Pegasus spyware is forensically confirmed to exist and to have been used against journalists, human rights activists, lawyers, politicians, and associates of Jamal Khashoggi.
1,108 wordsUpdated 13 May 2026
7 supporting3 debunking12 sources
Pegasus NSO Spyware
Introduction
Pegasus is a mobile phone surveillance software package developed by the Israeli private-intelligence firm NSO Group Technologies. Marketed exclusively to government clients as a tool for fighting terrorism and serious crime, Pegasus is capable of silently infecting both iOS and Android devices, extracting call records, messages, emails, photos, and GPS data, and — in its most advanced versions — activating the microphone and camera without the target's knowledge. Its infection mechanism has evolved from targeted link-click attacks to "zero-click" exploits that require no action by the target.
NSO Group's Pegasus spyware: forensically confirmed by Citizen Lab (2016+), Amnesty International, and Apple. 2021 Pegasus Project (Forbidden Stories + 17 media orgs) leaked 50,000+ apparent targets including Khashoggi associates, 180+ journalists, heads of state, and Catalan independence figures. Apple sued NSO Nov 2021; US Commerce Dept added NSO to Entity List Nov 2021. Confirmed surveillance at scale.
Analysis
Claim Map
Core claim
Pegasus is a commercial surveillance software package developed by the Israeli firm NSO Group and sold exclusively to government clients. Its existence and capabilities were first definitively confirmed by Citizen Lab (University of Toronto) forensic analysis beginning in 2016. The 2021 Pegasus Project — a coordinated investigation by Forbidden Stories with Amnesty International and 80 journalists across 17 media organisations — documented over 50,000 phone numbers in a data leak, identifying journalists, human rights activists, lawyers, heads of state, and associates of murdered journalist Jamal Khashoggi as apparent surveillance targets. NSO Group disputes characterisations of misuse; the US Commerce Department added NSO to its Entity List in November 2021; Apple and Meta both filed lawsuits against NSO. The surveillance capabilities are forensically confirmed; the scale of alleged misuse is documented; the specific authorisations for each target remain contested.
Documented fact
Citizen Lab forensic confirmation (2016–present)
Unsupported inference
NSO Group disputes the 50,000-number list methodology
Evidence that would change this
A verdict change would require new primary records, reproducible physical evidence, or named, corroborated testimony that directly answers the disputed claim.
Current verdict
confirmed, 95% confidence
Evidence Strength Matrix
A compact map of what is documented, where the claim leaps, and what evidence affects the verdict.
Unsupported: The adjacent fact does not by itself prove coordination, motive, scale, or concealment.
Counter-evidence: NSO Group disputes the 50,000-number list methodology
Verdict impact: Sets the baseline for what is real before broader claims are tested.
Claim mechanism
Documented: Any proposed mechanism must be tied to records, physical evidence, technical limits, or named procedures.
Unsupported: A mechanism remains weak when it depends on inference from coincidence, visual artifacts, or anonymous claims.
Counter-evidence: NSO Group terminated some client contracts for misuse
Verdict impact: Determines whether the claim is testable or mainly narrative pattern-matching.
Verdict movement
Documented: The page states what future evidence would matter.
Unsupported: A claim does not move the verdict by repeating suspicion without new primary evidence.
Counter-evidence: Pegasus spyware is forensically confirmed to exist and to have been used against journalists, human rights activists, lawyers, politicians, and associates of Jamal Khashoggi. Citizen Lab (University of Toronto), Amnesty International Security Lab, and Apple's own vulnerability disclosure team have independently verified infections. The 2021 Pegasus Project documented 50,000+ apparent targets across NSO Group's government clients. The US Commerce Department added NSO to its Entity List in November 2021. Apple and Meta have filed lawsuits against NSO. The core surveillance claims are documented facts, not speculation.
Verdict impact: confirmed, 95% confidence
Claim Element
Documented Fact
Unsupported Leap
Counter-Evidence
Source Quality
Verdict Impact
Adjacent documented fact
Citizen Lab forensic confirmation (2016–present)
The adjacent fact does not by itself prove coordination, motive, scale, or concealment.
