{
	"id": "4fa99533-5d5f-40fc-b5e4-ed3badc71d4c",
	"created_at": "2026-04-06T01:30:07.931556Z",
	"updated_at": "2026-04-10T03:21:15.032267Z",
	"deleted_at": null,
	"sha1_hash": "3268e661afe0554b3640594846a6ab8f2abb7c20",
	"title": "Hacking Meduza: Pegasus spyware used to target Putin’s critic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 96674,
	"plain_text": "Hacking Meduza: Pegasus spyware used to target Putin’s critic\r\nBy Natalia Krapiva @natynettle\r\nArchived: 2026-04-06 00:13:31 UTC\r\nAn investigation by Access Now and the Citizen Lab at the Munk School of Global Affairs at the University of\r\nToronto (the Citizen Lab) has revealed that the iPhone of journalist Galina Timchenko, head of Meduza, a leading\r\nRussian independent media outlet based in Latvia, has been infected with Israeli firm NSO Group’s Pegasus\r\nspyware. The spyware attack took place two weeks after the Russian government declared Meduza an\r\n“undesirable organization” for its critical coverage of Vladimir Putin’s regime and the war in Ukraine. At the same\r\ntime, some European political leaders were publicly arguing for surveillance of all Russians in exile. This is the\r\nfirst documented case of a Pegasus infection of a Russian journalist.\r\nWhat happened\r\nRussian independent media under attack\r\nWho is behind this Pegasus attack?\r\nSpyware violates human rights and international humanitarian law\r\nCall for action\r\n// What happened\r\nOn June 22, 2023, Timchenko, co-founder, CEO, and publisher of Meduza, received a notification from Apple that\r\nstate-sponsored attackers may be targeting her iPhone. The next day, Meduza’s Chief Technology Officer\r\ncontacted Access Now to check the phone for traces of spyware. Access Now, with forensic assistance from the\r\nCitizen Lab, tested the device, and discovered that it had been infected with Pegasus spyware on or around\r\nFebruary 10, 2023, with the infection likely lasting several days or weeks after that. At the time of the infection,\r\nTimchenko, who lives in Latvia, was in Berlin, attending a private gathering organized by Redkollegia with other\r\nmembers of Russian independent media living in exile to discuss the legal risks of “undesirable” and “foreign\r\nagent” designations.\r\nThe Pegasus attack was conducted within the larger context of attacks against Meduza and other Russian\r\nindependent media organizations, at home and in exile. \r\nTimchenko and her colleagues founded Meduza in 2014, after the owner of Lenta.ru removed her as the chief\r\neditor for publishing an interview with the head of a Ukrainian nationalist group. The organization chose to base\r\nMeduza in Latvia, relying on digital technologies to reach audiences inside Russia. The publication became one of\r\nthe first independent media outlets run by Russian journalists in exile to launch a mobile app as a means of\r\ncircumventing Russian censorship. \r\nMeduza’s critical coverage did not, however, go unnoticed by Putin’s regime. In 2019, Russian police arrested\r\nMeduza journalist Ivan Golunov on fabricated drug charges. After public outcry, Golunov was subsequently\r\nreleased, and the police officers involved were sent to prison for the unlawful arrest. In 2021, the Russian\r\nhttps://www.accessnow.org/publication/hacking-meduza-pegasus-spyware-used-to-target-putins-critic/\r\nPage 1 of 4\n\ngovernment designated Meduza a “foreign agent,” a move condemned by the E.U. and media freedom\r\norganizations, among others. In March 2022, due to Meduza’s critical coverage of Russia’s full-scale invasion of\r\nUkraine and condemnation of the war, the government went even further and blocked Meduza’s website. Finally,\r\nin January 2023, Putin’s regime officially outlawed Meduza, classifying it an “undesirable organization,” a more\r\nserious designation. This action drew strong condemnation from the Organization for Security and Cooperation in\r\nEurope (OSCE), International Press Institute, European Federation of Journalists, and others. \r\nOther independent media organizations, such as TV Rain, The Insider, Novaya Gazeta, The Moscow Times,\r\nMediazona, DOXA, as well as human rights NGOs, like Memorial, OVD-Info, Golos, Sakharov Center, and many\r\nothers, have likewise faced escalating persecution in recent years, especially since Russia’s 2022 full scale\r\ninvasion of Ukraine. They have been targeted under various designations, blocked, banned, and disbanded. \r\nIn addition, Meduza, like many other Russian independent media and human rights organizations, was also\r\nheavily impacted by tech and financial companies’ over-compliance with sanctions against Russia. Blocked and\r\ncriminalized in its own country, Meduza was unable to receive donations from supporters inside Russia due to\r\nWestern payment services pulling out. Despite the enormous financial challenges, the organization continued to do\r\nits work. \r\nHorrifically, Russian independent journalists have also faced suspected poisoning attacks while seeking refuge in\r\nEurope. In October 2022, Elena Kostyuchenko, Novaya Gazeta and Meduza journalist, was allegedly poisoned in\r\nGermany. Her symptoms were similar to those experienced by other Russian journalists, activists, and dissidents\r\ncriticizing Putin’s regime.