Threat briefing

Pegasus 2: the spyware era has changed — and high-value people need to wake up

Helix research · why the modern smartphone is the most valuable target on earth

There was a time when spyware sounded like something out of a bad action movie. A shadowy government agency. A dissident. A secret phone tap. A journalist being followed through encrypted messages.

That world still exists.

But the bigger problem now is that military-grade mobile surveillance has escaped the "state actor only" conversation. Tools inspired by Pegasus, NSO Group, Graphite, Predator, commercial spyware brokers, zero-click exploits and private cyber-intelligence markets have turned the modern smartphone into the most valuable target on earth.

Your phone is no longer just a phone.

It is your bank. Your wallet. Your crypto vault. Your camera. Your microphone. Your boardroom. Your location tracker. Your identity. Your private life. Your business deal flow. Your password-reset device. Your Telegram, WhatsApp, Signal, iMessage, exchange logins, wallet apps, cloud backups and 2FA codes.

That is why Pegasus-style spyware matters. And that is why anyone with money, crypto, political exposure, litigation risk, business secrets, family-office access, private banking relationships, defense connections, media exposure or sensitive personal data needs to stop thinking like a normal consumer and start thinking like a target.

What is Pegasus?

Pegasus is the now-infamous spyware developed by Israeli cyber-intelligence company NSO Group. It became globally known after investigations by Amnesty International, Citizen Lab, The Guardian and other media organizations alleged that it had been used to target journalists, activists, lawyers, businesspeople, politicians and human rights defenders around the world. Amnesty's Pegasus Project reported a leaked list of more than 50,000 phone numbers selected as potential surveillance targets, including political figures, journalists and activists.[1]

The public story is that Pegasus is sold to governments for serious crime and terrorism investigations. That is the official line. The uncomfortable reality is that spyware of this class has repeatedly been linked to political surveillance, media monitoring, corporate intelligence, intimidation and abuse of power. Amnesty's forensic research also documented traces of Pegasus infections and zero-click attack methods on iOS and Android devices.[2]

Pegasus is not a normal virus. It is not some dodgy Android APK your uncle downloaded from a fake casino app.

It is surveillance-grade spyware designed to get inside a phone quietly, collect data, monitor activity and — depending on the version and access level — potentially reach messages, photos, emails, location data, microphones, cameras and app content. Security researchers and major cybersecurity firms have consistently described Pegasus as capable of deep device compromise, including access to sensitive communications and device sensors.[3]

So what is "Pegasus 2"?

"Pegasus 2" is often used informally to describe the next generation of Pegasus-style threats — not necessarily one single public product name, but the newer wave of mobile spyware, zero-click exploits, commercial surveillance tools, private-sector surveillance brokers and state-grade mobile compromise platforms.

The original Pegasus story was shocking because people realized a phone could be infected without the old-school hacker-movie nonsense. You did not always need to click a link. You did not always need to download a file. You did not always need to do anything obviously wrong.

Citizen Lab documented FORCEDENTRY, a zero-click exploit against Apple's iMessage image-rendering system that was used to deploy NSO Group spyware against a Saudi activist's device.[4] WhatsApp also sued NSO Group over an attack that allegedly targeted around 1,400 WhatsApp users, and in 2025 Meta was awarded nearly US$170 million in damages after a US jury found NSO liable in relation to the WhatsApp hacking case.[5]

That is the real lesson. The phone itself is the battlefield. Not just the apps. Not just the browser. Not just your password. The device.

Who uses Pegasus-style spyware?

Officially, tools like Pegasus are marketed to government agencies for serious criminal investigations, counter-terrorism and national security. NSO Group has long maintained that its technology is only supplied to government clients for those purposes.[2]

But the documented target lists and investigations tell a much broader story. Pegasus-style spyware has been associated with the targeting of journalists, lawyers, activists, political opponents, diplomats, businesspeople, government officials, dissidents, human rights defenders, high-net-worth individuals, people connected to sensitive commercial disputes, and people close to powerful targets.

That last category matters. Sometimes the main target is not the prime minister, billionaire, crypto founder, defense contractor, mining executive or family-office principal. Sometimes the easier target is the assistant, spouse, lawyer, accountant, broker, developer, adviser, driver, partner, ex-business partner, chief of staff, crypto wallet manager or IT consultant.

Modern surveillance does not always kick the front door in. It goes around the side.

Why would anyone target a rich crypto bro?

Because crypto changes the incentive model. A traditional wealthy person might have assets locked behind banks, trusts, lawyers, accountants, compliance checks and settlement delays. A crypto-heavy person may have access to liquid digital value that can move in minutes. That makes them attractive.

A high-value crypto target may hold: seed phrases, exchange accounts, OTC relationships, private Telegram groups, wallet access, trading signals, cold-wallet locations, DeFi positions, stablecoin balances, investor contacts, private deal flow, launchpad allocations, token vesting schedules, market-moving information, confidential fund documents, screenshots of wallet balances, 2FA recovery flows, KYC documents, and private keys stored stupidly in notes, cloud drives or screenshots.

