Pegasus

Pegasus Plot Summary

Introduction

In March 2021, a journalist's iPhone in Delhi was subjected to forensic analysis, revealing an unsettling truth: the device had been compromised by sophisticated spyware. This wasn't an isolated incident. Across the globe, from Mexico to Morocco, Hungary to India, journalists, human rights activists, and even heads of state were being secretly surveilled through their own mobile phones. The culprit was Pegasus, a military-grade surveillance tool developed by the Israeli company NSO Group, capable of extracting messages, photos, and activating cameras and microphones without the user's knowledge. The digital age has transformed surveillance from targeted physical observation to mass digital monitoring that leaves no trace and requires no warrant. This shift represents one of the most significant threats to privacy, democracy, and human dignity in modern times. The investigation into Pegasus revealed how authoritarian regimes and democratic governments alike have weaponized this technology against critics, journalists, and political opponents. The implications extend far beyond individual privacy violations, striking at the heart of press freedom, democratic processes, and the fundamental relationship between citizens and the state. This examination of the surveillance state offers crucial insights for anyone concerned about the future of privacy and democracy in our increasingly connected world.

Chapter 1: Origins: NSO Group and the Birth of Pegasus (2010-2015)

The story of Pegasus begins in 2010 in a renovated chicken coop outside Tel Aviv, where three Israeli entrepreneurs - Shalev Hulio, Omri Lavie, and Niv Karmi - founded NSO Group. Unlike many Israeli cybersecurity firms, these founders weren't veterans of elite intelligence units, but rather self-described "serial entrepreneurs" seeking their next opportunity after the 2008 financial crisis derailed their previous venture in consumer technology. NSO found its opening in what law enforcement agencies worldwide were calling the "going dark" problem. As smartphones became more sophisticated and encryption more widespread, authorities were losing their ability to monitor potential criminals and terrorists. According to Hulio, a European intelligence service approached them with a desperate plea: "We are going blind. Help us." This narrative of urgent security needs would become central to NSO's corporate identity, though former co-founder Karmi would later dispute this origin story. The breakthrough came with the development of Pegasus, named because it was "a Trojan horse we sent flying through the air to devices." This spyware could infiltrate smartphones, bypass encryption, and extract virtually all data - messages, calls, photos, location information - while remaining undetected. Most revolutionary was its focus on mobile devices at a time when most cybersecurity experts were still concentrated on desktop computers. The system could even remotely activate cameras and microphones, turning the target's phone into a surveillance device. Mexico became NSO's first major client, purchasing the system in 2011 for approximately $15 million amid its brutal war against drug cartels. With billions flowing from the United States through the Merida Initiative, Mexican agencies had substantial funds to spend on cutting-edge surveillance technology. This initial sale established NSO as a viable company and set its business model: selling exclusively to government agencies for purportedly legitimate law enforcement and counterterrorism purposes. The ethical compromises began immediately. NSO's relationship with its first Mexican reseller, Jose Susumo Azano Matsura (known as "Mr. Lambo"), revealed the murky reality of the surveillance industry. Despite Azano being suspected of bribery, money laundering, and drug trafficking, NSO proceeded with the deal. As one company insider later admitted: "If you're a small company struggling to pay salaries and you have ten million dollars coming from a state in Mexico, you don't really think about human rights." By 2015, NSO had established itself as a formidable player in the growing "Intrusion as a Service" industry, particularly after its main competitor, Hacking Team, suffered a catastrophic data breach. The stage was set for global expansion and the ethical controversies that would follow, as the technology developed for legitimate security purposes began its inevitable drift toward more questionable applications.

