Pegasus spyware active in 45 countries, Citizen Lab says

An infamous brand of mobile spyware may be operating in 45 countries as part of a sprawling footprint that could enable human rights abuses, according to a new report.
The Thanos ransomware used in the attacks has gained traction on underground forums (Getty Images).

An infamous brand of mobile spyware may be operating in 45 countries as part of a sprawling footprint that could enable human rights abuses, according to a new report.

The Pegasus spyware made by Israeli surveillance company NSO Group correlated with more than a thousand IP addresses over a two year-study conducted by The Citizen Lab, a research and development organization at the University of Toronto. The Pegasus spyware attempts to lure targets into clinking on links and then delivers zero-day exploits to breach the defenses of iPhones and Android phones.

Several of the countries where the researchers detected Pegasus have poor human rights records, such as Bahrain, Kazakhstan, and Saudi Arabia. “Our findings paint a bleak picture of the human rights risks of NSO’s global proliferation,” the report states. At least 10 operators of the spyware “appear to be actively engaged in cross-border surveillance,” according to Citizen Lab, pointing to the geopolitical realities of nation-state spying.

An NSO Group representative could not be reached for comment on the Citizen Lab report. A company spokesperson told Motherboard that NSO Group does not operate in many of the countries listed in the report. The company says its product is used by law enforcement agencies to investigate and prevent crime and terror.


Citizen Lab counters that its results inevitably include non-NSO Group customers because there appear to be Pegasus users operating in multiple countries. The research also notes that the use of location-spoofing tools like VPNs “may skew our geolocation results.”

The surveillance company gained notoriety in 2016 after Citizen Lab produced evidence that the United Arab Emirates government had used Pegasus to spy on human rights activist Ahmed Mansoor, who has since been sentenced to ten years in prison for social media posts.

NSO Group’s surveillance tools are highly coveted. A former company employee has been charged with stealing and trying to sell NSO Group’s proprietary code on the dark web for $50 million in cryptocurrency, the Israeli justice ministry said in July.

NSO Group is not the only spyware company to apparently rub shoulders with autocratic regimes. A report in May from nonprofit Access Now documented how malware from another vendor, FinFisher, was used to target critics of the Turkish government.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts