Season 01: Episode 03

Shoot the Messenger: Espionage, Murder and Pegasus Spyware continues with its third episode of the series digging into the origin story behind the company that makes Pegasus spyware, the NSO Group. Israeli tech entrepreneurs Shalev Hulio and Omri Lavie initially developed remote access to smartphones, which evolved into Pegasus. In a twist of fate, over the course of a decade, they have managed to beat out or outlast major competition in the spyware industry, including the Italian company Hacking Team.

ROSE REID: January 2016. It’s late at night in Los Mochis, in the coastal region of Sinaloa, Mexico, which lies just across the gulf from Baja California.

A late night food order is placed, and a man driving a white van picks up a large order of tacos and brings them back to a compound around midnight. Hours pass.

Just before sunrise, fifty soldiers line up around the perimeter and more than a dozen Special Forces Marines from the Mexican Navy prepare to storm the house.

They are aligned on a single mission – to capture one man inside the house.

As the Marines break down the metal door, they are met with heavy fire. The fighting rages, and inside, two men manage to escape through a hidden tunnel system.

By 6:30 am, five men protecting the fugitives are killed, and four gunmen have been arrested.

Across town, outside a Walmart, the two men who escaped the raid drag themselves out of a sewer system and into the middle of traffic.

They steal a white Volkswagen that breaks down several blocks later. They get out of the car, and approach a woman driving a red Ford Focus with her grandson. They tell her to get out and point a weapon at her. They hand over her purse before they speed away.

Hours later, authorities apprehend the fugitives.

One of the world’s most exhaustive manhunts has come to a close, in an effort that involved more than 2500 people across the country of Mexico1:

[NEWS MONTAGE]
MEDIA CLIP: Breaking overnight, a ruthless drug lord, the top illegal drug supplier to the US, arrested in Mexico.2
MEDIA CLIP: After years on the run, Mexican and US law enforcement officials caught up with Joaquin “El Chapo” Guzman3
MEDIA CLIP: You really can’t overstate what a huge figure El Chapo is – so vicious, so innovative, so crafty.4

NANDO VILA: Mexican authorities shared that they used Pegasus to help capture the drug lord Joaquin Guzman, better known as El Chapo, by tapping the phones of those in his inner circle.

It’s a very rare example of NSO or its clients sharing the use of Pegasus in a specific case.

Here’s the NSO Group co-founder Shalev Hulio responding to the capture in an interview on 60 Minutes:

SHALEV HULIO: In order to catch El Chapo, for example, they had to intercept a journalist, an actress, and a lawyer. Now, by themselves, they, you know, they’re not criminals, right?
LESLEY STAHL: Right.
SHALEV: But if they are in touch with a drug lord… And in order to catch them, you need to intercept them. That’s a decision that intelligence agencies should get.5

ROSE: Even if a target is legitimate – say a dangerous drug lord, terrorist, or criminal – it is hard for innocent people not to get entangled. Here’s security advisor Ian Iftach Amit:

IAN IFTACH AMIT: The target itself is probably going to be very well protected. And a lot of times you have to target the wife of, the widow of, the daughter, the, the secretary or whatever it is. You get warrants, you know, trying to hit this terrorist, but he doesn’t have a phone or he doesn’t use a phone because he knows he’s being targeted or she knows. So she’s not going to use a phone, but she’s got an accountant, a lawyer, family, friends, whatever it is. Let’s target them – completely legitimate. You kind of cast a wider net and do the work.

NANDO: Kate Del Castillo is the actress implicated in the capture of El Chapo. Months before the raid, she and the actor Sean Penn facilitated an interview with El Chapo in an effort to make a new film about his life.6 She maintains that her efforts to meet El Chapo for the project were completely sincere – and denies she was in any way connected – let alone responsible – for El Chapo’s capture. To challenge those accusations, she’s even made a documentary about her experience7:

KATE DEL CASTILLO: I have nothing to do with him getting caught. I don’t work for the government, and I am just interested in my career and trying to do a good story and that was it.8

ROSE: The New York Times has reported that Mexican authorities have read the text messages between Kate Del Castillo and El Chapo in the months leading up to his capture.

