Pegasus and NSO Group

2016-08

The mobile-spyware tool developed by Israeli firm NSO Group that, between approximately 2011 and the present, has been deployed by state customers across more than forty countries against journalists, activists, opposition figures, and senior government officials.

Background

NSO Group Technologies was founded in Herzliya, Israel, in 2010 by Niv Karmi (also rendered Carmi), Shalev Hulio, and Omri Lavie. The firm's name was an acronym of the founders' first names. NSO has, across its existence, been licensed by the Israeli Ministry of Defense as a defence-export entity — meaning that all sales to foreign governments require Israeli Government export approval. The firm's flagship product, Pegasus, has been progressively developed across more than a decade as a remote-access tool capable of comprehensive compromise of mobile devices including iPhones and Android handsets.1

Pegasus's technical capability has expanded across successive versions. Early versions required user interaction, typically a malicious link delivered by SMS or messaging, to install the tool. Later versions, including the KISMET (2020) and FORCEDENTRY (2021) zero-click iMessage exploits, achieved installation without any user action: the targeted phone could be compromised through the receipt of a specially crafted message. Once installed, the tool provides comprehensive access to messages, photographs, location data, microphone, camera, and other device functions.2

NSO's stated business model — repeated in successive corporate communications and litigation filings — has been the licensing of Pegasus exclusively to government customers, for use against terrorism and organised-crime targets, with contractual restrictions on use against journalists, activists, and opposition figures. The pattern of public-record disclosures across 2016–2024 has progressively undermined this characterisation.3

The Operation

The first publicly documented Pegasus deployment was the August 2016 attempted compromise of the iPhone of Ahmed Mansoor, an Emirati human-rights defender. Mansoor received SMS messages containing links that, had he clicked them, would have installed Pegasus through a chain of three previously unknown ("zero-day") iOS exploits. Mansoor instead forwarded the messages to Citizen Lab, the digital-rights research group at the University of Toronto's Munk School. Citizen Lab's analysis — conducted with security firm Lookout — identified the exploit chain ("Trident") and the operator, subsequently linked to a UAE-government Pegasus operator (distinct from the separate Stealth Falcon campaign documented earlier in 2016). The August 2016 disclosure produced the first comprehensive public-record account of Pegasus capability.4

Subsequent disclosures across 2017–2024 progressively documented Pegasus deployments across multiple countries:

  • Mexico (2017+): Deployments against journalists, anti-corruption investigators, lawyers representing the Ayotzinapa victims' families, and senior figures of the López Obrador campaign — the most extensive Pegasus deployment outside Saudi Arabia and the UAE.5
  • Saudi Arabia (2017+): Deployments against Saudi dissidents abroad including Omar Abdulaziz, Ghanem Almasarir, and others. Citizen Lab's October 2018 report on the targeting of Abdulaziz preceded the Khashoggi killing by approximately one month.6
  • Morocco (2017+): Deployments against Moroccan journalists Omar Radi and Maati Monjib, and — most prominently in the July 2021 Pegasus Project disclosures — against successive French Government officials including President Emmanuel Macron's personal mobile phone.7
  • India (2017+): Deployments against Indian journalists, opposition political figures including Rahul Gandhi, civil-society activists, and a former Indian Election Commissioner.8
  • Spain (2021–2022): "CatalanGate" — deployments against Catalan independence figures — and the May 2022 disclosure that Prime Minister Pedro Sánchez and the personal phones of the Defence and Interior Ministers had been targeted by an unidentified Pegasus operator.9
  • Poland (2019–2021): Deployments against opposition political figures and associated lawyers.10
  • United Kingdom: Multiple deployments documented by Citizen Lab in successive reports.11

The most consequential single moment of public disclosure was the July 2021 Pegasus Project — a consortium investigation by Forbidden Stories and Amnesty International, working with seventeen news outlets including the Washington Post, The Guardian, Le Monde, Süddeutsche Zeitung, and The Wire — based on a leaked list of approximately 50,000 phone numbers identified as having been selected by Pegasus operators across multiple countries. The Pegasus Project's sustained reporting across July 2021 onward produced the most extensive single set of disclosures.12

Disclosure

The institutional response to the disclosures has been more substantial than for any other commercial-spyware case. The most consequential single action was the November 2021 US Department of Commerce decision to add NSO Group to the Bureau of Industry and Security's Entity List — a designation that imposes substantial export-control restrictions on US-origin technology to NSO. Apple's November 2021 lawsuit against NSO (subsequently dismissed following Apple's filing for voluntary dismissal 13 September 2024) and Meta's continuing 2019 WhatsApp lawsuit (in which the District Court for the Northern District of California issued a 20 December 2024 summary-judgment finding of NSO liability) constituted parallel private-sector legal action.13

The Israeli Government's response has been substantially more limited. The Israeli National Security Council's 2022 review reportedly produced narrowed export-license criteria; specific decisions have not been publicly disclosed. Ministry of Defense export-license cancellations to specific foreign customers — reportedly including Hungary, Poland, and Mexico — have been the subject of partial press confirmation.14