\r\n// Who is behind this Pegasus attack? \r\nPegasus is designed to obfuscate which government is behind a particular attack, making it difficult for us to\r\nattribute. However, based on NSO Group’s assertion that Pegasus is only sold to state agencies and the available\r\ntechnical and circumstantial evidence, there are several theories of which state is likely behind the attack.\r\nMeduza’s host state, Latvia, could have been responsible, as they appear to be a Pegasus customer. However,\r\naccording to the Citizen Lab, there has not been any indication of Latvia using Pegasus to spy outside of its\r\nborders. Germany, where Timchenko was staying at the time of her phone’s infection, is another potential culprit,\r\nas they also appear to be a Pegasus customer, although the reported German customer is a police agency, rather\r\nthan an intelligence agency. Two other reported European Pegasus customers, the Netherlands’ General\r\nIntelligence and Security Service (AIVD) and an unnamed Estonian government agency, appear to use Pegasus\r\nextensively outside their borders, including within multiple European countries, according to the Citizen Lab.\r\nWhile there are claims that NSO Group does not allow Estonia to target Russian phone numbers, Timchenko’s\r\nphone number has a Latvian country code (+371).\r\nThe E.U. PEGA Committee revealed at least 14 E.U. states and 22 operators of Pegasus in the E.U. In fact, just\r\ntwo months before Timchenko’s phone was infected, Latvia declared another independent media organization in\r\nexile — TV Rain — to be “a threat to the national security and public order” and canceled its license. This\r\ndecision was criticized by the Latvian Association of Journalists as “disproportionate.” Other E.U. leaders, like the\r\npresident of the Czech Republic, Petr Pavel, have publicly stated that all Russians living in the West should be put\r\nhttps://www.accessnow.org/publication/hacking-meduza-pegasus-spyware-used-to-target-putins-critic/\r\nPage 2 of 4\n\nunder “strict surveillance” as the price of Russia’s war against Ukraine. The public pressure on E.U. leaders to\r\ndemonstrate support for Ukraine in the face of Russia’s aggression may be deepening the risks for Russian\r\nindependent media groups like Meduza that are already in danger because they seek to hold Putin accountable. \r\nAnother possibility is that states with ties to Russia that are suspected Pegasus users — Azerbaijan, Kazakhstan, or\r\nUzbekistan — may have hacked Meduza on behalf of Russia. In May 2023, an investigation by Access Now and\r\npartners revealed that Azerbaijan is a potential culprit behind the targeting of media workers and other civil\r\nsociety actors in Armenia. Notably, Kazakhstan itself has blocked Meduza over a controversial article. However,\r\naccording to the Citizen Lab, there is no evidence of Azerbaijan or Kazakhstan targeting people in Germany,\r\nLatvia, or other E.U. states. Also, Uzbekistan is not believed to have been a Pegasus customer during the period in\r\nquestion.\r\nFinally, as we have seen with the state targeting of independent media and journalists in countries from El\r\nSalvador to Hungary, it is possible Timchenko’s own government — Russia — is behind the hacking. As we have\r\nnoted, the attack happened just two weeks after Russia designated Meduza an “undesirable organization,” which,\r\nunlike the “foreign agent” designation, immediately criminalizes all activities of an organization, requiring it to\r\nshut down. Meduza also experienced a spike in digital attacks in February 2023; for example, attackers blocked\r\nmirror websites, and engaged in phishing and other efforts to compromise user accounts. However, according to\r\nthe Citizen Lab, there is currently no evidence that the Russian government is operating the Pegasus system.