Pegasus Spyware Victims Ask U.K. Police to Charge Shadowy NSO Group
Anas Altikriti was in London, and busy, on the day in July 2020 when his phone was hacked. He frequently works as a hostage negotiator and, at the time, he was negotiating a deal to free a hostage being held on the Libya–Chad border. Altikriti also had a meeting with former Labour Party leader Jeremy Corbyn. But his schedule did not include having his phone infiltrated by Pegasus, the phone hacking software made by Israel’s NSO Group.
Four years later, Altikriti, an Iraqi-born British citizen and vocal critic of the United Arab Emirates, is filing a report to the Metropolitan Police in London accusing the Israeli spyware firm NSO Group of complicity in the targeted hacking of his phone. On Wednesday, he filed the complaint about NSO and its associates alongside three fellow U.K.-based human rights defenders whose phones were also hacked.
“This case has some real legs,” said Leanna Burnard, a lawyer at the nonprofit Global Legal Action Network, who prepared the complaint. “The U.K. shouldn’t stand for the hacking of human rights defenders on its own soil.”
Assembled with the help of advocates from GLAN on behalf of the victims, the extensively footnoted filing sent to the Metropolitan Police, which was obtained by The Intercept, puts the ball in the police’s court. The police now have discretion over whether to open an investigation and subsequently bring charges.
“The U.K. shouldn’t stand for the hacking of human rights defenders on its own soil.”
“Due to regulatory constraints, we cannot confirm or deny any alleged specific customers,” Gil Lanier, vice president for global communications at NSO, told The Intercept. “NSO complies with all laws and regulations and sells its technologies exclusively to vetted intelligence and law enforcement agencies. Our customers use these technologies daily, as Pegasus continues to play a crucial role in thwarting terrorist activities, breaking up criminal rings, and saving thousands of lives.”
The Metropolitan Police declined to comment.
The U.S. blacklisted NSO in 2021 after its software was accused of enabling human rights abuses by the company’s authoritarian government clients. Amnesty International has said NSO was complicit in many of these phone hackings.
The cyber spying firm, however, has never been sanctioned in the U.K., despite calls from members of Parliament. The failure to act was particularly jarring because the government itself had been a target of the software. In 2022, cybersecurity researchers at Citizen Lab said that the U.K. prime minister’s office and the Foreign Office likely had been victims of multiple Pegasus attacks, with the UAE as the main suspect.
While prosecutors around the world have investigated criminal claims against NSO in countries, including Spain, Hungary, and Poland, so far there have been no formal charges.
The complaint against NSO to London police has been two years in the making, since lawyers began investigating the hackings victims on British soil. Lawyers on the case said they hoped the police report could lead to a landmark moment for human rights defenders who have been targeted. Altikriti, alongside the other complainants, certainly hopes so.
“This has to be exposed,” he said. “We are now talking about a potential world where literally no one can ever claim to enjoy anything called privacy.”
Hacked on British Soil
Alongside Altikriti, the hacking victims include include Azzam Tamimi, a Palestinian-born British journalist and academic, a prominent critic of the Saudi regime; Mohammed Kozbar, a Lebanese-born British citizen and the leader of the Finsbury Park mosque; and Yusuf Al Jamri, a Bahraini human rights activist who was granted asylum in the U.K. All were hacked between 2018 and 2021 on British soil.
Related
After Pegasus Was Blacklisted, Its CEO Swore Off Spyware. Now He’s the King of Israeli AI.
Their complaint to the police is being made against NSO Group and its board members; the firm’s parent company Luxembourg-based Q Cyber Technologies; London-based private equity firm Novalpina, which bought NSO in 2019. The human rights activists are alleging the people involved with NSO breached the U.K.’s Computer Misuse Act by enabling state actors to hack their phones using Pegasus. (Novalpina did not respond to a request for comment.)
The hackers in question are believed to be the Kingdom of Saudi Arabia, the UAE, and the Kingdom of Bahrain.
The U.K. recently became more significant to NSO’s operations. In 2023, the management of five NSO-linked companies was moved to London and two U.K.-based officers were appointed.
Meanwhile, NSO continues to face a slew of civil cases in the U.S., with the company moving for dismissal in lawsuits by hacked Salvadoran journalists and Hanan Elatr Khashoggi, the widow of murdered journalist Jamal Khashoggi.
Last week, Apple asked a court in San Francisco to dismiss its three-year hacking suit against NSO, after Israeli officials took files from NSO’s headquarters — an apparent attempt to frustrate lawsuits in the U.S. Apple argued it may now never be able to get the most critical files about Pegasus and that the revelation of its own defensive systems in court might aid other spyware companies.
