According to new court documents, NSO group's infamous spyware Pegasus targeted 1,223 WhatsApp users in 51 different countries during its 2019 hacking campaign.
The document was published Friday as part of a lawsuit filed by meta-owned WhatsApp against NSO groups in 2019, accusing surveillance technology manufacturers of targeting chat app vulnerabilities to more than hundreds of users, including more than 100 human rights activists, journalists and “other members of civil society.”
At the time, WhatsApp said it had targeted around 1,400 users. The exhibit currently featured in court documents shows exactly in which country 1,223 specific victims were placed when targeted by NSO group Pegasus Spyware.
The country's breakdown is a rare insight that NSO Group customers may become more active and victims and targets may be located.
The countries with the most casualties of the campaign are 456 individuals, 100 India, 82 Bahrain, 69 Morocco, 58 Pakistan, 54 Indonesia and 51 Israeli, 51 Mexico, entitled “Counters of Victims.”
There are victims in Western countries, including Spain (12 victims), the Netherlands (11), Hungary (8), France (7), the UK (2), and one casualty in the United States.
Court documents containing a list of victims by country were first reported by Israeli news site CTECH.
“There have been many news stories over the years documenting the use of Pegasus targeting victims around the world,” said Runa Sandvik, a cybersecurity expert who has been tracking government spyware victims for many years.
“What is often missing in these articles is the true size of the target: the number of victims not notified, the number of people who didn't check their devices, and the choice not to publicly share their stories.
Contact Us Do you have any more information about the NSO Group or other spyware companies? From unprocessed devices and networks, you can safely contact Lorenzo Franceschi-Bicchierai with a signal of +1 917 257 1382, via Telegram and Keybase @lorenzofb, or by email. You can also contact TechCrunch via SecureDrop.
Another data showing the scale of the government's spyware problem is that hacking campaigns targeting WhatsApp users occurred over just two months between April 2019 and April 2019.
In other words, in just two months, government customers from the NSO group targeted more than 1,000 WhatsApp users.
It is important to note that it is not clear whether the fact that there are casualties in a particular country means that governments in a particular country were customers using NSO group spyware against those victims. Government customers may be using Pegasus to target someone abroad.
As CTECH noted, Syria is listed on the victim list, but the NSO group cannot export its technology to Syria, a country approved by countries around the world.
The number of victims also gives insight into who is the highest-paid client of the NSO group. Companies such as NSO Groups, as well as other predecessors such as Hacking Teams and Finfisher determine the price at which the surveillance product will be offered to customers based on the number of targets that can concurrently be infected with spyware.
For example, Mexico reportedly spent more than $60 million on NSO group spyware, according to a 2023 New York Times article cited Mexican officials.
Last year, WhatsApp won a historic victory when NSO groups ruled that NSO groups violated US hacking laws by targeting WhatsApp users. The next step in the lawsuit is an upcoming hearing that determines the damages spyware manufacturers must pay WhatsApp.
Apart from this list of victims, the court case filed by WhatsApp led to other revelations, including the fact that the NSO group cut 10 government customers after reports of the NSO group abused spyware, and the WhatsApp hacking tool generated by the NSO group cost up to $6.8 million on a one-year license, totaling “at least $31.3 million in 2019.”
WhatsApp spokesman Zade Alsawah declined to comment. The NSO group did not respond to requests for comment.