Digital Veil · Case #9916
Evidence
NSO Group founded in Israel in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio
Pegasus spyware licensed to governments for $650,000 to $8 million per deployment plus per-target fees
More than 50,000 phone numbers identified on leaked list of potential surveillance targets
At least 180 journalists from organizations including CNN, BBC, Al Jazeera, and The New York Times targeted
Pegasus found on phones of 37 individuals forensically examined by Amnesty International's Security Lab
WhatsApp filed lawsuit in 2019 alleging NSO exploited vulnerability to infect 1,400 devices
US Commerce Department blacklisted NSO Group in November 2021 for malicious cyber activities
Apple filed lawsuit against NSO in 2021, notified targets of state-sponsored attacks
Digital Veil · Part 16 of 17 · Case #9916

NSO Group's Pegasus Spyware Can Access Every Function of a Target's Smartphone — Microphone, Camera, Messages, Location — Without the User's Knowledge. It Has Been Used Against Journalists, Activists, Dissidents, and Heads of State.

In July 2021, a consortium of journalists revealed that NSO Group's Pegasus spyware had been used to target more than 50,000 phone numbers worldwide. The Israeli company's surveillance tool can access every function of a smartphone without the user clicking anything. It has been used by governments in Mexico, Saudi Arabia, the UAE, Hungary, Rwanda, and India to surveil journalists, human rights defenders, political opposition leaders, and heads of state. The targets included Washington Post columnist Jamal Khashoggi's family, French President Emmanuel Macron, and at least 180 journalists globally.

50,000+: Phone numbers on leaked target list
$8M: Maximum reported cost per Pegasus deployment
45: Countries where NSO clients operated
180+: Journalists identified as targets

The Architecture of Total Surveillance

On August 10, 2016, Ahmed Mansoor, a human rights activist in the United Arab Emirates, received a text message on his iPhone promising "new secrets" about detainees tortured in UAE jails. The message included a link. Mansoor, who had been targeted by government surveillance before, did not click. Instead, he forwarded the message to researchers at Citizen Lab at the University of Toronto.

What Citizen Lab discovered changed the understanding of what was technically possible in mobile surveillance. The link would have silently installed malware exploiting three previously unknown vulnerabilities in Apple's iOS operating system — what security researchers call zero-day exploits. Had Mansoor clicked, his iPhone would have become a surveillance device transmitting his messages, emails, calls, location, and even audio from his microphone and video from his camera to an unknown operator. The malware was Pegasus. The vendor was NSO Group, an Israeli company that had been operating in secrecy for six years.

3
Zero-day vulnerabilities exploited by NSO Group's Pegasus spyware in the 2016 attack on Ahmed Mansoor's iPhone, representing unknown flaws in iOS that Apple had no opportunity to patch.

The technical sophistication was extraordinary. Apple patched the vulnerabilities within ten days, but by then NSO had demonstrated something that intelligence agencies and authoritarian governments had long sought: a way to break into the most secure consumer devices on the market with nothing more than a single click from the target. Within three years, NSO would develop zero-click exploits that required no user interaction whatsoever.

From Startup to Billion-Dollar Surveillance Giant

NSO Group was founded in 2010 by three Israeli entrepreneurs: Niv Carmi, Omri Lavie, and Shalev Hulio. All three had backgrounds in Israeli military intelligence. The company's pitch was straightforward: governments needed tools to surveil criminals and terrorists who had shifted their communications to encrypted smartphones. NSO would provide those tools, but only to vetted government clients, and only for legitimate law enforcement and counterterrorism purposes.

The business model was lucrative. According to leaked documents and court filings, NSO charged governments between $650,000 and $8 million per Pegasus deployment, plus additional fees for each target surveilled. The New York Times reported that a standard system could monitor 10 iPhones and 10 Android devices for $650,000, with additional monitoring licenses available at $550,000 for 50 users, $750,000 for 100 users, or $800,000 for 200 users. Installation services cost extra. Premium features, including the ability to monitor encrypted messaging applications, commanded additional fees.

Deployment Size | Cost (USD) | Number of Targets
Basic System | $650,000 | 10 iPhones + 10 Android
50-User License | +$550,000 | 50 additional targets
100-User License | +$750,000 | 100 additional targets
200-User License | +$800,000 | 200 additional targets

By 2014, NSO had attracted the attention of Francisco Partners, a San Francisco private equity firm specializing in technology investments. Francisco Partners acquired NSO for approximately $120 million. Five years later, in 2019, Francisco Partners led a consortium including Novalpina Capital in a leveraged buyout valuing NSO at $1 billion. The deal loaded the company with approximately $500 million in debt but reflected the explosive growth in government demand for sophisticated surveillance capabilities.

The customer list remained secret, but investigative reporting and forensic analysis would eventually reveal that NSO sold Pegasus to government agencies in at least 45 countries. These included democracies like the United States and members of the European Union, but also authoritarian regimes with documented records of human rights abuses: Saudi Arabia, the United Arab Emirates, Bahrain, Kazakhstan, Azerbaijan, Rwanda, and others.

How Pegasus Works: Technical Capabilities and Evolution

Pegasus is modular spyware that operates at the kernel level of iOS and Android operating systems, granting it the highest level of system privileges. Once installed, it can access virtually everything on the device. It activates the microphone to record conversations even when the phone is not in use. It turns on the camera. It reads messages from encrypted applications including WhatsApp, Signal, Telegram, and others — not by breaking the encryption, but by capturing messages before encryption or after decryption on the device itself.

The spyware logs keystrokes, extracts browsing history and passwords, accesses photos and videos, reads emails, and tracks real-time location using GPS. It can extract contact lists and call logs. In some configurations, it can access cloud storage accounts if credentials are stored on the device. The surveillance is comprehensive and continuous.

Total Access
Complete device compromise. Pegasus grants attackers the same level of access to a smartphone that the owner has, plus the ability to activate sensors and extract data without the user's knowledge or consent.

Pegasus also employs sophisticated anti-forensic techniques. It operates largely in memory rather than writing extensive data to disk, making detection more difficult. It can self-destruct if it detects forensic analysis tools or if it has not communicated with its command-and-control server within a specified period. Early versions had limited persistence and would be removed if the phone was restarted, though later versions achieved greater persistence.

The delivery mechanisms evolved significantly between 2016 and 2021. Early Pegasus attacks used one-click exploits — malicious links sent via SMS that required the target to click. By 2018, NSO had developed zero-click exploits for WhatsApp, sending malicious code through the app's calling function that would install Pegasus whether the call was answered or not. In 2019, Facebook-owned WhatsApp discovered this attack vector and disclosed that approximately 1,400 users had been targeted over a two-month period.

The most sophisticated exploit documented to date is FORCEDENTRY, discovered by Citizen Lab in September 2021. FORCEDENTRY exploited a vulnerability in Apple's iMessage application, requiring zero interaction from the target. The attack worked even on fully updated iPhone 12 devices running iOS 14.8. Apple issued an emergency security patch within 24 hours of Citizen Lab's disclosure, but the incident demonstrated that even the most current devices from the most security-conscious manufacturer were vulnerable.

The Pegasus Project: A Global Investigation

In July 2021, a consortium of journalists published the results of the most comprehensive investigation into NSO Group's operations. The Pegasus Project, coordinated by Paris-based nonprofit Forbidden Stories, involved more than 80 journalists from 17 media organizations in 10 countries, including The Washington Post, The Guardian, Le Monde, Süddeutsche Zeitung, and others.

The investigation was based on a leaked list of more than 50,000 phone numbers that had been selected as potential surveillance targets by NSO clients between 2016 and 2021. The list did not prove that every number had been successfully surveilled — presence on the list indicated selection for targeting, not necessarily successful infection. But forensic analysis by Amnesty International's Security Lab confirmed that the list was authentic and correlated with actual Pegasus infections.

50,000+
Phone numbers identified on the leaked list of potential surveillance targets selected by NSO Group clients over five years, representing journalists, activists, politicians, business executives, and heads of state across six continents.

Amnesty International examined 67 smartphones belonging to individuals whose numbers appeared on the list. The Security Lab confirmed successful Pegasus infections on 37 devices — a 55% confirmed compromise rate among those examined. An additional 14 devices showed signs of targeting attempts. The Security Lab released its forensic methodology publicly and made available the Mobile Verification Toolkit (MVT), allowing potential targets to check their own devices.

The composition of the target list revealed the breadth of Pegasus deployment. The investigation identified at least 180 journalists from major news organizations on every continent. Media workers from CNN, BBC, Al Jazeera, The New York Times, The Wall Street Journal, Bloomberg, Le Monde, Financial Times, The Economist, and dozens of other outlets had their numbers selected for targeting. The list included investigative reporters covering government corruption, organized crime, and human rights abuses — precisely the kind of journalism that holds power accountable.

"This is a weapon. This is a weapon designed to attack people. And it's been sold to governments who have been shown to have very little regard for human life."

John Scott-Railton, Senior Researcher, Citizen Lab — The Guardian, 2021

The list also included at least 600 politicians and government officials. Ten prime ministers, three presidents, and one king had their numbers selected. French President Emmanuel Macron was on the list, selected by Morocco. The phone of Barham Salih, president of Iraq, was selected. So were phones belonging to senior officials in Pakistan, Belgium, Finland, Hungary, and elsewhere. The targeting of heads of state and senior officials suggested that NSO clients were using Pegasus not just for criminal investigations but for political intelligence and espionage.

Human rights activists, lawyers representing controversial clients, business executives, diplomats, and academics also appeared on the list. The targeting was global: numbers traced to 45 countries. The diversity of targets and locations made clear that Pegasus was being used far beyond the counterterrorism and serious crime investigations that NSO cited to justify its business.

Jamal Khashoggi and the Shadow of Murder

Among the most disturbing revelations of the Pegasus Project was the connection to Jamal Khashoggi, the Saudi journalist murdered inside the Saudi consulate in Istanbul on October 2, 2018. The leaked data revealed that phone numbers belonging to Khashoggi's fiancée Hatice Cengiz and two of his associates had been selected as targets in the months before his murder. Forensic analysis confirmed that Cengiz's phone had been successfully infected with Pegasus just four days after Khashoggi's death.

The targeting extended to people close to Khashoggi in multiple countries. Numbers for contacts in the United States and Mexico appeared on the list. The timing suggested Saudi authorities had used Pegasus to track Khashoggi's activities, communications, and location before orchestrating his killing. While NSO Group has consistently denied that its technology played any role in Khashoggi's murder, the company has never explained what legitimate law enforcement purpose would justify surveilling the personal contacts of a journalist critical of the Saudi government.

The UN Special Rapporteur on extrajudicial executions, Agnès Callamard, concluded in her investigation that Saudi Arabia bore responsibility for the "deliberate, premeditated execution" of Khashoggi. The Pegasus revelations added another layer to understanding how extensively Saudi authorities monitored Khashoggi before his death. The case illustrated the most extreme endpoint of surveillance technology abuse: tools marketed for public safety used to facilitate murder.

Mexico: Surveillance Against Anti-Corruption Crusaders

Mexico emerged as one of the most prolific users of Pegasus, with the government purchasing licenses worth at least $80 million between 2011 and 2017, according to procurement records. Citizen Lab documented at least 15 suspected Pegasus attacks against journalists, lawyers, and activists investigating government corruption and organized crime between 2016 and 2017.

The targets included Carmen Aristegui, Mexico's most prominent investigative journalist, who had exposed a conflict-of-interest scandal involving President Enrique Peña Nieto and his wife's purchase of a luxury home from a government contractor. Aristegui and at least two of her colleagues received malicious text messages in 2016 attempting to install Pegasus on their phones. The messages were crafted to exploit their professional interests and personal concerns — fake notices about their children's schools, fabricated government announcements about press regulation, and bogus breaking news alerts.

$80M
Total spent by Mexican government on Pegasus licenses between 2011 and 2017, according to procurement records, making Mexico one of NSO Group's largest clients during the period.

Other Mexican targets included international investigators examining the 2014 disappearance of 43 students in Iguala, a case that implicated local officials and police with ties to organized crime. Scientists advocating for public health measures, including a soda tax opposed by the beverage industry, were targeted. Lawyers representing victims of government abuses received malicious messages. The pattern revealed surveillance used not to investigate crime but to monitor those investigating crimes committed by government-connected actors.

The Mexican government initially denied using Pegasus. After evidence became overwhelming, officials claimed the technology was only deployed for criminal investigations and never against journalists or activists. But authorities never provided evidence supporting these claims or identified a single terrorism or organized crime case where Pegasus had been legitimately used.

India: A Democracy Surveils Its Fourth Estate

India accounted for one of the largest concentrations of numbers on the leaked Pegasus target list, with over 1,000 phone numbers traced to the country. The list included at least 40 Indian journalists, representing all major news organizations including The Hindu, Hindustan Times, India Today, and others. Also on the list were human rights activists, political opposition leaders, government critics, and business executives.

Forensic analysis confirmed Pegasus infections on phones belonging to journalists Siddharth Varadarajan, founder of The Wire, and M.K. Venu, founding editor of The Wire. Both journalists had published investigations critical of Prime Minister Narendra Modi's government. The targeting occurred during a period of declining press freedom in India, which fell to 150th place out of 180 countries in Reporters Without Borders' 2021 World Press Freedom Index, down from 138th in 2016.

The Indian government has never confirmed or denied purchasing Pegasus. IT Minister Ashwini Vaishnaw — whose own phone number appeared on the target list before he joined the government — dismissed the Pegasus Project revelations as an attempt to malign Indian democracy. In October 2021, India's Supreme Court established a technical committee to investigate, but the committee's January 2022 report was inconclusive, noting that most targeted individuals had declined to submit their phones for examination, fearing government retaliation.

Hungary: Surveillance Inside the European Union

Hungary's use of Pegasus represented a particularly troubling development: a member state of the European Union, subject to the bloc's human rights protections and democratic norms, deploying sophisticated spyware against its own citizens. The Pegasus Project revealed that Hungarian authorities had targeted at least 10 lawyers, one opposition politician, and at least five journalists between 2018 and 2021.

The journalists worked for Direkt36, an independent investigative outlet that has published exposés of corruption within Prime Minister Viktor Orbán's government. Forensic analysis confirmed Pegasus infections on the phones of Szabolcs Panyi, who reports on national security issues, and other Direkt36 reporters. The infections were active during periods when the journalists were working on sensitive investigations.

First EU State
Hungary was the first confirmed European Union member state to deploy Pegasus against its own journalists and civil society, raising questions about democratic backsliding within the bloc and the adequacy of EU safeguards.

Hungarian Justice Minister Judit Varga responded that intelligence services operated within legal frameworks but refused to confirm or deny Pegasus use. The revelations contributed to the European Parliament's decision in March 2022 to establish the PEGA Committee of Inquiry, investigating spyware use in EU member states. The committee focused on Hungary, Poland, Spain, and Greece, where similar surveillance activities were suspected or confirmed.

Corporate Accountability and Legal Consequences

As evidence of Pegasus abuse accumulated, NSO Group faced an escalating series of legal challenges and sanctions. In October 2019, WhatsApp filed a lawsuit in federal court in California, alleging that NSO had exploited a vulnerability in WhatsApp's voice calling function to install Pegasus on approximately 1,400 devices across four continents. NSO argued it should be immune from liability because it was acting on behalf of government clients — a modern version of sovereign immunity. A federal judge rejected this argument in 2020, ruling that NSO itself had conducted the attacks and therefore could be held liable.

In November 2021, Apple filed its own lawsuit against NSO, seeking a permanent injunction preventing the company from using any Apple software, services, or devices. Apple alleged that NSO had created over 100 fake Apple ID accounts to carry out attacks and that the FORCEDENTRY exploit violated the Computer Fraud and Abuse Act. Apple announced a $10 million contribution to organizations researching surveillance technology abuse and committed to notifying users targeted by state-sponsored attacks.

The most significant action came from the US government. On November 3, 2021, the Department of Commerce added NSO Group and another Israeli spyware vendor, Candiru, to its Entity List — effectively blacklisting them from receiving US technology. The Bureau of Industry and Security cited evidence that these companies' tools had been used to "maliciously target" government officials, journalists, activists, academics, and embassy workers. The designation prohibited US companies from supplying NSO with technology without special licenses, significantly disrupting NSO's access to security research, vulnerabilities, and technology components sourced from American companies.

"The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad."

Gina Raimondo, US Secretary of Commerce — Department of Commerce Press Release, November 2021

The financial consequences were severe. NSO's valuation collapsed from approximately $1 billion in 2019 to a fraction of that figure by 2022. The company, loaded with debt from the 2019 leveraged buyout, entered restructuring negotiations with creditors. Novalpina Capital, one of NSO's major investors, collapsed amid internal disputes related to the investment. Francisco Partners sought to divest but found few buyers willing to acquire a blacklisted surveillance company facing multiple lawsuits.

In 2022, NSO filed for bankruptcy protection while continuing to operate. The company maintained that its technology was used appropriately in the vast majority of cases and that it had terminated contracts with clients who misused Pegasus. But NSO never disclosed which clients had been terminated or provided evidence of its vetting procedures.

The Regulatory Response: Europe Investigates

The European Parliament's establishment of the PEGA Committee in March 2022 represented the most comprehensive governmental investigation into commercial spyware. The committee held hearings with NSO representatives, government officials from member states suspected of deploying Pegasus, and victims of targeting. Shalev Hulio, NSO's CEO, testified that the company had cut off five government clients for misuse and that it had implemented a human rights policy reviewed by external experts.

The committee's final report, published in June 2023, was damning. It concluded that Pegasus and equivalent surveillance tools posed a fundamental threat to democracy and human rights in the European Union. The report documented that EU member states had spent at least €50 million on surveillance technologies from NSO and similar vendors. It found that spyware had been used against journalists, opposition politicians, and civil society activists in Poland, Hungary, Spain, and Greece.

The committee called for an immediate EU-wide moratorium on the sale, acquisition, and use of spyware until robust safeguards could be implemented. It recommended stricter export controls, mandatory human rights impact assessments before any government deployment, judicial oversight of surveillance activities, and potential criminal liability for companies and government officials who enabled surveillance abuses. The report called for sanctions against companies found to have facilitated human rights violations.

Implementation of these recommendations remains uncertain. Several EU member states have resisted strict regulations, arguing that intelligence services require sophisticated tools to combat terrorism and organized crime. The debate continues over where to draw the line between legitimate national security surveillance and abusive targeting of journalists and activists.

Technical Defenses and the Arms Race

Apple has issued multiple iOS security updates specifically addressing vulnerabilities exploited by Pegasus. The September 2021 patch for FORCEDENTRY, the emergency update for the BlastDoor sandbox escape, and subsequent patches have gradually hardened iOS against known Pegasus techniques. Apple introduced Lockdown Mode in iOS 16, a feature that disables certain iPhone functions to reduce the attack surface available to sophisticated spyware. When Lockdown Mode is enabled, most message attachments are blocked, link previews are disabled, and certain web technologies are restricted.

Google has similarly patched Android vulnerabilities exploited by NSO and other spyware vendors. The company's Project Zero team, which hunts for zero-day vulnerabilities, has published research on commercial spyware techniques. Google's Threat Analysis Group has tracked NSO's infrastructure and warned potential targets.

Zero-Click
The evolution of exploits from one-click attacks requiring user interaction to zero-click compromises represents the escalating sophistication of commercial spyware and the difficulty of defending against nation-state-level capabilities available on the commercial market.

But the fundamental problem remains: when a surveillance vendor discovers a zero-day vulnerability before the device manufacturer, there is a window during which no defense exists. NSO reportedly employed dozens of researchers dedicated to finding iOS and Android vulnerabilities. The company allegedly paid independent security researchers up to $250,000 for zero-day exploits. This created a market incentive for researchers to sell vulnerabilities to spyware vendors rather than disclose them to manufacturers for patching.

Citizen Lab and Amnesty International have made forensic tools available to help potential targets check their devices for indicators of compromise. But sophisticated spyware is specifically designed to evade detection. The most reliable defense is using a device in Lockdown Mode, which renders many features unavailable, or frequently replacing devices entirely — an option unavailable to most journalists and activists in developing countries.
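
The kind of indicator check these forensic tools perform can be illustrated with an added example (not part of the original article and not MVT's own code): it extracts links from SMS records, the delivery channel of the early one-click attacks, and matches their hostnames against a list of indicator domains. The record layout, the indicator domains (placeholders on reserved TLDs) and the messages are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed indicator list: placeholder names on reserved TLDs, not real IoCs.
INDICATOR_DOMAINS = {"bad-redirect.example", "cdn.tracker.test"}

# Constructed SMS records, shaped like rows exported from a phone backup.
SAMPLE_SMS = [
    {"date": "2021-07-01T09:38:00Z", "sender": "+10000000001",
     "text": "Update on your case: https://sms.bad-redirect.example/9916x"},
    {"date": "2021-07-02T14:05:00Z", "sender": "+10000000002",
     "text": "School notice: hxxp://CDN.Tracker[.]test./notice?id=7"},
    {"date": "2021-07-03T12:00:00Z", "sender": "+10000000003",
     "text": "Lunch? see https://notbad-redirect.example/menu"},
    {"date": "2021-07-04T08:15:00Z", "sender": "+10000000004",
     "text": "Your parcel is delayed, no link here."},
]

# Accept plain and "defanged" schemes (hxxp/hxxps) as seen in forwarded reports.
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(text):
    """Return normalized hostnames for every link found in a message body."""
    hosts = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;:!?)")  # sentence punctuation is not part of the URL
        url = re.sub(r"^hxxp", "http", raw, flags=re.IGNORECASE).replace("[.]", ".")
        try:
            host = urlsplit(url).hostname  # already lower-cased by urlsplit
        except ValueError:
            continue  # malformed authority (e.g. stray brackets): skip it
        if host:
            hosts.append(host.rstrip("."))  # drop the trailing root dot
    return hosts


def matching_indicator(host, indicators):
    """Match the host or any parent domain, on label boundaries only.

    'sms.bad-redirect.example' matches 'bad-redirect.example', but
    'notbad-redirect.example' does not, which a plain endswith() would get wrong.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan_messages(messages, indicators):
    """Return one hit per link whose hostname matches an indicator domain."""
    hits = []
    for msg in messages:
        for host in extract_hosts(msg["text"]):
            indicator = matching_indicator(host, indicators)
            if indicator:
                hits.append({"date": msg["date"], "sender": msg["sender"],
                             "host": host, "indicator": indicator})
    return hits


if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_SMS, INDICATOR_DOMAINS):
        print(f'{hit["date"]} {hit["sender"]} -> {hit["host"]} '
              f'(indicator: {hit["indicator"]})')
```

A match shows only that a message carried a link to a listed domain, not that the device was infected, which mirrors the article's distinction between targeting attempts and confirmed infections.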

What the Pegasus Revelations Mean

The Pegasus investigation documented something that civil liberties advocates had long feared but struggled to prove: that sophisticated surveillance technology originally developed for intelligence agencies had proliferated to dozens of governments, including authoritarian regimes, and was being systematically used against journalists, activists, and political opposition figures rather than terrorists and criminals.

The investigation also revealed the limitations of corporate self-regulation in the surveillance technology industry. NSO Group maintained throughout the revelations that it only sold to vetted governments, that it had a human rights policy, and that it terminated contracts when misuse was discovered. Yet the evidence showed that misuse was not the exception but the pattern. Journalists and activists in dozens of countries were targeted. The "vetting" process failed to prevent sales to governments with documented records of political repression. The human rights policy did not prevent the technology from being used to monitor people close to Jamal Khashoggi before his murder.

The legal and regulatory responses — the US Entity List designation, the lawsuits from WhatsApp and Apple, the European Parliament investigation — represented the first serious attempts to impose accountability on the commercial spyware industry. But they came years after the abuses began and after thousands of journalists, activists, and dissidents had already been compromised.

The Pegasus case raises questions that extend beyond one company or one product. NSO Group is not the only vendor of sophisticated mobile spyware. Companies in Israel, Italy, Germany, and other countries sell similar capabilities. The broader question is whether any framework of regulation and oversight can effectively prevent powerful surveillance tools from being used for political repression when the customers are governments themselves and the targets are those governments' critics.

For now, the evidence is clear: the technology exists to turn any smartphone into a comprehensive surveillance device. Governments around the world have purchased that capability. And the primary targets have not been terrorists or organized criminals, but journalists doing their jobs, activists defending human rights, and lawyers representing controversial clients. The phone in your pocket can become a monitoring device. The only questions are who is watching and whether any meaningful constraints exist to stop them.

METHODOLOGY & LEGAL NOTE
This investigation is based exclusively on primary sources cited within the article: court records, government documents, official filings, peer-reviewed research, and named expert testimony. Red String is an independent investigative publication.