Overview
NSO Group Technologies is an Israeli cyber-intelligence firm founded in 2010 by Niv Carmi, Shalev Hulio, and Omri Lavie. The company is best known for developing Pegasus, the most sophisticated commercial spyware ever created, capable of compromising any smartphone through zero-click exploits that require no user interaction. Headquartered in Herzliya, Israel, NSO Group has become the definitive example of the private surveillance industry's dangers.
Ownership and Financial History
NSO's ownership history reflects the murky intersection of private equity and surveillance technology:
- 2014: American private equity firm Francisco Partners acquired a majority stake for approximately $130 million
- 2019: NSO co-founders Hulio and Lavie reacquired control with backing from European private equity firm Novalpina Capital, valuing the company at approximately $1 billion
- 2021: Following the Pegasus Project revelations and U.S. blacklisting, Novalpina Capital was placed into receivership by its own limited partners. NSO's valuation collapsed.
- 2023-2024: Reports surfaced of attempted sales and restructuring, with the company facing potential bankruptcy amid mounting legal costs and revenue decline from lost contracts
NSO markets its products exclusively to government intelligence and law enforcement agencies, claiming its technology helps combat terrorism and serious crime. However, extensive investigations by Citizen Lab (University of Toronto), Amnesty International's Security Lab, and a consortium of 17 international media organizations have documented the systematic abuse of Pegasus against journalists, human rights activists, opposition politicians, lawyers, and dissidents worldwide.
Data Collection Practices
NSO Group's Pegasus spyware represents the most invasive commercial surveillance tool ever documented.
Zero-Click Exploitation
Pegasus can be installed on target devices without any user interaction. The spyware has exploited multiple zero-day vulnerabilities across iOS and Android:
- Trident (2016): A chain of three iOS zero-days discovered by Citizen Lab after UAE activist Ahmed Mansoor received a suspicious SMS. This was the first public identification of Pegasus.
- KISMET (2020): An iMessage zero-click exploit used against Al Jazeera journalists, discovered by Citizen Lab. Affected iOS 13.5.1.
- FORCEDENTRY (2021): A zero-click iMessage exploit that bypassed Apple's BlastDoor sandbox protection. Discovered by Citizen Lab on the phone of a Saudi activist. Apple issued emergency patches.
Deployment methods include invisible iMessages, WhatsApp calls (even unanswered), and network injection attacks; the target never needs to click any link or take any action.
Total Device Compromise
Once installed, Pegasus provides operators with complete access to:
- All messages, including encrypted apps (Signal, WhatsApp, Telegram)
- Emails, photos, videos, and contact lists
- Browsing history, calendar entries, and passwords
- GPS location data (real-time and historical)
- Microphone activation for real-time audio surveillance
- Camera activation for visual surveillance
- Keylogging of all typed input
Cloud Extraction
Pegasus can access the target's cloud accounts (iCloud, Google Drive, etc.) by stealing authentication tokens from the infected device. This enables access to data stored beyond the phone itself, including cloud backups, synchronized documents, and shared files.
Network-Level Interception (Circles)
NSO also operates Circles, a separate product that exploits SS7 (Signaling System 7) vulnerabilities in telecommunications networks. Circles enables network-level interception of calls and messages without requiring device infection. Citizen Lab identified Circles deployments in at least 25 countries.
Anti-Forensics
Pegasus includes sophisticated anti-forensics features:
- Self-destruct mechanisms that erase traces from devices
- Encrypted command-and-control communications
- Anonymized server infrastructure across multiple countries
- Ability to selectively activate/deactivate to avoid detection
Amnesty International's Security Lab developed the Mobile Verification Toolkit (MVT), an open-source forensic tool, specifically to detect Pegasus infections, a testament to the difficulty of identifying the spyware through conventional means.
Known Clients & Government Contracts
NSO Group's client list, revealed through the 2021 Pegasus Project investigation and years of Citizen Lab research, includes governments with among the worst human rights records globally. The company is estimated to have sold to 45+ government clients across at least 36 countries.
Saudi Arabia: Used Pegasus to surveil journalist Jamal Khashoggi's inner circle before his assassination at the Saudi consulate in Istanbul in October 2018. Targets included his fiancee Hatice Cengiz, son Abdullah Khashoggi, and close associates. Saudi Arabia also targeted women's rights activists including Loujain al-Hathloul (whose phone was compromised months before her arrest).
