Pegasus NSO Spyware

Introduction

Pegasus is a mobile phone surveillance software package developed by the Israeli private-intelligence firm NSO Group Technologies. Marketed exclusively to government clients as a tool for fighting terrorism and serious crime, Pegasus is capable of silently infecting both iOS and Android devices, extracting call records, messages, emails, photos, and GPS data, and — in its most advanced versions — activating the microphone and camera without the target's knowledge. Its infection mechanism has evolved from targeted link-click attacks to "zero-click" exploits that require no action by the target.

The framing of Pegasus as a "conspiracy theory" is somewhat misleading: the core claims — that Pegasus exists, that it can do what it is alleged to do, and that it has been used against journalists, activists, and politicians — are not conspiracy speculation but documented forensic findings. The conspiracy dimensions concern scale, authorisation, and the degree to which NSO Group or its clients acted unlawfully or unethically.

Citizen Lab and the Forensic Record

The first forensic documentation of Pegasus came from Bill Marczak and John Scott-Railton of the Citizen Lab at the University of Toronto's Munk School of Global Affairs. In 2016, their analysis of an attack on UAE human rights activist Ahmed Mansoor provided the first technical reconstruction of how Pegasus infected a device via a targeted link. Apple issued an emergency patch (iOS 9.3.5) within ten days of Citizen Lab's disclosure. This episode established the forensic methodology that subsequent Pegasus investigations have used.

Between 2016 and 2021, Citizen Lab published multiple reports documenting Pegasus infections on devices belonging to journalists, dissidents, and lawyers across Mexico, Saudi Arabia, India, Azerbaijan, Kazakhstan, Rwanda, and at least a dozen other countries. NSO Group consistently denied misuse, arguing that Pegasus was sold only to vetted government clients for lawful interception of terrorism and serious crime suspects.

The 2021 Pegasus Project

In July 2021, Forbidden Stories (a Paris-based nonprofit journalism organisation) and Amnesty International published the results of a coordinated investigation involving 80 journalists across 17 media organisations — including The Guardian, Le Monde, Süddeutsche Zeitung, the Washington Post, and others. The investigation was based on a leaked list of over 50,000 phone numbers that appeared to have been selected as surveillance targets by NSO Group clients.

Key findings of the Pegasus Project:

• Journalists and media figures: Over 180 journalists from 20 countries appeared on the list, including reporters from Reuters, the Associated Press, the Financial Times, CNN, Le Monde, Al Jazeera, and others.
• Khashoggi associates: Numbers associated with family members and close associates of Washington Post columnist Jamal Khashoggi — murdered in the Saudi consulate in Istanbul in October 2018 — appeared on the list. Forensic analysis of the phone of Khashoggi's fiancée, Hatice Cengiz, confirmed Pegasus infections.
• Heads of state: The French government subsequently confirmed that President Emmanuel Macron's phone number appeared on the list. Moroccan intelligence was identified as the likely client responsible; Morocco denied this. Numbers associated with at least fourteen other heads of state and senior government officials appeared on the list.
• Catalan independence figures: At least 65 individuals connected to the Catalan independence movement — including Catalan President Carles Puigdemont and other politicians and lawyers — were identified as targets, with the Spanish government implicated as the client.

Amnesty International's Security Lab performed forensic analysis on a sample of devices and confirmed Pegasus infections on 37. NSO Group disputed the methodology and the interpretation of the leaked list, arguing that the list was not an NSO product and that the forensic analyses contained errors.

Apple and Meta Lawsuits

In November 2021, Apple filed suit against NSO Group in federal court in California, seeking to permanently bar NSO from using Apple products and services, and seeking damages. Apple simultaneously disclosed an iOS vulnerability (CVE-2021-30860) that NSO had exploited via iMessage in a zero-click attack dubbed "FORCEDENTRY." The complaint cited Citizen Lab's forensic work extensively.

Meta (then Facebook) had filed an earlier lawsuit in October 2019, alleging that NSO had used WhatsApp infrastructure to deliver Pegasus to approximately 1,400 devices in a two-week window in May 2019, targeting journalists, human rights activists, and government officials. That lawsuit is ongoing.

US Commerce Department Entity List

In November 2021, the US Department of Commerce added NSO Group (and Candiru, another Israeli surveillance firm) to its Entity List, restricting US companies from exporting technology to NSO without a licence. The Commerce Department cited credible evidence that NSO had supplied spyware to foreign governments that used it to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers. This is a formal US government determination, not a speculative claim.

NSO Group's Defences

NSO Group has consistently argued:

1. Pegasus is sold only to vetted government clients for lawful interception of terrorism and serious crime suspects.
2. NSO has no visibility into which specific targets its clients select; it provides the tool, not the targeting.
3. Amnesty International's forensic methodology contains errors; the 50,000-number list is not an NSO product.
4. NSO terminated contracts with clients found to have misused the product, and has a human rights policy.

These defences are partially credited in the record: NSO has terminated some client contracts. But the forensic evidence of infections — confirmed by Apple, Citizen Lab, and Amnesty International's Security Lab independently — establishes that the product has been used against civilians, journalists, and activists, not only terrorism suspects.

Why the Verdict Is "Confirmed"

The core claims are forensically confirmed by multiple independent technical teams including Citizen Lab (University of Toronto), Amnesty International Security Lab, and Apple's own vulnerability disclosure process. The US government's formal Entity List designation constitutes an official determination of misuse. The victims are identified by name. The scale (50,000+ numbers) and breadth of targets (journalists, activists, heads of state, Khashoggi associates) are documented, not speculated. The outstanding contested questions — precise authorisation chains for each targeting decision, the complete universe of clients and operations — do not undermine the core confirmed claims.

What Would Change Our Verdict

• Comprehensive client and targeting disclosure by NSO Group (would clarify scale)
• Judicial findings in the Apple and Meta lawsuits (would clarify specific legal violations)
• Successor technology assessments as Pegasus evolves

Verdict

Confirmed. Pegasus's existence and capabilities are forensically documented by multiple independent technical teams. Its use against journalists, activists, Khashoggi associates, and heads of state is confirmed by Citizen Lab, Amnesty International, and Apple's own vulnerability disclosure. The US Commerce Department has formally determined misuse. NSO Group's contested defences do not overturn the forensic record; they contest scope and authorisation at the margins.