The Pegasus Project, an investigation by The Washington Post and 16 other news organizations in 10 countries, was coordinated by the Paris-based journalism nonprofit Forbidden Stories and advised by Amnesty International. Those two groups had access to a list of more than 50,000 phone numbers that included surveillance targets for clients of the Israeli spyware company NSO Group, which they shared with the journalists. Over the past several months, the journalists reviewed and analyzed the list in an effort to learn the identities of the owners of the phone numbers and to determine whether their phones had been implanted with NSO’s Pegasus spyware.

The investigation was able to link more than 1,000 government officials, journalists, businesspeople and human rights activists to numbers and to obtain data for 67 phones whose numbers appeared on the list. That data was then analyzed forensically by Amnesty International’s Security Lab. Thirty-seven of those showed evidence of an attempted Pegasus intrusion or a successful hack.

Further analysis indicated that many of those intrusions or attempted intrusions came shortly after the phone number had been entered onto the list — some within seconds — suggesting a link between the list and subsequent surveillance efforts.

How vulnerable are you to such spyware? Are there steps you can take to keep your phone safe? Here are some answers:

What to know

  • What is ‘spyware’ and who uses it?
  • What can spyware collect?
  • Why doesn’t encryption stop this?
  • What is NSO?
  • Who are NSO’s customers?
  • How are spyware infections found?