Additionally, the French government told a French news outlet that its investigators had confirmed Amnesty’s earlier findings that two of its journalists had been hacked. It was the first corroboration by a government of Amnesty’s findings.
Haigh said that at the time of the infection, he was secretly communicating with Princess Latifa bint Mohammed al-Maktoum, the daughter of Dubai’s ruler, Sheikh Mohammed bin Rashid al-Maktoum. The princess had been detained by Dubai operatives in 2018 after she attempted a daring escape across the Arabian Sea.
Haigh said he had been exchanging videos and text messages for more than a year and a half with Princess Latifa through a phone that had been smuggled into the Dubai villa where she was being held. She stopped responding on July 21, 2020, according to a screenshot of the messages Haigh shared. The analysis shows that Haigh’s phone was hacked two weeks later.
The journalists analyzed the list of more than 50,000 phone numbers in an effort to identify to whom they belonged, and with the help of researchers at Amnesty International’s Security Lab, examined some of the phones for evidence of attempted or successful hacks.
Before publication of a series of articles last month, the Amnesty researchers examined data from 67 smartphones on the list: Twenty-three showed successful infections, while 14 others showed signs of an attempt. Thirty of the tests were inconclusive.
In the days since, the journalists have continued to ask whether people who had suspicions that they were targeted would consent to have their phones examined. Following those tests, the researchers said they found traces of Pegasus on five other phones. Four of those numbers were on the list. NSO officials have rejected suggestions that the list is related to the surveillance activities of its clients.
Haigh’s number does not appear on the list, which included phone records only up to 2019, the year before Haigh’s phone was hacked. But journalists nevertheless asked if he would consent to his phone being tested as part of the ongoing investigation.
Of the four newly examined phones that were on the list and showed traces of Pegasus in forensic exams, three had been infected and the fourth showed signs of having been targeted with malicious text messages that included links to websites known to be used in Pegasus hacks.
The infected phones belonged to Anas Altikriti, a Muslim activist in the United Kingdom; Brigitta Csikász, a journalist in Hungary; and Ragip Soylu, a journalist in Turkey for the news organization Middle East Eye, whose phone was infected several times between February and July of this year, the forensic analyses showed. The fourth phone had been used by a legal officer in India.
Amnesty researchers said their forensic examination showed that Haigh’s iPhone had been compromised by Pegasus through a vulnerability in the iMessage app. That compromise took place Aug. 3, 2020, the researchers said. The analysis also found that there had been an “execution of a Pegasus process” on both Aug. 3 and 4.
The researchers’ test detects indicators that are specific to Pegasus, such as website domains, iCloud accounts and snippets of code. When phones have been replaced, the researchers are able to detect intrusions from data that users generally move from their old phone to their new.
The analysis could not say what, if any, files had been taken from the device. Haigh said the phone held a considerable amount of messages and sensitive information pertaining to Latifa’s life.
Meanwhile, the French news organization Mediapart reported that French government investigators had confirmed Amnesty’s findings that phones belonging to two of its journalists had been infected by Pegasus. Mediapart said Forbidden Stories had notified it in April that the journalists’ phones had been found on the list and that the journalists had consented to Amnesty conducting a forensic examination.
In response to a judicial complaint lodged by the journalists, French investigators also conducted an examination of the phones and confirmed the infections, Mediapart reported.
Other investigations are ongoing. The list of numbers included those belonging to several French officials, including French President Emmanuel Macron. It is unknown if phones belonging to those officials have been examined for possible intrusions.
NSO marketing documents and independent analyses from the University of Toronto’s Citizen Lab say Pegasus can infiltrate a phone in seconds, even without the owner clicking a link. Once infected, hackers have access to virtually everything on the phone, including photos, videos, call logs, emails, saved passwords, text messages and location data. The malware can also be used to activate the phone’s cameras and microphones.
The forensic analysis of Haigh’s phone could not determine which NSO client instigated the hack. But two people familiar with NSO operations, who spoke to The Post on the condition of anonymity to discuss internal affairs, say NSO terminated its contract with Dubai within the last year after it learned of the princesses’ surveillance and other human rights concerns.