European institutional response has included the European Parliament's PEGA Committee — a special committee on the use of Pegasus and equivalent surveillance spyware established in March 2022 and reporting in May 2023 — which produced extensive findings on member-state use of Pegasus and equivalent tools. The Committee's report characterised the use of such tools by member-state governments as "potentially undermining democracy and rule of law."15

Legacy

The Pegasus disclosures have produced the most extensive public-record documentation of state surveillance against civil society in any contemporary period. The combined work of Citizen Lab, the Amnesty International Security Lab, Forensic Architecture, Access Now, and successive consortium-partner journalists has established a methodology for technical attribution of mobile-device compromise that has been substantially adopted by Western intelligence services and journalistic outlets. The post-2021 emergence of additional commercial-spyware actors (Cytrox / Predator, Candiru, Quadream, and other entities) has broadly followed the documentation framework established for Pegasus.16

For the institutional question of how Western jurisdictions should respond to such tools, the case has produced sustained ongoing legislative and regulatory work. The US Executive Order 14093 of March 2023 prohibits operational use of commercial spyware that poses risks to US national security or that has been misused; the executive order is the most substantial single US Government action specifically targeting commercial-spyware vendors. Successive European-level responses — including the EU Council's joint statements on commercial spyware — have followed.17

For the question of state-intelligence-service practice specifically, the case has progressively documented the use of commercial spyware as a substitute for, or complement to, in-house technical-collection capability — particularly by services that lack the technical depth of comparable Western signals organisations. The pattern has been particularly pronounced for the Saudi GIP, the UAE SIA, the Moroccan DGED/DGST, and the Mexican intelligence and security apparatus.18

This dossier relates to multiple agencies including the Saudi General Intelligence Presidency, the UAE Signals Intelligence Agency, the Moroccan DGED and DGST, and, through specific documented Pegasus deployments, to the Indian Intelligence Bureau (suspected Pegasus operator) and other services. The country-level context is on the pages for Israel (the country in which NSO is licensed), Saudi Arabia, the United Arab Emirates, and Morocco. Citizen Lab and the Amnesty International Security Lab, the principal technical-attribution organisations, are not state-intelligence services and do not have agency pages on this site.

Sources & Further Reading

  1. Israeli Ministry of Defense, defence-export licensing framework; NSO Group corporate statements and SEC-equivalent filings.
  2. Citizen Lab, "FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild," 13 September 2021; Citizen Lab, "Pegasus vs. Predator," 16 December 2021.
  3. NSO Group, Transparency and Responsibility Report, June 2021; subsequent NSO statements in litigation filings.
  4. Bill Marczak and John Scott-Railton, "The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender," Citizen Lab, 24 August 2016; Lookout Mobile Security technical analysis of Trident, August 2016.
  5. Citizen Lab, "Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware," 19 June 2017; Pegasus Project consortium reporting on Mexico, July 2021 onward.
  6. Citizen Lab, "The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil," 1 October 2018.
  7. Forbidden Stories, The Pegasus Project, 18 July 2021 onward; Le Monde, "Macron's phone targeted in NSO spyware case," 20 July 2021.
  8. Pegasus Project consortium reporting on India, The Wire Pegasus Project series, 18 July 2021 onward; Supreme Court of India, Manohar Lal Sharma v. Union of India, 27 October 2021; Technical Committee Report, August 2022.
  9. Citizen Lab, "CatalanGate," 18 April 2022; Spanish Government press conference on the targeting of Prime Minister Sánchez, 2 May 2022.
  10. Citizen Lab, "Pegasus vs. Predator," which covers the targeting of a Polish opposition Senator; subsequent Polish parliamentary committee findings, 2024.
  11. Citizen Lab UK-related publications, ongoing series.
  12. Forbidden Stories, The Pegasus Project, July 2021 onward; Laurent Richard and Sandrine Rigaud, Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy (Henry Holt, 2023).
  13. US Department of Commerce, Bureau of Industry and Security, addition of NSO Group Technologies Limited and Q Cyber Technologies to the Entity List, 86 Fed. Reg. 60759 (Nov. 4, 2021), announced 3 November 2021 and published in the Federal Register 4 November 2021; Apple Inc. v. NSO Group Technologies Ltd. et al., N.D. Cal., complaint 23 November 2021, withdrawn 18 September 2024; WhatsApp LLC v. NSO Group Technologies Ltd., N.D. Cal., 4:19-cv-07123.
  14. "Israel restricts cyberweapon exports after Pegasus row," Reuters, 6 December 2021; Israel National Security Council statements.
  15. European Parliament Committee of Inquiry to Investigate the Use of Pegasus and Equivalent Surveillance Spyware (PEGA Committee), Final Report, 22 May 2023.
  16. Citizen Lab Annual Reports and successive specific investigations; Access Now, Pegasus reports series.
  17. Executive Order 14093, "Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security," 27 March 2023; Council of the European Union statements on commercial spyware.
  18. Pegasus Project consortium reporting; PEGA Committee, Final Report, op. cit.