Court names details of 1223 attacks on WhatsApp users with Pegasus spyware

Contents

Details of surveillance attacks on WhatsApp users have emerged in the lawsuit brought by Facebook parent company Meta Platforms against the Israeli spyware company NSO Group. According to the document, 1223 users in 51 different countries were attacked in just two months. The recently released court document even names the individual countries in which the victims were located, as well as the locations of the attackers and the servers used for the attacks.

Facebook had already sued the Israeli WhatsApp hackers in 2019, citing 1,400 affected users. These included journalists, lawyers, human rights activists and other government critics. Government employees and military personnel from at least 20 countries were also said to have been hacked using Pegasus. The court document now shows the countries in which the victims of this hacking campaign carried out in April and May 2019 were located and where these attacks originated from.

Mexico with the most spyware victims

According to the document, most of the victims were located in Mexico, namely 456 individuals. There were also numerous victims in India (100), Bahrain (82), Morocco (69), Pakistan (58), Indonesia (54) and Israel (51). A number of people in Cyprus (31) and Turkey (26) were also affected. Although there were fewer cases in Western Europe, there were still 21 in Spain, 11 in the Netherlands, 7 in France, 4 in Belgium, 4 in Finland, 3 in Switzerland and 2 each in Germany and the UK.

"Over the years, numerous news articles have been written documenting the use of Pegasus to target victims around the world," security expert Runa Sandvik told Techcrunch. "What's often missing from these articles is the true scale of the attacks – the number of victims who were not notified, whose devices were not vetted, and who chose not to share their stories publicly. The list we see here – with 456 cases in Mexico alone, a country with documented, known victims from civil society – speaks volumes about the true scale of the spyware problem."

Origin of the attacks and server locations

The list of possible origins of the attacks, which WhatsApp also submitted to the court and which has now been published, is also interesting. According to this list, 60 attacks came from Sweden, 56 from Cyprus, 39 from the Netherlands and 9 from Indonesia. This list is not complete, but shows that attackers and victims are not always located in the same country. There were apparently no victims in Sweden, but many attacks from there. And the number of attacks from the Netherlands clearly exceeds the number of victims there.

The command-and-control infrastructure used for the attacks is also widely distributed internationally. These so-called C2 servers feign normal data traffic in order to remain undetected for as long as possible, but use backdoors for surveillance purposes, for example. WhatsApp has found many of these C2 servers in Hungary and the UK, as well as some in the Netherlands and Sweden. One C2 server was also located in Germany.

NSO: Half-truths and taken out of context

A WhatsApp spokesperson would not comment on this court document when asked by Techcrunch, but the NSO Group stated, according to Israeli magazine CTech: "The list submitted to us for review is an interpretation of information taken out of context, as well as half-truths and one-sided claims by Meta – claims that have already been refuted and continue to be refuted in litigation. For example, the fact that a suspect's phone is identified in a particular area does not infer the identity of the customer."

WhatsApp won the legal dispute against the NSO Group at the end of 2024. A US district court convicted the spyware manufacturer of computer fraud and misuse. Only the question of damages was to be heard this year. However, the proceedings (case no. 19-cv-07123), from which the aforementioned court document originates, have not yet been concluded. The NSO Group is continuing its legal action.

(fds)