
Pegasus and NSO Group

An Israeli company sold a zero-click spyware product to governments. A leaked list of fifty thousand phone numbers suggested who they pointed it at.

Cyber Chronicle · 2 min read

In July 2021, a coalition of seventeen newsrooms coordinated by the Paris-based non-profit Forbidden Stories published the Pegasus Project. At its core was a leaked list of fifty thousand phone numbers that had reportedly been selected, since 2016, as potential targets for surveillance with a product called Pegasus.

What zero-click means

Pegasus is the flagship product of NSO Group, an Israeli company licensed by the country's defense ministry. Its distinguishing feature is the absence of any user interaction. Earlier mobile spyware required the target to tap a phishing link. Pegasus could be delivered by an iMessage or WhatsApp call that the phone displayed for less than a second, or sometimes not at all. Once installed, it had access to messages, microphones, cameras, location, and end-to-end encrypted apps from the inside.

Who was on the list

The numbers identified by the Pegasus Project included journalists at Le Monde, the Financial Times, and Al Jazeera; the inner circle of murdered Saudi columnist Jamal Khashoggi; opposition politicians in France, India, Hungary, and Mexico; and at least one French head of state. NSO disputed parts of the methodology and maintained that its product was sold only to government clients for lawful use against serious crime and terrorism.

What the chronicle remembers

Pegasus moved commercial spyware from an industry secret into the open. It forced Apple, Google, and the platform vendors to ship hardened modes for high-risk users, and it pushed several governments into placing NSO on entity lists that block US technology exports. The market it represents — sovereign buyers, plausible deniability, and unbreakable mobile compromise — has not shrunk.