ResearchTargeted Threats

Reported Blackstone NSO Deal Failure and the Risks of Investing in Spyware Companies

The purchase of a $400 million stake in spyware company NSO Group by Blackstone Group LP has reportedly fallen through.

We do not know why the deal failed, or what Blackstone Group’s due diligence process may have uncovered.  Blackstone did not respond to the open letter we sent them about the deal, which outlined a range of troubling business and human rights risks surrounding NSO Group.  Reports of the deal attracted critical attention from a range of organizations, including Mexican NGOs involved in investigating NSO, Access Now, and Business and Human Rights.

However, Citizen Lab researchers and partners R3D, SocialTic, and Article19 have been investigating the misuse of NSO’s spyware for over a year, and have uncovered a pattern of abusive uses and due diligence failures in three countries (Mexico, Panama, and the United Arab Emirates), two of which now have active investigations (Mexico and Panama).  The most recent discovery, showing that NSO’s spyware was used to target lawyers for slain Mexican women, was published just two weeks ago on August 2nd, 2017.

Here is an ongoing list of concerns over the misuse of NSO’s Technology:

Targeting of an Award-Winning Human Rights Activist

  • On August 24, 2016, Citizen Lab demonstrated that NSO Group’s spyware had been used by one of its customers in the United Arab Emirates to target Ahmed Mansoor, an award-winning human rights defender (Citizen Lab, New York Times). Mr. Mansoor, currently imprisoned in the UAE, is identified as a prisoner of conscience by Amnesty International.
  • Prior to the sale of spyware by NSO Group to the UAE customer, the UAE had gained international notoriety for using spyware made by two other foreign companies to target Mr. Mansoor in 2011 and 2012, such that its ongoing misuse of commercial spyware was wholly foreseeable.
  • NSO Group’s “exploit infrastructure,” named “Pegasus,” included domains spoofing a wide range of legitimate entities. NSO has never publicly clarified its role in registering and maintaining these domains (Citizen Lab, New York Times). Such domains attempt to spoof, among others:
    • The International Committee of the Red Cross
    • Government service portals, such as the United Kingdom’s visa application portal
    • Facebook Inc., Google Inc., Federal Express Inc., and Turkish Airlines
    • News organizations such as CNN, The BBC, Al Jazeera, and Univision

Targeting of Public Health Campaigners and a Federal Scientist

  • On February 11, 2017, Citizen Lab researched showed that NSO Group’s spyware was used to target public health campaigners and a federal scientist in Mexico (Citizen Lab, New York Times).

Targeting of Journalists, Families, and Anti-Corruption Advocates

  • On June 19, 2017, Citizen Lab investigations showed that journalists, lawyers representing families of missing students, and anti-corruption advocates in Mexico were targeted with NSO Group spyware (Citizen Lab, New York Times).
  • Targets included at least one US citizen, as well as a minor child located in the United States.
  • Targeting activities included impersonating the United States government, including to target an individual located within the United States. Targeting using NSO Group’s spyware also included impersonating alerts from the AMBER alert system, a service designed for the protection, location, and rescue of kidnapped children.

Targeting of Political Leadership

  • On June 29, 2017, Citizen Lab demonstrated that prominent Mexican politicians, including the president of Mexico’s Senate and the president of the PAN political party, were targeted using NSO Group’s spyware (Citizen Lab, The Guardian).

Targeting of Forensic Investigators

  • On July 10, 2017, Citizen Lab verified that NSO Group’s spyware was used to target the Interdisciplinary Group of Independent Experts (GIEI), an international body of forensic investigators under the Organization of American States with diplomatic status investigating a mass disappearance in Mexico (Citizen Lab, NY Times).

Targeting of Lawyers for Slain Women

  • On August 2, 2017 Citizen Lab confirmed that NSO Group’s spyware was sent to two lawyers and human rights defenders representing three women that had been killed in Mexico City. The lawyers were targeted as questions and frustrations grew over the Mexican government’s handling of the case (Citizen Lab, Associated Press).

Systematic Abuse in Panama

Reporting and investigation by organizations including R3D, SocialTic, Article 19, and Privacy International—as well as dozens of media outlets internationally—have uncovered additional details that suggest a lack of due diligence and/or a failure of know-your-customer policies on the part of NSO Group, and possible legal violations by NSO Group’s customers.

Collection and Sale of Known Software Vulnerabilities and a Failure to Responsibly Disclose

Services provided by NSO Group include the sale of so-called “zero day” exploits, which enable the remote infection of commercially available electronic devices. These exploits make use of undocumented vulnerabilities in commercial software and operating systems developed by companies that serve consumers worldwide, such as Apple Inc. Instead of responsibly disclosing information about these vulnerabilities to software companies, however, NSO Group sells solutions which exploit them to customers in United Arab Emirates and elsewhere. These zero-day exploits were used to target the abovementioned individuals, and failure to disclose their existence may have left upwards of hundreds of millions of users at risk.

When researchers at Citizen Lab, in collaboration with security firm, Lookout Inc,  discovered a set of three zero-day exploits used by NSO Group, Apple Inc. was forced to urgently develop and deploy a security update for the approximately one billion users of Apple iOS and OS X operating systems. Google Inc. has conducted its own investigation into this issue, referring to NSO Group’s Android technology as both “malware” and “spyware.” Lookout Inc. has also separately investigated NSO Group’s technology targeting Android devices.

Investigations and Calls for Investigation

In light of the serious human rights concerns raised by the use of NSO Group technology, a number of international bodies have called for investigation, and at least one investigation is presently ongoing:


  • The Mexican Government’s Office of the Prosecutor (PGR) is currently conducting an investigation into the abuse of NSO Group’s spyware in Mexico;
  • Panama’s Government is conducting a criminal prosecution of former President Martinelli, who is detained by the United States awaiting extradition, for illegally purchasing and using NSO Group’s spyware.

Calls for Investigation