For attackers, the phone is the jackpot. It is not just about stealing coins directly. It is about mapping the person's life: who they talk to, where they travel, which wallets they use, which exchanges they trust, who their lawyer is, who their accountant is, which projects they back, which deals are not announced yet, which family members can be pressured, which passwords can be reset, which emails can be intercepted, and which conversations can be used for blackmail, manipulation or commercial leverage.

This is why the "I'm not important enough" mindset is dangerous. If you hold serious crypto, manage investor funds, advise fintechs, run a token project, work in OTC, sit near a family office, build blockchain infrastructure, or move in circles where millions of dollars can be influenced by one private message — you are absolutely important enough.

Do rich people really have access to spyware licenses?

The public record around Pegasus itself points primarily to government clients, export controls and state-level procurement. Pegasus is not supposed to be a toy for private individuals. Israel's defense export-control framework has been widely discussed in relation to how spyware licenses are approved for foreign government clients.[6]

But the broader commercial spyware industry is messy. There are surveillance vendors. Exploit brokers. Private intelligence firms. "Lawful intercept" companies. Cyber-mercenary markets. Grey-zone operators. Consultants who know consultants. State-linked tools that leak into private disputes. And private clients who do not technically "buy Pegasus" but still obtain access to surveillance capability through intermediaries, influence networks, compromised insiders or outsourced intelligence operations.

That is where things get dangerous. The person attacking you does not need to personally own Pegasus. They just need access to someone who can compromise a device, obtain location data, clone communications, exploit an app vulnerability, steal cloud backups, abuse SS7-style telecom weaknesses, phish recovery accounts or install commercial stalkerware.

The market has changed. The threat is no longer just "the government is watching." The threat is: who wants your phone open — and how much are they willing to pay?

Why Pegasus-style spyware is so hard to detect

Most people think malware means the phone gets hot, the battery drains, weird popups appear and some fake antivirus warning flashes on the screen. That is consumer-malware thinking.

Pegasus-style spyware is different. It is designed for stealth. Kaspersky has noted that detecting advanced mobile spyware is extremely difficult, especially when malware is non-persistent and may leave very few traces after a reboot.[7]

That matters because a sophisticated phone compromise may not behave like a cheap virus. There may be no obvious warning. No weird icon. No "you have been hacked" message. No visible app. No simple uninstall button. The attacker does not want drama. They want silence. They want your phone to keep working normally while they collect intelligence.

The big mistake: thinking iPhone means safe

iPhones are strong devices. Apple has done a huge amount to harden iOS. Android has also improved massively. But "secure" does not mean "untouchable."

Pegasus became famous partly because it proved that fully patched, modern smartphones could still be targeted through sophisticated exploit chains. Amnesty's forensic report documented zero-click attacks against iPhones, including attacks that did not require user interaction.[2]

That does not mean everyone should panic. It means high-value people need a different security model. The average person can rely on normal updates, good passwords and common sense. A high-value person cannot.

If you are a crypto founder, investor, public figure, political target, commercial-litigation target, journalist, whistleblower, family-office operator, mining executive, fintech founder, defense supplier, lawyer or someone sitting on sensitive intelligence — you need active monitoring. Not paranoia. Monitoring.

What Pegasus wants

Pegasus-style spyware is valuable because it can turn private life into searchable intelligence. Depending on the exploit, device, permissions and attacker capability, spyware may seek access to messages, call logs, emails, photos, microphone input, camera access, GPS location, browser history, encrypted app content after device compromise, cloud tokens, contact lists, app metadata, file storage, screenshots, authentication flows, account-recovery pathways, sensitive documents and wallet information.

Once a device is compromised, encryption becomes less useful because the attacker may be viewing content at the endpoint. In plain English: Signal, WhatsApp, Telegram and iMessage might encrypt messages in transit, but if the phone itself is owned, the attacker may not need to break the encryption. They can read what the user reads. That is the nightmare.

Why crypto people are especially exposed

Crypto culture has a major OPSEC problem. Too many people with serious money still operate like they are anonymous because they use Telegram, a hardware wallet and a cartoon profile picture. That is not security. That is theatre.

Real attackers do not care about your PFP. They care about your operational habits. They care if you screenshot seed phrases, use SMS 2FA, have weak email recovery, leave cloud backups enabled, expose your phone number, link Telegram to your main number, reuse your exchange email as your public email, run a SIM that can be social-engineered, give an assistant calendar access, share a cloud account between laptop and phone, use WhatsApp for OTC settlement, discuss deal flow on unsecured channels, never reboot your phone, ignore strange app behavior, or run your legal, finance and crypto life all through the same device.

A wealthy crypto person is not just a person. They are an attack surface.

The new class of targets

Pegasus-style spyware was once discussed mainly in the context of journalists and activists. That remains serious. But the target pool is expanding because the economics are changing.

Crypto founders

Token launches, vesting schedules, investor chats, treasury wallets, exchange negotiations and private market-making discussions are all commercially valuable.

