The Digital Police State: Surveillance, Secrecy and State Power in Bangladesh

Bangladesh’s surveillance system, rooted in colonial-era policing traditions and strengthened by post-independence military intelligence priorities, has transformed significantly over the past two decades. It has evolved from rudimentary physical monitoring to a sophisticated, cyber-enabled network capable of real-time interception, metadata analysis, remote eavesdropping, and content filtering. This transition accelerated under the pretext of counterterrorism, especially following the 9/11 terrorist attacks in the United States and the 2016 Holey Artisan Bakery attack in Bangladesh. However, our investigation finds that cyber surveillance has increasingly been used to target political opposition, journalists, activists, and ordinary citizens, particularly during electoral cycles and mass protests.

In this 70-page report, backed by over a year of research, we investigate the evolution, architecture and implications of Bangladesh’s surveillance apparatus, revealing a system that has expanded over the years with limited transparency, oversight, or accountability. Drawing on public and government records, procurement and trade documents, and open-source intelligence, the study traces the historical, political, technological, and legal contours of its expanding cyber monitoring regime, and maps how invasive surveillance technologies—often acquired from foreign vendors operating in legal grey zones—have been systematically embedded into the country’s security, political, and governance frameworks. Of note, the research findings are limited to available public records and documents; as such, the actual figures and number of technologies may be higher.

A central finding of this investigation is that at least 160 surveillance technologies and other spyware systems were imported into and/or deployed in Bangladesh between 2015 and 2025, often via opaque procurement processes and third-country intermediaries.

These tools range from IMSI catchers and Wi-Fi interceptors to spyware like Cellebrite, FinFisher and Predator, enabling expansive, often warrantless state-sanctioned surveillance. The following provides a list of technologies, broken down by their use and procuring agency, to provide a glimpse of the expansiveness of Bangladesh’s surveillance architecture.

 

Who Sells Surveillance and Spyware to Bangladesh 

The investigation identifies the origin countries of known suppliers and finds that companies registered in France, Germany, the United States, Canada, the United Kingdom, and others, sold surveillance technologies and spyware to the former Bangladeshi government, despite its record of serious human rights abuses. Critically, the report documents how Israeli-origin technologies, such as Cellebrite UFED and spyware from NSO Group and Intellexa, were routed through Cyprus, Singapore, and Hungary to circumvent formal trade restrictions, raising ethical and legal concerns about global surveillance exports.

 

Between 2015 and 2025, it is estimated that Bangladesh spent nearly USD 190 million on surveillance and spyware.

Of this, U.S. firm Yaana Technologies alone sold its technology to Bangladesh for approximately USD 51.7 million. At least USD 40 million was spent on Israeli-origin technologies, the majority of which have reportedly been used in other authoritarian regimes worldwide. Bangladesh does not have diplomatic relations with Israel, and these purchases were made through third-country intermediaries to avoid trade restrictions or scrutiny.

 

Who Are the Buyers

The investigation finds that the National Telecommunications Monitoring Center (NTMC) alone appears to have spent over USD 100 million on surveillance technologies (58% of total spend) between 2015 and 2025, including deep packet inspection (DPI) and decryption platforms to intercept internet traffic, and spyware to filter content and extract data. Meanwhile, the Information and Communication Technology Division’s BGD e-GOV CIRT has invested heavily in spyware for social media, messaging and web content interception and analysis. These figures are likely underestimated due to the absence of comprehensive public records and documentation on surveillance procurement. Nonetheless, together, these investments point to a coordinated expansion of the state’s capacity to monitor and control digital communications.

While geolocation tracking and network interception are common across intelligence, law enforcement, and certain government agencies, our investigation identified clear patterns based on procurement records and training logs. NTMC is the single largest buyer, spending nearly USD 90 million between 2018 and 2024, with a focus on network interception, deep packet inspection, remote eavesdropping, and app- and device-level data extraction. Bangladesh Police and RAB have invested heavily in Wi-Fi and mobile network interception, as well as signal jamming through both vehicle-mounted and portable systems. Given their capabilities and specifications, these tools are primarily deployed for crowd control and the surveillance of protests. Meanwhile, DGFI has primarily invested in infrastructure for cell network monitoring and tapping, and signal jamming. Citizen Lab’s investigations find that in 2015, DGFI purchased FinFisher, a computer spyware suite that can install malware on a target’s device to gain access to their data and even take control of it.  

