Newly released court documents have unveiled the global scale of a 2019 hacking campaign in which Pegasus spyware, developed by NSO Group, was used to target more than a thousand WhatsApp users across 51 countries, shedding light on the extensive reach and impact of the surveillance tool.
The document, made public on Friday, is part of WhatsApp’s ongoing lawsuit against NSO Group. In this legal action, WhatsApp, which is owned by Meta, accuses the Israeli surveillance technology company of exploiting a vulnerability in its messaging platform to conduct a sweeping hack. Among those targeted were over 100 human rights activists, journalists, and other civil society members, raising concerns about the spyware’s use against dissenting voices and vulnerable populations.
Initially, WhatsApp reported that approximately 1,400 users had been targeted during the attack. However, a newly disclosed exhibit within the court records provides a detailed breakdown of 1,223 identified victims, pinpointing their locations at the time of the Pegasus attacks. This rare disclosure offers a glimpse into both the global footprint of Pegasus and possible patterns of NSO Group’s client activity.
The data indicates that Mexico was by far the most affected nation, with 456 victims. India followed with 100 cases, while Bahrain saw 82 victims, Morocco 69, Pakistan 58, Indonesia 54, and Israel 51. The exhibit, titled “Victim Country Count,” also lists victims across a range of Western countries, including 21 in Spain, 11 in the Netherlands, 8 in Hungary, 7 in France, 2 in the United Kingdom, and 1 in the United States. The Israeli news outlet CTech was the first to report on the release of this country-by-country victim list.
Cybersecurity experts emphasize that this list likely represents only a portion of the true total. “Numerous news articles have been written over the years documenting use of Pegasus to target victims around the world,” said Runa Sandvik, a cybersecurity expert who has long tracked the impact of government spyware. Sandvik highlighted that many victims remain unnotified or do not publicly share their experiences: “The list we see here — with 456 cases in Mexico alone, a country with documented, well-known civil society victims — speaks volumes about the true scale of the spyware problem.”
The timing and velocity of the attack further underscore the severity of the campaign. According to WhatsApp’s original complaint, the hacking occurred within just two months, between April and May 2019. In that short period, government clients of NSO Group targeted over a thousand WhatsApp users, demonstrating the speed and efficiency with which Pegasus can be deployed against large numbers of individuals.
The court documents clarify that the presence of a victim in a particular country does not necessarily indicate that the local government was responsible for the targeting. Instead, governments may be using Pegasus to track individuals abroad. For example, Syria appears among the listed locations, despite the fact that NSO Group is prohibited from exporting Pegasus to Syria due to international sanctions.
The distribution of victims also offers insight into potential high-value customers of NSO Group. The pricing model for spyware like Pegasus is partially based on the number of simultaneous targets permitted. Mexico’s high victim count aligns with reports that the Mexican government spent over $60 million on NSO Group’s spyware, according to a 2023 New York Times investigation citing Mexican officials. This significant expenditure may explain the prevalence of Mexican targets in the documented campaign.
The ongoing lawsuit has already resulted in a landmark decision: in 2023, a judge ruled that NSO Group violated U.S. hacking laws by targeting WhatsApp users, marking a substantial legal win for WhatsApp. The next stage in the proceedings will determine the amount in damages that NSO Group must pay as a result of this ruling.
Additional revelations from the legal process indicate that NSO Group disabled 10 government clients after reports of Pegasus abuse surfaced. The court filings also disclosed that a one-year license for NSO’s WhatsApp hacking tool could cost up to $6.8 million, and that the company earned at least $31 million from such deals in 2019 alone.
While WhatsApp spokesperson Zade Alsawah declined to comment on the recent court filing, NSO Group did not respond to requests for comment regarding the latest developments.
