
For more than a decade, dozens of journalists and human rights activists were targeted and hacked by governments around the world. Cops and spies in Ethiopia, Greece, Hungary, India, Mexico, Poland, Saudi Arabia and the United Arab Emirates, among others, used sophisticated spyware to compromise the phones of these victims, who sometimes were also confronted with real-world violence: being bullied, harassed and, in extreme cases, even murdered.
Over the past few years, in the fight to protect these highest-risk communities, a team of a dozen digital security experts, primarily based in Costa Rica, Manila and Tunisia, among others, has played a key role. They work for Access Now, a non-profit organization based in New York, specifically for its Digital Security Helpline.
Their mission is to be a team of people that journalists, human rights defenders and dissidents can turn to if they suspect they have been hacked, for example with mercenary spyware created by companies like NSO Group, Intellexa or Paragon.
“The idea is to provide this service 24/7 to civil society and journalists so that they can contact us whenever they have…a cybersecurity incident,” Hassen Selmi, who leads the Helpline’s incident response team, told TechCrunch.
According to Bill Marczak, a senior researcher at the University of Toronto’s Citizen Lab who has been investigating spyware for nearly 15 years, the Access Now hotline is a “front-line resource” for journalists and others who may have been targeted or hacked by spyware.
The helpline has become a vital channel for victims. So much so that when Apple sends its users a so-called “threat notification” warning them that they have been targeted by mercenary spyware, the tech giant has long referred victims to Access Now investigators.
Speaking with TechCrunch, Selmi described a scenario in which someone receives one of these threat notifications, and where Access Now can help victims.
“Having someone who could explain to them, tell them what they should do, what they shouldn’t do, what that means… It’s a big relief for them,” Selmi said.
According to several digital rights experts who have investigated spyware cases and previously spoken with TechCrunch, Apple generally takes the right approach, even if the optics look like a billion-dollar tech giant offloading responsibility to a small team of nonprofit workers.
According to Selmi, being mentioned by Apple in notifications was “one of the most important steps” for the helpline.
Selmi and his colleagues now review about 1,000 cases of suspected government spyware attacks each year. About half of these cases result in actual investigations, and only about 5 percent of them, or about 25, result in a confirmed case of spyware infection, according to Mohammed Al-Maskati, director of the helpline.
When Selmi began doing this work in 2014, Access Now was investigating only about 20 cases of suspected spyware attacks per month.
At the time, three or four people worked in each time zone in Costa Rica, Manila and Tunisia, places that allowed them to have someone on the line all day. The team isn’t much bigger today, with fewer than 15 people working the helpline. The hotline has more people in Europe, the Middle East, North Africa and the sub-Saharan region, given that these regions are hot spots for spyware cases, according to Selmi.
The increase in cases, Selmi explained, is due to several circumstances. First, the helpline is now better known and therefore attracts more people. Second, as government spyware globalizes and becomes more available, there are potentially more cases of abuse. Finally, the hotline team increased awareness among potentially targeted populations, finding cases of abuse that they might not have otherwise discovered.
Have you received a notification from Apple, Google or WhatsApp that you have been targeted by spyware? Or do you have information on the spyware creators? We would love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or e-mail.
When someone contacts the hotline, Selmi told TechCrunch, its investigators first acknowledge receipt, then check whether the person who contacted them falls within the organization’s mandate, that is, whether they are part of civil society and not, say, a business executive or lawmaker. Then, investigators evaluate the case in triage. If a case is a priority, investigators ask questions such as why the person thinks they were targeted (in the absence of a notification) and what device they have, which helps establish what type of information investigators might need to collect from the victim’s device.
After an initial limited device check conducted remotely via the Internet, helpline managers and investigators may ask the victim to send more data, such as a full backup of their device, to perform a more in-depth analysis and look for signs of intrusion.
“For every type of known exploit that has been used in the last five years, we have a process to verify that exploit,” Selmi said, referring to known hacking techniques.
“We know more or less what is normal and what is not,” Selmi said.
Access Now managers, who manage communication and often speak the victim’s language, will also give the victim advice on what to do, such as whether to get another device or take other precautions.
Each case reviewed by the nonprofit organization is unique. “It’s different from person to person, from culture to culture,” Selmi told TechCrunch. “I think we should do more research, involve more people – not just technicians – to know how to deal with these types of victims.”
Selmi said the hotline also supports similar investigative teams in parts of the world, sharing documentation, knowledge and tools, as part of a coalition called CiviCERT, a global network of organizations that can help members of civil society who suspect they have been targeted by spyware.
Selmi said this network has also helped reach journalists and others in places they might not otherwise be able to go.
“No matter where they are, [victims] having people to talk to and report to,” Selmi told TechCrunch. “Having these people speak their language and know their context helped a lot.”