A new investigation by The Washington Post and 16 media partners is raising further questions about the use of Pegasus in this young democracy. The investigation has found evidence of the spyware in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists and businesspeople around the world. Their numbers appear on a list of more than 50,000 numbers concentrated in countries known to have been clients of NSO.
Nearly one-third of the numbers are in Mexico, all from 2016 and 2017. The team of journalists identified and verified more than 400 of them. They include phone contacts for dozens of people close to then-presidential candidate Andrés Manuel López Obrador: top advisers, his wife, three of his sons, his brothers, his drivers — even his cardiologist. Scores of numbers for other top politicians appeared, as well as those for union representatives, journalists and civic activists.
Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, a human rights group, had access to the list and shared it with the news organizations, which did further research and analysis. Amnesty’s Security Lab did the forensic analyses on the smartphones.
It is not known how many of the Mexican phones were selected for surveillance or how many were successfully targeted. The consortium did not verify additional infections in Mexico but did identify attempted penetrations in the phones of a Mexican magazine reporter and a broadcast journalist’s assistant whose numbers were on the list. Analysis of the phones of a human-rights defender and a former prosecutor on the list were inconclusive; both had replaced the phones they used in 2016 and 2017, making detection of any hacking attempt more difficult.
Mexico has been rocked repeatedly by political espionage scandals. From 2017 to 2020, Mexican nongovernmental groups, Amnesty International and Citizen Lab, a technology research center at the University of Toronto, identified signs of the NSO spyware in the phones of 26 Mexican journalists, activists and politicians between 2015 and 2017.
NSO says it licenses Pegasus only to government agencies but had no visibility into its clients’ data. A spokesperson said Tuesday that the list of 50,000 numbers “is not a list of Pegasus targets or potential targets” and that “the numbers in the list are not related to NSO Group in any way.” One of the company’s lawyers, Thomas A. Clare, said NSO believed the list was based on “publicly accessible, overt sources, such as the HLR Lookup service.” That service keeps records on networks of cellphone users and their general locations. It can be used as a step toward spying on targets.
A person familiar with NSO’s operations in Mexico, who spoke on the condition of anonymity to discuss sensitive matters, said the company terminated Pegasus contracts with several Mexican clients at least two years ago, after seeing news reports of human-rights abuses and the phone-tapping of journalists.
The person added that NSO had refused a request by the federal police to license Pegasus to them. “The company believed they are one of the most corrupt entities in Mexico,” he said. (The force was dissolved by López Obrador, who said its leadership “lacked morals”).
The person would not say whether there is still a Pegasus customer in Mexico.
Forbidden Stories organized the media consortium’s investigation, titled the Pegasus Project, and Amnesty provided analysis and technical support but had no editorial input. Amnesty has openly criticized NSO’s spyware business and supported an unsuccessful lawsuit against the company in an Israeli court seeking to have its export license revoked.
During seven decades of one-party rule in the 20th century, the Mexican government regularly eavesdropped on politicians and journalists. That was supposed to change during the democratic transition that started in the late 1990s. But the leaked numbers — along with interviews with politicians, activists, reporters and security experts — bolster concerns that Mexico in recent years employed a level of surveillance more commonly associated with authoritarian regimes.
“It’s a monster that’s grown out of control,” said a former senior security official, who spoke on the condition of anonymity because of the sensitivity of the subject.
The official’s own phone number turned up on the list. He said he received a suspicious text while feuding with another prominent official in 2016. He immediately worried it was Pegasus. If a user clicks on a text message, the spyware can infect the phone, gaining access to emails and phone contacts.
The official promptly erased all the data from his phone.
Many of those interviewed by the team of reporters in Mexico no longer had their old phones or had deleted strange texts they had received, making it impossible to verify if they had been surveilled.
How Pegasus works
Target: Someone sends what’s known as a trap link to a smartphone that persuades the victim to tap and activate — or activates itself without any input, as in the most sophisticated “zero-click” hacks.
Infect: The spyware captures and copies the phone’s most basic functions, NSO marketing materials show, recording from the cameras and microphone and collecting location data, call logs and contacts.
Track: The implant secretly reports that information to an operative who can use it to map out sensitive details of the victim’s life.
It is clear that Mexico used Pegasus aggressively over a period of several years that ended in 2017. The newspaper Milenio published documents that year showing that the Pegasus system at the attorney general’s office could monitor 500 people at once. López Obrador’s administration said last year that the spyware was also used from 2014 to 2017 by the domestic intelligence agency known as CISEN — the Center for Investigation and National Security — which was housed at the Government Ministry. In addition, the Defense Ministry licensed the software, according to press accounts that have not been confirmed by authorities.
Victims say the use of spyware has had a chilling effect on journalists and human rights workers. Opposition parties worried that it hurt their chances of winning elections.
“This is something that absolutely violates any democratic system,” said Fernando Rodríguez Doval, a senior official with the National Action Party.