NSO Group disputes the 50,000-number list methodology
11 high, 1 medium, 0 low
Sets the baseline for what is real before broader claims are tested.
Claim mechanism
Any proposed mechanism must be tied to records, physical evidence, technical limits, or named procedures.
A mechanism remains weak when it depends on inference from coincidence, visual artifacts, or anonymous claims.
NSO Group terminated some client contracts for misuse
Latest source year 2022
Determines whether the claim is testable or mainly narrative pattern-matching.
Verdict movement
The page states what future evidence would matter.
A claim does not move the verdict by repeating suspicion without new primary evidence.
Pegasus spyware is forensically confirmed to exist and to have been used against journalists, human rights activists, lawyers, politicians, and associates of Jamal Khashoggi. Citizen Lab (University of Toronto), Amnesty International Security Lab, and Apple's own vulnerability disclosure team have independently verified infections. The 2021 Pegasus Project documented 50,000+ apparent targets across NSO Group's government clients. The US Commerce Department added NSO to its Entity List in November 2021. Apple and Meta have filed lawsuits against NSO. The core surveillance claims are documented facts, not speculation.
How this claim moves from origin to amplification, record check, verdict, and recurrence.
1
First appearance
2016
2
Amplification
Amplification pattern still being documented.
3
Record check
Citizen Lab forensic confirmation (2016–present)
4
Verdict boundary
Pegasus spyware is forensically confirmed to exist and to have been used against journalists, human rights activists, lawyers, politicians, and associates of Jamal Khashoggi. Citizen Lab (University of Toronto), Amnesty International Security Lab, and Apple's own vulnerability disclosure team have independently verified infections. The 2021 Pegasus Project documented 50,000+ apparent targets across NSO Group's government clients. The US Commerce Department added NSO to its Entity List in November 2021. Apple and Meta have filed lawsuits against NSO. The core surveillance claims are documented facts, not speculation.
5
Recurrence risk
Often recurs through the synthetic media and platform claims claim family.
This page is below one or more content-quality gates: body depth (1108/1200 words), counter-evidence balance (3/4), further reading (0/4), missing verdict-change standard. Editors are expanding the narrative, source base, and related reading before marking the page complete.
4 min readDifficulty: 5/5Fact-checked: May 2026
Body 1108/1200 wordsSources 12/12Freshness May 2026, review May 2027Evidence 7 supporting / 3 counter
The framing of Pegasus as a "conspiracy theory" is somewhat misleading: the core claims — that Pegasus exists, that it can do what it is alleged to do, and that it has been used against journalists, activists, and politicians — are not conspiracy speculation but documented forensic findings. The conspiracy dimensions concern scale, authorisation, and the degree to which NSO Group or its clients acted unlawfully or unethically.
Citizen Lab and the Forensic Record
The first forensic documentation of Pegasus came from Bill Marczak and John Scott-Railton of the Citizen Lab at the University of Toronto's Munk School of Global Affairs. In 2016, their analysis of an attack on UAE human rights activist Ahmed Mansoor provided the first technical reconstruction of how Pegasus infected a device via a targeted link. Apple issued an emergency patch (iOS 9.3.5) within ten days of Citizen Lab's disclosure. This episode established the forensic methodology that subsequent Pegasus investigations have used.
Between 2016 and 2021, Citizen Lab published multiple reports documenting Pegasus infections on devices belonging to journalists, dissidents, and lawyers across Mexico, Saudi Arabia, India, Azerbaijan, Kazakhstan, Rwanda, and at least a dozen other countries. NSO Group consistently denied misuse, arguing that Pegasus was sold only to vetted government clients for lawful interception of terrorism and serious crime suspects.
