NSO Group’s Spyware Reportedly Used in Attempted and Successful Phone Hacks of Journalists and Activists

The Pegasus spyware can be activated by tricking victims into clicking a link or with no clicks at all.

We may earn a commission from links on this page.
An Israeli woman uses her iPhone in front of the building housing the Israeli NSO group, on August 28, 2016, in Herzliya, near Tel Aviv.
An Israeli woman uses her iPhone in front of the building housing the Israeli NSO group, on August 28, 2016, in Herzliya, near Tel Aviv.
Photo: Jack Guez / AFP (Getty Images)

A list of more than 50,000 phone numbers and a subsequent investigation has led a consortium of 17 news organizations to believe that NSO Group’s Pegasus spyware was used to attempt or successfully carry out hacks on the phones of journalists, human rights activists, and more.

The investigation, titled the “Pegasus Project” and published by the Washington Post on Sunday, begins with the list. The tens of thousands of numbers were mainly from a group of 10 countries known to spy on their citizens, such as Azerbaijan, Bahrain, Hungary, India, Mexico, and Saudi Arabia, and also confirmed to have been clients of NSO Group, an Israeli security firm whose customers include dozens of intelligence, military, and law enforcement agencies.

Although the numbers on the list do not include a name, the consortium was able to identify more than 1,000 people, including 189 journalists and more than 600 politicians and government officials, across more than 50 countries. Amnesty International and the French journalism nonprofit Forbidden Stories had access to the list and shared it with the consortium of news organizations, including Le Monde, Die Zeit, the Guardian, and PBS Frontline, among others.


A forensic analysis by Amnesty International of 37 smartphones with numbers on the list found that many demonstrated a “tight correlation” between the time stamp associated with the number and the start of surveillance, the Post stated.

Victims that were successfully hacked and identified by the outlet include Hatice Cengiz, the fiancée of the Post writer Jamal Khashoggi, who was brutally murdered by Saudi Arabian operatives in 2018. Cengiz’s phone was hacked in the days after Khashoggi’s murder in Turkey. Another victim was top Azerbaijani journalist Khadija Ismayilova, who had been hacked a number of times since March 2019 until this past May. Siddharth Varadarajan, co-founder of Wire, an independent media outlet in India, was also successfully targeted, the investigation found.


Ismayilova revealed that she had stopped communicating with people because those she spoke with were harassed by security services.

“You don’t trust anyone, and then you try not to have any long-term plans with your own life because you don’t want any person to have problems because of you,” Ismayilova said.


In total, Amnesty analyzed 67 smartphones suspected of being attacked. It determined that 23 had been successfully infected with Pegasus and 14 showed signs of a hack attempt. Amnesty was unable to come to a conclusion regarding the remaining 30 phones, the Post said. In several cases, this was due to the fact that the phone had been replaced.

It’s not hard for Pegasus to infect phones, which is frankly terrifying. To target a phone, someone sends a link to the victim that tricks them in clicking and activating the spyware. Pegasus can also activate itself without any clicks. A hacked phone can be used to record from the device’s cameras and microphone as well as collect location data, call logs, and contacts.


NSO Group firmly denied the claims in the investigation, calling many of them “uncorroborated theories” that raise serious doubts about the reliability of the consortium’s sources and the basis for its story. The Guardian published an edited summary of the statements issued by NSO Group and its lawyers in response to the Pegasus Project on Sunday.

The Israeli security firm said the consortium’s claims were based on a misleading interpretation of leaked data from “accessible and overt basic information.”


“NSO Group has good reason to believe that this list of ‘thousands of phone numbers’ is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes,” said Thomas Clare, NSO Group’s attorney, in the Post story.

The company also denied that its technology was associated “in any way” with the death of Khashoggi and said that it had already investigated the matter. It maintained that its technology has helped prevent terror attacks, gun violence, car explosions, and suicide bombings.


“Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds,” it said.

We’ll let you all be the judge of that. You can read the full, in-depth investigation over at the Washington Post.