High-net-worth investors

Family offices, private wealth groups, SMSFs and offshore structures can be mapped through phone compromise.

Fintech operators

Payment rails, compliance data, banking relationships, KYC systems and sensitive user data create serious exposure.

Legal and litigation targets

Commercial disputes create incentives for surveillance, especially when millions of dollars are on the line.

Political and media figures

Journalists, campaigners, political donors and public commentators remain classic targets.

Defense and critical-infrastructure suppliers

If you deal with defense, government procurement, intelligence, telecommunications, AI, cyber, energy, ports, logistics or critical infrastructure, you should assume your device matters.

Crypto "bros" with too much liquidity and not enough discipline

The stereotype exists for a reason. Some people are walking around with millions in accessible digital assets, using the same phone for dating apps, Telegram groups, exchange logins, Gmail, wallet alerts and private deals. That is not wealth management. That is bait.

Why normal antivirus is not enough

Traditional antivirus is helpful for common threats. It can block known malware, malicious files, phishing domains and unsafe apps. But Pegasus-style threats are not ordinary. They may use zero-click exploits, zero-day vulnerabilities, app-level attack chains, temporary payloads, stealth infrastructure, legitimate system processes, encrypted command channels, cloud-token abuse, forensic evasion and non-persistent behavior.

That does not mean protection is impossible. It means protection must be layered. You need prevention, detection, behavioral monitoring, device hygiene, secure communications, rapid response and education. That is where Helix comes in.

Helix: built for the world we actually live in

Helix is designed for people who understand that their phone is no longer a casual device. It is a security perimeter.

Helix does not force users into an unrealistic setup where they need to abandon normal iOS or Android usage. That matters because most businesspeople, founders, crypto investors, executives and high-value individuals still need to operate in the real world. They need iPhone. They need Android. They need WhatsApp, Signal, email, banking apps, exchange apps, meetings, travel and business continuity.

Helix is built around the practical reality of modern mobile security: monitor the phone, watch network activity and apps in real time, run a daily malware scan, look for Pegasus-style behavior, detect suspicious activity, and warn you instantly — then let you cut every connection in one tap — all without making the device unusable. For high-value users, that is the difference between pretending everything is fine and actually watching the attack surface.

The GrapheneOS question

Some security people believe the only serious phone is a hardened device running something like GrapheneOS. There is a place for that. For some users, a hardened Android environment can make sense.

But most real-world business users are not going to run their entire life through a highly restricted device setup. They will use standard iOS or Android because they need compatibility, convenience and business functionality.

That is why Helix takes a more practical position. The goal is not to shame users into fantasy-level security behavior they will abandon within two weeks. The goal is to give people a serious layer of mobile threat awareness on the devices they actually use. Because the best security system is the one that gets used. (For users who do want the clean-room option, the optional Helix Hardened Phone runs Helix on a locked-down GrapheneOS handset — the maximum-assurance baseline, not a requirement.)

Signs you should take mobile spyware seriously

You should be thinking about Helix if any of the following apply:

Most people do not know they need this until something goes wrong. By then, the damage may already be done.

The harsh truth: you may never know you were hit

That is the entire point of advanced spyware. It is not designed to announce itself. A compromised phone may continue working. Calls still connect. Messages still send. Banking still opens. The screen still looks normal. The user keeps moving through life while someone else quietly watches.

That is why waiting for "proof" is the wrong mindset. Security for high-value people should not begin after the breach. It should begin before someone decides you are worth targeting.

Pegasus changed the conversation forever

Pegasus proved something the public did not want to believe: modern smartphones can be compromised at a level most people cannot detect or understand. Since then, the spyware industry has only become more aggressive, more commercialized and more politically controversial. The legal pressure on NSO Group, including WhatsApp and Meta's successful damages verdict, shows just how serious the industry has become.[5]

But lawsuits do not protect your phone today. Awareness does. Better habits do. Active monitoring does. Taking yourself seriously as a target does.

Final word: if your phone is worth money, protect it like money

The old security advice was simple: do not click suspicious links. That advice is no longer enough. We are now in the era of zero-click exploits, spyware brokers, commercial surveillance, crypto-targeted crime, political monitoring, private intelligence and high-value mobile compromise.

If you are a normal person, basic mobile hygiene may be enough. If you are a high-value person, your phone needs more. Helix exists for that world.

Protect your device. Protect your conversations. Protect your crypto. Protect your identity. Protect your business. Protect your life.


References

  1. Amnesty International — The Pegasus Project
  2. Amnesty International — Forensic Methodology Report: How to catch NSO Group's Pegasus
  3. Amnesty International Australia — Everything you need to know about Pegasus spyware
  4. The Citizen Lab — FORCEDENTRY: NSO Group iMessage zero-click exploit
  5. The Verge — Meta awarded $167.25M over Pegasus spyware attack
  6. Georgetown Journal of International Affairs — Cyber Mercenaries
  7. Kaspersky — How to protect from Pegasus and other advanced spyware