The 2021 Pegasus Project
In July 2021, Forbidden Stories (a Paris-based nonprofit journalism organisation) and Amnesty International published the results of a coordinated investigation involving 80 journalists across 17 media organisations — including The Guardian, Le Monde, Süddeutsche Zeitung, the Washington Post, and others. The investigation was based on a leaked list of over 50,000 phone numbers that appeared to have been selected as surveillance targets by NSO Group clients.
Key findings of the Pegasus Project:
Journalists and media figures: Over 180 journalists from 20 countries appeared on the list, including reporters from Reuters, the Associated Press, the Financial Times, CNN, Le Monde, Al Jazeera, and others.
Khashoggi associates: Numbers associated with family members and close associates of Washington Post columnist Jamal Khashoggi — murdered in the Saudi consulate in Istanbul in October 2018 — appeared on the list. Forensic analysis of the phone of Khashoggi's fiancée, Hatice Cengiz, confirmed Pegasus infections.
Heads of state: The French government subsequently confirmed that President Emmanuel Macron's phone number appeared on the list. Moroccan intelligence was identified as the likely client responsible; Morocco denied this. Numbers associated with at least fourteen other heads of state and senior government officials appeared on the list.
Catalan independence figures: At least 65 individuals connected to the Catalan independence movement — including Catalan President Carles Puigdemont and other politicians and lawyers — were identified as targets, with the Spanish government implicated as the client.
Amnesty International's Security Lab performed forensic analysis on a sample of devices and confirmed Pegasus infections on 37. NSO Group disputed the methodology and the interpretation of the leaked list, arguing that the list was not an NSO product and that the forensic analyses contained errors.
Apple and Meta Lawsuits
In November 2021, Apple filed suit against NSO Group in federal court in California, seeking to permanently bar NSO from using Apple products and services, and seeking damages. Apple simultaneously disclosed an iOS vulnerability (CVE-2021-30860) that NSO had exploited via iMessage in a zero-click attack dubbed "FORCEDENTRY." The complaint cited Citizen Lab's forensic work extensively.
Meta (then Facebook) had filed an earlier lawsuit in October 2019, alleging that NSO had used WhatsApp infrastructure to deliver Pegasus to approximately 1,400 devices in a two-week window in May 2019, targeting journalists, human rights activists, and government officials. That lawsuit is ongoing.
US Commerce Department Entity List
In November 2021, the US Department of Commerce added NSO Group (and Candiru, another Israeli surveillance firm) to its Entity List, restricting US companies from exporting technology to NSO without a licence. The Commerce Department cited credible evidence that NSO had supplied spyware to foreign governments that used it to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers. This is a formal US government determination, not a speculative claim.
NSO Group's Defences
NSO Group has consistently argued:
Pegasus is sold only to vetted government clients for lawful interception of terrorism and serious crime suspects.
NSO has no visibility into which specific targets its clients select; it provides the tool, not the targeting.
Amnesty International's forensic methodology contains errors; the 50,000-number list is not an NSO product.
NSO terminated contracts with clients found to have misused the product, and has a human rights policy.
These defences are partially credited in the record: NSO has terminated some client contracts. But the forensic evidence of infections — confirmed by Apple, Citizen Lab, and Amnesty International's Security Lab independently — establishes that the product has been used against civilians, journalists, and activists, not only terrorism suspects.
Why the Verdict Is "Confirmed"
The core claims are forensically confirmed by multiple independent technical teams including Citizen Lab (University of Toronto), Amnesty International Security Lab, and Apple's own vulnerability disclosure process. The US government's formal Entity List designation constitutes an official determination of misuse. The victims are identified by name. The scale (50,000+ numbers) and breadth of targets (journalists, activists, heads of state, Khashoggi associates) are documented, not speculated. The outstanding contested questions — precise authorisation chains for each targeting decision, the complete universe of clients and operations — do not undermine the core confirmed claims.
