When the Watchdogs Become Targets: The Recurring Pattern of Pegasus Spyware Use Against Investigators
One of the most unsettling patterns to emerge from years of digital forensic investigation into commercial spyware is not just that Pegasus has been used against journalists, activists, and opposition politicians. It is how often the specific people investigating spyware abuse, or exposing corruption and wrongdoing that powerful interests would prefer stayed hidden, have themselves turned up as targets. Politicians pushing for oversight hearings. Lawyers representing spyware victims in court. Journalists reporting on surveillance overreach. Prosecutors examining government conduct. The tool built to surveil has repeatedly been aimed at the people trying to hold its users accountable.
This piece looks at that pattern: what Pegasus actually is and how it works, how forensic researchers detect its use, several of the publicly documented cases that established this pattern over the past several years, and what the accumulated evidence has meant for the ongoing fight over commercial spyware accountability.
What Pegasus Is and How It Works
Pegasus is a commercial spyware product developed by NSO Group, an Israeli technology company. It is sold, according to the company's own public statements, exclusively to government agencies for use against serious crime and terrorism. Once installed on a target's phone, Pegasus can access messages, calls, photos, and location data, and can activate the device's microphone and camera, effectively turning the phone into a surveillance device the owner has no way of detecting through normal use.
What has made Pegasus particularly difficult to defend against is its history of exploiting "zero-click" vulnerabilities: security flaws that allow infection without the target clicking a link or taking any action at all. Some documented infections have occurred through nothing more than a missed call or a malformed message the operating system processes automatically. That capability puts Pegasus in a different category from more common phishing-based attacks, since standard user caution, such as avoiding suspicious links, is not sufficient protection against it.
How Forensic Researchers Detect Pegasus Infections
The organizations most responsible for documenting Pegasus abuse cases are research groups rather than government bodies, which is itself part of why the accountability story has unfolded the way it has. Citizen Lab, based at the University of Toronto's Munk School, and Amnesty International's Security Lab have been the two most consistently cited sources behind major Pegasus revelations over the past several years, developing and refining forensic techniques for detecting spyware traces on a device.
Amnesty's Security Lab developed and released the Mobile Verification Toolkit, an open-source forensic tool that examines a phone's system logs and file structures for the specific digital traces Pegasus infections tend to leave behind: network connections to known NSO Group infrastructure, unusual process activity, and file artifacts associated with known versions of the spyware. Because the tool has been released publicly, journalists and civil society organizations working with suspected targets have been able to independently verify infections rather than relying solely on claims from the spyware maker or the governments accused of deploying it.
- Forensic analysis typically examines device backups for indicators of compromise linked to known Pegasus infrastructure
- Network traffic analysis can reveal connections to servers associated with NSO Group's operational infrastructure, even after the spyware itself has been removed or expired
- Cross-referencing the timing of suspicious activity with real-world events (an arrest, a leaked document, an investigation announcement) has repeatedly helped establish a plausible motive and timeline for specific targeting
- Findings are generally peer-reviewed within the digital forensics research community and, where possible, independently corroborated by more than one organization before publication
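The indicator matching and timeline cross-referencing described above can be sketched as follows. This is an added example, not code from the Mobile Verification Toolkit or from the researchers named in this piece; the indicator domains, history records, and event list are all constructed placeholders.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed placeholder indicators; NOT real spyware infrastructure.
IOC_DOMAINS = {"cdn-update.example.invalid", "track.example.test"}

# Constructed (timestamp, URL) rows, shaped like history extracted from a backup.
RECORDS = [
    ("2020-07-10T08:14:02", "https://news.example.org/article"),
    ("2020-07-12T23:41:50", "https://a1b2.cdn-update.example.invalid/x?id=9"),
    ("2020-07-13T00:02:11", "https://cdn-update.example.invalid.lookalike.example/"),
    ("2020-09-01T10:00:00", "http://TRACK.example.test:8443/p"),
]

# Constructed real-world events supplied by the person whose device is examined.
EVENTS = [("2020-07-14T09:00:00", "oversight hearing announced")]


def host_matches(host, iocs):
    """True if host equals an indicator domain or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    # Compare whole label suffixes, so a lookalike that merely contains
    # an indicator as a prefix or substring does not match.
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def find_hits(records, iocs):
    """Return (datetime, host) for every record whose host matches an indicator."""
    hits = []
    for ts, url in records:
        host = urlsplit(url).hostname or ""
        if host_matches(host, iocs):
            hits.append((datetime.fromisoformat(ts), host))
    return hits


def correlate(hits, events, window_days=3):
    """Pair each hit with events within the window; offset is hours from hit to event."""
    pairs = []
    for when, host in hits:
        for ets, label in events:
            delta = datetime.fromisoformat(ets) - when
            if abs(delta) <= timedelta(days=window_days):
                pairs.append((host, label, round(delta.total_seconds() / 3600)))
    return pairs


if __name__ == "__main__":
    for row in correlate(find_hits(RECORDS, IOC_DOMAINS), EVENTS):
        print(row)
```

Matching on whole domain labels rather than substrings is what keeps the lookalike host in the sample data from producing a false positive.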
The 2021 Pegasus Project and the Scale of the Problem
The single largest public revelation about Pegasus's scope came in 2021, through a collaborative investigation known as the Pegasus Project, coordinated by the Paris-based nonprofit Forbidden Stories together with Amnesty International's Security Lab and more than a dozen media organizations around the world. The investigation centered on a leaked list of more than 50,000 phone numbers reportedly selected as potential surveillance targets by NSO Group clients across multiple countries.
Forensic analysis of a sample of phones connected to those numbers found confirmed or likely infections among journalists, human rights defenders, business executives, and political figures, including heads of state and government ministers in multiple countries. The investigation drew global attention to spyware accountability in a way no single case had previously managed, in large part because of the sheer breadth of the people affected and the range of countries implicated as either operators or targets.
"Once a phone is infected with Pegasus, it becomes a digital spy in the target's own pocket, capable of turning their most private communications into surveillance material without their knowledge."
- Common framing used by digital forensics researchers describing Pegasus capabilities
CatalanGate: Politicians Targeted Amid a Political Dispute
One of the more thoroughly documented cases involving political figures emerged from Citizen Lab's 2022 investigation into what became known as CatalanGate. The research documented dozens of Catalan politicians, lawyers, and activists connected to the Catalan independence movement whose phones showed forensic evidence of Pegasus or related spyware infections between 2017 and 2020, a period that coincided with Catalonia's push for independence from Spain and the ensuing political and legal conflict with the Spanish government.
Among those identified in Citizen Lab's findings were members of the Catalan regional parliament, members of the European Parliament, and lawyers involved in representing figures connected to the independence movement. The Spanish government acknowledged conducting court-authorized surveillance of some Catalan independence figures under judicial warrant, but did not confirm responsibility for the full scope of cases Citizen Lab documented, leaving significant parts of the case unresolved even after public acknowledgment of some surveillance activity.
Poland: Opposition Politicians, a Prosecutor, and a Lawyer
Poland produced one of the more politically consequential Pegasus cases in Europe. Citizen Lab documented Pegasus infections affecting several individuals connected to Poland's political opposition and legal system during a period of tension between the then-governing party and its critics, including a senator who ran a major opposition election campaign, a prosecutor who had criticized government legal reforms, and a lawyer representing opposition politicians in court.
The Polish case eventually led to a parliamentary and Senate investigation examining the use of Pegasus by state security services, and it became a significant point of political controversy within Poland. It also drew attention from the European Parliament as an example of a European Union member state allegedly using spyware against domestic political opposition rather than for the counterterrorism and serious crime purposes NSO Group states its product is intended for.
Why Investigators Themselves Keep Showing Up as Targets
Across these documented cases, a consistent explanation emerges for why people actively investigating or exposing spyware abuse are disproportionately represented among confirmed targets: they are, almost by definition, in possession of information that the operators of surveillance programs have a strong interest in knowing about in advance. A journalist building a story about government surveillance overreach, a lawyer preparing litigation on behalf of spyware victims, or a legislator organizing an oversight hearing each represents a specific, identifiable threat to whoever benefits from that surveillance remaining unexamined.
That dynamic creates a difficult accountability problem: the people best positioned to expose spyware abuse are also among the people most likely to become targets of it, which can have a chilling effect on exactly the investigative and oversight work that would otherwise hold spyware operators accountable. Multiple human rights organizations have specifically flagged this pattern as one of the more corrosive effects of unchecked spyware proliferation, separate from the direct privacy harm to any individual target.
The Legal and Political Fallout
The accumulated documentation of Pegasus abuse cases has produced real, if incomplete, institutional responses over the past several years.
| Response | Details |
|---|---|
| U.S. Commerce Department blacklisting | NSO Group was added to the U.S. Entity List in late 2021, restricting American companies from exporting technology to it without a license |
| Corporate litigation | Both WhatsApp and Apple filed lawsuits against NSO Group over alleged unauthorized access to their platforms and users' devices |
| European Parliament inquiry | The EU Parliament established a dedicated committee, commonly referred to as the PEGA committee, to investigate spyware use against EU citizens and recommend regulatory responses |
NSO Group has consistently maintained that it sells Pegasus only to vetted government clients for legitimate law enforcement and counterterrorism purposes, and that it investigates credible allegations of misuse. Critics, including many of the researchers who have documented specific cases, have argued that the company's vetting and accountability processes have proven insufficient given the repeated pattern of documented abuse against journalists, lawyers, and political figures rather than the serious criminal and terrorism targets the tool is publicly marketed toward.
The Ongoing Oversight Challenge
What makes the commercial spyware accountability problem particularly difficult is the asymmetry between how the technology is deployed and how it is investigated. Government agencies operating spyware programs generally do so under secrecy justified by national security or law enforcement sensitivity, while the researchers, journalists, and civil society organizations working to document abuse operate with comparatively limited resources and no subpoena power, relying instead on forensic analysis of individual devices, leaked documents, and voluntary cooperation from targets willing to have their phones examined.
That asymmetry means the public record of Pegasus abuse, extensive as it has become, almost certainly understates the true scope of the problem. Cases only come to light when a suspected target agrees to forensic examination and when researchers are able to obtain and analyze the relevant device data, a process that depends heavily on targets becoming aware they might be at risk in the first place, itself a circular problem given how effectively Pegasus is designed to avoid detection.
What Comes Next in the Spyware Accountability Fight
The pattern documented across CatalanGate, the Polish case, and the broader 2021 Pegasus Project has established, at minimum, that commercial spyware has repeatedly been used in ways that fall outside the narrow counterterrorism justification the industry publicly relies on, and that investigators, lawyers, and political figures examining that misuse have themselves become recurring targets. Whether ongoing litigation, export restrictions, and legislative oversight efforts translate into durable structural change remains an open question, one that will likely depend heavily on continued forensic investigative work from organizations like Citizen Lab and Amnesty's Security Lab to keep new cases from disappearing into the same secrecy that has protected past ones.
For anyone following a specific, current allegation involving a politician or public figure and Pegasus spyware, the most reliable path is checking directly with organizations that do this forensic work, Citizen Lab and Amnesty International's Security Lab chief among them, since claims in this space carry serious legal and diplomatic weight and deserve the same rigorous, independently verified sourcing that has characterized the credible cases documented so far.