Spain’s Audiencia Nacional (High Court) again closed its criminal investigation into the use of NSO Group’s Pegasus spyware against the mobile phones of senior Spanish government officials, citing a sustained lack of cooperation from Israeli authorities. Judge José Luis Calama said Israel failed to respond to multiple formal requests for assistance (letters rogatory), preventing attribution of the operation to specific individuals and violating international cooperation obligations and the “principle of good faith” between states.
The probe began after Spain disclosed that the phones of Prime Minister Pedro Sánchez and Defence Minister Margarita Robles had been infected with Pegasus, which is described as zero-click spyware marketed for use by state agencies. Reporting also indicates the Interior and Agriculture ministers were targeted, and that Sánchez’s device was infected multiple times. The case had previously been shelved and was later reopened after French authorities shared information tied to similar Pegasus intrusions affecting French officials and civil society, but the Spanish court ultimately concluded it could not proceed without Israeli cooperation. The earlier revelations also contributed to the dismissal of Spain’s intelligence chief and public acknowledgment of shortcomings at the national intelligence center (CNI).

9 events from the most recent confirmed update back to the earliest known activity.
Spain's judiciary publicly announced that the Audiencia Nacional had archived the Pegasus case for a second time because of Israel's obstruction of the investigation. The notice formalized the court's position that the probe could not continue without foreign cooperation.
On January 22, 2026, Judge José Luis Calama closed the investigation for a second time, saying Israel had ignored five cooperation requests, including efforts to obtain information from NSO Group and question its CEO. The court said the non-response blocked attribution and undermined international judicial cooperation obligations.
In February 2025, Spanish authorities issued another formal legal assistance request to Israel as part of the Pegasus investigation. Israel again did not respond, according to the court.
In April 2024, Spain's Audiencia Nacional reopened the Pegasus case after receiving information from France about similar spyware targeting. The reopening revived efforts to identify who was behind the infections of Spanish officials' phones.
French authorities provided Spain with information from their own Pegasus investigations involving journalists, lawyers, and government and parliamentary members. That material prompted renewed activity in the Spanish case, though it did not identify the actor behind the Spanish targeting.
In July 2023, Judge José Luis Calama closed the investigation for the first time because the perpetrator could not be identified. The court said the lack of cooperation and absence of attribution prevented further progress.
In May 2022, Spain publicly disclosed the Pegasus infections affecting Prime Minister Pedro Sánchez and Defence Minister Margarita Robles and opened a judicial investigation. The probe examined possible disclosure of secrets and crimes jeopardizing Spanish state security.
The mobile phones of Prime Minister Pedro Sánchez and Defence Minister Margarita Robles, and later additional ministers, were infected with Pegasus in 2021. The suspected intrusions were described as zero-click attacks affecting senior Spanish government officials.
Citizen Lab later found that at least 63 people linked to the Catalan pro-independence movement were targeted or infected with Pegasus during 2017-2020. Spanish authorities later said 18 of those cases had been lawfully conducted by Spain's intelligence service with judicial approval.