is consistent with the U.K.’s broader view of cyber conflict, which now includes Chinese-linked intrusions aimed at stealing data and preparing for disruptive action in the event of a future crisis over Taiwan.

London has already tried to push back. In March 2023, the U.K. joined 10 other countries in a joint statement calling for stronger domestic and international controls on commercial spyware. Finland, Germany, Ireland, Japan, Poland and South Korea later joined that commitment in March 2024. At CYBERUK, Security Minister Dan Jarvis added £90 million in new cybersecurity investment over three years, underscoring how quickly the policy response is trying to catch up with a market that is expanding faster than regulation.