Wouldn't it be better to target the one outfit (NSO), and not its workers? Then again, I suppose the workers would setup another underground business to do the same thing, with the same exploits, and the same people. What is the solution for this?
For governments, standard CT/AML financial intelligence: identify employees, shareholders/UBOs and add them and subsequent companies they start to the various watchlists/blacklists. For the public: open source intelligence, post info on forums, name and shame etc.
