The FBI spent two years considering whether it should procure a clandestine commercial spyware system that could reportedly hack any phone in the United States, an investigation by the New York Times Magazine has found.
That spyware system, dubbed “Phantom,” was offered secretly to U.S. government agencies by the NSO Group, Israel’s notorious cyberweapons dealer, over a multi-year period between 2019 and last summer. According to the Times, the potential business relationship was negotiated even as NSO increasingly became the subject of controversy, with critics accusing it of aiding human rights abuses in nations all over the world.
The government was reportedly interested in Phantom because NSO’s primary spyware, Pegasus, does not work on U.S. telephone numbers and therefore couldn’t be wielded in law enforcement investigations. The paper reports:
During a presentation to officials in Washington, the company demonstrated a new system, called Phantom, that could hack any number in the United States that the F.B.I. decided to target. Israel had granted a special license to NSO, one that permitted its Phantom system to attack U.S. numbers. The license allowed for only one type of client: U.S. government agencies.
Aside from the bureau, a variety of other federal agencies were also interested in the company’s services, including the Central Intelligence Agency, the Drug Enforcement Agency, the U.S. Secret Service, and the U.S. military’s Africa Command, the newspaper reports. The FBI also purchased Pegasus from the NSO Group, the Times reports.
The bureau reportedly pursued negotiations with the company for at least two years. During that period, FBI and Justice Department lawyers continually sought to clarify whether deploying the surveillance tool would violate domestic wiretapping laws. The agency only backed out last summer—around the time that a series of journalistic exposés caused global amounts of trouble for NSO by exposing the scale and scope of its malware’s penetration. Since that time, things have only gotten worse for the Israeli company, as the U.S. turned its back on any partnerships—even going so far as to officially blacklist it—and ongoing scandals continue to erupt in connection to its products.
We’ve provided some highlights from this lengthy investigation below, but we highly recommend reading the full investigation here.
As the FBI was considering buying Phantom, a steady stream of controversies was enveloping NSO and its secretive client base. The company’s products were being used to hack human rights activists, politicians, and lawyers. But U.S. officials were apparently unperturbed. The newspaper reports that business and legal discussions continued “despite multiple reports that” Pegasus “had been used against activists and political opponents in other countries.”
NSO also notably maintained connections to high-level U.S. politicians and beltway insiders throughout this period. The Washington Post reported last summer that the firm has enjoyed ties to “some of the most powerful members of the Obama, Trump and Biden administrations.” This apparently included people like Rod Rosenstein, the former deputy attorney general at the Department of Justice, who it was reported in 2020 had been providing the company with private legal counsel on matters of cybersecurity and national security.
The notion that the FBI was trying to purchase commercial malware that could compromise any American’s phone is clearly something to be horrified by. When confronted by the Times as to why the agency spent two years trying to wheedle out a permissible legal framework for procuring such an invasive, clandestine product, an FBI spokesperson apparently told the newspaper that investment in such technologies not only helps to “combat crime” but also, apparently, can “protect both the American people and our civil liberties.”
However, the Times highlights another plausible rationale for ongoing law enforcement interest. Its device-hacking capabilities were an effective workaround for a long-standing frustration to police: the popularization of encrypted messaging, which can stymie general government interception of communications.
NSO is currently being sued by Facebook/Meta over the repeated hacking of users of its messaging service WhatsApp. The lawsuit, which was launched in 2019, has alleged that the spyware vendor’s malware was used to hack as many as 1,400 different users. A majority of these users were based outside of the United States, but at least one targeted phone, according to the lawsuit, was American.
Meta’s lawyers have apparently sought to use this as proof that NSO’s longstanding claim—that Pegasus is incapable of targeting U.S. phone numbers—is demonstrably false.
However, the Times reports that the U.S. phone that was hacked using NSO’s spyware was not hacked with Pegasus but was actually part of a demonstration for federal officials who were considering buying Phantom. The Times reports:
What Facebook didn’t appear to know was that the attack on a U.S. phone number, far from being an assault by a foreign power, was part of the NSO demonstrations to the F.B.I. of Phantom — the system NSO designed for American law-enforcement agencies to turn the nation’s smartphones into an “intelligence gold mine.”
In other words, Facebook’s lawsuit against NSO had stumbled upon the spyware company’s attempts to impress the FBI.
As the Times investigation breaks, the NSO Group is still embroiled in countless ongoing controversies that span the globe. And there’s no telling when the allegations will stop.
On Friday morning, news broke that an NSO scandal is now brewing in Finland, where the nation’s Ministry for Foreign Affairs has reported that the phones of multiple Finnish diplomats are believed to have been infected with Pegasus. Only a day ago, it was revealed that a top Human Rights Watch official, Lama Fakih, the U.S.-Lebanese Director of Crisis and Conflict and head of the HRW Beirut office, had also been targeted. In Poland, an ongoing crisis spurred by revelations that Pegasus was used to target a slew of politicians has now boiled over into a full-blown inquiry by the Polish senate to determine whether the spyware was used to help manipulate the nation’s 2019 election. And, in Hungary, several human rights activists targeted by Pegasus have announced their plans to unleash a “legal blitz” aimed at the Hungarian government (which is alleged to have hacked them), as well as NSO itself. Then there are the murky allegations within Israel, the company’s home country: claims that Israeli police used Pegasus to spy on Israeli civilians domestically—including several politicians.