I'm writing these lines sitting at DevConnect, Buenos Aires. I came all the way here to give a speech at the Cypherpunk Congress organized by the friends at Web3Privacy, titled "Protecting Developers from Mercenary Spyware Abuse" (slides here).

After 2 years away from the "crypto" industry, it was energizing to re-connect with lots of friends in the space. From the events I've been able to attend, it seems that Privacy is finally a core narrative within the industry.

Every developer I spoke to was completely stunned when hearing about the prosecution of open-source developers by the Spanish state for the potential use cases of the tools they were building. While everyone knows about Tornado Cash, almost no-one knows about what happened to Jordi Baylina and the rest of open-source developers and advocates during 2019-2024.

Here's a brief explanation, a summary of my talk at the Cypherpunk Congress.

In 2019, and for two years, our team was targeted, attacked, and breached using Pegasus and Candiru. The industry refers to this as military-grade mercenary spyware. Mercenary spyware is is not just software. It is a capability.

It is the capability to infect your phone and turn it into a spy in your pocket, extracting your private and encrypted chats, your photographs, your emails, your passwords... and even enabling the microphone and camera to turn your phone into a bug in the room.

At least seventy-eight separate attacks were documented across our team, using not only one, but two different mercenary spyware tools. Our team chats, our business files, our private conversations, our family photos... all of them exfiltrated. The spyware attacks didn’t stop with us. They extended to our investors. To our advisors. And even to our families. All of them targeted with tools that governments argue they only use to fight crime and "terrorism".

What triggered this? What was our crime?

We weren’t trafficking weapons. We weren't planning to bomb a marketplace or run down civilians on the street.

We were simply publishing open-source code.

Self-sovereign identity protocols. Anonymous digital voting systems. Digital primitives for technological self-sovereignty.

It seems that the Spanish intelligence agencies and its judiciary system decided that the potential use of those tools by third parties was enough to label us a "threat to national security". I repeat, for the potential future use.

This represents a dangerous escalation of the Tornado Cash playbook. This legal doctrine puts every open-source developer at risk.

Here's how.

The above slide show the current definition of the Terrorism offence in Spain. Most EU countries share similar definitions. Any action (including ofenses using information systems - aka "software") that can be considered to seriously destabilize the institutions or the economic or social structures is potentially prosecutable for the Terrorism offense (which can carry up to 12 year of imprisonment)

The hard reality is that tools that allow citizens to "opt out" or that simply allow new ways for human coordination that do not rely on a centralised party pose a direct threat to the monopolies the nation-state has held for over 300 years.

I'm not even talking about the so-called "network-states", nor mixnets. I'm talking simply about basic primitives such as decentralised governance tooling, self-sovereign identity, censorship-resistant voting, among others.

Every state applies its own flavour when it comes to redefining this term. There's not a universal definition, and it's increasingly being used to target developers, as Fede had the unfortunate luck to experience in August 2025 in Turkey.

Fede was fortunate to have the right connections who could help him get out before it was too late for him. But other developers may not be that fortunate next time. While everyone within the industry thinks the highest threat to their activities may come from AML and Money Transmitting offenses, my thesis is that Terrorism will be the true Achilles Heel of the industry, thanks to a loose interpretation of the Terrorism Offense and "National Security" concerns.

Tornado Cash prosecutions required authorities to seize devices after arrest. It required, let's say, "due process" (whether you might agree with the alleged offenses or not). Now, mercenary spyware enables any government in the world to remotely target you and extract your private conversations. They don’t need to arrest you anymore.

We have also moved from prosecuting especific past actions by third parties, to attempting to make developers liable for the potential future misuse of the tools they build.

I hope you see how the risk surface of publishing open-source code under this new playbook is exponentially higher. You can't control who will be using your tools, and there's a wide range of governmental doctrines out there with varying definitions of what constitutes "dissidence" or "criminal activity". The moment the tools you are developing are used in a real high stake event that is not approved or liked by a government, this playbook will be aimed at you.

1. Legislate for repressive national security laws: create a legislative framework that allows for loose interpretations of national security concerns and terrorism charges, therefore providing the legal coverage for the security forces and the judiciary to prosecute under those severe charges. Criminalize the right of protest, confounding public disorder events with terrorism. Wrap with archaic Official Secrecy Acts to make disclosure virtually impossible (Legislative/Parliament)

2. Procure military-grade mercenary spyware under the guise of national security: use “national security interests” to avoid accountability nor transparency on its usage, effectively keeping it as a black box to public scrutiny. (Executive/Intelligence Agencies)

3. Weaponize national security and spyware to infiltrate targets, even without the proper legal coverage (illegal interventions). Use it to fully penetrate on the target’s professional and personal life and of all its personal relationships. Use the extracted information to create fake narratives and reports, leveraging on the loose definition and interpretation of national security and terrorism. Illegally leak those reports to press (Executive/Intelligence Agencies)

4. Manipulate public opinion with misinformation: (illegally) leak inteligence and judiciary reports to press strategically with the objective to influence political opinion. Generate ad-hominem attacks to the targets to portray them as guilty until proven inocent of severe charges. Stigmatize victims, imposing a double penalization (targetting and stigmatization). (Press)

5. Leverage judiciary to silence and suppress targets within civil society targets based on those reports, which are used as “evidence” by the Judge to open new investigations, approve new targets, and keep investigations secret. Victims most often realise they have been targeted via the press and do not have access to the charges, therefore having their right to defend themselves neutralised. Most never end up being charged with a crime. Prevent real accountability nor restitutions, slow down or block independent judicial investigations or parlamentary oversight. (Judiciary)

The outcome of this playbook is the erosion of the Separation of Powers and the Rule of Law. Instead of maintaining checks and balances, the legislature, executive, judiciary, intelligence agencies, and media collude to target and suppress minorities within civil society, leveraging on the advanced capabilities of mercenary spyware. This coordinated abuse of power undermines the core principles of liberal democracy, leaving civil society exposed, marginalized, and without legal recourse. The system, which should protect rights and freedoms, instead becomes a tool for oppression, threatening the very foundation of democratic governance.

I truly hope I'm wrong and that we don't see any more instances in which this playbook is used.

If you are building privacy-centric and censorship-resistant technology, you are part of a tradition that expands human freedom. That also means you are on the front line of a long-standing conflict between privacy and surveillance, between freedom and control.

The moment your tools are used in high-stakes events, this playbook will be aimed at you. You should not be choosing between your work and your safety. We should reject a future where that is the cost of innovation.

I envision a world in which our children, families, and fellow citizens are protected from state abuse.

Here's how you can help:

1. Share this story across your community to raise awareness on the threat.

2. Or if you or your organization have the resources, contribute to the Developer Legal Defend Fund. Every $ in value we receive is a direct investment in improving our collective defense capabilities.

Stay safe,

Joan Arús