What Would Change Our Verdict
Comprehensive client and targeting disclosure by NSO Group (would clarify scale)
Judicial findings in the Apple and Meta lawsuits (would clarify specific legal violations)
Successor technology assessments as Pegasus evolves
Verdict
Confirmed. Pegasus's existence and capabilities are forensically documented by multiple independent technical teams. Its use against journalists, activists, Khashoggi associates, and heads of state is confirmed by Citizen Lab, Amnesty International, and Apple's own vulnerability disclosure. The US Commerce Department has formally determined misuse. NSO Group's contested defences do not overturn the forensic record; they contest scope and authorisation at the margins.
The Strongest Case For This Theory
Citizen Lab forensic confirmation (2016–present)
SupportingStrong
Bill Marczak and John Scott-Railton at the Citizen Lab (University of Toronto) forensically documented Pegasus infections beginning with UAE activist Ahmed Mansoor in 2016. The methodology — examining device memory and network traffic for NSO Group infrastructure signatures — has been peer-reviewed and independently replicated. Apple patched the iOS vulnerability within ten days of Citizen Lab's disclosure.
Forbidden Stories (Paris) coordinated an investigation with Amnesty International and 80 journalists at 17 media organisations based on a leaked list of 50,000+ apparent surveillance targets. Amnesty International's Security Lab forensically confirmed Pegasus infections on 37 devices from the sample they examined.
Khashoggi associates confirmed as targets
SupportingStrong
Forensic analysis by Amnesty International Security Lab confirmed Pegasus infections on the phone of Hatice Cengiz, fiancée of murdered Washington Post journalist Jamal Khashoggi, shortly before his October 2018 murder in the Saudi consulate in Istanbul. Phone numbers of other Khashoggi associates also appeared in the leaked list.
Apple patched FORCEDENTRY zero-click exploit and filed lawsuit
SupportingStrong
Apple disclosed CVE-2021-30860 (dubbed FORCEDENTRY) — a zero-click iMessage exploit used by NSO Group to install Pegasus without any target interaction — and filed a federal lawsuit against NSO Group in November 2021, seeking permanent injunctions against NSO using Apple products. The exploit was independently confirmed as NSO-developed by Google Project Zero.
US Commerce Department Entity List designation
SupportingStrong
The US Department of Commerce added NSO Group to its Entity List in November 2021, citing "credible evidence that NSO Group and Candiru developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers." This is a formal US government determination with legal consequences.
Meta (WhatsApp) lawsuit: 1,400 targets in two-week window
SupportingStrong
In October 2019, Meta (then Facebook) filed suit in California federal court alleging NSO Group used WhatsApp infrastructure to install Pegasus on approximately 1,400 devices across 20 countries in a two-week period in May 2019, targeting journalists, lawyers, human rights activists, and government officials. The lawsuit is ongoing.
Heads of state and Catalan independence figures on target list
SupportingStrong
French President Emmanuel Macron's phone number appeared in the leaked list; the French government convened an emergency meeting of the defence council. Forensic analysis identified at least 65 individuals connected to the Catalan independence movement — including politicians, lawyers, and activists — as Pegasus targets, with the Spanish government implicated as the client.
How That Case Fares Against the Evidence
NSO Group disputes the 50,000-number list methodology
Debunking
NSO Group argues that the leaked 50,000-number list is not an NSO Group product and that its interpretation as a targeting list is methodologically unsound. NSO contends that Amnesty International's forensic methodology — specifically iCloud backup analysis and network traffic correlation — produces false positives.
Rebuttal
The methodology dispute covers the interpretation of the full 50,000-number list, not the forensically confirmed infections on individual devices. Citizen Lab, Amnesty International Security Lab, and Apple's own CVE disclosure team have independently confirmed specific infections using multiple technical methods. The methodological objection is a partial point, not a wholesale refutation.
NSO Group terminated some client contracts for misuse
DebunkingWeak
NSO Group has stated it has terminated contracts with at least two government clients found to have misused Pegasus, and has published a human rights policy and transparency reports. The company argues it is a responsible vendor that cannot control how clients use the product.
