Investigations by Forbidden Stories, Amnesty International, Citizen Lab and major news outlets found that NSO Group’s Pegasus spyware was repeatedly used far beyond stated counterterrorism and criminal investigations, with targets including journalists, human rights lawyers, anti-corruption activists, diplomats, aid workers, and political exiles. A leaked dataset of more than 50,000 phone numbers linked to NSO customers and forensic analysis of examined devices showed confirmed or attempted infections on dozens of phones, including successful compromises of Apple iPhones. Reporting tied selections and infections to multiple governments and highlighted targeting of figures around the Dalai Lama, overseas numbers used by Americans, and civil society members across countries including Mexico, India, Hungary, Morocco and France.
Mexico emerged as one of the clearest examples of abuse, where Pegasus-linked phishing messages and other surveillance tactics were used against prominent reporters, lawyers and activists investigating corruption, human rights abuses and politically sensitive cases. Separate reporting alleged that weak oversight and corruption allowed spyware bought by Mexican authorities to be misused and, in some cases, to reach actors connected to drug cartels, deepening risks for journalists and investigators. NSO denied that the leaked list represented Pegasus targets and said it sells only to vetted governments, but the disclosures prompted warnings about national security risks to U.S. personnel abroad and renewed calls, including from Edward Snowden, for a global crackdown on the commercial spyware trade.

29 events from the most recent confirmed update back to the earliest known activity.
Lookout and Google disclosed research on an Android variant of NSO Group's Pegasus spyware, describing infections across multiple countries and detailing capabilities such as keylogging, screenshot capture, live audio capture, and data theft from major apps. The report said the malware used the Framaroot rooting technique with a fallback permission-abuse path, and Google alerted potential targets and provided remediation guidance.
In June 2023, the European Parliament considered findings from its PEGA Committee inquiry into Pegasus and equivalent spyware. The process followed a March 2023 committee report and a May 2023 draft recommendation that condemned illegitimate spyware use and cited evidence of contraventions or maladministration in Poland, Hungary, and Greece.
The U.S. government added NSO Group to its Entity List, restricting the Israeli spyware company's access to U.S. technology and exports. The move followed reporting and concern over Pegasus spyware being used to target journalists, activists, and government officials.
Citizen Lab reported that NSO Group's Pegasus spyware used a zero-click iMessage exploit dubbed ForcedEntry to compromise a Bahraini activist's fully updated iPhone beginning in February 2021, bypassing Apple's BlastDoor protections. The researchers also said eight other Bahraini activists were targeted between June 2020 and February 2021 and linked the activity to the Bahraini government.
Pegasus Project reporting indicated that phone numbers belonging to senior Tibetan exile figures around the Dalai Lama were selected as persons of interest by an NSO client, with analysis strongly pointing to India. Although the Tibetan leaders' phones were not forensically examined, related devices tied to the suspected Indian client showed Pegasus traces or signs of targeting.
NSO Group publicly disputed that the leaked 50,000-number dataset was a Pegasus target list and denied that the reporting proved surveillance or infection. Governments including Rwanda, Hungary, Morocco, and India also rejected or denied the allegations after the Pegasus Project findings were published.
Following the Pegasus Project revelations, Edward Snowden publicly called for a global moratorium on the international spyware trade. He argued that commercial spyware such as Pegasus enables scalable state surveillance that ordinary users cannot realistically defend against.
Amnesty International released the open-source Mobile Verification Toolkit (MVT) along with indicators of compromise to help users check iPhones and Android devices for signs of Pegasus targeting or infection. The release accompanied Pegasus Project reporting and technical documentation reviewed by Citizen Lab.
A Washington Post-led Pegasus Project report found overseas numbers used by about a dozen Americans in the leaked dataset, including numbers linked to diplomats, CDC staff, journalists, aid workers, academics, and dissidents. Amnesty separately confirmed repeated Pegasus infections on the Belgian phone of U.S.-Belgian activist Carine Kanimba, highlighting potential risks to U.S. persons abroad.
Guardian reporting as part of the Pegasus Project said phone numbers belonging to Hungarian investigative journalists, media figures, and people connected to a businessman who had fallen out with Viktor Orbán appeared in the leaked Pegasus selection data. The findings suggested Pegasus was being used in Hungary against members of the media and perceived political opponents.
Forbidden Stories and Amnesty International's Security Lab published the Pegasus Project, concluding that NSO Group spyware was widely misused against journalists, human rights defenders, politicians, and other civil society figures. The investigation said forensic examinations found Pegasus infection or attempted infection on 37 phones and identified at least 180 journalists selected as targets.
Forensic analysis cited by the Pegasus Project found technical evidence that Pegasus was delivered through iPhone security flaws, including concerns around iMessage-related vulnerabilities. The investigation said such exploitation was observed from 2019 through at least July 2021.
The Pegasus Project reported that a leaked dataset reflected more than 50,000 phone numbers selected by NSO customers as persons of interest starting in 2016. The list later underpinned reporting on targeting across multiple countries and sectors.
