More than 300 Hungarian phone numbers — connected to journalists, lawyers, business titans and activists, among others — appeared on a list that included numbers selected for surveillance by clients of NSO Group, an Israeli security company.
The records do not indicate how many of those numbers were targeted or successfully compromised. But forensic examination of six Hungarian phones associated with numbers on the list found that three had been infected with Pegasus spyware, a tool marketed to governments by NSO. Two other phones showed signs of attempted targeting with Pegasus. The sixth phone, that of independent media mogul Zoltan Varga, was inconclusive, possibly because it had been replaced since the period when his number was put on the list.
NSO denied a correlation between the phone list and its technology. Asked for comment before publication, it said in a lengthy statement that it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets.” It insisted that its technologies are intended for legitimate law enforcement and national security purposes and that it would “continue to investigate all credible claims of misuse.”
In follow-up comments after publication on Sunday, Shalev Hulio, NSO’s chief executive, told The Washington Post that some of the reported allegations were “disturbing,” including the surveillance of journalists. “Every allegation about misuse of the system is concerning me,” he said. “It violates the trust that we give customers. We are investigating every allegation … and if we find that it is true, we will take strong action.”
NSO said it could not disclose the identity of its customers. But a former NSO employee, speaking on the condition of anonymity to discuss internal company arrangements, confirmed the Hungarian government was a client.
Hungarian Justice Minister Judit Varga, asked Monday at a Brussels news conference about whether her government used Pegasus, did not directly answer the question.
“Hungary is a state governed by the rule of law and, like any decent state, in the 21st century it has the technical means to carry out its national security tasks,” she told reporters. “It would be a serious problem if we did not have these tools, but they are used in a lawful manner.”
When Pegasus’s infiltration is successful, it can enable total access to a device, allowing spies to review emails, texts and photos, including messages within encrypted communications apps such as WhatsApp and Signal. It can let people listen in on phone conversations, secretly turn on cameras and microphones and marshal location data. In a brochure, NSO bragged to potential clients that, by sending a text message that recipients don’t even have to open, its product can turn smartphones into “an intelligence gold mine.”
Some of the Hungarian phone numbers on the list were tied to convicted criminals and others who might be legitimate targets. But the phones with confirmed Pegasus infection belonged to two journalists with Hungarian outlet Direkt36, Szabolcs Panyi and Andras Szabo, along with a businessman who did not want to be identified. And the phones that showed signs of attempted targeting belonged to a Belgian-Canadian PhD student and activist, Adrien Beauduin, and an entrepreneur who did not want to be named.
The spyware’s deployment against members of Hungarian civil society suggests a willingness by authorities to revive tactics deemed out-of-bounds since the transition to democracy three decades ago, making a mockery of the far-reaching digital privacy protections the European Union has enacted. It also underscores how far Hungarian authorities have been willing to go to expand their reach. Numbers associated with at least five journalists were added to the list, along with the numbers of at least 10 lawyers, including the head of the Hungarian Bar Association, at a time when Orban’s government was consolidating control over the country’s media and asserting vast powers over the courts.
Orban’s office did not engage with a detailed set of questions, including about whether any Hungarian security agencies were NSO clients, or whether journalists and other members of civil society had been surveilled with Pegasus spyware. The government responded broadly in a statement: “Hungary is a democratic state governed by the rule of law, and as such, when it comes to any individual it has always acted and continues to act in accordance with the law in force. In Hungary, state bodies authorised to use covert instruments are regularly monitored by governmental and non-governmental institutions.”
Opposition lawmakers on Monday called for a parliamentary inquiry, although because Orban’s Fidesz party dominates the Hungarian legislature, it was unclear whether there would be the votes to do so. “This is the Hungarian Watergate affair, and if Fidesz keeps quiet about it, it is an admission,” said Janos Stummer, a far-right opposition lawmaker who heads the parliament’s national security committee, in an interview with news outlet hvg.hu.
The Hungarian phone numbers were among more than 50,000, from more than 50 countries, on the list. Paris-based nonprofit Forbidden Stories and Amnesty International had access to the list and shared it with The Post and 15 other media partners. The outlets have collaborated on further analysis and reporting. Amnesty International’s Security Lab conducted the forensic analysis, which was then reviewed by the University of Toronto’s Citizen Lab. (Amnesty has openly criticized NSO’s spyware business and supported an unsuccessful lawsuit against the company in an Israeli court seeking to have its export license revoked.)