Mexican authorities have shared a surprising number of details about how they were able to triangulate and follow El Chapo because of the use of Pegasus on his inner circle.

In our last two episodes, we explored how Pegasus was found on the phones of three people close to the murdered journalist Jamal Khashoggi.

The method used to surveil El Chapo was the same method used against Jamal Khashoggi.

In the case of Jamal Khashoggi, the former CEO and co-founder of the NSO Group unequivocally denies that Pegasus was on Khashoggi’s phones or his relatives’9:

SHALEV: Khashoggi murder is horrible, really horrible. And therefore, when I first heard their accusations that our technology being used on Jamal Khashoggi or on his relatives, I started an immediate check about it. And I can tell you very clear, we had nothing to do with this horrible murder.10

ROSE: What do you say when the company you lead is in the midst of controversy, and contradictions?

[SERIES MONTAGE]
DANA: Hanan is the smoking gun.
HANAN: They did track him through me, because they know I’m the closest one to him.
BILL: It was full access to the phone.
NICOLE: This was the most sophisticated mobile spyware on the market.
RON: You have to go back to getting a copy of Pegasus, reverse engineering it.
OMAR: They were listening, they were reading our chats.11
OMAR: The hacking of my phone played a major role in what happened to Jamal.12

NANDO: This is Shoot the Messenger, a new biweekly investigative reporting podcast from EXILE Content Studio.

Every season, we investigate one international news story. You may have heard the headlines; this is the deep dive. I’m Nando Vila.

ROSE: And I’m Rose Reid. When Nando and I started reporting on this project we had one question: what is the biggest threat to journalists today?

When we put up a bulletin board and stuck a pin for every journalist threatened or assassinated in the past 5 years, we found one repeating link over and over. From Mexico, to DC, to the United Arab Emirates: Pegasus.

NANDO: Over the course of ten episodes, we’re doing a special partnership with the Committee to Protect Journalists for our first season, “Espionage, Murder, and Pegasus Spyware.”

[MONTAGE FORESHADOWING EPISODE]
ALBERTO PELLICCIONE: NSO was selling for tens of millions.
OMRI LAVIE: I was wondering if, if you guys can get into a device without asking for permission.
AMITAI: It’s not NSO, it’s the clients of NSO.
IAN: You have to target the wife of, the widow of, the daughter, the secretary…
ALBERTO: We knew that something was happening that was extremely bad.
AMITAI ZIV: But from the first customer, we know that there was abuse in the system.

ROSE: The NSO Group co-founders didn’t start out with a grand plan to be at the forefront of spyware13.

But, in a twist of fate, they have made the most infamous espionage software to date. The power of Pegasus is forcing citizens and governments to a new frontier negotiating a new digital social contract.

Over the last ten years, the NSO Group has managed to beat out or outlast major competition. The NSO Group and its Pegasus spyware have been instrumental in fueling the growth of a multibillion-dollar industry, and perhaps an even bigger shadow economy in its wake. This is Episode 3: Who is the NSO Group?

ROSE: The NSO Group shares its mission clearly on its website – which is to “work to save lives and create a better, safer world.”14

Over the course of one decade, this company has revolutionized spyware.15 When Shalev Hulio and Omri Lavie started out in the mid 2000s,16 cyber security was a budding industry measured in the millions. Today, the cyberwarfare industry and the mercenary companies that support it represent more than $43 billion dollars.17 And those are just the reported numbers.

Bloomberg projects there are more than 200 companies in this space. But none are more infamous than the NSO Group18:

AMITAI: So what is the snapshot for NSO right now? I think NSO is in big troubles right now because it’s coming from all sides.

