Pegasus Project: massive data leak reveals Israeli NSO group's spyware used to target activists, journalists, and political leaders globally

‘They paint a picture of legitimacy, while profiting from widespread human rights violations’ - Agnès Callamard

NSO Group’s spyware has been used to facilitate human rights violations around the world on a massive scale, according to a major investigation into the leak of 50,000 phone numbers of potential surveillance targets. These include heads of state, activists and journalists, including Jamal Khashoggi’s family.

The Pegasus Project is a ground-breaking collaboration by more than 80 journalists from 17 media organisations in ten countries coordinated by Forbidden Stories, a Paris-based media non-profit, with the technical support of Amnesty International, which conducted cutting-edge forensic tests on mobile phones to identify traces of the spyware.

“These revelations blow apart any claims by NSO that such attacks are rare and down to rogue use of their technology.  “While the company claims its spyware is only used for legitimate criminal and terror investigations, it’s clear its technology facilitates systemic abuse. They paint a picture of legitimacy, while profiting from widespread human rights violations.

In a written response to Forbidden Stories and its media partners, NSO Group said it “firmly denies… false claims” in the report. It wrote that the consortium’s reporting was based on “wrong assumptions” and “uncorroborated theories” and reiterated that the company was on a “life-saving mission”. A fuller summary of NSO Group’s response is available here.

At the centre of this investigation is NSO Group’s Pegasus spyware which, when surreptitiously installed on victims’ phones, allows an attacker complete access to the device’s messages, emails, media, microphone, camera, calls and contacts.

Over the next week, media partners of The Pegasus Project - including The Guardian, Le Monde, Süddeutsche Zeitung and The Washington Post - will run a series of stories exposing details of how world leaders, politicians, human rights activists, and journalists have been selected as potential targets of this spyware.

From the leaked data and their investigations, Forbidden Stories and its media partners identified potential NSO clients in 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates.

NSO Group has not taken adequate action to stop the use of its tools for unlawful targeted surveillance of activists and journalists, despite the fact that it either knew, or arguably ought to have known, that this was taking place.

During the investigation, evidence has also emerged that family members of Saudi journalist Jamal Khashoggi were targeted by Pegasus before and after his murder in Istanbul on 2 October 2018 by Saudi operatives, despite repeated denials from NSO Group.

Amnesty’s Security Lab established that Pegasus spyware was successfully installed on the phone of Khashoggi’s fiancée Hatice Cengiz just four days after his murder. His wife, Hanan Elatr was also repeatedly targeted with the spyware between September 2017 and April 2018 as well as his son, Abdullah, who was also selected as a target along with other family members in Saudi Arabia and the UAE.

In a statement, the NSO Group responded to the Pegasus Project allegations saying that its “technology was not associated in any way with the heinous murder of Jamal Khashoggi”. The company said it “previously investigated this claim, immediately after the heinous murder, which again, is being made without validation”.

The investigation has so far identified at least 180 journalists in 20 countries who were selected for potential targeting with NSO spyware between 2016 to June 2021, including in Azerbaijan, Hungary, India and Morocco, countries where crackdowns against independent media have intensified. The revelations show the real-world harm caused by unlawful surveillance:

Amnesty is today releasing the full technical details of its Security Lab’s in-depth forensic investigations as part of the Pegasus Project.

The Lab’s methodology report documents the evolution of Pegasus spyware attacks since 2018, with details on the spyware’s infrastructure, including more than 700 Pegasus-related domains.

There is nothing to suggest that NSO’s customers did not also use Pegasus in terrorism and crime investigations, and the Forbidden Stories consortium also found numbers in the data belonging to suspected criminals.

In response to a request for comment by media organisations involved in the Pegasus Project, NSO Group said it “firmly denies” the claims and stated that “many of them are uncorroborated theories which raise serious doubts about the reliability of your sources, as well as the basis of your story”. NSO Group did not confirm which governments are NSO Group’s customers, although it said the Pegasus Project had made “incorrect assumptions” in this regard. Notwithstanding its general denial, NSO Group said it “will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations”.