Pegasus
NSO Group
A commercial mobile-spyware platform developed by the Israeli firm NSO Group from approximately 2011 onward, sold under regulated-export licence to government clients for installation on iOS and Android target devices via zero-click and one-click delivery vectors. Documented through Citizen Lab and Amnesty International technical research as deployed against journalists, dissidents, attorneys, and political-opposition figures across more than fifty countries.
Overview
Pegasus is the principal commercial mobile-spyware platform documented in the post-2010 published record. The platform's operational characteristics — the combination of zero-click installation capability against iOS and Android target devices, the operational reach into the encrypted-messenger and contact-database content of the targeted device, and the institutional pattern of state-client deployment under regulated-export licence — have made the platform the defining commercial-spyware product of the 2010s and 2020s.
The settled subsequent assessment of NSO Group's institutional position has produced the body of academic-and-policy literature, civil-litigation record, and institutional-reform proposals that constitutes the principal post-2018 engagement with commercial-spyware regulation. The unresolved institutional question — whether the commercial-spyware industry's operational pattern can be constrained through export-control regulation, civil-litigation accountability, or alternative institutional mechanisms — remains a continuing thread in the post-2021 environment.
Founding and the Israeli industry context
NSO Group Technologies Ltd. was founded in 2010 in Herzliya, Israel by Niv Karmi (a former Israeli Defence Forces signals-intelligence officer), Shalev Hulio (a former IDF officer, who served in Search and Rescue), and Omri Lavie (a technology entrepreneur). The founding cohort's pattern — Israeli signals-intelligence veterans transitioning to commercial cybersecurity following IDF service — was the broader pattern of the Israeli commercial-spyware industry of the post-2005 period, which also produced Candiru, Cellebrite, Quadream, Paragon Solutions, and adjacent firms.
The institutional context of NSO Group's emergence was the post-2008 maturation of mobile-platform exploitation as a cybersecurity discipline. The 2007 introduction of the Apple iPhone and the subsequent consumer-mobile-platform expansion across 2008–2010 had produced a new operational target environment — mobile devices that consolidated communication, identification, location, and personal data into a single networked platform — for which commercial exploitation tooling had limited prior existence. NSO Group's technical contribution was the development of operational tooling for that mobile-platform environment.
Product evolution
The documented institutional development pathway across 2011–2016 produced successive Pegasus versions. The first commercially deployed version — documented in the 2016 Citizen Lab disclosure of the operational targeting of UAE human-rights activist Ahmed Mansoor — was the iOS-targeted Pegasus 1.x platform with one-click delivery via SMS-message social engineering.
The development across 2017–2019 produced the zero-click delivery capability — initial implementations through the iMessage and FaceTime exploitation chains, subsequent expansion through WhatsApp (the May 2019 vector at the heart of the WhatsApp Inc. v. NSO Group civil litigation), and the FORCEDENTRY iMessage-rendering exploitation chain documented in the Citizen Lab–Apple September 2021 disclosure. [1]
The Israeli export-licensing framework
The Israeli regulatory framework for NSO Group's export operations is the Defence Export Control Law of 2007 — the post-2007 statutory framework under which dual-use cybersecurity products are regulated as defence exports requiring Israeli Ministry of Defence licensing for export to specific government clients. The MOD reviews each NSO Group sale at the country-client level and approves or rejects the proposed export.
The documented operational pattern is that the Israeli MOD has approved Pegasus exports to approximately fifty country clients across the post-2011 period; rejected exports to certain clients (the publicly cited examples are Iran, the People's Republic of China, and the Russian Federation); and re-licensed exports following adverse public-record disclosure (the post-2018 Khashoggi-related licensing review and the post-2021 Forbidden Stories disclosure-related review).
Delivery vectors
The zero-click delivery vector is the defining operational characteristic of Pegasus 2.x and later versions. The vector requires no target-user interaction — the operational deployment of the implant is triggered by the receipt of a specially crafted message at the target device. Documented variants across the post-2018 period include WhatsApp voice-call delivery (the May 2019 vector that produced the WhatsApp Inc. v. NSO Group lawsuit); iMessage attachment-rendering delivery (the FORCEDENTRY chain documented in September 2021, exploiting an iOS CoreGraphics image-parsing component); and adjacent platform-vulnerability vectors.
The one-click delivery vector — operational across 2011–2016 and in continuing operational use as a fallback against zero-click-resistant targets — requires target-user interaction with a delivered link.
Operational capability on the target device
The operational capability documented on Pegasus-installed target devices includes SMS-content extraction (full message-history archive); contact-list extraction; call-history extraction; real-time geolocation tracking; hot-microphone activation with audio capture; camera activation with photograph and video capture; encrypted-messenger content access (Signal, WhatsApp, Telegram, Wickr, iMessage) through interception of the unencrypted endpoint state on the target device; email-application content access; password and credential extraction; web-browser history and cookies extraction; and adjacent operational capability across the broader application landscape on the target device. The institutional substance of the capability is comprehensive — the implant produces full visibility into the content the target user maintains on the target device.
Persistence and exfiltration
Pegasus persistence on the target device is limited rather than indefinite: the implant is designed for finite operational deployment. The documented pattern is that operational deployment is initiated for a specific institutional purpose; persistence on the target device extends across days to weeks rather than years; and the implant self-deletes upon completion of the operational requirement. The rationale for the limited-persistence design is operational security: a shorter deployment leaves a smaller forensic footprint on the target device. Collected data is exfiltrated through the command-and-control channel to an NSO-customer-controlled infrastructure stack.