\r\nExperts on Russia’s intelligence services, like journalist Andrei Soldatov, are not convinced that Russia has been\r\nusing Pegasus. \r\n// Spyware violates human rights and international humanitarian law\r\nWhether during war or peace, surveillance of journalists and independent media by intrusive spyware like Pegasus\r\nis prohibited under E.U law, international human rights law, and international humanitarian law. \r\nSophisticated spyware like Pegasus, which bypasses encryption and takes full control of the victim’s phone,\r\nincluding access to photos, messages, and contacts, as well as the phone’s camera and microphone, represents an\r\nexistential threat to journalists and media freedom globally. Such spyware jeopardizes journalists’ ability to safely\r\ndo their work and protect the confidentiality of their sources. Civil society has documented that it can also\r\nfacilitate domestic and transnational repression and serious human rights violations, including torture, enforced\r\ndisappearance, and extrajudicial killings, such as the murder of the Washington Post journalist Jamal Khashoggi.\r\nUN officials, the European Parliament, the European Data Protection Supervisor, and civil society actors from\r\naround the world have widely condemned the use of spyware against journalists and human rights defenders. The\r\nU.S. government has placed NSO Group and other spyware makers on its Entity List and has banned the federal\r\ngovernment from using certain commercial spyware due to the severe human rights and national security risks.\r\nThe International Committee for Red Cross and Red Crescent (ICRC) experts have stated that the use of spyware\r\nagainst civilians in a context of conflict “exposes civilians to harm, affects their rights, safety, and dignity.”\r\n// Call for action\r\nAll States\r\nhttps://www.accessnow.org/publication/hacking-meduza-pegasus-spyware-used-to-target-putins-critic/\r\nPage 3 of 4\n\n➡️ Implement an immediate moratorium on the export, sale, transfer, servicing, and use of targeted digital\r\nsurveillance technologies until rigorous human rights safeguards are put in place to regulate such practices;\r\n➡️ Where there is evidence that commercial spyware technology facilitates or enables human rights abuses,\r\nimplement a ban on said technology and its vendors;\r\n➡️ Hold the companies who develop and distribute these technologies, and their investors, accountable for their\r\nfailure to respect human rights and for the role they play in enabling abusive end uses, and demand transparency\r\nfrom said companies around their clients and practices, in particular regarding their data collection and processing\r\npractices;\r\n➡️ Reaffirm protections for all journalists and media workers and safeguard press freedom, by recognizing that\r\njournalists and media workers are not legitimate surveillance targets for practicing their work;\r\n➡️ Ensure prompt, impartial, and independent investigation into the hacking allegations and establish\r\naccountability and remedy mechanisms for surveillance victims;\r\n➡️ Fully cooperate with European Court of Human Rights, the UN, and all regional and international\r\ninvestigative bodies and accountability mechanisms with respect to investigation of Pegasus hacking and other\r\nunlawful surveillance;\r\n➡️\r\nImpose sanctions on NSO, its staff, and all of their technologies as a threat to human rights, media freedom, peace,\r\nand security.\r\nRussia (in addition to the recommendations for all other states)  \r\n➡️ End its illegal aggression against Ukraine and attacks on independent media, civil society, and regime critics in\r\nRussia and in exile;\r\n➡️ Comply with international human rights obligations, including in relation to the rights of freedom of\r\nexpression, peaceful assembly, and association. This includes ending all digital and physical repression including\r\ncensorship, surveillance, designation of organizations as foreign agents, undesirable, terrorist/extremist,\r\ncriminalization of protected speech, and targeting and incarceration of political prisoners, as well as revoking the\r\nlaws that enable this repression.\r\nIf you are a journalist, activist, human rights defender, or another member of civil society, and you suspect you\r\nmay be a victim of spyware, please contact Access Now’s Digital Security Helpline at help@accessnow.org (we\r\nspeak Russian and Ukrainian, among other languages). \r\nIf you want to support Meduza, join their crowdfunding campaign. \r\nSource: https://www.accessnow.org/publication/hacking-meduza-pegasus-spyware-used-to-target-putins-critic/\r\nhttps://www.accessnow.org/publication/hacking-meduza-pegasus-spyware-used-to-target-putins-critic/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.accessnow.org/publication/hacking-meduza-pegasus-spyware-used-to-target-putins-critic/"
	],
	"report_names": [
		"hacking-meduza-pegasus-spyware-used-to-target-putins-critic"
	],
	"threat_actors": [],
	"ts_created_at": 1775439007,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3268e661afe0554b3640594846a6ab8f2abb7c20.pdf",
		"text": "https://archive.orkl.eu/3268e661afe0554b3640594846a6ab8f2abb7c20.txt",
		"img": "https://archive.orkl.eu/3268e661afe0554b3640594846a6ab8f2abb7c20.jpg"
	}
}