TechCrunch News, March 29
Again and again, NSO Group’s customers keep getting their spyware operations caught

 

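Amnesty International has published a report revealing spyware attacks against two Serbian journalists, pointing to NSO Group's Pegasus. The organization has tracked Pegasus for years and found that it has been used to attack journalists and activists. Although NSO Group tries to stay hidden, advances by security researchers make that difficult. Since 2016, researchers have identified at least 130 people attacked with Pegasus. The Pegasus Project leak and independent investigations by nonprofits have both exposed more victims. Apple has also detected NSO Group's spyware and sent notifications to victims. NSO Group's problem is that its customers abuse the spyware, which leads to its activities being exposed.

📲 The Amnesty International report states that two Serbian journalists were targeted by hackers suspected of using NSO Group's Pegasus spyware, with attack methods including phishing links.

🔍 By analyzing the domains involved in the attacks, security researchers can identify malicious websites tied to NSO Group's infrastructure, showing that NSO Group's stealth operations are under challenge.

🌍 Since 2016, researchers have confirmed that at least 130 people worldwide have been targets of NSO Group's spyware, which is partly attributed to the Pegasus Project leak.

🍎 Apple sent victims notifications about spyware attacks, prompting them to seek help from nonprofits, which further exposed NSO Group's activities.

🚨 NSO Group's problem is that its customers abuse the spyware and keep targeting journalists and other members of society, which gets its activities exposed and violates operational security principles.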

On Thursday, Amnesty International published a new report detailing attempted hacks against two Serbian journalists, allegedly carried out with NSO Group’s spyware Pegasus. 

The two journalists, who work for the Serbia-based Balkan Investigative Reporting Network (BIRN), received suspicious text messages including a link — basically a phishing attack, according to the nonprofit. In one case, Amnesty said its researchers were able to click on the link in a safe environment and see that it led to a domain that they had previously identified as belonging to NSO Group’s infrastructure. 

“Amnesty International has spent years tracking NSO Group Pegasus spyware and how it has been used to target activists and journalists,” Donncha Ó Cearbhaill, the head of Amnesty’s Security Lab, told TechCrunch. “This technical research has allowed Amnesty to identify malicious websites used to deliver the Pegasus spyware, including the specific Pegasus domain used in this campaign.”

To his point, security researchers like Ó Cearbhaill who have been keeping tabs on NSO’s activities for years are now so good at spotting signs of the company’s spyware that sometimes all researchers have to do is quickly look at a domain involved in an attack. 

In other words, NSO Group and its customers are losing their battle to stay in the shadows.

“NSO has a basic problem: they are not as good at hiding as their customers think,” John Scott-Railton, a senior researcher at The Citizen Lab, a human rights organization that has investigated spyware abuses since 2012, told TechCrunch. 

There is hard evidence proving what Ó Cearbhaill and Scott-Railton believe. 

In 2016, Citizen Lab published the first technical report ever documenting an attack carried out with Pegasus, which was against a United Arab Emirates dissident. Since then, in less than 10 years, researchers have identified at least 130 people all over the world targeted or hacked with NSO Group’s spyware, according to a running tally by security researcher Runa Sandvik.

The sheer number of victims and targets can in part be explained by the Pegasus Project, a collective journalistic initiative to investigate abuse of NSO Group’s spyware that was based on a leaked list of more than 50,000 phone numbers that was allegedly entered in an NSO Group targeting system. 

But there have also been dozens of victims identified by Amnesty, Citizen Lab, and Access Now, another nonprofit that helps protect civil society from spyware attacks, which did not rely on that leaked list of phone numbers. 

Do you have more information about NSO Group, or other spyware companies? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

An NSO Group spokesperson did not respond to a request for comment, which included questions about Pegasus invisibility, or lack thereof, and whether NSO Group’s customers are concerned about it. 

Apart from nonprofits, NSO Group’s spyware keeps getting caught by Apple, which has been sending notifications to victims of spyware all over the world, often prompting the people who received those notifications to get help from Access Now, Amnesty, and Citizen Lab. These discoveries led to more technical reports documenting spyware attacks carried out with Pegasus, as well as spyware made by other companies.

Perhaps NSO Group’s problem rests in the fact that it sells to countries that use its spyware indiscriminately, including against reporters and other members of civil society.

“The OPSEC mistake that NSO Group is making here is continuing to sell to countries that are going to keep targeting journalists and end up exposing themselves,” Ó Cearbhaill said, using the technical term for operational security.
