The TLDR: So far, the story of the spyware Pegasus has focused on targets and their snoopers—who and when. But the bigger story is how a tech company put a dangerous product in the hands of governments and their agencies—with the active support of the Israeli government. This is a whole new kind of public-private partnership that poses a clear and present danger to human rights.
Researched by: Sara Varghese
Origin story: Shalev Hulio and Omri Lavie are childhood friends, and used to be part of Unit 8200—a cyber spy agency. This is a secretive unit of the Israeli Defense Forces (IDF), and which has produced the country’s biggest tech super stars. Much like their former colleagues, Lavie and Hulio decided to do a tech startup. Their first venture MediaAnd—a product placement tool—bombed due to the 2008 recession. The second, CommuniTake, showed promise. It allowed the tech support of a telecommunication company to take remote control of a customer’s device. And that’s when intelligence agencies started paying notice, according to Lavie:
“We were approached several times by intelligence agencies and asked, ‘Can you do it without [the user’s] permission?’ So we lied and we said, ‘Sure’. We didn’t understand at the time that this was considered one of the holy grails of the industry.”
Point to understand: This was a “holy grail” because until then intelligence agencies had to intercept messages while they were in transit from one device to another. But the rise of end-to-end encryption—where the message cannot be read except by the sender and receiver—posed a huge problem for this method. However, CommuniTake directly accessed the device instead: “agencies could simply pirate the phone itself, bypassing encryption and giving them all of the information they needed and more.”
The birth of NSO: Unwilling to let go of this brilliant opportunity, the two buddies got a third founder on board: Niv Carmi, a former intelligence operative of the spy agency Mossad. And they recruited their then CEO Yair Pecht—who served in the IDF’s elite Mamram computer unit. And the two worlds of spies and tech meshed together to create NSO—for Niv, Shalev and Omri. Carmi handled the tech and Hulio and Lavie the business—though Carmi would leave NSO later.
Birth of Pegasus: Responding to popular demand, NSO developed a spyware tool called Pegasus—which “offered a plug-and-play spying solution for intelligence agencies and police forces that couldn’t afford to develop their own tools.” The official goal was to help them fight crime, be it terrorism, money laundering or drug trafficking. Within a year, riding the coattails of Pegasus, NSO went from upstart startup to cybersecurity giant. As an exec of a rival firm said, “When we were selling our solutions for hundred of thousands of dollars, NSO Group managed to negotiate million dollar contracts. We were already behind in a sense.”
Finding clients: NSO soon cultivated what Lavie calls the “very fine art” of marketing to foreign governments:
“Companies in the emerging cyberwarfare field cannot just go to trade fairs or rely on publicity and hope customers will come. Like conventional defence companies, they rely largely on private agencies that transact business for products on commission.”
In 2012, they landed their first big client, the government of Mexico—which allegedly paid $32 million to help fight drug cartels. In 2014, the Mexicans used Pegasus to track and arrest none other than Joaquín Guzmán aka ‘El Chapo’. But a 2017 investigation would reveal that the Mexican government—which by then had spent a whopping $80 million—was also using Pegasus to spy on human rights activists, political rivals and journalists, some of whom turned up dead. The latest Pegasus Project revealed 15,000 such numbers on the global database of potential targets.
Sweet rewards: US-based venture fund Francisco Partners bought NSO for $120 million in 2014—the same year that Pegasus helped nab El Chapo. Now, the company had lots of money to invest in refining its spyware. Where it had once relied on the user to click on malicious links to take over their phone, NSO moved to ‘zero click’ attacks—where just a missed call on WhatsApp or text on iMessage is sufficient to hijack your phone. And it is very unapologetically not a defensive tool, but an offensive weapon aimed at a specific target. Lavie says to the Financial Times:
“It’s like laying a trap in the forest versus setting a sniper gun for a bear. If you’re laying a trap, you’re hoping for your bear to wander out but if you’re sitting in a bush waiting for a specific bear, once you see it you can actually act on it.”
Point to note: None of the bad press has deterred NSO from getting funding or clients. Lavie and Hulio bought back the company from Francisco Partners in 2019 with investments from Novalpina Capital, a London-based private equity firm. At the time of the transaction, NSO was valued at $1 billion. According to a 2021 report, it has 60 customers in 40 countries. Fifty-one percent of its clients are intelligence agencies, 38% law enforcement agencies and 11% military.