NANDO: Amitai Ziv is a cybersecurity reporter based in Tel Aviv, Israel.

AMITAI: My name is Amitai Ziv. I’ve been a tech journalist for 15 years now and I’ve been writing a lot about cybersecurity. Most of the years I was working for Haaretz Group. And in the last year, I’ve been working with a big broadcaster here in Israel that is called Keshet. I was a partner in the Pegasus Project, and included journalists all around the world that were jointly investigating NSO.

NANDO: Amitai has been covering the NSO Group and its ups and downs for years; he knows the NSO employees on a personal level:

AMITAI: Look, I have like a good relationship with NSO to tell the truth. They are nice guys and very warm, actually. But we have like different views on the things.

NANDO: Over the course of a decade the NSO Group has grown from a few founders working in a renovated chicken coop, to being valued at over $2 billion dollars.19,20 They are facing legal challenges and controversies around the world, while they argue that they are making a product that saves thousands of lives.

How did they get here?

AMITAI: Like, like many of the good things in the world or the bad things in the world, it started by accident. Those two guys actually are not typical, like, Israeli founders. They didn’t came from like, elite unit in the in the intelligence service.

OMRI: People sometimes lack the ability to dare. Me and Shalev, when we founded NSO, despite everybody telling us that it’s completely crazy, despite not having the right background, not having the right connections, we thought there was a good opportunity.21

ROSE: You just heard Omri Lavie, co-founder of the NSO Group in a rare interview.22 Omri met Shalev Hulio in high school. There are several versions of how it happened, but the two became best friends. There’s some descriptions of Shalev loving theater and the arts23 while Omri was more into computers. It’s said they spent a lot of time playing video games or talking in chat rooms, and it’s also said they bonded on a summer trip to Europe.24

After high school, Omri and Shalev did what every high school graduate is required to do in Israel – serve in the army. Shalev was discharged from the Israeli Defense forces as a captain — he says he went from being a company commander overseeing 200 soldiers to selling dead sea cream to elderly women at an American mall.25 And Omri found a job at a cell phone kiosk.26

Then the market crash of 2008 hit almost every economy in the world like a tidal wave, and many people were starting over. Omri launched his first startup and Shalev went to law school. Afterwards – the story goes, the friends decided to start a business together.27

NANDO: Their new company, called CommuniTake28, provided IT support for this new thing called smartphones.

They developed a tool that could provide remote access to your phone the same way you grant IT support access to your computer – with permission of course.29

AMITAI: The story tells that in one convention, a few top guys from intelligence unit, I don’t know from which country came to Omri and Shalev and said to them, “Can you really do it? It’s working.” And they said, “Yes, of course we can demo it to you.”

ROSE: Here’s NSO co-founder Omri Lavie describing that initial meeting in an interview from 2021.30

OMRI: And we were approached by a certain individual, from a certain organization, and he said, “So let me get this straight. You ask for permission as the operator and you come into the phone and then you fix it.” And we said, “Yes, of course.” And he says, “Well, I was wondering if you can do the opposite of all that.” And me and Shalev kind of paused for a second. We said, “What do you mean?” He says, “Well, I was wondering if, if you guys can take this solution and basically get into a device without asking for permission.” I remember talking to our CTO who looked at us and says, “Are you crazy? There’s no way we can do this. This is impossible. There’s so many things that are not even in the right place to have this ability.”31

ROSE: Omri and Shalev made a decision – they wanted to refocus their business. They wanted to create a technology that can enter people’s phones without consent, with the intention to sell to security and intelligence agencies.

OMRI: We went to our board. All I remember is that it was an extremely emotional board. We were shouted at and being the pushy entrepreneurs we are, we were shouting back. We said, “You guys are crazy. We have to do this. We want it to be a division within CommuniTake”. And the board completely refused. They said, “There’s no way that we’re defocusing the company. We have to stay on track. And if you guys want to do this, this has to be in a different company.” So we said “Okay.” And we left the company and founded NSO Group.32

NANDO: They had a new business plan and were developing a new product.