United Arab Emirates: Deployed Pegasus against human rights activist Ahmed Mansoor, whose device was the first confirmed Pegasus target in 2016. Mansoor was subsequently sentenced to 10 years in prison after his communications were intercepted. UAE also targeted foreign diplomats, Emirati journalists, and royal family members.
Mexico: Purchased Pegasus ostensibly to combat drug cartels but used it extensively against:
- Journalists investigating cartel-government corruption
- Lawyers representing families of the 43 disappeared Ayotzinapa students
- Public health advocates campaigning for a soda tax
- Anti-corruption activists
Mexican government spending on NSO technology reportedly exceeded $300 million across multiple contracts.
India: Used Pegasus against opposition politicians, journalists (including Siddharth Varadarajan, founding editor of The Wire), lawyers, and activists critical of the Modi government, as revealed by the Pegasus Project. The Indian government neither confirmed nor denied the purchases.
Hungary: Deployed Pegasus against investigative journalists, opposition figures, and media owners under the Orban government. This represented the first documented use of military-grade spyware by an EU member state against its own citizens.
Spain: The CNI (Centro Nacional de Inteligencia) used Pegasus against Catalan independence leaders including Pere Aragones (now regional president) and other elected officials. The scandal, dubbed "CatalanGate" by Citizen Lab, triggered the firing of CNI director Paz Esteban and a domestic political crisis.
Poland: Used Pegasus against opposition politician Krzysztof Brejza, whose phone was compromised before the 2019 parliamentary elections. Stolen messages were edited and leaked to state media to discredit his campaign. Prosecutor Ewa Wrzosek was also targeted after opening an investigation into government election irregularities.
El Salvador: Targeted journalists at El Faro, the country's premier investigative news outlet, with Pegasus infections found on 35 journalists' and editors' phones, one of the largest single-organization targeting events documented.
Thailand: Deployed against pro-democracy activists and protest leaders, confirmed by Citizen Lab and iLaw (Thai digital rights organization).
Azerbaijan: Targeted Armenian journalists and civil society members in the context of the Nagorno-Karabakh conflict.
Jordan: Targeted journalists, lawyers, and human rights activists, with infections confirmed by Access Now and Citizen Lab.
Privacy Incidents & Litigation
Pegasus Project (2021)
A consortium of 17 media organizations, coordinated by Forbidden Stories with technical support from Amnesty International's Security Lab, analyzed a leaked list of over 50,000 phone numbers selected for potential targeting by NSO Group clients. The investigation revealed surveillance of hundreds of journalists, activists, politicians, and business leaders across dozens of countries. Named victims include:
- Hanan Elatr: Wife of Jamal Khashoggi, targeted by UAE months before his assassination
- Claude Mangin: French-Moroccan human rights activist whose husband was a political prisoner in Morocco
- Carine Kanimba: Daughter of Paul Rusesabagina (Hotel Rwanda hero), targeted by Rwanda
- Cecilio Pineda Birto: Mexican journalist targeted shortly before his murder in 2017
This remains the largest investigation into commercial surveillance ever conducted.
WhatsApp/Meta Lawsuit and $167M Verdict (2019-2025)
Meta sued NSO Group in 2019 for exploiting a vulnerability in WhatsApp's voice calling feature to install Pegasus on approximately 1,400 devices globally. Targets included journalists, human rights activists, and diplomats. In May 2025, a U.S. jury awarded $167 million in punitive damages to WhatsApp, a landmark verdict establishing that spyware companies can be held financially liable for exploiting messaging platforms.
Apple Lawsuit (2021)
Apple filed suit against NSO Group to permanently ban it from using Apple devices, software, and services. The lawsuit followed the discovery of the FORCEDENTRY zero-click exploit that compromised iPhones through iMessage. Apple also committed $10 million to support organizations exposing cyber-surveillance.
U.S. Commerce Department Entity List (2021)
The U.S. Commerce Department placed NSO Group on its Entity List in November 2021, finding that the company's tools were used "to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers." This effectively cut NSO off from U.S. technology suppliers, including processors, operating system components, and cloud services.
Khashoggi Connection
Forensic analysis by Citizen Lab linked Pegasus surveillance of Jamal Khashoggi's associates to the period before his October 2018 assassination in the Saudi consulate in Istanbul. While NSO denied its tools were used to track Khashoggi himself, the targeting of his inner circle by Saudi Arabia demonstrated the lethal potential of commercial spyware. The case became the most prominent example of surveillance technology enabling state violence.