Rebuttal
Termination of some contracts confirms rather than refutes that misuse occurred. The terminations are evidence that NSO was aware of the misuse problem and that its client-vetting and compliance mechanisms were insufficient to prevent targeting of journalists and activists. The human rights policy postdates the confirmed misuse incidents.
Specific authorisation chains for individual targeting decisions remain contested
DebunkingWeak
While the infections and the victim identities are confirmed, the complete chain of authorisation — which specific government official approved which specific target for surveillance — has not been fully documented for most cases. Some targets may have been lawful under the laws of their respective countries; others clearly were not.
Rebuttal
Uncertainty about authorisation chains at the margins does not undermine the confirmed core: journalists and human rights activists in multiple countries were forensically confirmed as Pegasus targets. The lawfulness of surveilling a French journalist or a Khashoggi associate does not vary significantly across plausible authorisation interpretations.
Evidence Filters10
Citizen Lab forensic confirmation (2016–present)
SupportingStrong
Bill Marczak and John Scott-Railton at the Citizen Lab (University of Toronto) forensically documented Pegasus infections beginning with UAE activist Ahmed Mansoor in 2016. The methodology — examining device memory and network traffic for NSO Group infrastructure signatures — has been peer-reviewed and independently replicated. Apple patched the iOS vulnerability within ten days of Citizen Lab's disclosure.
Forbidden Stories (Paris) coordinated an investigation with Amnesty International and 80 journalists at 17 media organisations based on a leaked list of 50,000+ apparent surveillance targets. Amnesty International's Security Lab forensically confirmed Pegasus infections on 37 devices from the sample they examined.
Khashoggi associates confirmed as targets
SupportingStrong
Forensic analysis by Amnesty International Security Lab confirmed Pegasus infections on the phone of Hatice Cengiz, fiancée of murdered Washington Post journalist Jamal Khashoggi, shortly before his October 2018 murder in the Saudi consulate in Istanbul. Phone numbers of other Khashoggi associates also appeared in the leaked list.
Apple patched FORCEDENTRY zero-click exploit and filed lawsuit
SupportingStrong
Apple disclosed CVE-2021-30860 (dubbed FORCEDENTRY) — a zero-click iMessage exploit used by NSO Group to install Pegasus without any target interaction — and filed a federal lawsuit against NSO Group in November 2021, seeking permanent injunctions against NSO using Apple products. The exploit was independently confirmed as NSO-developed by Google Project Zero.
US Commerce Department Entity List designation
SupportingStrong
The US Department of Commerce added NSO Group to its Entity List in November 2021, citing "credible evidence that NSO Group and Candiru developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers." This is a formal US government determination with legal consequences.
Meta (WhatsApp) lawsuit: 1,400 targets in two-week window
SupportingStrong
In October 2019, Meta (then Facebook) filed suit in California federal court alleging NSO Group used WhatsApp infrastructure to install Pegasus on approximately 1,400 devices across 20 countries in a two-week period in May 2019, targeting journalists, lawyers, human rights activists, and government officials. The lawsuit is ongoing.
Heads of state and Catalan independence figures on target list
SupportingStrong
French President Emmanuel Macron's phone number appeared in the leaked list; the French government convened an emergency meeting of the defence council. Forensic analysis identified at least 65 individuals connected to the Catalan independence movement — including politicians, lawyers, and activists — as Pegasus targets, with the Spanish government implicated as the client.
NSO Group disputes the 50,000-number list methodology
Debunking
NSO Group argues that the leaked 50,000-number list is not an NSO Group product and that its interpretation as a targeting list is methodologically unsound. NSO contends that Amnesty International's forensic methodology — specifically iCloud backup analysis and network traffic correlation — produces false positives.
Rebuttal
The methodology dispute covers the interpretation of the full 50,000-number list, not the forensically confirmed infections on individual devices. Citizen Lab, Amnesty International Security Lab, and Apple's own CVE disclosure team have independently confirmed specific infections using multiple technical methods. The methodological objection is a partial point, not a wholesale refutation.
