In Hungary, Szabolcs Panyi exposed spy intrigue and murky arms deals. In India, Paranjoy Guha Thakurta probed the ties between business and political interests. In Azerbaijan, Sevinj Vaqifqizi caught vote-rigging on tape, OCCRP
Separated by thousands of miles, these journalists have one thing in common: their governments considered them a threat.
All three were among dozens of journalists and activists around the world whose smartphones were infected by Pegasus: spyware made by Israeli firm NSO Group that is able to secretly steal personal data, read conversations, and switch on microphones and cameras at will.
The attacks were revealed by The Pegasus Project, an international collaboration of more than 80 journalists from 17 media organizations, including OCCRP, and coordinated by Forbidden Stories.
The phones of Panyi, Thakurta, and Vaqifqizi were analyzed by Amnesty International’s Security Lab and found to be infected after their numbers appeared on a list of over 50,000 numbers that were allegedly selected for targeting by governments using NSO software. Reporters were able to identify the owners of hundreds of those numbers, and Amnesty conducted forensic analysis on as many of their phones as possible, confirming infection in dozens of cases. The reporting was backed up with interviews, documents, and other materials.
The strongest evidence that the list really does represent Pegasus targets came through forensic analysis.
Amnesty International’s Security Lab examined data from 67 phones whose numbers were in the list. Thirty-seven phones showed traces of Pegasus activity: 23 phones were successfully infected, and 14 showed signs of attempted targeting. For the remaining 30 phones, the tests were inconclusive, in several cases because the phones had been replaced.
Fifteen of the phones in the data were Android devices. Unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work. However, three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
In a subset of 27 analyzed phones, Amnesty International researchers found 84 separate traces of Pegasus activity that closely corresponded to the numbers’ appearance on the leaked list. In 59 of these cases, the Pegasus traces appeared within 20 minutes of selection. In 15 cases, the trace appeared within one minute of selection.
In a series of responses, NSO Group denied that its spyware was systematically misused and challenged the validity of data obtained by reporters. It argued that Pegasus is sold to governments to go after criminals and terrorists, and has saved many lives. The company, which enjoys close ties to Israel’s security services, says it implements stringent controls to prevent misuse. NSO Group also specifically denies that it created or could create this type of list.
But instead of targeting only criminals, governments in more than 10 countries appear to have also selected political opponents, academics, reporters, human rights defenders, doctors, and religious leaders. NSO clients may have also used the company’s software to conduct espionage by targeting foreign officials, diplomats, and even heads of state.