NSO Group, the notorious Israeli spyware vendor, will no longer allow its clients to hack citizens of the United Kingdom, sources close to the company told The Guardian this week. The changes have been “hard-coded” into NSO’s infamous malware, Pegasus, and will make future targeting of UK-based phone numbers impossible, the sources claim.
Such abrupt changes have doubtlessly been spurred by a recent British hacking scandal involving Princess Haya bint al-Hussein, the daughter of the king of Jordan and the former wife of the ruler of Dubai, Sheikh Mohammed bin Rashid al-Maktoum. After leaving Dubai and fleeing to London in 2019, Haya’s phone was hacked repeatedly at the behest of her ex-husband, Sheik Mohammed, while the former couple were involved in a child custody battle over their two children. Five of Haya’s associates were also hacked, including two of her attorneys. The case spilled out into public view again this week, when a British senior high court judge ruled that the hacking incident had occurred and that NSO’s malware had been involved.
As a result, sources close to the spyware vendor now say that changes made to the company’s software ensure that its clients will no longer be allowed to target phone numbers based in the United Kingdom: “We shut down completely, hard-coded into the system [Pegasus], to all of our customers. We released a quick update in the middle of the night that none of our customers can work on UK numbers,” the source apparently told The Guardian. The update blocks hacking of phones with the region’s country code: +44.
This is... good, if true. However, it’s unclear why the company wouldn’t just come out and make an official statement, instead of allowing unofficial sources to make claims to the press.
The company underwent a shitstorm of global criticism earlier this year after the launch of the “Pegasus Project,” an international collaboration between journalists and researchers that revealed the extent to which NSO’s spyware is used throughout the world. The project was based largely upon a list of some 50,000 phone numbers that researchers say represent “potential targets” of Pegasus surveillance. The list, which NSO has denied is legitimate, contained the numbers of presidents, prime ministers, and a king, among others. For years, the company has maintained that its product is only used to track and surveil “terrorists” and other criminals, but time and time again, Pegasus has been discovered on the devices of political activists, human rights lawyers, journalists, politicians and businessmen.
NSO Group has also long maintained that it doesn’t allow its malware to be used against citizens of the United States—and that phones with +1 country code are unhackable with its products. However, in January of last year, it was reported that the FBI was “investigating the role” of NSO in “possible hacks on American residents and companies.” It turned out that investigation concerned then Amazon CEO Jeff Bezos, whose phone was, according to reports, personally hacked by Saudi Crown Prince Mohammed bin Salman, possibly to steal intimate messages and photos, like pictures of the tech mogul’s dick. It was suspected at the time that NSO’s malware was the product used in the episode, though the company repeatedly denied that it had any involvement.