Chapter 2: Mexico's Testing Ground: Early Surveillance Expansion

Between 2011 and 2016, Mexico became the primary testing ground for NSO's Pegasus spyware, coinciding with the country's escalating war against drug cartels. Under Presidents Felipe Calderón and Enrique Peña Nieto, the Mexican government invested heavily in surveillance technology, transforming the country into what industry insiders called "la Plaza del Mercado Vigilancia Cibernética" - the cyber surveillance marketplace. The Merida Initiative provided over $1.5 billion in U.S. funding, giving Mexican agencies unprecedented resources to acquire cutting-edge spyware. The surveillance landscape in Mexico was remarkably fragmented. Multiple agencies operated separate Pegasus systems, including the federal police, the attorney general's office (PGR), the Center for Investigation and National Security (CISEN), and military intelligence units. Additionally, state-level governments in places like Puebla, Veracruz, and Durango acquired their own licenses. This created a patchwork of surveillance operations with minimal oversight or coordination, essentially establishing multiple independent spying operations throughout the country. For Pegasus operators like "Jose" (a pseudonym used by one of the few willing to speak about his experience), the technology represented a powerful weapon against sophisticated cartels. Criminals had adapted to traditional surveillance by constantly changing phones and using encrypted communications. Pegasus changed the equation by allowing operators to extract all data from a target's phone, track their location in real-time, and even remotely activate microphones and cameras. "This is not ordinary crime," Jose explained. "It is crime with a very strong economic apparatus, with infiltration at all levels of government. It needs tools with a more invasive nature than normal." However, the power of Pegasus created what Jose called a "temptation" for operators. "For any person who sits in the chair where decisions have to be made in the use of this type of tool, it is attractive—with a certain morbid curiosity to get into people's lives," he admitted. This temptation proved impossible to resist for many Mexican agencies. By 2016, evidence emerged that Pegasus was being deployed against journalists, human rights defenders, and political opponents rather than just criminals and terrorists. The turning point came during a period of political crisis for President Peña Nieto. In late 2014, Mexico was rocked by the disappearance of 43 student teachers from Ayotzinapa, followed by revelations about a luxury mansion ("Casa Blanca") that a government contractor had built for the president's family. As protests mounted, surveillance against critics intensified. Carmen Aristegui, the journalist who broke the Casa Blanca story, received suspicious text messages containing links - a hallmark of Pegasus targeting. Jorge Carrasco, editor of the influential magazine Proceso, was similarly targeted after publishing Panama Papers revelations about Peña Nieto's associates. By 2017, Mexico had become not only NSO's first major client but its most prolific user, with more than fifteen thousand phone numbers selected for potential targeting. What began as a tool to fight cartels had transformed into a weapon against civil society, revealing how quickly surveillance technology could be repurposed from legitimate security concerns to political control. Mexico's experience would become a cautionary tale for the rest of the world about the dangers of unregulated surveillance technology in the hands of governments with weak democratic institutions.

Chapter 3: Zero-Click Evolution: The Technological Arms Race

Between 2016 and 2019, surveillance technology underwent a revolutionary transformation with the development of "zero-click" attacks, representing perhaps the most significant advancement in digital intrusion capabilities. Earlier versions of Pegasus required targets to click on a malicious link, typically sent via SMS message. This approach, while effective against unsuspecting victims, still relied on social engineering - crafting messages tailored to each target that would entice them to click. Security-conscious individuals like journalists and activists were increasingly aware of such tactics and could avoid infection by simply ignoring suspicious messages. Zero-click attacks eliminated this limitation entirely. As first documented by Claudio Guarnieri and Donncha Ó Cearbhaill at Amnesty International's Security Lab in 2019, these new exploits could compromise a device without any interaction from the target. While analyzing the iPhone of Moroccan journalist Maati Monjib, they discovered evidence of a sophisticated attack that had hijacked his browser while he was simply surfing the internet. When Monjib tried to visit Yahoo's homepage, he was redirected within milliseconds to a suspicious website that dropped malicious code into his phone without any alert or notification. The technical sophistication of these attacks was staggering. NSO engineers had discovered vulnerabilities in core iPhone functions like iMessage, FaceTime, and even the Photos app. When a target received a specially crafted message or image - which they didn't even need to open - the exploit would execute, installing Pegasus without any visible indication. The spyware would then disable crash reporting functions to prevent Apple from detecting the intrusion. "The big problem with mobile devices is lack of visibility," explained Donncha. "These kinds of sophisticated attacks, especially zero-click attacks, were clearly going undetected." This evolution rendered traditional security advice obsolete. For years, cybersecurity experts had recommended encrypted messaging apps like Signal as protection against surveillance. Zero-click attacks bypassed this defense entirely by compromising the device itself. "We all as journalists were feeling kind of secure, even after the whole Snowden NSA revelations," noted Hungarian journalist Frederik Obermaier. "This is a huge threat for all of us, and our sources." Even Apple's iPhone, long considered the most secure consumer smartphone, proved vulnerable to these sophisticated attacks. The implications were profound for journalists, activists, and dissidents worldwide. There was no longer any foolproof way to protect communications from determined government surveillance. As one victim, Hungarian reporter Szabolcs Panyi, discovered when shown forensic evidence of his infection: "If you're receiving a Signal message that was encrypted on the way, as soon as you read it, and you can see it here [on your phone], then they can access it." The psychological impact was devastating - victims carried the surveillance weapon in their pockets, with no way to detect its presence. By 2020, zero-click attacks had become NSO's signature capability, commanding premium prices from government clients eager to bypass encryption and monitor targets without detection. This technological leap forward represented a fundamental shift in the balance of power between states and citizens in the digital age. As Claudio Guarnieri observed, "There is a technological imbalance between states and their citizens. Billions of dollars are poured into systems of surveillance both passive and active... Credible defenses really lag behind or remain inaccessible." The era of truly private digital communication appeared to be ending.

