What is the Pegasus project and what have we learned from it?

Key Takeaways

  • Pegasus is a military-grade spyware capable of infecting iOS and Android phones to surveill unknowing victims

  • The Pegasus project revealed that the spyware was used by several governments to spy on journalists, activists and political opposition

  • The private surveillance industry has quietly boomed in the last decade and operates in a grey area of ethics when it comes to serving the public good

What is Pegasus and who is NSO?

Pegasus is spyware developed by a private company for use by government agencies. Pegasus is capable of bypassing all the standard cybersecurity protections on a mobile device, sometimes without the victim even clicking a suspect link. It works on both Apple and Android devices. The program infects a target’s phone and sends back data, including photos, messages, and audio / video recordings. If you are interested in a description of the software’s capabilities in more detail, you can read this product description document from the company that developed it.

Pegasus was developed by an Israeli company called NSO Group. The company was founded by alumni of Israel’s famous Unit 8200, an Israeli Intelligence Corps responsible for collecting signal intelligence and code decryption; it is analogous to the U.S. National Security Agency. 

NSO Group’s mission statement is to “help governments protect innocents from terror and crime by providing them with the best intelligence of its kind”. Pegasus is not NSO’s sole product. NSO has a range of products, including those designed to augment data analytics capabilities by law enforcement, improve search and rescue efforts, and implement effective counter-measures against incursions by drones. In the company’s 2021 report, it claims that NSO’s technology has helped:

  • Prevent terrorist shooting sprees, car explosions and suicide bombings

  • Find and rescue kidnapped children

  • Locate survivors trapped under collapsed buildings in the wake of natural disasters

  • Protect airspace against disruptive penetration by drones


According to a transparency report from NSO this year, NSO licenses Pegasus to sovereign states and state agencies, does not operate Pegasus, has no visibility into its usage, and does not collect information about customers. 


What is the Pegasus project?

The Pegasus project is a collaborative journalistic investigation into the espionage on journalists, opposition politicians, activists, and business people using the Pegasus spyware. The investigation began with a list of more than 50,000 phone numbers of citizens in countries that are known to be clients of NSO Group. Amnesty International’s security lab examined 67 smartphones from that list and from those revealed 37 instances in which Pegasus was used in the successful hacks of phones - including those belonging to two women who were close to Jamal Kashoggi, a journalist who was assassinated by the Saudi government in 2018.


The origin of this list is still disputed, but the forensic analysis of the 37 phones shows that many display a tight correlation between time stamps of when the number was added to the list and the initiation of surveillance attempts. Reporters were able to identify more than 1,000 people on the list and found them to include several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians  – including three sitting presidents, three current prime ministers and Morocco’s King Mohammed VI. Among the sitting presidents was France’s Emmanuel Macron. 

The Pegasus project has triggered an immediate response from the international community. Hungarian prosecutors have opened an investigation into the spying claims. France has launched an investigation into the french numbers on the list, including their president. Opposition leaders in India are also pushing for an investigation. A senior lawmaker in Israel said a parliamentary panel may look into spyware export restrictions.

What is NSO saying?


NSO Group denies any wrongdoing. NSO has published sections of contracts which require customers to use its products only for criminal and national security investigations. The company has also said it is not always aware of its clients’ surveillance activities and has canceled or refused contracts when it thinks there are human rights concerns. Shalev Hulio, the CEO of NSO Group, broadly denies the allegations that NSO is involved in this illegal surveillance of innocent people and claims that the list of 50,000 phone numbers has nothing to do with Pegasus or NSO. Hulio repeatedly confirms that the software is to help governments catch criminals and terrorists and that law-abiding citizens have “nothing to be afraid of”.

What have we learned from all of this?

Many cybersecurity stories we read are about large companies who were hacked in part because of their own negligence in not setting up proper protections. This story is about individuals having their personal phones hacked at no fault of their own, and in some cases that hacking and surveillance can potentially be tied to suppression or assasination. The overwhelming sentiment from the media has been that such powerful hacking tools must be far better regulated.

The Pegasus project showed us that even some of the most recent versions of iOS are vulnerable to NSO’s products. In a public statement, Apple did not deny NSO’s capability to exploit iPhones and instead emphasized that hacks like Pegasus are highly sophisticated and cost millions of dollars to develop. This shows us that no software is perfect or impenetrable. Where there is complicated software, like iMessage, there will be bugs. Where there are bugs, hackers or security researchers will eventually find and exploit them.

The visibility of the Pegasus project has brought the spyware as a service industry into the spotlight. NSO Group is far from the only company helping governments with their covert surveillance operations. The industry has quietly boomed in recent years and the tools have gotten cheaper and cheaper. It’s not just the world’s wealthiest and foremost intelligence agencies that purchase them, now it’s accessible to smaller governments and local police agencies – emerging countries such as India, Mexico, and Azerbaijan were the most common on the list of phone numbers in the Pegasus project. Hack for hire outfits are becoming more prevalent and accessible. The debate continues around whether these companies are supporting necessary security operations or if they are borderline criminal groups that do “the dirty work”.