 

Based on available government records, in 2022, Bangladesh recorded its largest single-year expenditure on surveillance and spyware, totaling nearly USD 88.3 million. NTMC accounted for at least USD 78.3 million of this spending. That year, Major General Ziaul Ahsan assumed leadership of NTMC, overseeing its transformation from a modest intelligence processing unit within the Ministry of Home Affairs into a sophisticated spy agency embedded in the country’s regulatory, political, and intelligence infrastructure.

In August 2022, French cybersecurity firm Intersec reportedly won a contract worth EUR 13 million (equivalent to USD 16.7 million at the current conversion rate) to provide a geopositioning and complete network intelligence system to NTMC, coupled with five years of technical support and training. Intersec’s website indicates their “govtech” solution can analyze mobile network metadata and facilitate “less intrusive” content interception. That same year, American firm Yaana Technologies won a contract worth USD 51.7 million to set up an “integrated lawful interception system” that can target individuals “threatening national security”. Five months after the news, in January 2023, former Minister of Home Affairs Asaduzzaman Khan indicated that NTMC has now introduced an “integrated lawful interception system” that “possesses advanced capabilities for social media monitoring.”

Purchases rose sharply before or just after national elections in 2018 and 2024, indicating these technologies were likely used to suppress political and civic opposition, and maintain regime continuity. Spending on geolocation tracking ($10.8m) and on spyware and data extraction ($77.1m) increased ahead of national polls, to heighten surveillance on political rallies and candidates.

 

How Spyware Got Mainstreamed Within the Surveillance Infrastructure

Surveillance and spyware both involve monitoring communications, but differ in intent. Surveillance can be lawful when targeting specific individuals for security or law enforcement. Spyware, however, is malicious software installed without consent to steal information. Today, the line between them is blurred, as modern surveillance increasingly uses spyware for broad, indiscriminate monitoring.

Cellebrite UFED is capable of extracting, decoding, and analyzing data from a wide range of devices, including mobile phones, tablets, GPS units, and other storage media. It can reportedly bypass certain password protections and encryption to access stored information such as call logs, messages, contacts, application data, multimedia files, and location history. When used in conjunction with the UFED Physical Analyzer, the system can conduct more in-depth analysis, recover deleted content, and generate detailed forensic reports. 

Public documents from the Ministry of Home Affairs and BPPA indicate that Bangladeshi state agencies have procured digital forensics tools, including Cellebrite UFED and associated Cellebrite UFED Physical Analyzer. The Bangladesh e-Government Computer Incident Response Team (BGD e-GOV CIRT) was involved in the planned procurement, while Bangladesh Police were authorized by the Ministry of Home Affairs to undergo training for Cellebrite Certified Operator (CCO) and Cellebrite Certified Physical Analyst (CCPA) certifications, which relate to advanced data extraction and forensic analysis using the tools. Documents indicate that six police officers were authorized to participate in a training in Singapore in 2019.

Our investigations uncovered cases where malware was delivered through ordinary apps such as ridesharing, food delivery, e-commerce, games, and local content platforms. Once installed, this malware enabled intelligence and law enforcement agencies to fully access the device, monitor communications, and collect data without requiring app-level interception. 

In 2018, a report by Citizen Lab revealed that Bangladesh was among 45 countries where Pegasus—the powerful spyware developed by Israeli cyber intelligence firm NSO Group—had been detected. Pegasus is known for its ability to remotely access a target’s smartphone, enabling covert surveillance of calls, messages, and even microphone and camera feeds. NSO Group has faced mounting international scrutiny and was sanctioned by the U.S. government in 2021 for enabling authoritarian regimes to “maliciously target” journalists, activists, and human rights defenders.

Bangladesh’s lack of formal relations with Israel means direct purchases from Israeli companies are officially prohibited. Despite this, multiple Israeli-origin systems reportedly ended up in Bangladesh, facilitated by third-party countries like Cyprus, Singapore, and Hungary. Our investigation found export documents from Cyprus—a known hub for intermediaries involved in surveillance tech transfers—showing that another Israeli-owned firm, Coralco Tech, sold spyware worth an estimated USD 1.6 million to DGFI via its Singapore operations. This technology reportedly allows for remote access and real-time eavesdropping on mobile phones, reinforcing state capacity for covert surveillance.

The same export records reveal that UTX Technologies, an Israeli surveillance company later acquired by Verint Systems, supplied multiple spyware systems to NTMC. In 2019, the firm sold a “web intelligence system” for USD 2 million, and in 2021, it provided a cellphone tracking system valued at USD 500,000. These tools can monitor online behavior and geolocate mobile users.