AMITAI: So CommuniTake, went as a company and NSO was spin out as a different company. They had like another founder, a technical partner, which is the third letter. NSO.

ROSE: Niv Carmi was the technical founder, and he joined the best friends Shalev and Omri to start the NSO Group – which is an acronym for the three founders’ first initials: N for Niv Carmi; S for Shalev Hulio and O for Omri Lavie.

AMITAI: And he left few, I think like months or not a long time. Years maybe, but in the first years he left the company.

NANDO: Shalev Hulio and Omri Lavie continued with their new company, the NSO Group. Now, they needed to find engineers:

OMRI: By the way, it wasn’t easy at the time. We interviewed a lot of former engineers from 8200, and they all said, “You guys are crazy, this is impossible. This is not something that can happen.” But we were adamant and we pushed and pushed and found people who believed in our vision — and we started to build this solution.33

ROSE: Engineers finished coding their first iteration of Pegasus in 2011. It was ready for market. NSO Group leadership created four pillars to guide their new business:34

  1. NSO would not operate the system itself.
  2. It would sell only to governments, not to individuals or companies.
  3. It would be selective about which governments it allowed to use the software.
  4. And it would cooperate with Israel’s Defense Export Controls Agency.

Here’s co-founder Omri Lavie explaining:

OMRI: So we do everything within our power to prevent and make sure that this technology is not misused. We’re taking the regulation that is, let’s say, put on our shoulders and taking it even further by having our own regulatory leaps and bounds and committees and people involved that try and prevent as much as possible misuse of this technology. But I just want to add that nothing will ever be 100%.35

ROSE: Since Pegasus is classified by the Israeli government as a cyber weapon, the NSO Group is required to get approval for every sale.36

AMITAI: The Ministry of Defense have to approve every client of every, every army, every security company that is selling, and that includes the cyber offensive companies.

NANDO: Amitai explains that when the NSO Group launched Pegasus, and their business began to grow, there were two other very well known companies in this space:

ROSE: And when NSO started, who were their initial competitors?

AMITAI: That was FinFisher and Hacking Team. And at the beginning, Hacking Team was very strong.

NANDO: Hacking Team was an early and major competitor of the NSO Group:

ALBERTO: The smartphone adoption was exploding, but the know-how to run a digital investigations on these type of devices was not present in many countries. So there were many, many countries that had no know how on how to do that. And so they were buying these know-how from commercial companies. Even extremely developed countries.

ROSE: That’s Alberto Pelliccione. Alberto was an early employee of Hacking Team, and worked there for six years37.

To understand the rise of the NSO Group starts with understanding the boom and bust of Hacking Team.

Alberto had a front row seat — and during his tenure, he witnessed the increased demands from law enforcement.

Police and other agencies were rewriting the book for how to surveil and track targets, now that smartphones were changing the landscape of communication.

ALBERTO: At the very beginning, when I joined Hacking Team, the offensive security division was probably a year old. There were two departments officially. One was offensive, the other one was defensive. But we were in the same room, which was basically a large living room of an apartment. So we always had a touchpoint with customers at the very beginning. Basically the connection with customers was very, very, very tight. So they would call us on the phone, they will email us and they would explain what were the issues. And then we were trying to help them on whatever investigations that were running.

NANDO: Most of the time, Alberto knew his clients, and he knew who their targets were, and felt he was doing important work. Alberto worked with Italian police focusing on surveilling the Italian Mafia. The police obtained warrants from a magistrate for 30 or 60 days. Alberto didn’t always know when someone was detained, but he recalls celebrating the big victories, like when the police took down a network of more than 50 mafia members.

