The night it happened, right after midnight on August 10, Bill Marczak and his girlfriend were staying up late to watch Star Trek reruns in their spare one-bedroom apartment, in El Cerrito, California, just north of the University of California at Berkeley campus.

A trim Ph.D. candidate with dense brown hair and a disciplined beard, Marczak wasn’t just another excitable, fast-talking Berkeley grad student. He was a pioneering analyst in a new and unusual theater of cyber-warfare: the struggle between Middle Eastern freedom activists and authoritarian governments in countries such as Bahrain and Egypt. He was also a senior fellow at Citizens Lab, the University of Toronto “interdisciplinary laboratory” that had almost single-handedly discovered and alerted the world to how these governments were monitoring dissidents with spyware quietly marketed by a group of shadowy European and Israeli companies that have been labeled the first “cyber-arms dealers.”

Before going to sleep, Marczak, always a tad obsessive, rolled out of bed to check his phone for messages. He was standing there in his boxer shorts when he saw it. “Oh my God,” he exclaimed, hopping up and down with excitement, his bright eyes shining even brighter than usual.

Across the bed, his girlfriend wondered, “What is it?”

“I think I just found something huge,” he answered, before kissing her and going into the living room, where he opened his laptop.

When his girlfriend woke the next morning, he was still there.

Marczak had indeed found “something huge.” An activist friend in the United Arab Emirates had sent him an e-mail containing a single Internet link, which Marczak was almost certain would, if clicked, release malignant spyware into his mobile phone. He managed to isolate a portion of its code, but it was so complex he decided to forward a copy across San Francisco Bay to engineers at a computer-security outfit called Lookout, whose offices high in a downtown skyscraper afforded panoramic views from the Golden Gate Bridge to Oakland.

A pair of Lookout engineers, Andrew Blaich, a sandy-haired mobile-security specialist, and Max Bazaliy, an intense grad student from the Ukraine, were the first at the company to study the heavily obfuscated code.

“What do you think it is?” Blaich asked.

“I don’t know. Something really, really bad,” Bazaliy answered in his thick Ukrainian accent.

It took all day for the two to realize just how bad.

It is exceedingly rare to find a never-before-seen vulnerability that allows a hacker to infiltrate the operating system of a computer or mobile phone. Amazingly, the program Marczak had found would be shown to target not one, not two, but three such vulnerabilities.

“Every new line of code, it was like, ‘Oh shit, this can’t be,’ ” Blaich recalls. “ ‘Oh shit. Oh shit.’ It just went on and on.”

By nightfall, the two engineers were staring in disbelief. “This can spy on audio, e-mail, text messages . . . everything. Someone spent a lot of time creating this,” Blaich said.

Bazaliy, a purist, thought it the most beautiful code he had ever seen. “There’s never been anything like this before,” he said.

Video: Sony C.E.O. on How the Hack Changed Business

There was a time, a few years back, when the most sophisticated cyber-warfare tools were still developed and used exclusively by the world’s most sophisticated cyber-warfare combatants: government spy agencies, such as the ultra-secret National Security Agency and its counterparts in Israel and other developed countries and their arch-rivals in China and Russia. The surveillance and monitoring capabilities that Edward Snowden unveiled to the world in 2013 were shocking and little understood, but an ordinary citizen could at least take comfort in the belief that, if he wasn’t a criminal or a spy, it was unlikely these tools would ever be used against him.