NSO officials responded to a request for comment for this article by pointing to a statement last month saying the company would no longer answer journalists’ questions. Previously, NSO has said its spyware tool is supposed to be used by its government clients only to track criminals and terrorists. The company has said it investigates claims of misuse and intends to review the alleged abuses revealed in the Pegasus Project investigation and take appropriate action.
The company said in a June “transparency report” that it had severed deals with government clients in cases where the system has been used improperly, including to target “protected” individuals.
The hack of Haigh’s phone marked the first time that Amnesty’s researchers had identified a successful Pegasus attack on a U.K. phone number. A person familiar with NSO operations said that phone numbers with the U.K. country code of +44, such as Haigh’s phone, were blocked from searches roughly six months ago but offered no further detail. NSO has said that numbers with the United States’ +1 country code also cannot be hacked.
After Amnesty shared the evidence with Haigh showing his phone had been hacked, the British activist said in a statement that he was “horrified” by this “state-sponsored harassment” and called on the U.K. government to investigate this “attack on human rights by a despotic regime.”
Haigh reported the hack to the Devon and Cornwall police force, which covers the stretch of southern England where he lives. Police officials have contacted Amnesty about potentially investigating the hack, the researchers said.
Officials in Dubai, one of the United Arab Emirates’ wealthiest enclaves, did not respond to requests for comment. The UAE’s Foreign Ministry said in a statement last month: “The allegations made by recent press reports claiming that the UAE is amongst a number of countries accused of alleged surveillance targetting of journalists and individuals have no evidentiary basis and are categorically false.”
Personal attorneys for Sheikh Mohammed, Latifa’s father and the emirates’ prime minister, vice president and minister of defense, declined to comment. They have previously denied his involvement in any hacks and said the episode — including the commando assault on his daughter’s escape yacht, which the sheikh has called a rescue — is a private family matter.
Haigh was photographed in November 2019 alongside Tiina Jauhiainen, one of Latifa’s closest friends and a collaborator in her failed escape, outside the U.K. High Court proceedings for Sheikh Mohammed’s ex-wife, Princess Haya bint Hussein, who is fighting a custody battle after fleeing Dubai with her two young children.
In March 2020, the High Court released a fact-finding judgment ruling that Sheikh Mohammed had ordered Latifa’s abduction and orchestrated an intimidation campaign against Haya.
Phone numbers for Latifa and Haya, Latifa’s closest friends, and eight of Haya’s associates, including members of her legal and security teams, appeared on the list. Their phones have not been made available for forensic analysis.
Attorneys at the law firm Taylor Wessing, which represents Latifa, did not respond to requests for comment for this article. Princess Haya and her legal team declined to comment.
Haigh is a vocal opponent of Dubai. A former managing director of the professional soccer team Leeds United, he was arrested in 2014 and convicted by a Dubai court in 2015 on charges he that had fraudulently stolen more than $5 million from his former employer, the Dubai private-equity firm GFH Capital.
Haigh has maintained his innocence and said he was abused and tortured during nearly two years in prison. He was released in 2016 and declared bankrupt last year after GFH Capital won a British court order forcing him to repay the money.
The secret phone Latifa used to communicate while detained in her guarded villa, Haigh said, was also used to record the videos released by the BBC this year in which she said that guards had told her she “would never see the sun again” and that “every day I am worried about my safety and my life.” Haigh said she recorded the messages in her bathroom, the only room where she could lock the door.
In a screenshot Haigh shared of the text conversation he had with Latifa shortly before his phone was hacked, he could be seen sending increasingly panicked messages after she suddenly stopped responding: “im worried … where are you young lady … next time u vanish for 24 hours ill get on a plane there. and i mean that … Ok. Now really relay worried … Hello … Hello …”
NSO and the Israeli government, which approves the export licenses for NSO clients, have faced growing questions internationally over the Pegasus Project’s findings. Israeli officials have launched an investigation and visited NSO’s office in a Tel Aviv suburb last week, an Israeli official told The Post last week, speaking on the condition of anonymity because that person was not authorized to discuss the matter publicly.
A top White House adviser raised concerns over NSO’s Pegasus software to an Israeli senior official in the White House last month, and members of Congress have urged the Biden administration to more strongly rein in the “hacking for hire industry.”
Harwell reported from Washington. Sabbagh is a reporter for the Guardian.
The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organizations coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab. Read more about this project.