NSO Group terminated some client contracts for misuse
DebunkingWeak
NSO Group has stated it has terminated contracts with at least two government clients found to have misused Pegasus, and has published a human rights policy and transparency reports. The company argues it is a responsible vendor that cannot control how clients use the product.
Rebuttal
Termination of some contracts confirms rather than refutes that misuse occurred. The terminations are evidence that NSO was aware of the misuse problem and that its client-vetting and compliance mechanisms were insufficient to prevent targeting of journalists and activists. The human rights policy postdates the confirmed misuse incidents.
Specific authorisation chains for individual targeting decisions remain contested
DebunkingWeak
While the infections and the victim identities are confirmed, the complete chain of authorisation — which specific government official approved which specific target for surveillance — has not been fully documented for most cases. Some targets may have been lawful under the laws of their respective countries; others clearly were not.
Rebuttal
Uncertainty about authorisation chains at the margins does not undermine the confirmed core: journalists and human rights activists in multiple countries were forensically confirmed as Pegasus targets. The lawfulness of surveilling a French journalist or a Khashoggi associate does not vary significantly across plausible authorisation interpretations.
Evidence Cited by Believers7
Citizen Lab forensic confirmation (2016–present)
SupportingStrong
Bill Marczak and John Scott-Railton at the Citizen Lab (University of Toronto) forensically documented Pegasus infections beginning with UAE activist Ahmed Mansoor in 2016. The methodology — examining device memory and network traffic for NSO Group infrastructure signatures — has been peer-reviewed and independently replicated. Apple patched the iOS vulnerability within ten days of Citizen Lab's disclosure.
Forbidden Stories (Paris) coordinated an investigation with Amnesty International and 80 journalists at 17 media organisations based on a leaked list of 50,000+ apparent surveillance targets. Amnesty International's Security Lab forensically confirmed Pegasus infections on 37 devices from the sample they examined.
Khashoggi associates confirmed as targets
SupportingStrong
Forensic analysis by Amnesty International Security Lab confirmed Pegasus infections on the phone of Hatice Cengiz, fiancée of murdered Washington Post journalist Jamal Khashoggi, shortly before his October 2018 murder in the Saudi consulate in Istanbul. Phone numbers of other Khashoggi associates also appeared in the leaked list.
Apple patched FORCEDENTRY zero-click exploit and filed lawsuit
SupportingStrong
Apple disclosed CVE-2021-30860 (dubbed FORCEDENTRY) — a zero-click iMessage exploit used by NSO Group to install Pegasus without any target interaction — and filed a federal lawsuit against NSO Group in November 2021, seeking permanent injunctions against NSO using Apple products. The exploit was independently confirmed as NSO-developed by Google Project Zero.
US Commerce Department Entity List designation
SupportingStrong
The US Department of Commerce added NSO Group to its Entity List in November 2021, citing "credible evidence that NSO Group and Candiru developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers." This is a formal US government determination with legal consequences.
Meta (WhatsApp) lawsuit: 1,400 targets in two-week window
SupportingStrong
In October 2019, Meta (then Facebook) filed suit in California federal court alleging NSO Group used WhatsApp infrastructure to install Pegasus on approximately 1,400 devices across 20 countries in a two-week period in May 2019, targeting journalists, lawyers, human rights activists, and government officials. The lawsuit is ongoing.
Heads of state and Catalan independence figures on target list
SupportingStrong
French President Emmanuel Macron's phone number appeared in the leaked list; the French government convened an emergency meeting of the defence council. Forensic analysis identified at least 65 individuals connected to the Catalan independence movement — including politicians, lawyers, and activists — as Pegasus targets, with the Spanish government implicated as the client.
Top Supporting Evidencetop 3
Citizen Lab forensic confirmation (2016–present)
SupportingStrong
Bill Marczak and John Scott-Railton at the Citizen Lab (University of Toronto) forensically documented Pegasus infections beginning with UAE activist Ahmed Mansoor in 2016. The methodology — examining device memory and network traffic for NSO Group infrastructure signatures — has been peer-reviewed and independently replicated. Apple patched the iOS vulnerability within ten days of Citizen Lab's disclosure.