EU Parliament PEGA Committee (2022-2023)
The European Parliament established the PEGA Committee to investigate spyware use by EU member states. The committee's final report recommended:
- A moratorium on the sale and use of commercial spyware until adequate regulatory frameworks exist
- A ban on spyware that enables total device compromise (like Pegasus)
- Creation of an EU Technology Lab to assist with forensic investigations
- Sanctions against countries that misuse spyware against journalists and opposition
Threat Score Analysis
NSO Group receives a composite threat score of 95/100, the highest of any company in this database, reflecting its role as the world's most dangerous commercial surveillance vendor:
- Data Collection (98/100): Pegasus represents total device compromise; there is no data on a targeted device that Pegasus cannot access. Zero-click deployment means targets cannot protect themselves through security-conscious behavior. Cloud extraction extends surveillance beyond the device itself. The addition of Circles network interception capabilities means NSO can surveil targets at both the device and network level.
- Third-Party Sharing (95/100): NSO sells surveillance capabilities to governments with documented records of human rights abuses. The company's due diligence process has repeatedly failed to prevent abuse. Once deployed, there are no meaningful controls on how clients use the technology. An estimated 45+ government clients across 36+ countries have access to these capabilities.
- Breach History (70/100): While NSO's own systems have had limited documented breaches, the leaked database of 50,000 target phone numbers and the WhatsApp vulnerability represent catastrophic security failures in the surveillance infrastructure itself. The exposure of NSO's entire targeting methodology and client base through the Pegasus Project constitutes one of the most significant intelligence leaks in commercial surveillance history.
- Government Contracts (99/100): NSO Group exists solely as a government surveillance contractor. Its technology has been documented facilitating:
  - Connection to extrajudicial killing (Khashoggi)
  - Suppression of political opposition (Hungary, Poland, Spain)
  - Persecution of journalists (Mexico, El Salvador, India)
  - Targeting of human rights defenders (Saudi Arabia, UAE, Bahrain)
  - Disruption of democratic elections (Poland)
- Transparency (10/100): NSO operates with near-zero transparency. The company refuses to disclose its client list, denies most documented abuses, and has no independent oversight mechanism. Its "human rights policy" and compliance review by Chaim Gelfand (former head of compliance) have been repeatedly demonstrated to be ineffective at preventing abuse.
Weighted calculation: (98 * 0.25) + (95 * 0.25) + (70 * 0.20) + (99 * 0.15) + (10 * 0.15) = 24.5 + 23.75 + 14 + 14.85 + 1.5 = 78.6, adjusted to 95 due to demonstrated role in enabling political repression, journalist persecution, and connection to extrajudicial killing.
Transparency & Accountability
NSO Group's transparency record is among the worst in the technology industry. The company has consistently denied documented abuses, claiming it "cannot and does not operate its clients' systems." This defense has been rejected by courts, regulators, and independent researchers.
Failed Reform Attempts
NSO published a "Transparency and Responsibility Report" in 2021 following the Pegasus Project revelations, but independent experts found it lacking meaningful disclosure. The company claimed to have terminated contracts with abusive clients but refused to identify which clients were terminated or what criteria were used. Chaim Gelfand, NSO's former head of compliance, was tasked with implementing human rights due diligence, but the continued pattern of abuse across dozens of countries demonstrated the ineffectiveness of internal controls.
Israeli Export License System
The Israeli government exercises export control over NSO's technology, treating it as a defense export regulated by the Ministry of Defense. This framework has been criticized as enabling rather than preventing abuse:
- Approvals for sales to Saudi Arabia and UAE were granted as part of broader diplomatic deals, including the Abraham Accords
- The Israeli government uses NSO export licenses as diplomatic leverage
- There is no independent review of export decisions
- Revocation of licenses has been rare despite documented abuses
Spawning an Industry
NSO's commercial model has spawned numerous competitors, demonstrating that accountability against individual companies does not address the structural problem:
- Intellexa/Predator (Tal Dilian): Predator spyware documented targeting journalists and politicians in Greece, Egypt, and elsewhere. Also placed on U.S. Entity List.
- Candiru (also Israeli): Spyware targeting journalists and activists, documented by Citizen Lab and Microsoft. Placed on U.S. Entity List alongside NSO.
- Paragon Solutions (Israeli): Graphite spyware, reportedly sold to democratic governments only.
- Cytrox (North Macedonia/Hungary): Developer of Predator, acquired by Intellexa.
The proliferation of these companies demonstrates that the commercial spyware market persists despite individual company accountability efforts, and that NSO's model remains commercially viable even under unprecedented legal and regulatory pressure.