Pegasus

Technical capabilities

Pegasus is a mercenary spyware suite that targets current-generation iOS and Android devices. Citizen Lab and Amnesty Security Lab have documented zero-click exploit chains, the most recent publicly named being BLASTPASS, identified by Citizen Lab in September 2023 against an iPhone running iOS 16.6. Once deployed, Pegasus grants the operator full device control, including access to messages from end-to-end encrypted apps such as Signal, WhatsApp and iMessage, plus camera, microphone, location, photos, contacts and files.

Per Amnesty Security Lab forensic methodology, traces of Pegasus persist in iOS DataUsage.sqlite and netusage.sqlite databases through process signatures including a “bh” process associated with infections. The Mobile Verification Toolkit (MVT) maintained by Amnesty is the public reference for indicator scanning.

Documented victims

The 2021 Pegasus Project, led by Forbidden Stories with technical analysis by Amnesty Security Lab, leaked a list of 50,000 phone numbers selected for targeting. Verified victims include:

• Jamal Khashoggi: Citizen Lab confirmed Pegasus targeting on devices of close associates and on the phone of his fiancée Hatice Cengiz post-murder.
• Cecilio Pineda Birto, Mexican journalist murdered in 2017, identified in the Pegasus Project leaked target list.
• Roula Khalaf, then-editor of the Financial Times, named in Pegasus Project disclosures.
• Members of the European Parliament including the Catalonia delegation, per Citizen Lab CatalanGate report (April 2022).
• Adam Coogle of Human Rights Watch (US citizen, targeted in Jordan), per Access Now and Citizen Lab joint report (February 2024).
• At least 35 journalists, activists and human rights lawyers in Jordan between 2019 and 2023.
• US State Department employees stationed in Uganda, per Reuters reporting (December 2021).

Customer states

Customers documented through Citizen Lab forensic attribution and Pegasus Project reporting include Saudi Arabia, the United Arab Emirates, Bahrain, Jordan, Morocco, Mexico, Hungary, Azerbaijan, Kazakhstan, Rwanda, Togo, Ghana, India, Spain (former CNI usage prior to 2022), Israel (police usage exposed by Calcalist in 2022), Switzerland (Federal Office of Police, per 2024 reporting), and Germany (BKA confirmed 2021 acquisition).

Legal and sanctions status

• US Department of Commerce Entity List, since November 2021.
• Apple v. NSO Group, filed November 2021 in US District Court for the Northern District of California.
• WhatsApp/Meta v. NSO Group: December 2024 ruling found NSO liable under the Computer Fraud and Abuse Act. Initial damages $168M (May 2025), reduced to approximately $4M plus permanent injunction (October 2025).
• US State Department visa ban policy (February 2024) targets individuals associated with commercial spyware misuse.
• October 2025: NSO Group acquired by a US investor group; David Friedman, former Trump adviser, named executive chairman.

Technical countermeasures

• iOS Lockdown Mode (introduced iOS 16, July 2022): documented by Citizen Lab and Apple to have prevented Pegasus deployment in multiple cases.
• Apple Threat Notifications: users targeted by mercenary spyware receive Apple notifications, deployed worldwide since 2021.
• iOS 18: locked devices automatically reboot after 72 hours of inactivity, mitigating After First Unlock extraction risks.
• Daily reboot: most Pegasus variants do not survive a reboot on current iOS.
• Forensic verification: Amnesty Mobile Verification Toolkit can detect known Pegasus indicators on iOS and Android backups.
• GrapheneOS on Pixel devices is recommended for high-risk Android profiles.

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.