The fact that two seemingly unrelated operations—Dark Caracal and the Kazakhstan campaign—shared technical characteristics hints at a bigger story. It might mean that an unknown third party is offering up infrastructure and malware to various nation-state customers for hacking campaigns. That would suggest that both the operations are part of a larger group of attacks that all use the same tools.

“We do not think it’s likely that Dark Caracal is managing this infrastructure,” said Cooper Quintin, an EFF security researcher and one of the report’s authors. “We think it’s far more likely that this infrastructure is being run by an unknown third party who is also selling their services to Kazakhstan and possibly other countries.”

Think of it as government surveillance as a paid service.

This week’s report only hinted at that third party, but Quintin said that researchers are already working on identifying it. “We have some ideas,” he said.

This is a marked departure from how nation-state surveillance usually works. Governments, especially those without a deep bench of homegrown hacking talent, often do buy surveillance tools from companies: Just look at the long list of governments that purchased espionage software from Hacking Team, an Italian company that was itself hacked in 2015. But what’s going on here seems to go a couple steps further. Instead of acquiring a hacking tool and using it for spying, Dark Caracal seems to have paid someone else to use theirs. “They subscribe to this, and then somebody sets up the whole thing for them,” Quintin said. “And they just have to log in and download reports about the people they’re spying on.”

In a way, this means digital espionage software is only just catching up to consumer trends. Like Google’s G Suite products, which are hosted on Google servers and customers pay to access, the report is describing a sort of cloud-based surveillance service. It’s just not clear where that cloud is.

The business model might be innovative, but the hacking methods the report revealed were relatively primitive. Dark Caracal didn’t use fancy code or expensive equipment: Much of its success came from plain old social engineering. They (or the group they paid to hack for them) used tricks like setting up fake Facebook accounts with photos of smiling Arab women to convince targets to download fake versions of messaging platforms like WhatsApp. These apps would then send entire chat transcripts back to their spymasters, plus various other revealing information like GPS location, contact lists, and SMS messages. The malware could even take photos with the infected phone’s front and back cameras, and secretly record audio from the device’s microphone.

The scale of the spying efforts emanating from the General Security building is surprising, said Mohamad Najem, the codirector of SMEX, a Lebanese digital-rights organization. So, too, is the list of countries where individuals were targeted, many of which are Lebanon’s allies. Najem questioned whether the operation was green-lit through the normal legal process, which requires judicial supervision and only allows targeted surveillance for a limited time period. “They’re doing anything they want, without any legal processes—and that’s very dangerous,” he said.