I also don't recall it. iirc the topic also came up in a tptazcek episode of "security cryptography whatever" and a handful of other places ... so I might be conflating things on who made claims when.
If it were used against their own IL citizens, would it really matter legally? As long as the parent company (NSO) can plausibly claim it had no knowledge of even the existence of a specific SLA between a foreign spinoff (e.g. FloLive, Circle etc) and their clients. If you think yourself into a position where you want to become a global player in an increasingly regulated market (embargoes, sanctions lists etc) the only way to avoid repercussions is by not knowing what other parts of your affiliates are doing.
Just because some of these shell companies have been unmasked must be annoying for NSO. But they can still say they had no idea what directors of these "independent" companies were doing.
It would be normal military tactic to compartmentalize information not just on paper but also in reality to be on a "need to know basis". So it's double baffling to me that the shell companies listed as the main investors are the same people sitting on the NSO board of directors.