Documented deployments
Confirmed: Ahmed Mansoor (UAE, 2016). The 24 August 2016 Citizen Lab disclosure of the targeting of UAE human-rights activist Ahmed Mansoor was the first documented Pegasus deployment in the public record. The disclosure established the institutional pattern that subsequent Citizen Lab and Amnesty International disclosures across 2017–present have extended.
Confirmed: Mexican journalists and political opposition (2014–present). The documented Pegasus deployment in Mexico across the Calderón, Peña Nieto, and López Obrador presidential periods has targeted approximately fifty journalists, civil-society activists, anti-corruption investigators, and political-opposition figures. The most documented episodes have included the 2017 Citizen Lab disclosure of the targeting of journalists Carmen Aristegui, Carlos Loret de Mola, and the broader Aristegui-affiliated journalistic cohort; the 2017 Citizen Lab Reckless Exploit series disclosing the targeting of relatives of the 43 disappeared Ayotzinapa students; and subsequent disclosures across the post-2018 period.
Confirmed: Jamal Khashoggi institutional circle (2018). The documented Pegasus deployment against members of the institutional circle of Saudi journalist Jamal Khashoggi, in the period preceding his 2 October 2018 killing at the Saudi consulate in Istanbul, has been the subject of subsequent academic-and-policy commentary. The documented targets included the spouse of Saudi journalist Omar Abdulaziz (a close associate of Khashoggi); the targeting was conducted by the Saudi-government NSO-customer institutional-deployment vehicle.
Confirmed: Catalan independence movement (2017–present). The documented Pegasus deployment against members of the Catalan independence movement across the post-2017 period was the subject of the April 2022 Citizen Lab CatalanGate disclosure, which documented the targeting of approximately sixty-five Catalan political and civil-society figures including Members of the European Parliament Diana Riba and Jordi Solé; Catalan presidents Pere Aragonès and Quim Torra; and additional cases.
Confirmed: Hungarian journalists and civil-society figures (2018–21). The documented Pegasus deployment in Hungary across the post-2018 period under the Orbán government has targeted journalists at Direkt36 and Telex.hu, civil-society lawyers, anti-corruption investigators, and adjacent institutional cohorts.
Confirmed: Indian opposition figures and journalists (2019–present). The 2021 Forbidden Stories disclosure documented the Pegasus deployment in India against opposition political figures (Rahul Gandhi), journalists (Paranjoy Guha Thakurta), Election Commission officials, and members of the broader Indian civil-society cohort.
The institutional position of NSO Group on these documented deployments has been customer-confidentiality non-acknowledgement combined with the position that abuse-related deployments by client governments have been the responsibility of the client governments rather than of NSO Group. NSO Group's subsequent institutional reform across the post-2018 period has included the establishment of an internal Human Rights Compliance Committee and the termination of a number of country-client relationships across the post-2021 period. [3, 8]
US Entity List designation
The 3 November 2021 designation of NSO Group on the US Department of Commerce Entity List restricted US-export-related transactions involving NSO Group products. The designation constrained NSO Group's access to US-developer cloud-computing services, US-supplier components, and US-financial-system transaction processing. The consequences for NSO Group's commercial operations have been substantial across the post-2021 period. [7]
Civil litigation
The major civil litigation against NSO Group across the post-2019 period comprises three principal tracks. WhatsApp Inc. v. NSO Group (filed October 2019, ongoing as of 2026) reached a May 2025 federal jury verdict of $168 million against NSO Group under the Computer Fraud and Abuse Act of 1986. Apple Inc. v. NSO Group (filed November 2021, dismissed September 2024 on jurisdictional grounds following Apple's institutional concern that continued litigation would expose Apple's security-research methodology) closed without judgment. Adjacent civil-litigation actions in Israeli, UK, French, and Catalan courts have been brought by individual targets. [5, 6]
Institutional reform proposals
The post-2021 institutional reform proposals for the commercial-spyware industry have included the March 2023 Biden Executive Order 14093 prohibiting US-government operational use of commercial spyware that has been deployed against US-government personnel or against civil-society targets; the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware, issued 30 March 2023 at the second Summit for Democracy; the Pall Mall Process diplomatic framework launched February 2024; and subsequent multilateral institutional engagement. [9]
Sources and further reading
1. Bill Marczak and John Scott-Railton, The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender, Citizen Lab Research Report 78, 24 August 2016 — the first documented Pegasus deployment.
2. The Pegasus Project, Forbidden Stories and Amnesty International, beginning 18 July 2021 — the principal investigative-journalism collaboration on the comprehensive Pegasus targeting record.
3. Citizen Lab Targeted Threats Research, University of Toronto Munk School of Global Affairs and Public Policy — the body of Pegasus-related forensic and policy research across the post-2016 period.
4. Amnesty International Security Lab, Forensic Methodology Report: How to Catch NSO Group's Pegasus, 18 July 2021 — the technical-forensic methodology developed for Pegasus detection.
5. WhatsApp Inc. v. NSO Group Technologies Ltd., No. 4:19-cv-07123, US District Court for the Northern District of California, filed 29 October 2019 — the principal civil-litigation track.
6. Apple Inc. v. NSO Group Technologies Ltd., No. 3:21-cv-09078, US District Court for the Northern District of California, filed 23 November 2021 — the secondary civil-litigation track.
7. US Department of Commerce, Commerce Adds NSO Group and Other Foreign Companies to Entity List for Malicious Cyber Activities, 3 November 2021.
8. Citizen Lab, CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru, 18 April 2022.
9. Executive Order 14093, Prohibition on Use by the United States Government of Commercial Spyware, 27 March 2023.
10. Ronan Farrow, How Democracies Spy on Their Citizens, The New Yorker, 18 April 2022 — the principal long-form treatment of the Pegasus operational pattern.