Web application

About the Project – OCCRP


  1. What is The Pegasus Project, and how did it come about?

  2. What does “selected for targeting” mean? Were these people actually hacked?

  3. Who are the clients?

  4. Who was being targeted?

  5. What does it mean to get infected by Pegasus?

  6. How do we know it was NSO Group?

  7. What’s new here? What does the Pegasus Project add to what’s known about NSO Group?

  8. Is this kind of surveillance legal?

  9. Was Pegasus ever used for its stated purpose of targeting terrorists and criminals?

  10. What was NSO Group’s response to the data presented by the Pegasus Project?

1. What is The Pegasus Project, and how did it come about?

The Pegasus Project is a collaborative investigation into NSO Group, an Israeli “cyber intelligence” company that sells sophisticated spyware to governments around the world.

NSO Group insists that its mobile phone surveillance software, called Pegasus, is meant to help its clients combat crime and terrorism. But it has also been used to spy on journalists, activists, opposition politicians, and dissidents.

After years of criticism, the secretive company has recently become more communicative, publicizing its commitment to human rights and even publishing a “Transparency and Responsibility Report” in June 2021.

But the spyware intrusions haven’t stopped. That’s why more than 80 journalists, representing 17 media organizations around the world, have come together to produce this investigation.

It began when journalism nonprofit Forbidden Stories and human rights group Amnesty International gained access to a set of more than 50,000 leaked phone numbers believed to be a list of targets of NSO Group’s phone hacking software. As the coordinator of the project, Forbidden Stories then invited OCCRP, the Washington Post, the Guardian, and 13 other partners to help investigate.

In the course of the project, we identified hundreds of individuals who owned these phones. Sixty-seven of them were subject to forensic analysis to determine whether they had been infected, and 37 showed signs of Pegasus activity. This reporting, supplemented by additional databases, internal documents, interviews, court documents, and other sources, formed the basis of the Pegasus Project, an unprecedented effort to understand who has been targeted by the users of NSO Group’s software — and what happens to them next.

2. What does “selected for targeting” mean? Were these people actually hacked?

A key part of the Pegasus Project is a list of over 50,000 phone numbers in nearly 50 countries, which is believed to be a list of numbers that have been “selected for targeting” by NSO clients.

This is a characterization that NSO Group has rejected. (See question 10 below for more on NSO Group’s response to the data, which can be read here in more detail.)

However, reporting by The Pegasus Project builds a case that the list indeed contains cell phone numbers selected by NSO Group clients for targeting with Pegasus. There is no evidence or suggestion that the company itself compiled or had any knowledge of these numbers.

The list does not include identifying information, but reporters were able to independently identify the owners of over 1,000 numbers. OCCRP focused on identifying numbers from Azerbaijan, Kazakhstan, Rwanda, and Indonesia.

In many of these cases, the phone numbers identified were consistent with persons of interest to governments, including both legitimate security threats like terrorists and hundreds of independent journalists, dissidents, and members of the political opposition.  Furthermore, some of these numbers appeared on the list during time periods corresponding to real world events — such as elections, arrests, or the release of compromising private information — in ways that suggest a correlation with the data.

Pegasus Project partners spoke with off-the-record industry insiders who corroborated key issues, found that court documents from WhatsApp’s suit against NSO Group contained some of the same numbers as on the leaked list, and confirmed other details that further corroborated the Pegasus Project’s understanding of the data.

The strongest indication that the list really does represent Pegasus targets came through forensic analysis.

Amnesty International’s Security Lab examined data from 67 phones whose numbers were in the list. Thirty-seven phones showed traces of Pegasus activity: 23 phones were successfully infected, and 14 showed signs of attempted targeting. For the remaining 30 phones, the tests were inconclusive, in several cases because the phones had been replaced.

Fifteen of the phones in the data were Android devices. Unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work. However, three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.

In a subset of 27 analyzed phones, Amnesty International researchers found 84 separate traces of Pegasus activity that closely corresponded to the numbers’ appearance on the leaked list. In 59 of these cases, the Pegasus traces appeared within 20 minutes of selection. In 15 cases, the trace appeared within one minute of selection. This strongly suggests the list represents the selection of numbers for targeting by state actors.

There is still much we can’t prove about the list: how it was compiled, who compiled it, or how it was used. Just because a number was included does not necessarily mean it was compromised. The list may include phone numbers where an attempted infection was unsuccessful, or where no attempt was made.

3. Who are the clients?

Based on the geographical clustering of the numbers on the leaked list, reporters identified potential NSO Group clients from more than 10 countries, mostly (but not always) one per country.

These countries include:

  • Mexico
  • Azerbaijan
  • Kazakhstan
  • Hungary
  • India
  • United Arab Emirates
  • Saudi Arabia
  • Bahrain
  • Morocco
  • Rwanda
  • Togo

NSO Group insists that it sells its software only to governments, suggesting that the clients in these countries represent intelligence services, law enforcement agencies, or other official bodies.

4. Who was being targeted?

NSO Group contends that its Pegasus software is meant only to help legitimate law enforcement bodies go after criminals and terrorists, and that any other use would violate its policies and user agreements.

The Pegasus Project did find numbers belonging to suspected criminal figures on the leaked list. However, of over 1,000 numbers whose owners were identified, at least 188 were journalists. Many others were human rights activists, diplomats, politicians, and government officials. At least 10 heads of state were on the…


Read More:About the Project – OCCRP

Products You May Like