ALBERTO: This situation changed dramatically over over ten years. At the beginning, we didn’t have not even the slightest suspicion that someone was misusing the tools, because pretty much we happen to know all our customers or know personally one to one. I don’t want to say we knew the targets, but we knew we had an idea of the operations.

ROSE: Alberto points out that when the customer base grew – his knowledge of operations decreased. There were limitations of how much he could even understand a foreign operation:

ALBERTO: If they’re running an operation on someone, what is our knowledge? How do we know exactly who’s that person? First of all, we, we lack the skills to even reading the language. You don’t even have any idea of the local network because if you give me a name of an activist in Italy, chances are that I’ve heard about this person. But if you give me a name of, of an activist in, in Saudi Arabia, I have no idea who these guys or lady are, because I just don’t know the network, right? So that’s why it is very, very hard to pinpoint, to put you know, and say, hey, this was the ratio because we couldn’t know, of course. Because I can bring you like a very real example, which is Morocco. We used to have during those years a very good relationship with the, with the intelligence. And we never had any suspicion that they were they were really running investigations on other targets that were not terrorists. That was an interesting moment because the situation started to unfold around 2012 to 2013 with the first report from Citizen Lab in Morocco.

NANDO: In 2012, The Citizen Lab reported that Hacking Team’s systems were used against a Moroccan media outlet. Alberto learned about the abuse from Citizen Lab’s report and was shocked. He and fellow employees asked Hacking Team leadership for answers:38

ALBERTO: The moment was complicated because we first had an internal meeting, trying to figure out, “Is this for real?” And then we decided to approach management and we asked them “What is going on?” Actually went there myself, asking “Are we going to do anything about this?” And after the second time, when I was basically asked to shut up about that, something changed within the organization because they completely isolated the R&D team from, from customers. So we didn’t see the customers anymore. There was a layer in-between, there was basically working as an isolation layer. We didn’t even know who the new customers were. After that time there was another event. I had another frank conversation with the CEO. He said that, basically, made me understand that there was nothing wrong with what he was doing, actually was doing a favor to the world, blah, blah, blah, that type of of attitude. And I said, okay, I’m out of this place. And, and then I went out. And after me, then other people, you know, many other people, they basically decided to take the same, the same stance and say, okay, I don’t want to play this game anymore. And they, and they left.

NANDO: A year after Alberto left the company, Hacking Team was hacked and doxxed.39 An anonymous hacker posted all of Hacking Team’s emails, internal documents, and government contracts on WikiLeaks.40 The documents showed that Hacking Team was lying about – basically everything. Who they sold to, how they chose customers, how their investigations were solely focused on terrorists and criminals. None of it was true. They were selling to Sudan. To Russia.

Their emails showed that they knew clients were flagrantly abusing their technology – and leadership didn’t care who was being targeted41.

Hacking Team lost all credibility – and they set a new precedent for the industry – tell the world one thing, do another.42

That’s after the break.

ROSE: After Hacking Team was hacked, doxxed, and discredited, their emails shed light on an up and coming competitor with even more advanced capabilities – a company called the NSO Group.

The NSO Group went from operating on the sidelines to being in the limelight – the biggest name in a growing industry.

AMITAI: I think the first time that the Israeli public heard about NSO didn’t know how to look to tackle this this company because it was sounds very impressive that a small company from Herzliya managed to break the iPhone of Apple and and some of the of the media look at it as an achievement.

Between 2011 and 2014, NSO doubled its sales year after year: from $15 million, to $30 million, to $60 million.43

Their client list grew, including: Azerbaijan, Bahrain, Kazakhstan, Rwanda, Togo, and the United Arab Emirates.44

During those years, the NSO Group didn’t even have a publicly listed website45.

NANDO: Alberto recalls hearing about the NSO Group and their new capabilities for the first time.

ALBERTO: We heard about them doing demos, probably six, eight months after they were founded, we already heard about them.

ROSE: Did you think of them as a competitor?