Chapter 4: Journalists Under Siege: Global Targeting Patterns

By 2017, a disturbing pattern had emerged across multiple continents: journalists investigating corruption, human rights abuses, or sensitive political topics were being systematically targeted with Pegasus spyware. Mexico represented the epicenter of this phenomenon, with dozens of reporters selected for surveillance. Among them was Cecilio Pineda, a 39-year-old journalist from Guerrero who had been reporting on collusion between local officials and drug cartels. His phone number appeared in the Pegasus targeting data just two months before he was gunned down by assassins in March 2017. The targeting of journalists wasn't limited to those covering organized crime. Carmen Aristegui, one of Mexico's most respected investigative reporters, was selected after publishing her "Casa Blanca" investigation into President Peña Nieto's luxury mansion. Jorge Carrasco, editor of the influential magazine Proceso, found himself targeted after publishing Panama Papers revelations about government officials. The pattern suggested surveillance was being deployed not to fight crime but to monitor and intimidate the press. In Morocco, the situation proved equally alarming. Omar Radi, a 34-year-old investigative journalist known for exposing corruption and land appropriation by the monarchy, became a central case study in the abuse of Pegasus. "He was passionate about understanding and disclosing ongoing processes of theft and robbery of impoverished people and their territories," explained one of his colleagues. Radi had been part of Morocco's February 20 Movement during the Arab Spring, advocating for democratic reforms and freedom of expression. When Amnesty International's Security Lab analyzed Radi's iPhone in 2020, they discovered evidence of multiple zero-click Pegasus infections. The timing of these infections coincided with his investigations into land deals benefiting King Mohammed VI and his associates. Just days after this finding was published by Forbidden Stories and its media partners in June 2020, Radi was summoned for questioning by Moroccan authorities. Within weeks, he was arrested and charged with both "undermining state security" and rape - charges widely seen as fabricated to discredit him. The pattern repeated in Azerbaijan, where celebrated investigative journalist Khadija Ismayilova found herself targeted after years of reporting on corruption within President Ilham Aliyev's family. Ismayilova had previously been imprisoned for 18 months on politically motivated charges and was under constant physical surveillance. Pegasus offered the Azeri government a new tool to monitor her communications with sources and international supporters. In India, the pattern extended to the founders of the Wire, an independent news site known for critical coverage of Prime Minister Narendra Modi's government. Siddharth Varadarajan and M.K. Venu discovered their phones had been compromised in 2018-2019. Forensic analysis revealed that the infection occurred shortly after Varadarajan published articles critical of government policies. "I was really afraid that my sources could be jeopardized," Varadarajan explained when learning of the infection. What made these cases particularly chilling was the totality of the surveillance. Pegasus didn't just intercept communications - it gave governments access to journalists' notes, source lists, unpublished materials, and personal lives. The psychological impact was devastating. As one targeted reporter noted: "It was like being in a time machine, going back to my early youth, experiencing something that was going on in the 1980s" under Communist rule. The digital age had paradoxically revived surveillance techniques from authoritarian pasts, but with far greater reach and precision.

