For more than a decade, dozens of journalists and human rights activists have been targeted and hacked by governments all over the world. Cops and spies in Ethiopia, Greece, Hungary, India, Mexico, Poland, Saudi Arabia, and United Arab Emirates, among others, have used sophisticated spyware to compromise the phones of these victims, who at times have also faced real-world violence being intimidated, harassed, and in extreme cases, even murdered.

In the last few years, in the fight to protect these higher-risk communities, a team of a dozen digital security experts, mostly based in Costa Rica, Manila, and Tunisia, among other places, have played a key role. They work for the New York-headquartered nonprofit Access Now, specifically its Digital Security Helpline. 

Their mission is to be the team of people who journalists, human rights defenders, and dissidents can go to if they suspect they’ve been hacked, such as with mercenary spyware made by companies like NSO Group, Intellexa, or Paragon. 

“The idea is to provide this 24/7 service to civil society and journalists so they can reach out whenever they have… a cybersecurity incident,” Hassen Selmi, who leads the incident response team at the Helpline, told TechCrunch. 

According to Bill Marczak, a senior researcher at the University of Toronto’s Citizen Lab who has been investigating spyware for almost 15 years, Access Now’s Helpline is a “frontline resource” for journalists and others who may have been targeted or hacked with spyware.

The helpline has become a critical funnel for victims. So much so that when Apple sends its users a so-called “threat notification” alerting them that they have been targeted with mercenary spyware, the tech giant has long directed victims to Access Now’s investigators. 

In speaking with TechCrunch, Selmi described a scenario where someone gets one of these threat notifications, and where Access Now can help victims.

“Having someone who could explain it to them, tell them what they should do, what they should not do, what this means… This is a big relief for them,” said Selmi. 

According to several digital rights experts who have investigated spyware cases and previously spoke with TechCrunch, Apple is generally taking the right approach, even if the optics look like a trillion-dollar tech giant offloading its responsibility to a small team of nonprofit workers. 

Being mentioned by Apple in the notifications, said Selmi, was “one of the biggest milestones” for the helpline.

Selmi and his colleagues now look into about 1,000 cases of suspected government spyware attacks per year. Around half of those cases turn into actual investigations, and only around 5% of them, around 25, result in a confirmed case of spyware infection, according to Mohammed Al-Maskati, the helpline’s director.

When Selmi started doing this work in 2014, Access Now were only investigating around 20 cases of suspected spyware attacks per month. 

At the time, there were three or four people working in each timezone in Costa Rica, Manila, and Tunisia, locations that allowed them to have someone online throughout the whole day. The team isn’t that much bigger now, with fewer than 15 people working for the helpline. The helpline has more people in Europe, the Middle East, North Africa, and Sub-Saharan region, given that these are hotspots for spyware cases, according to Selmi.  

The increase in cases, Selmi explained, is due to several circumstances. For one, the helpline is now more well known, so it attracts more people. Then, with government spyware going global and becoming more available, there are potentially more cases of abuse. Finally, the helpline team has done more outreach to potentially targeted populations, finding cases of abuse they may not have found otherwise. 

When someone contacts the helpline, Selmi told TechCrunch, its investigators first acknowledge receipt, then they do a first check to see if the person who contacted them is within the organization’s mandate, meaning if they are part of civil society — and not, for example, a business executive or lawmaker. Then, the investigators assess the case in triage. If a case is prioritized, the investigators ask questions, such as why the person believes they were targeted (if there was no notification), and what device they own, which helps to establish what kind of information the investigators may need to collect from the victim’s device.

After an initial, limited check of the device performed remotely over the internet, the helpline’s handlers and investigators may ask the victim to send more data, such as a full backup of their device, to do a more thorough analysis examining for signs of intrusions. 

“For each known kind of exploit that has been used in the last five years, we have a process on how to check that exploit,” said Selmi, referring to known hacking techniques. 

“We know more or less what is normal, what is not,” said Selmi.

The Access Now handlers, who manage communication and often speak the victim’s language, will also give the victim advice on what to do, such as whether to get another device, or take other precautions. 

Every case that the nonprofit looks into is unique. “It’s different from person to person, from culture to culture,” Selmi told TechCrunch. “I think we should do more research, get more people on board — not just technical people — to know how to deal with these kinds of victims.”

Selmi said that the helpline has also been supporting similar investigative teams in some regions of the world, sharing documentation, knowledge, and tools, as part of a coalition called CiviCERT, a global network of organizations that can help members of civil society who suspect they were targeted with spyware. 

Selmi said this network has also helped to reach journalists and others in places where otherwise they could not get to. 

“No matter where they are, [victims] have people who could talk to and report to,” Selmi told TechCrunch. “Having these people talk their language and know their context helped a lot.”