Forbidden Stories (Paris) coordinated an investigation with Amnesty International and 80 journalists at 17 media organisations based on a leaked list of 50,000+ apparent surveillance targets. Amnesty International's Security Lab forensically confirmed Pegasus infections on 37 devices from the sample they examined.
Khashoggi associates confirmed as targets
SupportingStrong
Forensic analysis by Amnesty International Security Lab confirmed Pegasus infections on the phone of Hatice Cengiz, fiancée of murdered Washington Post journalist Jamal Khashoggi, shortly before his October 2018 murder in the Saudi consulate in Istanbul. Phone numbers of other Khashoggi associates also appeared in the leaked list.
Counter-Evidence3
NSO Group disputes the 50,000-number list methodology
Debunking
NSO Group argues that the leaked 50,000-number list is not an NSO Group product and that its interpretation as a targeting list is methodologically unsound. NSO contends that Amnesty International's forensic methodology — specifically iCloud backup analysis and network traffic correlation — produces false positives.
Rebuttal
The methodology dispute covers the interpretation of the full 50,000-number list, not the forensically confirmed infections on individual devices. Citizen Lab, Amnesty International Security Lab, and Apple's own CVE disclosure team have independently confirmed specific infections using multiple technical methods. The methodological objection is a partial point, not a wholesale refutation.
NSO Group terminated some client contracts for misuse
DebunkingWeak
NSO Group has stated it has terminated contracts with at least two government clients found to have misused Pegasus, and has published a human rights policy and transparency reports. The company argues it is a responsible vendor that cannot control how clients use the product.
Rebuttal
Termination of some contracts confirms rather than refutes that misuse occurred. The terminations are evidence that NSO was aware of the misuse problem and that its client-vetting and compliance mechanisms were insufficient to prevent targeting of journalists and activists. The human rights policy postdates the confirmed misuse incidents.
Specific authorisation chains for individual targeting decisions remain contested
DebunkingWeak
While the infections and the victim identities are confirmed, the complete chain of authorisation — which specific government official approved which specific target for surveillance — has not been fully documented for most cases. Some targets may have been lawful under the laws of their respective countries; others clearly were not.
Rebuttal
Uncertainty about authorisation chains at the margins does not undermine the confirmed core: journalists and human rights activists in multiple countries were forensically confirmed as Pegasus targets. The lawfulness of surveilling a French journalist or a Khashoggi associate does not vary significantly across plausible authorisation interpretations.
Top Counter-Evidencetop 3
NSO Group disputes the 50,000-number list methodology
Debunking
NSO Group argues that the leaked 50,000-number list is not an NSO Group product and that its interpretation as a targeting list is methodologically unsound. NSO contends that Amnesty International's forensic methodology — specifically iCloud backup analysis and network traffic correlation — produces false positives.
Rebuttal
The methodology dispute covers the interpretation of the full 50,000-number list, not the forensically confirmed infections on individual devices. Citizen Lab, Amnesty International Security Lab, and Apple's own CVE disclosure team have independently confirmed specific infections using multiple technical methods. The methodological objection is a partial point, not a wholesale refutation.
NSO Group terminated some client contracts for misuse
DebunkingWeak
NSO Group has stated it has terminated contracts with at least two government clients found to have misused Pegasus, and has published a human rights policy and transparency reports. The company argues it is a responsible vendor that cannot control how clients use the product.
Rebuttal
Termination of some contracts confirms rather than refutes that misuse occurred. The terminations are evidence that NSO was aware of the misuse problem and that its client-vetting and compliance mechanisms were insufficient to prevent targeting of journalists and activists. The human rights policy postdates the confirmed misuse incidents.