Chapter 5: The Pegasus Project: Collaborative Investigation Emerges

In late 2020, a remarkable opportunity presented itself to Laurent Richard and Sandrine Rigaud of Forbidden Stories, a small Paris-based nonprofit dedicated to continuing the work of journalists who had been threatened, imprisoned, or killed. They gained access to a leaked list of over 50,000 phone numbers that appeared to be potential targets of NSO Group's Pegasus spyware. This data represented a potential breakthrough in understanding the true scale of surveillance against journalists, human rights defenders, and political figures worldwide. The journalists faced immediate challenges. The list itself contained only phone numbers and timestamps - no names, no confirmation of actual infections, and no clear indication of which government clients had selected each target. To transform this raw data into reportable stories would require months of painstaking work: identifying the owners of these numbers, convincing them to submit their phones for forensic analysis, and building a secure global reporting network that could investigate targets across dozens of countries without alerting NSO or its government clients. Security concerns dominated every aspect of the investigation. The team established extraordinary protocols: no cell phone calls among team members, dedicated laptops used only for this project, and in-person meetings conducted with all electronic devices stored in separate rooms. "You might be out having drinks with friends and after about four beers you might be tempted to tell them about this amazing story you're working on," Laurent told his team. "Don't. You can't tell your family, the person you're living with, your best friend. Nobody. People's lives are at stake." The technical backbone of the investigation came from Claudio Guarnieri and Donncha Ó Cearbhaill at Amnesty International's Security Lab. These cybersecurity researchers had spent years tracking NSO Group and had developed sophisticated forensic tools capable of detecting traces of Pegasus infections in smartphone backups. Their work would prove crucial in confirming that the leaked data truly represented Pegasus targeting. "We operate on the assumption that any device can be hacked," they warned the journalists, emphasizing the need for extreme caution. By March 2021, the project had expanded to include trusted media partners: The Washington Post, Le Monde, Süddeutsche Zeitung, and Die Zeit formed the initial circle. Each partner contributed specialized expertise and regional knowledge. The investigation gained momentum when forensic analysis of phones belonging to journalists in India, Hungary, and Morocco revealed clear evidence of Pegasus infections that matched timestamps in the leaked data. Each successful analysis built confidence that the list represented actual targeting by NSO clients. Some of the findings were shocking. The data suggested that the president of France, Emmanuel Macron, had been selected as a potential target by Moroccan intelligence, along with several members of his cabinet. In Hungary, forensic evidence showed that Prime Minister Viktor Orbán's government had used Pegasus against independent journalists like Szabolcs Panyi, who had been investigating corruption and Chinese influence. In Mexico, the number of a journalist murdered in 2017 appeared in the data just weeks before his assassination. As the investigation progressed, the team faced growing ethical dilemmas. When they informed Moroccan journalist Omar Radi that his phone had been compromised by Pegasus, he was arrested within weeks on dubious charges. "The case of Omar was an important lesson," noted Claudio. "Things can go wrong, even for the people we tried to help." This sobering reality reinforced the need for careful consideration of how and when to approach potential victims. By June 2021, after months of forensic analysis, source development, and careful coordination, the Pegasus Project was ready to publish. What had begun with two journalists in a Berlin apartment reviewing a mysterious list had grown into one of the most significant collaborative journalism projects in history, involving more than 80 reporters across 17 media organizations in 10 countries. Their findings would soon shock the world and force a reckoning with the unregulated market for surveillance technology.