Other Israeli firms, including Passitora, Prelysis, and Cognyte (a company also affiliated with Verint Systems), have also reportedly been involved in selling spyware and surveillance technologies to Bangladesh through intermediary countries like Cyprus and Singapore. These companies are part of a broader network of cyber intelligence exporters that have supplied spyware to dozens of authoritarian regimes worldwide, contributing to the global expansion of invasive digital surveillance tools often used to suppress dissent, monitor civil society, and undermine press freedom.

At least nine known commercial spyware vendors have sold their technologies to Bangladesh, including sanctioned firms and/or their owners like those at NSO Group, Intellexa Consortium and Cytrox. Others include British-German Gamma Group, Israeli conglomerate Verint Systems and its subsidiaries Cognyte and UTX Technologies, as well as Cellebrite and Coralco Tech.

 

Similarly, Turkish spyware firm Bilgi Teknoloji Tasarım (BTT) used deceptive tactics to bypass export controls and sell surveillance tools like IMSI-catchers to Bangladesh. In the 2015 Hacking Team leaks, BTT was found selling spyware and other surveillance equipment to NTMC. BTT was later acquired by a UAE firm in 2017 before shutting down.

Separately, in 2019, BGD e-GOV CIRT was found to be actively using Oxygen Forensic Detective and BelkasoftX, which collectively have capabilities similar to Cellebrite’s, including access to messaging app data and to cloud and system artifacts. These highlight the state’s efforts to institutionalize spyware within the broader surveillance architecture.

Over 22 Laws and Policies Enable Surveillance on Ordinary Citizens

The report identifies a web of domestic laws that either explicitly authorize or indirectly facilitate surveillance. It also demonstrates how law enforcement and intelligence agencies—many of which are established and empowered through non-public executive orders and operate within opaque, black-box structures—carry out extensive surveillance in the absence of explicit legal mandates and in violation of constitutional safeguards.

Among the primary legal instruments relied upon by state authorities to conduct surveillance is the Bangladesh Telecommunication Regulation Act, 2001. Following amendments in 2006 and 2010, the statute effectively granted surveillance powers to law enforcement, intelligence, and regulatory agencies, enabling them to intercept, monitor, and collect information transmitted via telecommunication networks. Notably, this provision was not conceived in a vacuum; it builds on a long-standing legacy of expansive state control powers embedded in colonial-era legislation such as the Telegraph Act, 1885 and the Wireless Telegraphy Act, 1933, which remain operational today and continue to inform contemporary surveillance practices. Collectively, these provisions have been interpreted to confer sweeping authority to agencies such as NTMC, DGFI, NSI, ATU, SB, RAB, and Bangladesh Police to surveil internet traffic, encrypted communications, and voice and data transmissions. Moreover, service providers are legally compelled to cooperate with government requests, under threat of criminal penalties, including fines, imprisonment, and potential non-renewal of operating licenses.

Despite the breadth of these practices, there is no specialized parliamentary committee to oversee intelligence operations, minimal judicial engagement with surveillance-related constitutional questions, and an absence of meaningful procedural guardrails. These gaps are further compounded by official secrecy laws and broad national security exemptions embedded across multiple legal frameworks, which collectively shield surveillance practices from both public scrutiny and institutional accountability. Surveillance tools have been widely adopted across policing, intelligence, government, and military institutions—ostensibly under the mandates of counterterrorism, cybersecurity, or public order—but are frequently deployed to monitor dissent and journalism. 

Path Forward

Although elements of these findings have been previously reported by media and research groups, there has been little effort to systematically or specifically address the purchase and deployment of surveillance and spyware in Bangladesh. Despite a change in government, it is unclear whether, and to what extent, surveillance and spyware continue to be purchased and used in Bangladesh. However, government records show that the Rapid Action Battalion (RAB) acquired vehicular mobile interception devices, and its officers were authorized for training in mobile and Wi-Fi interception, including use during large gatherings and protests as recently as February 2025.

To address these systemic concerns, the report presents a series of legal and institutional recommendations aimed at establishing constitutional limits on surveillance, enhancing transparency, ensuring independent oversight, and aligning Bangladesh’s practices with international human rights standards. With elections approaching, and given the precedent of using surveillance technologies to suppress political opposition or intimidate voters, urgent action is needed to prevent their disproportionate use against citizens. 

Without such meaningful reform, the country risks further entrenching a model of digital authoritarianism, where surveillance operates not in service of public interest or security, but as a tool of unchecked state power and political control.