The Israeli-made Pegasus spyware, sold by the cyberoffense firm NSO to state intelligence agencies around the world, has become infamous in recent years. Exploiting unknown loopholes in WhatsApp, iMessage and Android has allowed the group’s clients to potentially infect any smartphone and gain full access to it – in some cases without the owner even clicking or opening a file.

Digital forensics groups such as Amnesty International and the University of Toronto’s Citizen Lab have revealed numerous potential targets with traces of the spyware on their phones. Last summer, Project Pegasus – led by Paris-based NGO Forbidden Stories with the help of Amnesty’s Security Lab – organized an international consortium of journalists, including Haaretz and its sister publication TheMarker, to investigate thousands of additional potential targets selected for possible surveillance by NSO Group clients worldwide.

So far, targets have been found across the world: from India and Uganda to Mexico and the West Bank, with high-profile victims including U.S. officials and a New York Times journalist.

Now, for the first time, Haaretz has assembled a list of confirmed cases involving Pegasus spyware. (Are we missing someone? Do you have a tip? Email us here)

Though there have been over 450 suspected hacking cases, this list, which was put together with the help of Amnesty’s Security Lab, includes only the cases in which infections were confirmed either by Amnesty or another digital forensics group like Citizen Lab (which also helped construct this list). It also includes a few instances where official bodies such as French intelligence agencies or private firms like Apple or WhatsApp have publicly confirmed attacks.

The list does not include those suspected of being targeted – for example, Amazon’s Jeff Bezos, who was reportedly sent the spyware via a WhatsApp message from no less than Saudi Crown Prince Mohammed bin Salman. Rather, it is those who have actually been found with Pegasus on their phones.

The NSO Group, which refuses to confirm the identity of its clients and claims it has no knowledge of their targets, has denied most of these cases and says digital forensic analysis cannot fully identify its software.

• Police use NSO’s Pegasus to spy on Israelis without warrant, report says
• Israeli NSO spyware found on phones of Jordanian, Bahraini women’s rights activists
• Police using Pegasus spyware against Israelis shows: NSO is an arm of the state
• NSO scandal shows Israelis are fine with human rights violations as long as judges approve

The gap between the massive list of potential targets and those who were actually infected highlights how hard it is to confirm the presence of Pegasus spyware on phones. For instance, a private investigation commissioned by Bezos himself found that his phone had received a strange message from Crown Prince Mohammed, after which the tycoon’s device began sending out a lot of data. However, Bezos was reluctant to hand his phone over to anyone other than the handpicked investigators he had hired; they said it was very likely his phone had been infected.

Here is the list of most, if not all, known and confirmed Pegasus cases. They are sorted by the nationality of the victims or their country of residence when they were targeted.

The list of confirmed cases is followed by an additional list of names of those who have been confirmed to have been targeted but whose actual infection has not been verified.

Open gallery view

The NSO Group logo on one of its Israeli offices.Credit: AMIR COHEN/REUTERS