“NSO is very vigorously defending these lawsuits,” said Stephanie Krent, attorney at the Knight First Amendment Institute. “It is trying to draw litigation out and really avoid being held to account.”
“Absolute Non-reaction”
In July 2021, Altikriti was notified by The Guardian as part of its Pegasus Project that his number was on a leaked list of those suspected to be hacked. According to The Guardian, Altikriti’s phone number was on a list of people of interest to the UAE given to NSO. Altikriti was concerned but not surprised.
For many years, he had been vocally critical of the UAE, where he previously lived. The UAE designated his organization, the Cordoba Foundation — which works to promote dialogue and rapprochement between Islam and the West — as a terrorist group in 2014. In response, the organization issued a statement calling the country a “despotic regime seeking to silence any form of dissent.” He made similar declarations about the UAE over the following years.
Around the time Altikriti was hacked in July 2020, he had been working on several hostage release deals, mainly in the Middle East. He alleges that phone hacking interfered with his communications related to one deal.
After he was notified of the potential hack, Altikriti’s phone was tested by Amnesty International and Citizen Lab at the University of Toronto, which studies cyber issues affecting human rights. The hack was confirmed. Altikriti quickly went public about the cyberattack, posting a statement calling on the U.K. government to stand against the use of such spyware. Altikriti has since become increasingly frustrated by the lack of action.
“You think that the U.K. Government, having seen a number of its own citizens and those on its lands being violated in the way that we have evidence now, would do something,” Altrikiti told The Intercept. “But so far we have seen an absolute non-reaction.”
In 2022, Altikriti and Kozbar, one of the other human rights activists behind the complaint to police, sent a pre-claim notice to NSO, the UAE, and Saudi Arabia, of their intention to file a civil suit over the alleged Pegasus phone hacking. In formal response letter obtained by The Intercept, NSO said there was “no basis for the claims.”
The company said that since Q Cyber Technologies Ltd and NSO Group Technologies Ltd are each lsraeli companies and neither was present in England and Wales, English courts had no jurisdiction over them. They also argued that the claims were barred by state immunity because, if the alleged attacks happened, they were conducted on behalf of foreign governments who are immune from prosecution.
In Wednesday’s complaint to police, other claimants have stories similar to Altikriti. Al Jamri was active on social media promoting awareness of human rights abuses and political issues in Bahrain. In 2011, he was politically active during the Arab Spring. In its wake, he was regularly subjected to interrogation and harassment by authorities. He was detained for the third time in August 2017 and subjected to torture. Upon his release, he sought asylum in the U.K.
Two years later, Al Jamri was targeted with Pegasus by servers traced to Bahrain, according to Citizen Lab. This happened around the same time he was posting about an incident at the British Embassy of Bahrain, when a dissident was allegedly assaulted by staff. In August 2019, like Altikriti, Al Jamri was notified by The Guardian, and his phone was subsequently tested and confirmed to have infections. He also went public about the hack.
U.S. Lawsuits
Despite Apple’s attempt to withdraw its case, NSO still faces a slew of lawsuits in the U.S. In October 2019, WhatsApp filed a lawsuit against the Israeli company for using its platform to hack the phones of 1,400 of the chat app’s users. NSO has repeatedly tried to get the case thrown out, including by claiming sovereign immunity — that it acted as an agent of foreign governments — though that effort was rejected in January.
In November 2021, the same month NSO was blacklisted by the U.S. government for its role enabling human rights abuses, Apple also filed its case against NSO to hold it accountable for the surveillance and targeting of its users. On September 13, the company moved to dismiss its case, saying that Israeli officials’ seizure of NSO documents “were part of an unusual legal maneuver created by Israel to block the disclosure of information about Pegasus.”
Related
Israeli Spyware Firm NSO Demands “Urgent” Meeting With Blinken Amid Gaza War Lobbying Effort
NSO is known to have a close relationship with the Israeli government, which it claims to have been working with during Israel’s war on Gaza. In November, in an attempt to rehabilitate its image, NSO sent an urgent letter to request a meeting with Secretary of State Antony Blinken and officials at the U.S. State Department, citing the threat of Hamas.
In 2022, the Knight Institute filed its lawsuit on behalf of current and former journalists of El Faro, one of Central America’s leading independent news organizations, based in El Salvador. It was the first case filed by journalists against NSO in U.S. court. A judge dismissed the case in March, but it is currently on appeal.
“We felt it was important that victims have access to courts in order to hold NSO Group to account,” said Krent, the Knight attorney. “At the end of the day, they are facing the most serious threats from the use of this spyware.”
Comments (0)