Specific authorisation chains for individual targeting decisions remain contested
DebunkingWeak
While the infections and the victim identities are confirmed, the complete chain of authorisation — which specific government official approved which specific target for surveillance — has not been fully documented for most cases. Some targets may have been lawful under the laws of their respective countries; others clearly were not.
Rebuttal
Uncertainty about authorisation chains at the margins does not undermine the confirmed core: journalists and human rights activists in multiple countries were forensically confirmed as Pegasus targets. The lawfulness of surveilling a French journalist or a Khashoggi associate does not vary significantly across plausible authorisation interpretations.
Timeline
Citizen Lab first forensic documentation of Pegasus
Bill Marczak and John Scott-Railton at Citizen Lab publish the first forensic documentation of Pegasus, based on an attack on UAE human rights activist Ahmed Mansoor. Apple issues an emergency iOS 9.3.5 patch within ten days. The methodology becomes the template for subsequent Pegasus investigations.
Khashoggi murdered; associates' phones later confirmed as Pegasus targets
Washington Post journalist Jamal Khashoggi is murdered in the Saudi consulate in Istanbul. Subsequent forensic analysis confirms Pegasus infections on the phone of Khashoggi's fiancée Hatice Cengiz, with targeting attributed to Saudi intelligence as a client of NSO Group.
Pegasus Project published by Forbidden Stories and 17 media partners
Forbidden Stories coordinates the simultaneous publication of the Pegasus Project across 17 media organisations in 10 countries. The investigation is based on a leaked list of 50,000+ apparent targets; Amnesty International's Security Lab confirms Pegasus infections on 37 devices. The findings generate government responses across France, India, Mexico, Hungary, and Morocco.
US Commerce Department adds NSO Group to Entity List
The Bureau of Industry and Security formally adds NSO Group and Candiru to the Entity List, restricting US technology exports to NSO. The designation cites credible evidence of surveillance against journalists, activists, and government officials. NSO Group calls the designation "misguided."
Apple files suit in California federal court against NSO Group and its parent company OSY Technologies, simultaneously disclosing FORCEDENTRY (CVE-2021-30860), a zero-click iMessage exploit used by NSO to deploy Pegasus without any target interaction. Google Project Zero independently confirms the exploit's sophistication.
Pegasus spyware is forensically confirmed to exist and to have been used against journalists, human rights activists, lawyers, politicians, and associates of Jamal Khashoggi. Citizen Lab (University of Toronto), Amnesty International Security Lab, and Apple's own vulnerability disclosure team have independently verified infections. The 2021 Pegasus Project documented 50,000+ apparent targets across NSO Group's government clients. The US Commerce Department added NSO to its Entity List in November 2021. Apple and Meta have filed lawsuits against NSO. The core surveillance claims are documented facts, not speculation.
Sources
Citizen Lab·Aug 2016·Bill Marczak, John Scott-Railton
High Credibility
Forbidden Stories·Jul 2021·Forbidden Stories / Amnesty International
High Credibility
Amnesty International·Jul 2021·Amnesty International Security Lab
High Credibility
Apple·Nov 2021·Apple Legal
High Credibility
US Department of Commerce·Nov 2021·Bureau of Industry and Security
High Credibility
Show 7 more sources
Reuters·Oct 2019·Reuters Staff
High Credibility
The Guardian·Jul 2021·The Guardian / Pegasus Project
High Credibility
Citizen Lab·Sep 2021·Citizen Lab Research Team
High Credibility
New York Times·Apr 2022·NYT / Citizen Lab
High Credibility
BBC News·Jul 2021·BBC Tech Staff
High Credibility
The Guardian·Jul 2021·The Guardian
High Credibility
NSO Group·Jun 2021·NSO Group
Medium Credibility
Sourcestop 3
Sources
Citizen Lab·Aug 2016·Bill Marczak, John Scott-Railton
High Credibility
Forbidden Stories·Jul 2021·Forbidden Stories / Amnesty International
High Credibility
Amnesty International·Jul 2021·Amnesty International Security Lab