NSO Group’s notorious spyware Pegasus was used to target 1,223 WhatsApp users in 51 different countries during a 2019 hacking campaign, according to a new court document.
The document was published on Friday as part of the lawsuit that Meta-owned WhatsApp filed against NSO Group in 2019, accusing the surveillance tech maker of exploiting a vulnerability in the chat app to target hundreds of users, including more than 100 human rights activists, journalists, and “other members of civil society.”
At the time, WhatsApp said around 1,400 users had been targeted. Now, an exhibit published in the court document shows exactly in what countries 1,223 specific victims were located when they were targeted with NSO Group’s Pegasus spyware.
The country breakdown is a rare insight into which NSO Group customers may be more active, and where their victims and targets are located.
The countries with the most victims of this campaign are Mexico with 456 individuals, India with 100, Bahrain with 82, Morocco with 69, Pakistan with 58, Indonesia with 54, and Israel with 51, according to a chart titled “Victim Country Count,” that WhatsApp submitted as part of the case.
There are also victims in Western countries like Spain (12 victims), the Netherlands (11), Hungary (8), France (7), United Kingdom (2), and one victim in the United States.
The court document with the list of victims by country was first reported by Israeli news site CTech.
“Numerous news articles have been written over the years documenting use of Pegasus to target victims around the world,” said Runa Sandvik, a cybersecurity expert who’s been tracking victims of government spyware for years.
“What’s often missing from these articles is the true scale of the targeting — the number of victims who were not notified; who did not get their devices checked; who opted not to share their story publicly. The list we see here — with 456 cases in Mexico alone, a country with documented, well-known civil society victims — speaks volumes about the true scale of the spyware problem,” Sandvik told TechCrunch.
Another piece of data that shows the scale of the government spyware problem is that the hacking campaign targeting WhatsApp users occurred over a period of only two months, “between in and around April 2019 and May 2019,” as WhatsApp wrote in its original complaint.
In other words, in just two months, NSO Group’s government customers targeted more than a thousand WhatsApp users.
It’s important to note that it is not clear if the fact that there is a victim located in a certain country means that specific country’s government was the customer using NSO Group’s spyware against those victims. It’s possible that a government customer could be using Pegasus to target someone outside of the country.
As CTech noted, Syria appears on the victim list, but NSO Group cannot export its technology to Syria, a country that’s sanctioned by countries all over the world.
The number of victims also gives an insight into who may be NSO Group’s highest-paying customers. Companies like NSO Group, and other predecessors like Hacking Team and FinFisher, determine what price to offer their surveillance products to their customers in part by the number of targets that can be concurrently infected with the spyware.
Mexico, for example, was reported to have spent more than $60 million on NSO Group’s spyware, according to a 2023 New York Times article that cited Mexican officials, which could explain why there are so many Mexican targets in this list.
Last year, WhatsApp scored an historic victory when the judge presiding over the lawsuit ruled that NSO Group had breached U.S. hacking laws by targeting WhatsApp users. The next step in the lawsuit is an upcoming hearing that will determine the damages that the spyware maker will have to pay to WhatsApp.
Apart from this list of victims, the court case brought by WhatsApp has led to other revelations, including the fact that NSO Group disconnected 10 government customers after reports that they abused the spyware, and that the WhatsApp hacking tool produced by NSO Group cost up to $6.8 million for a one year license, which in total netted the company “at least $31 million in revenue in 2019.”
WhatsApp spokesperson Zade Alsawah declined to comment. NSO Group did not respond to a request for comment.