Although the Hungarian numbers represent a small portion of the total, they stand out because Hungary is a member of the European Union, where privacy is supposed to be a fundamental right and core societal value, and where safeguards for journalists, opposition politicians and lawyers are theoretically strong. But in Hungary, Poland, Slovenia and elsewhere in Europe, some of those guarantees are being rolled back — and in Budapest, that rollback has been accompanied by the use of an unusually powerful spying tool.
Direkt36′s Panyi was targeted for surveillance multiple times. Forensic examination confirmed that the journalist’s phone had been repeatedly compromised by Pegasus spyware. As with all the phone examinations, it was not possible to determine what information had been accessed. But in many cases, his number had been added to the phone list shortly after he sought government comment for stories.
How Pegasus works
Target: Someone sends what’s known as a trap link to a smartphone that persuades the victim to tap and activate — or activates itself without any input, as in the most sophisticated “zero-click” hacks.
Infect: The spyware captures and copies the phone’s most basic functions, NSO marketing materials show, recording from the cameras and microphone and collecting location data, call logs and contacts.
Track: The implant secretly reports that information to an operative who can use it to map out sensitive details of the victim’s life.
“I’m being treated as a threat, like a Russian spy or a terrorist or a mobster,” said Panyi, a partner on the investigation.
Another Hungarian reporter, David Dercsenyi, rarely covered sensitive topics. But on one occasion he sent a request for government comment about a terrorism case. Afterward, his personal cellphone, his work cellphone and a third phone registered in his name but actually used by his ex-wife were all added to the phone list. He no longer has any of the phones, and it is unclear whether they were compromised. The idea that his ex-wife’s phone could have been infiltrated “pisses me off,” Dercsenyi said, noting that she has nothing to do with his work and that spies could have captured information about his children.
Among the boldfaced names attached to the Hungarian phone numbers is Varga, one of the country’s few remaining independent media magnates, after Orban loyalists consolidated control of more than 500 outlets inside a foundation in 2018.
In mid-2018, after most of the media takeovers were completed and after Orban’s party had captured two-thirds of the Hungarian parliament in an April election, Varga wondered if a new investigations-oriented think tank might help shake things up. He invited a handful of wealthy and well-connected Hungarians to his home in the hills above Budapest to discuss the idea over dinner, he said. The guests included Attila Chikan, who was Orban’s economy minister in the 1990s but later broke with him. Others were business executives and philanthropists.
“It was just a friendly discussion. It wasn’t a coup,” Varga said.
After the invitations were extended but before the gathering, all seven participants were added to the phone list, and, according to a forensic examination, at least one person’s phone was successfully infected with Pegasus and another’s bore traces of a Pegasus hacking attempt.
Varga updated his phone model in the years since the dinner, and an examination of his new device — an imperfect window into the past — was inconclusive on spyware penetration. But he recalled an episode when he was speaking on the phone and was surprised to overhear the beginning of his conversation, as if on playback. And, two weeks after the dinner, he said, he got an eerie warning from a person he said was close to the government. “Someone approached me. ‘I know that you had this dinner. It’s really dangerous. You shouldn’t do it,’" he recounted. “I didn’t know why or how she got this information that I had this dinner.”
Another set of people selected for the phone list were tied to Lajos Simicska, a former Orban ally who had backed the opposition in the 2018 election and then gave up his fight — and his media and business empire — after Orban’s party prevailed. Simicska does not appear to use a smartphone, according to a former associate, but the phone numbers of his lawyer and son were added around the time he was relinquishing his properties.
In an interview, Simicska’s lawyer, Ajtony Csaba Nagy, said he heard strange sounds and disruptions to his phone conversations that year.
“It also happened that some information appeared in the press that we only discussed on the phone, nowhere else,” he said.
Later in 2018, the phone number of Janos Banati, head of the Hungarian Bar Association, was selected for the list. He was leading the defense in a high-profile homicide case at the time. He also has been critical of Orban’s efforts to control the judiciary, including an aggressive push to set up a parallel court system that would have been directly overseen by the justice minister.
It is not clear whether Banati was targeted. His phone was not among those examined. But he said he would have been on guard anyway.
“I never talk about secrets related to attorney-client privilege on the phone, and ask my clients not to either,” he said. “But honestly, this was because I thought that they were under surveillance, not me.”
Petho works for Direkt36 and Chastand works for Le Monde. Panyi of Direkt36, Shaun Walker of the Guardian, Frederik Obermaier and Bastian Obermayer of Süddeutsche Zeitung, and Astrid Geisler of Die Zeit contributed to this report.
The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organizations coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab. Read more about this project.