Our forensic analysis confirms that phones belonging to three individuals in Bahrain were hacked in 2021 with NSO Group’s Pegasus spyware.

El Citizen Lab y Access Now han confirmado 35 casos de periodistas y miembros de la sociedad civil salvadoreña cuyos teléfonos fueron infectados con el programa espía Pegasus del NSO entre julio del 2020 y noviembre del 2021. Hemos compartido una muestra de nuestros datos forenses con el Laboratorio de Seguridad de Amnistía Internacional, el cual confirma de forma independiente los hallazgos.

The Citizen Lab and Access Now have confirmed 35 cases of journalists and members of civil society whose phones were successfully infected with NSO’s Pegasus spyware between July 2020 and November 2021. We shared a sample of forensic data with Amnesty International’s Security Lab which independently confirms the findings.

بواسطة: بيل مارزاك، جون سكوت-رايلتون، بحر عبد الرزاق، نورا الجيزاوي، سيينا أنستيس، كريستين بردان، ورون ديبرت. النتائج الرئيسية تم اختراق معارضَين مصريين في المنفى؛ وهما السياسي أيمن نور، ومقدم برنامج شهير (والذي يرغب بألا يفصح عن هويته). تم الاختراق بواسطة برنامج التجسس بريداتور (Predator)، والذي تم تطويره وبيعه بواسطة  Cytrox لتطوير برامج التجسس المرتزقة، وهي… Read more »

Two Egyptians—exiled politician Ayman Nour and the host of a popular news program (who wishes to remain anonymous)—were hacked with Predator spyware, built and sold by the previously little-known mercenary spyware developer Cytrox. The phone of Ayman Nour was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different government clients.

Our forensic analysis of two iPhones belonging to Hubbard found evidence of Pegasus infections in July 2020 and June 2021. Notably, these infections occurred after Hubbard reported in January 2020 that we found that he was targeted in 2018 by the Saudi Arabia-linked Pegasus operator that we call KINGDOM.

“Smart” in-store shopping carts, developed by Caper and used by Sobeys, issue electronic receipts via SMS message and share a URL that uses an easily predictable format. These receipts contain a number of personal data points, including the customer’s partial credit/debit/Air Miles card numbers, a full list of purchases, and the date, time, and location of the customer’s purchase.

While analyzing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware, we discovered a zero-day zero-click exploit against iMessage. The exploit, which we call FORCEDENTRY, targets Apple’s image rendering library, and was effective against Apple iOS, MacOS and WatchOS devices.

Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Using Internet scanning, we identified more than 750 websites linked to Candiru’s spyware infrastructure. We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.

Over the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy. This report highlights several clusters of targets. In future reports, we will provide more details about specific clusters of targets and Dark Basin’s activities.