In response to detailed questions from the consortium, NSO denied any wrongdoing. It said it did not operate the spyware it licensed to clients. It added that its technologies have helped prevent terrorist attacks and bombings and broken up rings that trafficked in drugs, sex and children.
“NSO Group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations,” the company said.
In 2017, then-President Enrique Peña Nieto told journalists that his administration deployed Pegasus to fight organized-crime groups, but “categorically rejects any sort of intervention in the private lives of activists or any other citizens.”
Efforts to reach Peña Nieto, who was president until December 2018, were unsuccessful. His former spokesman, Eduardo Sánchez, three of his former cabinet ministers and his Institutional Revolutionary Party (PRI, for its initials in Spanish) all said they did not know how to reach him. There was no response to a letter sent to his daughter Paulina.
NSO was not the only firm selling spyware in Mexico. Numerous federal agencies and state governments acquired surveillance systems in recent years in what became an espionage free-for-all.
López Obrador, who succeeded Peña Nieto as president in December 2018, said Tuesday that he believed the government no longer used Pegasus. “If any contract still exists, we must cancel it,” he said at a news conference.
“We no longer do this, we don’t spy on anyone,” he said. But many Mexicans believe the practice continues.
Rodríguez Doval got his first glimpse of Mexico’s political espionage in 2016, when he was the PAN’s spokesman. An odd-looking text message urged him to read a newsmagazine article that mentioned his name. Another text nudged him to verify his Netflix subscription. Both included links.
It wasn’t until a year later that he began to realize what had happened. In an article that stunned Mexicans, the New York Times revealed that the phones of human rights lawyers, journalists and anti-corruption activists were being attacked using Pegasus spyware.
As the scandal mushroomed, Rodríguez Doval reported his suspicious texts to the party’s then-leader, Ricardo Anaya. “He said, ‘I’ve also gotten them.'"
Citizen Lab determined in 2017 that the two politicians, plus a third PAN official, were victims of hacking by someone using Pegasus. Their numbers appeared on the list.
The damage didn’t end there. Margarita Zavala, who, like Anaya, was planning a presidential run, spotted the strange texts on her phone. So did the party’s congressional deputies and senators.
“We became very paranoid,” Rodríguez Doval said. Scores of numbers for opposition politicians — including those from the PAN — are on the recently leaked list.
Some of those whose numbers also appeared in the records said political espionage has become almost routine in Mexico.
They include Claudia Pavlovich, the governor of northern Sonora state. During her 2015 campaign, recordings of her conversations were leaked to suggest that she was involved in corruption. “They had been listening to me for a long time,” the PRI politician said. She said she suspected — but couldn’t prove — that state officials were to blame. Her comments, she said, were doctored to falsely suggest wrongdoing.
The 15,000 Mexican numbers on the list analyzed by the media consortium included phones for both Zavala and her husband, Felipe Calderón, president of Mexico from 2006 to 2012. Zavala said the phone-bugging is so pervasive that it discourages many from seeking office. “It shouldn’t be so difficult to be a politician,” she said.
The deployment of spyware in Mexico remains shrouded in mystery. Guillermo Valdés Castellanos, who led CISEN from 2007 to 2011, said “the use of Pegasus went wild” under Peña Nieto, who took office in 2012.
But when Alfonso Navarrete Prida became government minister toward the end of Peña Nieto’s term — and assumed oversight of CISEN — he found “no documents that showed that this software had been used,” he said in an interview.
Miguel Ángel Osorio Chong, his predecessor, said the Government Ministry had no access to Pegasus — contradicting the current administration. He said in a statement that he “never authorized, nor had knowledge or information that CISEN acquired or used the Pegasus hacking tool.”
Mexican prosecutors are investigating possible abuses involving Pegasus. But no one has been charged, and the investigations sometimes take on a hall-of-mirrors quality.
In 2019, officials from the federal data-protection agency visited one of the former clients, the Justice Ministry. The ministry affirmed it had removed the spyware system — but there were no records of when, or what had been done with any data collected. In fact, the ministry said it had found no evidence the software had been used at all, even though it had signed a $32 million contract for Pegasus in 2014.
Former ministry employees as well as an official who worked regularly with the ministry described its Pegasus operation in detail.
Senior officials from the data-protection agency called the ministry’s assertion absurd.
“It’s clear there’s something weird going on,” said one of the senior officials, Oscar Guerra Ford.
Elizabeth Dwoskin in Tel Aviv, Gabriela Martinez in Mexico City, Mathieu Tourliere and Omar Fierro of Proceso magazine, Sebastián Barragán and Carmen Aristegui of Aristegui Noticias, Paloma Dupont de Dinechin of Forbidden Stories and Lilia Saúl of the Organized Crime and Corruption Reporting Project contributed to this report.
The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organizations coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab. Read more about this project.