ALBERTO: Well, not really at the point. They were actually more complementary in type of technologies that they’re competing with, with us.

ROSE: But the NSO Group had something that Hacking Team could never have – what almost no other competitor in the world would have access to.

AMITAI: NSO got an advantage on the market very fast. And of course it’s only natural because they have this talent pool from the army, very, very talented people that they can recruit with on-job training, real on-job training that… it’s very hard to find it in any other place in the world, I think. In Israel, the army is mandatory. Everybody goes to the army, even girls. Smarter people are going to the army and they’re serving in the cyber units. It’s confidential, but let’s imagine that they want to grab some database from Iran. They’re trained to do that, and they get allowance to do that. And there are hundreds of people like that in the army.

ALBERTO: NSO had the upper hand for the infection stage so they could infect people in a, in a very easy way with a so-called “zero click exploits.” Zero clicks are exploits basically don’t require any interaction from the user.

NANDO: That’s right. The current version of Pegasus doesn’t require any clicks. You don’t have to do anything.

IAN: The beauty, so-called, of Pegasus is that it’s invisible. But I have seen Pegasus run in terms of the operating console, where a client would operate it on the server side and issue commands or issue attacks on, on target phones. My name is Ian Amit. I’m a bicoastal. I live between Tel Aviv and New York. And I am a security practitioner. That means everything from hacking to chief security officer.

ROSE: Ian Iftach Amit is a former hacker turned security practitioner, and has done extensive research on cyber security and cyber crime. He also has close relationships with NSO employees.

IAN: Oh, yeah. I mean, I have close colleagues and friends who used to work there. Two days ago, we’re going out drinking in Tel Aviv. You know, they’re not all with horns and like a pointy tail. It’s a big company. We should acknowledge that NSO Group is just one of multiple companies. They started with probably good intents of providing what’s called lawful interception to law enforcement. I think that initially a lot of those companies that, that were operating kind of in the gray areas did not start with the intent of we’re going to be creating spyware that’s going to be used by, you know, problematic regimes to, to suppress democracy.

NANDO: Countries that didn’t have the infrastructure to build a surveillance system to keep up with targeting smartphones were very interested in the NSO Group and Pegasus.

The NSO Group only sells to government entities – it works like a subscription service.

Countries use a portal and depending on the package are allotted a specific number of targets – the idea is the more you pay, the more targets you get. But NSO is very protective about the intricacies of their deals.46

Here is co-founder Shalev Hulio:

SHALEV HULIO: I’m not going to talk about specific customer.47 I’m not going to talk about customers and I’m not going to go into specific. We do what we need to do. We help create a safer world.48

ROSE: There has been reporting that the cost for subscriptions has a wide range – from $25,000 a target to $500,000 a target. But once a country has the portal, they are the ones who operate the tool and track targets.49

Often, surveillance and spyware budgets are coming from a country’s defense budget:

ALBERTO: Whatever amount of money they are presented with is nothing for them because the cost of a couple of missiles is basically how much it costs you to, to set up an entire interception infrastructure. So, comparably to what they used to spend, because the cost of software, they are extremely low.

NANDO: During his tenure at Hacking Team, Alberto saw the market value of spyware change:

ALBERTO: An average sale back in 2012, 2013 was maybe half a million euro. Around that. So 250,000 euro was a good sale. But NSO was selling for tens of millions. So we were just surprised that they could manage to push the price so high. So, most of the conversation was around the how the market was, was changing. Rather than being concerned that NSO was going to take a big piece of this cake.

AMITAI: We know that the first customer was in Mexico, in 2011.

ALBERTO: Mexico was one of the best buyers of solutions for offensive security. Not just Hacking Team. For everyone. So Mexico was a big customers for a big customer for the entire surveillance industry, whether it was on device or it was infrastructure, they were they were they probably still are, a very big buyer.