Chapter 6: Digital Forensics: The Security Lab's Counteroffensive

The battle against Pegasus required a special kind of hero - not traditional journalists, but digital detectives capable of finding invisible traces of the world's most sophisticated spyware. At the center of this effort were Claudio Guarnieri and Donncha Ó Cearbhaill of Amnesty International's Security Lab, two young cybersecurity researchers who had devoted their careers to protecting human rights in the digital realm. Their backgrounds couldn't have been more different. Claudio was a self-taught Italian security researcher who had witnessed how technologies of liberation during the Arab Spring were quickly repurposed as tools of repression. His colleagues described him as intense and methodical, occasionally taking breaks from his computer to play death metal drums when frustrated by the seemingly endless cat-and-mouse game with surveillance vendors. Donncha came from rural Ireland, where his family had a long history of resistance against oppression. As a teenager, he had been arrested for hacking the website of Rupert Murdoch's Sun newspaper, an early act of digital activism that nearly landed him in prison. The technical challenge they faced was immense. NSO Group had invested millions in making Pegasus virtually undetectable, with sophisticated self-destruct mechanisms and anti-forensic features. "The big problem with mobile devices is lack of visibility," Donncha explained. Unlike computers, smartphones offered users almost no way to see what processes were running or detect malicious code. Even when a phone was infected, the spyware left minimal traces and often deleted itself after a certain period. Their breakthrough came in 2019 when analyzing the iPhone of Moroccan journalist Maati Monjib. By jailbreaking the device - essentially bypassing Apple's restrictions to gain complete access to the system - they discovered that iPhones retained far more data in their backup logs than anyone had realized. Within these logs, they found evidence of suspicious processes with names like "bh" (believed to stand for "Bridgehead") that appeared at the exact moments when Monjib's phone was redirected to malicious websites. This discovery allowed them to develop a forensic methodology that could detect Pegasus infections even after the spyware had disappeared from the device. They identified specific markers - unusual process names, disabled crash reporting functions, and distinctive network connections - that served as Pegasus fingerprints. "If we find more of these patterns across different cases," Claudio explained, "that's additional confidence and consistency. It all sort of contributes to establishing a modus operandi." When the Pegasus Project began in late 2020, Claudio and Donncha refined their tools to analyze the thousands of potential victims identified in the leaked data. The work was painstaking and labor-intensive. Each phone backup required hours of analysis, with Donncha typing command after command, searching through gigabytes of logs for the telltale signs of Pegasus. For a decade, Claudio had typically analyzed "two, three, maybe four cell phones a year" for spyware infections. Now they were being asked to examine dozens in a matter of months. The results were remarkable. In India, they found evidence that Siddharth Varadarajan's phone had been infected the day after he updated his iOS - suggesting NSO had exploited a vulnerability in the new version. In Hungary, they discovered that journalist Szabolcs Panyi's phone had been compromised during his investigation of arms deals involving the Orbán government. In France, they found that Pegasus had extracted more than 220 megabytes of data from journalist Lénaïg Bredoux's iPhone in a single month. Perhaps most significantly, they identified previously unknown attack vectors. NSO had apparently found ways to exploit vulnerabilities in core iPhone functions like iMessage, FaceTime, and even the Photos app. "The phone of a French human rights lawyer was compromised and the 'bh' process was executed seconds after network traffic for the iOS Photos app was recorded for the first time," they reported. These discoveries helped explain how Pegasus could infect devices without any user interaction. Their work didn't just provide evidence for the Pegasus Project's reporting - it fundamentally changed the understanding of smartphone security. "Security can no longer be a privilege in the hands of those few who can afford it," Claudio insisted. "Security has to become a right; it has to be exercised and protected. It is the precondition for privacy, which is the key enabler for freedom of expression, which is a requirement for a healthy democracy."

