Pegasus

Pegasus is mercenary spyware developed and sold by NSO Group, an Israeli surveillance contractor founded in 2010. Sold exclusively to government customers under contracts approved by the Israeli Ministry of Defense. Confirmed deployments against journalists, lawyers, NGO staff, dissidents, and political opposition in over 45 countries. Cataloged extensively by Citizen Lab (Toronto) and Amnesty International’s Security Lab.

What it means in practice

Pegasus is the highest-tier consumer-device implant publicly documented. It runs on iPhone and Android, installs through zero-click exploits delivered via iMessage, WhatsApp, FaceTime, or Apple Music (the specific delivery vector changes as Apple and Google patch). Once on the device, it has full access: messages before encryption (Signal, WhatsApp, anything), microphone, camera, location, files, calendar, contacts. Detection is hard by design: the implant deletes itself after extraction, leaves minimal forensic traces, and rotates indicators of compromise to evade Citizen Lab’s public detection methodologies. The cost per target runs into hundreds of thousands of dollars; this is not mass surveillance, it is targeted operations.

Who is targeted, and by whom

Confirmed targets include the family of Jamal Khashoggi (deployed by Saudi Arabia before and after his murder), at least 65 Catalan independence movement figures (Spain), 14 heads of state, dozens of journalists at the New York Times, Wall Street Journal, Le Monde, El País, and others, opposition figures in Mexico, India, Hungary, Morocco, Rwanda, Azerbaijan, El Salvador. The buyer pattern is governments using Pegasus against critics, dissidents, lawyers representing critics, and the journalists who write about all of the above. The 2021 Pegasus Project (Forbidden Stories, Amnesty, 17 newsroom consortium) leaked a list of 50,000 selected phone numbers across NSO customer states. NSO denies it is a target list; the targeting evidence on individual devices contradicts that.

What you can change today

Pegasus is a threat for a small percentage of journalists, activists, and lawyers. If you might be in that percentage (high-profile reporting on intelligence services, organized crime, or authoritarian governments; legal representation of dissidents; advocacy work that has drawn government attention), the operational response is structural, not configuration-level. Use a hardened device (GrapheneOS or a fresh iPhone running Lockdown Mode, iOS 17+) for sensitive work, kept separate from your daily-life device. Reboot the sensitive device daily (some implants do not survive a reboot). Get a forensic scan from Citizen Lab’s Security Lab or Amnesty’s MVT toolkit (free, open-source, github.com/mvt-project/mvt) if you suspect compromise.

Related articles

• Three breaches in ten days. In two of them, the attacker never wrote a line of code.
• You don’t have to be a suspect. You just have to have been there.
• Digital security for journalists in 2026: the complete operational guide.
• The FBI recovered deleted Signal messages from a seized iPhone. The encryption wasn’t broken.