AMITAI: Mexico is interesting because it’s very comfortable for companies to sell in Mexico for a few reasons. First, it’s a democratic country on the paper. So it’s an OECD member. And the other reason is that it’s a federation. When you have a federation like in the States, you have many states inside the nation. So you don’t have like, one police like we have here in Israel. You have an entity in every state that you can sell the solution. And the third that it’s very close to, to the USA. So it was very comfortable and I think it was very successful. But from the first customer, we know that there was abuse in the system.

[NEWS MONTAGE]
MEDIA CLIP: We continue to look at how the Mexican government used Israeli made spy software to surveil a team of international investigators.50
MEDIA CLIP: It seems the net cast around current Mexican president Andrés Manuel López Obrador with the help of an Israeli spyware company was so wide even his drivers were targeted.51
MEDIA CLIP: Carmen Aristegui. She was doing investigative reporting on corruption around the President’s office. She was targeted relentlessly with text messages that we connected to this Israeli company.52
MEDIA CLIP: The commerce department has blacklisted NSO Group, a tech company based in Israel.53

ROSE: It’s been reported that the Mexican contract with the NSO Group was $20 Million dollars.54 And the cases of abuse of Pegasus in Mexico have been well documented – from journalists to activists to lawyers. But the more scrutiny the NSO Group received, the more demand for their products. It seemed to almost go hand in hand – the scrutiny and the scaling.

AMITAI: So NSO was making a lot of money. NSO was making tons of money. It was profitable, which is pretty rare in the startup arena. They were flying the whole company like 1000 people every year to some other destination. One time it was Sardinia, one time it was Thailand.55

ROSE: Wow.

AMITAI: Yeah. It’s a very big company.

ROSE: Okay. So 800 people to Sardinia. That sounds like so much fun.

AMITAI: Yeah. Listen when you, when you are trying to get the best talent in the cybersecurity and it’s – and the competition is very big here in Israel. So they paid big checks. And you need also to get your employees feel good. So it was part of the DNA of the company is party on. They have a lot of parties, and also flying around the world every year to some kind of, uh, three days, four days. And of course, money helps to polish the moral issues if a person have ones, right? You get paid a lot.

NANDO: Amitai explains that an employee for the NSO Group can make more than double the average salary in Israel – and they count salary by months, not years.

Within the NSO group there is a salary hierarchy – the engineers make more, and those who make Pegasus make even more than that. They’re called vulnerability researchers.

AMITAI: And there are not a lot of them. Less than a hundred in NSO. In the iPhone, it’s like 12 to 15 people. That’s it. Because when you find the vulnerability to iOS, you got all the all the iPhones in the world. It’s just one operating system. In Android because of the fragmentation of the OS, if you find a vulnerability in Samsung, it wouldn’t necessarily apply to some other Android phone. A pixel phone like I have. Okay, so they need more people. Anyway, a vulnerability researcher in NSO can get 80,000, 100,000 shekels per month. So it’s like nine times, ten times the average salary here in Israel. We’re talking about that because NSO have big bucks running, they have big salaries and big offices and party culture. They need to pay a lot to keep the talents.

ROSE: The NSO Group has been blacklisted in the United States and by many European countries. The list of countries that the NSO Group can sell to keeps decreasing.

And the reported cases of abuse are increasing:

AMITAI: After the Ahmed Mansour case, there were many cases in many countries, with the same, like, story going: “NSO was used in Mexico against a journalist. NSO was used in Morocco against the journalist, or opposition member, or even a priest.”

ROSE: The NSO Founders continue to argue that their software helps more than it hurts.

Here’s co-founder Shalev Hulio:

LESLEY: How many lives do you think Pegasus has saved?
SHALEV: Tens of thousands of people.
LESLEY: Really?
SHALEV: Yes. And I can tell you that in the last eight years that the company existed, we only had real three cases of misuse, three cases out of thousands of cases of saving lives. Three was a misuse. And those people or those organizations that misuse the system, they are no longer a customer. They will never be a customer again.