Chapter 7: Democracy at Risk: Surveillance's Threat to Civil Society

By 2021, the unchecked proliferation of military-grade surveillance technology had created an existential threat to democratic institutions worldwide. What began as tools ostensibly designed for tracking terrorists and criminals had morphed into weapons against the pillars of civil society: journalists, human rights defenders, opposition politicians, and independent judges. The Pegasus Project revealed a crisis far deeper than individual privacy violations - it exposed a fundamental challenge to democratic governance in the digital age. The scale of targeting exposed by the investigation was staggering. Among the 50,000 numbers in the leaked data were 14 heads of state and government, including French President Emmanuel Macron, South African President Cyril Ramaphosa, and Iraqi President Barham Salih. There were hundreds of government officials, diplomats, military officers, and intelligence personnel. Most disturbing were the more than 180 journalists identified as targets across 20 countries, along with hundreds of human rights defenders, academics, and lawyers. This pattern of targeting revealed the true purpose of much government surveillance: not public safety, but power preservation. In Morocco, journalists investigating King Mohammed VI's land appropriations found themselves monitored, then arrested on fabricated charges. In Hungary, reporters exposing Prime Minister Viktor Orbán's corruption discovered their phones compromised during their investigations. In India, critics of Prime Minister Narendra Modi's policies were systematically selected for surveillance. The technology had become a tool for undermining democratic checks and balances. The consequences extended far beyond individual privacy. When journalists knew they were being watched, self-censorship inevitably followed. Sources became reluctant to speak, fearing their identities would be compromised. "I was really afraid that my sources could be jeopardized," explained Hungarian journalist Szabolcs Panyi after learning his phone had been infected. This chilling effect undermined the press's ability to hold power accountable - a cornerstone of democratic governance. The global market for surveillance technology had created what experts called a "technological imbalance between states and their citizens." While governments could purchase sophisticated spyware from companies like NSO Group with minimal oversight, ordinary citizens had few defenses. Even encrypted messaging apps like Signal offered no protection against zero-click exploits that compromised the device itself. "If you're receiving a Signal message that was encrypted on the way, as soon as you read it, they can access it," one security researcher explained to a shocked journalist. Perhaps most concerning was the complete absence of effective regulation. The Israeli government, which had to approve all NSO exports, had allowed Pegasus sales to authoritarian regimes with long histories of human rights abuses. International institutions had proven powerless to intervene. When Amnesty International sued to revoke NSO's export license because of documented abuses, an Israeli court dismissed the case. NSO's spokesperson celebrated the ruling as proof that "the regulatory framework in which we operate is of the highest international standard." The Pegasus revelations forced a global reckoning with the surveillance industry. In the aftermath of the project's publication in July 2021, the U.S. Commerce Department placed NSO Group on its Entity List, restricting its access to American technology. Apple sued NSO and began notifying users whose devices showed signs of Pegasus infection. The European Parliament launched an inquiry into the use of Pegasus within EU member states. Yet the fundamental challenge remained: in a world where digital surveillance had become both invisible and pervasive, how could democracies protect the essential freedoms that made them function? As Rachel Maddow noted in her introduction to the Pegasus Project's findings: "Who is going to deliver us from this worldwide Orwellian nightmare? Because it turns out you don't have to be married to the emir of anything to find your every thought, every footstep, every word recorded and tracked from afar. Turns out you just need to have a phone, and a powerful enemy somewhere. Who among us is exempt from those conditions?"

Summary

The surveillance state's evolution from post-9/11 security measures to sophisticated zero-click spyware represents a fundamental transformation in how power operates in the digital age. Throughout this progression, we've witnessed a consistent pattern: technologies developed for legitimate security purposes inevitably expand beyond their original scope, targeting journalists, activists, and political opponents. The core tension driving this history has been the asymmetric power relationship between surveillance capabilities and privacy protections, with offensive technologies consistently outpacing defensive measures. This imbalance has been exacerbated by weak regulatory frameworks, commercial incentives favoring ever more invasive tools, and the willingness of both authoritarian and democratic governments to deploy these capabilities against perceived threats. The surveillance state's development offers crucial lessons for navigating our digital future. First, technological safeguards alone cannot protect privacy and democratic values; robust legal frameworks with meaningful oversight and enforcement mechanisms are essential. Second, transparency about surveillance capabilities and their deployment must be demanded by citizens, as secrecy inevitably enables abuse. Finally, we must recognize that privacy is not merely an individual preference but a collective good necessary for democratic functioning. When journalists cannot protect sources, activists cannot organize securely, and citizens cannot communicate without fear of monitoring, the foundations of civil society erode. The fight against unregulated surveillance represents one of the defining struggles of our time, with implications that extend far beyond individual privacy to the very nature of power, democracy, and human dignity in the digital age.

About Author

Loading...

Laurent Richard

Read more