You don't need an elaborate crime ring (or a government agency) to write malware that spies on others -- sometimes, just one person can be responsible. The US Department of Justice has charged Ohio resident Philip Durachinsky with 16 crimes for allegedly writing malware, nicknamed "Fruitfly," that gave him unfettered access to the PCs of "thousands" of individuals and institutions between 2003 and January 2017. Reportedly, he not only stole sensitive data to use for fraud and blackmail (such as logins, embarrassing chats and medical records) but took screenshots, logged keystrokes and spied on people through their webcams.
The DOJ also alleged that Durachinsky used victims' PCs as a kind of malicious search engine. Fruitfly would alert him when users typed in words associated with porn, helping him save "millions" of images and take "detailed notes." The charges (which mostly cover violations of the Computer Fraud and Abuse Act and the Wiretap Act) include an indictment for the production of child porn, but it's not clear to what degree the images or the eavesdropping were involved.
Whether or not the charges are validated in court, the claims serve as not-so-subtle reminders that backdoor malware can sometimes be created for entirely personal reasons, not just by gangs looking for profit or spies collecting intelligence. You don't have to be an obvious target to be a victim, and good security policies are important even if you don't think you have anything particularly valuable.