Amnesty International confirmed Pegasus targeting of Proceso editor Jorge Carrasco, making him the 10th Mexican journalist identified in the Cartel Project as targeted with the spyware. The finding added to evidence of Pegasus misuse in Mexico beyond stated lawful purposes.
In May 2019, attackers exploited a WhatsApp vulnerability to install Pegasus spyware simply by placing a call to a target device. WhatsApp later publicly attributed the attack to NSO Group, and Citizen Lab said it helped identify more than 100 targeted human rights defenders and journalists in at least 20 countries.
Saudi dissident Omar Abdulaziz filed a lawsuit in Israel alleging that NSO Group's Pegasus spyware was used to hack his phone and monitor his communications with Jamal Khashoggi. The suit argued that the surveillance contributed to the circumstances leading to Khashoggi's murder and intensified scrutiny of NSO's Saudi business.
Citizen Lab reported that Río Doce journalists Andrés Villarreal and Ismael Bojórquez received Pegasus-linked phishing messages in May 2017 shortly after the murder of colleague Javier Valdez Cárdenas. The lures referenced the killing investigation and were tied to NSO infrastructure associated with a Mexican government-linked operator, adding two new journalist victims in Mexico.
New York Times reporting on lawsuits filed in Israel and Cyprus cited leaked emails and documents alleging that the UAE used NSO Group's Pegasus spyware for years to surveil dissidents, journalists, and regional political rivals. The materials reportedly showed NSO-linked personnel helping tailor phishing lures, route exfiltrated data, and support surveillance operations, challenging NSO's claims that it was not involved in customer targeting.
Citizen Lab reported that suspicious SMS and WhatsApp messages sent in June 2018 to an Amnesty International researcher and a Saudi activist were likely attempts to infect their phones with NSO Group's Pegasus spyware. The researchers tied the lure domains to Pegasus Version 3 infrastructure associated with a Saudi-focused cluster, adding new technical evidence of NSO-linked targeting.
Citizen Lab reported that New York Times journalist Ben Hubbard received a Pegasus-linked SMS in June 2018 themed around the Saudi royal family. The researchers tied the lure domain to NSO Group infrastructure operated by a Saudi-linked cluster they call KINGDOM, adding a specific journalist victim to the documented Pegasus abuse cases.
Citizen Lab published an open letter on July 25, 2017 urging Blackstone Group to reconsider or closely scrutinize a reported $400 million investment for a 40% stake in NSO Group, citing Pegasus abuse against journalists, activists, lawyers, and others. An August 15, 2017 update said the proposed Blackstone-NSO deal had fallen through.
Citizen Lab reported that Pegasus-linked phishing messages targeted senior members of Mexico's opposition National Action Party (PAN), using political and social lures timed around sensitive debates and elections. The findings expanded the known victim set in Mexico beyond journalists and activists to include opposition political figures, intensifying the scandal around Pegasus use under President Enrique Peña Nieto's administration.
The New York Times, Citizen Lab, and forensic analysts reported that Pegasus-linked phishing attempts targeted prominent Mexican journalists, anti-corruption advocates, human rights lawyers, and some relatives. Researchers found NSO code on targeted phones and assessed that a Mexican government entity, or a rogue actor within it, was the most likely source.
Citizen Lab reported that Mexican journalist Griselda Triana received Pegasus-linked SMS messages on May 25 and 26, 2017, shortly after the cartel-linked killing of her husband Javier Valdez. The researchers tied the domains to NSO infrastructure associated with a Mexican government-linked operator, adding a new victim to the documented abuse of Pegasus in Mexico.
Citizen Lab reported that UAE human rights defender Ahmed Mansoor received malicious SMS messages that would have installed NSO Group's Pegasus spyware via three chained iPhone zero-day vulnerabilities. Apple was notified and moved to patch the flaws, making the case an early public technical exposure of Pegasus operations.
Citizen Lab and Mexican partners reported that Claudio X. González, director of Mexicanos Contra la Corrupción y la Impunidad, received Pegasus-linked SMS lures in July and August 2016. The messages used bit.ly links redirecting to NSO-associated infrastructure and added a prominent anti-corruption advocate to the documented Pegasus abuse cases in Mexico.
Citizen Lab reported that a phone used by the Interdisciplinary Group of Independent Experts (GIEI), which investigated the disappearance of 43 students in Iguala, received Pegasus-linked infection attempts in March 2016. The report said the lures were tied to NSO infrastructure previously used in Mexico and expanded the known Pegasus target set there to include international investigators.
Citizen Lab reported that Mexican lawyers and human rights defenders Karla Micheel Salas and David Peña were targeted with Pegasus spyware infection attempts in September and October 2015 while representing families of victims in the 2015 Narvarte killings. The report tied the messages to previously identified NSO infrastructure and added two earlier legal-sector victims to the documented abuse of Pegasus in Mexico.
At least three Mexican federal agencies purchased roughly $80 million in spyware, including NSO Group technology, beginning in 2011. The acquisitions created the infrastructure later linked to surveillance of journalists, activists, and lawyers.