Meet the Team That Investigates When Journalists and Activists Are Hacked With Government Spyware

For more than a decade, journalists and human rights activists around the world have been targeted and hacked by government-backed surveillance operations. Law enforcement agencies and intelligence services in countries including Ethiopia, Greece, Hungary, India, Mexico, Poland, Saudi Arabia, and the United Arab Emirates have used advanced spyware to compromise targets' phones. In many cases, these digital attacks have been accompanied by real-world intimidation, harassment, and in the most extreme situations, even killings.

In recent years, a small team of digital security specialists has emerged as a crucial line of defence for these high-risk communities. The group, comprising around a dozen experts based in Costa Rica, Manila, and Tunisia, works for the New York–based nonprofit Access Now through its Digital Security Helpline.

The helpline serves as a point of contact for journalists, human rights defenders, and dissidents who believe they may have been targeted with mercenary spyware developed by companies such as NSO Group, Intellexa, and Paragon.

"The idea is to provide this 24/7 service to civil society and journalists so they can reach out whenever they experience a cybersecurity incident," said Hassen Selmi, who leads the helpline's incident response team, in an interview with TechCrunch.

Bill Marczak, a senior researcher at the University of Toronto's Citizen Lab who has investigated spyware for nearly 15 years, described Access Now's helpline as a "frontline resource" for individuals who suspect they have been targeted by government spyware.

The helpline has become such a central resource that Apple, when sending "threat notifications" to users warning them of mercenary spyware attacks, routinely directs affected individuals to Access Now's investigators for help.

Selmi explained how Access Now assists people who receive these alerts. "Having someone who can explain what the notification means, what they should do, and what they should avoid doing is a big relief," he said.

Several digital rights experts who have worked on spyware investigations have previously told TechCrunch that Apple's approach is generally appropriate, even if it appears that a trillion-dollar company is relying on a small nonprofit team to assist victims. Selmi noted that being referenced by Apple in these alerts marked "one of the biggest milestones" for the helpline.

Today, the team reviews roughly 1,000 suspected government spyware cases each year. About half of those cases progress to complete investigations, and approximately 5% — approximately 25 instances annually — result in confirmed spyware infections, according to helpline director Mohammed Al-Maskati.

When Selmi began this work in 2014, Access Now was handling around 20 suspected spyware cases per month. At that time, the team consisted of three or four staff members in each central time zone, enabling continuous coverage. While the team has grown slightly, it still includes fewer than 15 people. The helpline now has a more substantial presence across Europe, the Middle East, North Africa, and Sub-Saharan Africa, regions identified as hotspots for spyware activity.

Selmi attributed the increase in reported cases to several factors: the helpline's growing reputation, the global expansion and availability of government spyware, and increased outreach efforts that have uncovered cases which might otherwise have gone unreported.

When someone contacts the helpline, investigators first confirm receipt and determine whether the individual falls within Access Now's mandate, meaning they are part of civil society rather than a business executive or government official. The team then conducts a triage to assess the report's urgency and credibility.

If a case is prioritised, investigators ask the individual why they believe they were targeted and what type of device they use. This information helps determine what data may need to be collected. An initial remote analysis is performed, and, if necessary, victims may be asked to provide additional information, such as a whole device backup, for a deeper forensic examination.

"For each known exploit used in the past five years, we have established processes to check for it," Selmi said. "We have a clear sense of what normal behavior looks like and what doesn't."

Helpline staff who manage communications often speak the victim's language and guide next steps, including whether to replace the device or take additional security precautions.

Selmi emphasised that every case is different. "It varies from person to person and from culture to culture," he said, adding that more research and broader expertise are needed to support victims beyond technical analysis alone.

The helpline also collaborates with investigative teams in other regions by sharing tools, documentation, and expertise through CiviCERT. This global coalition supports civil society members who believe they may have been targeted by spyware.

According to Selmi, this network has expanded the helpline's reach into areas that would otherwise be difficult to access. "No matter where they are, victims have people they can talk to and report to," he said. "Having support from people who understand their language and context has made a significant difference."