Paul May

Information Security Lead at OpenSanctions

Paul May is the information security lead at OpenSanctions. He also works on threat intelligence, cybercrime, money laundering and spyware. He has conducted and published investigations into drug trafficking and organised crime in cross-border collaborations with investigative journalists.

Talk: The Blueprint for a Modern Commercial Spyware-Maker? (with Julian-Ferdinand Vögele) [TLP:RED]

In 2026, a commercial spyware maker is not only the provider of a single surveillance product but an intentionally fragmented global enterprise: a network of export brokers in one jurisdiction, shell companies in another, and boutique exploit developers elsewhere. These deliberately disparate networks, connected through layers of legal, technical and logistical intermediaries, form a structure designed to create jurisdictional arbitrage and reduce liability across borders.

This talk unpacks that machinery through the notorious yet still not-understood case of the Intellexa network, a complex web of entities behind the Predator spyware. Despite the prosecutions of Intellexa-linked actors in Greece, elements of the network continue to operate, highlighting the resilience of this distributed structure.

Following years of investigations drawing on non-public data, we demonstrate the network’s architecture, identifying overlooked and previously unreported entities associated with an initial access technique and clarifying their roles. We show how blurred boundaries between contractors, employees, and service providers complicate attribution and accountability.

Does Intellexa represent a blueprint of the modern commercial spyware vendor? We demonstrate whether the network as a case study can help us better understand the growing commercial surveillance industry.