ROSE: Shalev Hulio has stressed that “The governments that have these technologies are very limited in the number of targets they can actually handle.” And that a single client can only have tens – not hundreds – of targets. In 2019, for example, Shalev Hulio said that “in the entire world, there are no more than 150 active targets.”56

The NSO Group defines misuse as “using one of our tools to monitor the electronic communications of someone who falls outside a prescribed investigative scope.”57 That it’s for “the Bin Ladins” of the world.58 The NSO Group claims that they can shut down any operator at any time – and continue to stress that cases of abuse are much smaller than the ones reported by Citizen Lab or the Pegasus Project.

AMITAI: Some of the workers of NSO felt that for the first time, they’re on the bad side of history and didn’t want to be involved. And from then until now NSO is always tackling H.R. problems, because some of the people are saying, “Enough, I don’t want to be a part of this company.”

NANDO: The controversies and the contradictions are catching up with the NSO Group. NSO is facing a lot of challenges right now. From all sides:

AMITAI: You know, the race is ongoing. It’s not like we have Pegasus. Pegasus always evolving when there is a new OS version. A new firmware. For Apple or Android. They sometimes need to rewrite the program. Sometimes from scratch. And they have to have like a backlog of vulnerabilities that they can operate when one of vulnerability is being blocked. So we have like, the technical race. And now it’s becoming harder and harder because the eyes of Apple and everybody in Google and everybody’s on NSO.

ROSE: But once a country has access to Pegasus, it’s hard to give it up.

AMITAI: And it’s so easy. In some ways, cyber weapon is more dangerous than real weapon, than kinetic weapon. Because it’s transparent. Nobody sees it. You can duplicate it. You know, you don’t need to run over the protesters in the Tiananmen Square in China. No. Everybody have phones today. You don’t want to it to be photoed. But you don’t need. You just use Pegasus. And you know about this protest before it even starts.

NANDO: Tune in to the next episode of Shoot the Messenger. We examine the biggest challenge the NSO Group has yet to face:

[MONTAGE]
MEDIA CLIP: On Tuesday, the iPhone maker said it had filed a lawsuit against NSO group.59
MEDIA CLIP: Apple has released an emergency software update to fix a security flaw in its iPhones – Researchers found was being exploited by the Israeli based NSO Group60
MEDIA CLIP: We hope that it tips the Biden administration and the European Union to sanction NSO Group and ban the use of this technology.61

ROSE: We interview the engineers who were working at WhatsApp the day Pegasus breached their servers, and witnessed the code working in real time to track live targets:

[MONTAGE FROM EPISODE 4]
CLAUDIU: The Monday when we made the public announcement, I think it was extremely stressful for me. I was really afraid of, of the public perception on what happened.
OTTO: Yeah. So this is like I would describe this as like a jigsaw puzzle.
AMITAI: When Facebook sued NSO for breaking WhatsApp, some of the people that work in NSO said, “[Bleep] this [bleep].”

ROSE: That’s on the next episode of Shoot the Messenger.

Shoot the Messenger is a production of EXILE Content Studio and distributed by PRX.

Hosted and produced by me, Rose Reid with Nando Vila, Sabine Jansen, Ana Isabel Octavio, Stella Emmett, and Nora Kipnis.

Written by me, Rose Reid. With story editing by Nando Vila and Gail Reid.

Sound design and mixing by Pachi Quinones. Sound engineering by Pedro Aguirre.

Executive producers are me, Rose Reid, Nando Vila, Carmen Graterol, and Isaac Lee. Daniel Batista oversees audio at EXILE Content Studios.

Special thanks to Sonic Union.

For more information on the status of journalists and freedom of the press – visit the Committee to Protect Journalists at cpj.org.

And we want to hear from you – find us on Twitter / Instagram @exilecontent.

Send us a voice memo with your questions about Pegasus to podcasts@exilecontent.com.