Maintaining deniability: A big part of NSO's spiel is that it doesn’t know what its clients do with Pegasus. As Lavie makes clear:
“In some countries we’re not even allowed to know where the building is, where [the product] will be installed. Not only are we not allowed in the building, we don’t even know where the building is – it could be in another city.”
And all its promises to investigate the misuse of its technology—including recent statements about the Pegasus Project—usually lead nowhere. How can you investigate that which you do not know?
Quote to note: When asked about his clients, Lavie joked: “I don’t want to be beheaded.”
A unique ‘cynergy’: NSO is just one of the many such companies operating out of Israel—which is a leader in cybersecurity:
“The country's well-resourced education system, plus the compulsory military service, brings scores of young Israelis into high-level training in cybersecurity and cyberwarfare before many of them even go to university… Much of the country's most cutting-edge technology has its roots in military development.”
So it’s no coincidence that NSO’s founders all come from military backgrounds.
Authority to approve: Since Pegasus is considered a cyberweapon, its export has to be approved by Israel’s defence ministry, which screens and monitors them before giving the green light. And that in turn raises the question as to why Tel Aviv has been so lax in green-lighting these Pegasus deals.
A diplomatic carrot: One clear answer is that Israel actively uses its cybersecurity companies as a selling point: "One of the tools that Israel uses diplomatically is its ability in intelligence. It's not a secret that Israel is sharing sensitive intelligence even with Arab countries because we have an interest in protecting them.” A Haaretz investigation showed a clear link between a) known Pegasus clients; b) when numbers from their countries were added to the database; and c) when PM Benjamin Netanyahu held meetings with their leaders.
And as FT noted in 2019:
“The sale of such powerful and controversial technologies also gives Israel an important diplomatic calling card. Through Pegasus, Israel has acquired a major presence — official or not — in the deeply classified war rooms of unlikely partners, including, researchers say, Gulf states such as Saudi Arabia and the United Arab Emirates. Although both countries officially reject the existence of the Jewish state, they now find themselves the subject of a charm offensive by Prime Minister Benjamin Netanyahu that mixes a shared hostility to Iran with intelligence knowhow.”
Quote to note: In 2019, NSO’s lawyers argued in a San Francisco court that revealing clients’ names “will meaningfully harm the foreign relations of the state.”
The Israeli defence: One of the key arguments offered in defence of NSO by Israeli experts—why just pick on Israel?
"Let's be honest, intelligence is being gathered by states against each other constantly. Everyone spies on everyone. And when it comes to an Israeli company there's a lot of hypocrisy. NSO is another tool but there are many other tools."
The current Israeli government has instituted a commission to investigate the misuse of Pegasus—acknowledging the serious blowback from the Pegasus expose. And some believe it may result in stricter controls:
"The logic is Israel may be willing to turn a blind eye to transactions that are conducted with friendly regimes in the sense that they are friendly to Israel but not necessarily friendly to human rights. I think this recent scandal, which is quite embarrassing both for NSO but also for Israel, would lead at least in the short run to some tightening of export controls standards."
Meanwhile in the US: Democratic lawmakers have called on President Biden to put NSO on an export blacklist—insisting that the “hacking-for-hire industry must be brought under control.” This despite the fact that NSO has been very clear that it is “technically impossible” to use Pegasus to target US-based phone numbers.
However, in India: The parliamentary IT panel had to indefinitely postpone its meeting to discuss Pegasus because BJP members refused to sign the attendance register—to ensure there wouldn’t be the minimum number required to hold a meeting.
The bottomline: Global capitalism meets local autocracy. Is there a worse combination? We think not.
Forbidden Stories and The Hindu have the most comprehensive history of NSO’s activities. CNN has an excellent report on NSO’s ties to the Israeli government. We highly recommend Haaretz’s investigation into Netanyahu’s ties to Pegasus, and its report on NSO’s current financial woes. The best reporting on NSO’s worldview and modus operandi is in the Financial Times—but it's behind a paywall. You can read our explainers on Pegasus here and here.
The first great political firefight of 2025 will centre on the Muslim tradition of donating property to God.
Read MoreThe Middle East is in turmoil once again—this time due to the startling fall of Assad.
Read MoreGeorgia is in uproar with a rigged national election and a government moving away from the EU.
Read MoreWe know Delhi’s air is toxic. We even know the reasons why. But two great mysteries remain.
Read More