{
	"id": "78e58831-d300-4022-a5ab-7d1a3954e72e",
	"created_at": "2026-04-06T01:30:50.245265Z",
	"updated_at": "2026-04-10T03:21:21.256589Z",
	"deleted_at": null,
	"sha1_hash": "5295c58c3fd7ae04f948e48691be6289b5b1e56a",
	"title": "The inside view of spyware’s 'dirty interference,' from two recent Pegasus victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 377171,
	"plain_text": "The inside view of spyware’s 'dirty interference,' from two recent\r\nPegasus victims\r\nBy Suzanne Smalley\r\nPublished: 2024-06-25 · Archived: 2026-04-06 01:08:08 UTC\r\nAndrei Sannikov challenged longtime Belarusian dictator Aleksandr Lukashenko in the country’s 2010 national\r\nelections, a move that landed him in jail for 16 months, provoked threats that his young son would be taken by the\r\nstate and led him to flee the country after his release from prison due to death threats.\r\nSannikov has spent every day since his escape trying to undermine Lukashenko, leading a campaign promoting\r\nthe integration of Belarus into the European Union by writing books, speaking at universities and attending\r\nconferences with other freedom fighters.\r\n“My goal is to go back to a free Belarus,” said Sannikov, who now lives in exile in Poland.\r\nPerhaps it’s no surprise, then, that Sannikov is one of seven Russian- and Belarusian-speaking activists and\r\njournalists living in exile whose phones were recently discovered to have been targeted by or fully infected with\r\npowerful commercial spyware known as Pegasus, according to a recent report published by the digital civil rights\r\ngroup Access Now. \r\nFive of the seven victims’ devices were infected with Pegasus, while two others had an attempted breach or, in one\r\ncase, could not be confirmed with an infection.\r\nThe findings about Sannikov and the six other victims are part of a broader ongoing probe into Pegasus attacks\r\nagainst similar people in the region, Recorded Future News has learned. The powerful spyware has become a\r\nthreat to activists, political opposition figures and journalists around the globe as authoritarian and even many\r\ndemocratic governments deploy it outside its intended use for fighting crime and terrorism.\r\nSannikov worries about Pegasus, he said in an interview, because “there are no effective means to prevent it and to\r\nfight it.”\r\n“If the software spreads then we will be vulnerable in every part of the world,” he added.\r\nAnother of the seven victims to speak with Recorded Future News, Evgeny Erlikh, works in Latvia on a U.S.-\r\nfunded Radio Free Europe/Radio Liberty news program designed for a Russian-speaking audience. He believes he\r\nis likely one of several additional and so far mostly unknown Latvia-based journalists to be hit with Pegasus.\r\nDigital forensic researchers are now studying the devices of other potential victims with similar profiles,\r\naccording to Natalia Krapiva, senior tech legal counsel at Access Now. \r\nEven as Pegasus is showing up on an increasing number of phones belonging to civil-society organizations and\r\nindividuals, experts and victims say they are bracing for usage of the powerfully invasive spyware to grow\r\nhttps://therecord.media/pegasus-spyware-victims-sannikov-erlikh\r\nPage 1 of 7\n\nexponentially. \r\nThe newly discovered infections are just the “tip of the iceberg,” Sannikov said, echoing Ehrlikh’s contention that\r\nmany victims in his community likely remain unknown.\r\nThe tip of the iceberg\r\nSix of the seven new victims received Apple threat notifications, which are warnings that say an iPhone may have\r\nbeen targeted by mercenary spyware. The alerts are sent to users by email and iMessage as well as in a red-lettered\r\ndisplay after they sign into their device with their Apple ID. \r\nSannikov did not receive a threat notification from Apple and instead learned of the infection when he turned over\r\nhis phone for a free security check offered at a large conference he attended in November 2023. \r\n“It was quite a coincidence that I submitted my phone,” Sannikov said.\r\nThe random nature of the discovery of Pegasus on his phone suggests to him that a much larger number of\r\nBelarusian and Russian opposition leaders and journalists could unknowingly own infected devices, he said. Still\r\nothers may have been breached but chosen not to go public.\r\n“There might be hundreds or even thousands of cases because I spoke to the people, especially those who are in\r\nthe opposition and Russian and Belarusian journalists, and they said that they were hacked and they were\r\ninfected,” he said.\r\nDigital forensic researchers found Sannikov’s phone was compromised in September 2021 at a time when the\r\nopposition leader said he was attending a prominent conference in Poland. A large number of opposition\r\npoliticians, journalists, civil society activists and major public figures were among the 5,000-plus attendees.\r\n\"For me, it was clearly a very dirty interference in my private life.\"\r\n— Andrei Sannikov\r\nA seasoned activist, Sannikov said he doesn’t trust any electronics and never discusses sensitive work-related\r\ninformation on his phone or computer.\r\nHis personal communications are a different story.\r\n“It was creepy,” he said in an interview. “There were a lot of personal conversations which are not meant for\r\nanybody's ears. … For me, it was clearly a very dirty interference in my private life.”\r\nA spokesperson for the NSO Group said that it cannot confirm or deny specific customers for regulatory reasons,\r\nbut did reiterate that it does not sell Pegasus to Russia or its allies.\r\n“NSO complies with all laws and regulations and sells only to vetted intelligence and law enforcement agencies,”\r\nthe spokesperson said via email. “Our customers use these technologies daily to prevent crime and terror attacks.”\r\nA chilling effect\r\nhttps://therecord.media/pegasus-spyware-victims-sannikov-erlikh\r\nPage 2 of 7\n\nSannikov doesn’t think it is random that his phone was breached when he was at a conference mingling with\r\npoliticians, journalists and other public figures. \r\nThe larger pattern supports his thesis: Four of the seven newly revealed victims were attacked or infected\r\nimmediately before, while or after attending similar conferences, meetings or, in one case, a press conference with\r\na Belarusian opposition leader.\r\nLast February, an iPhone belonging to Galina Timchenko, a prominent Kremlin critic, also was compromised on\r\nthe eve of a gathering with like-minded journalists, according to digital forensics researchers. Timchenko, the\r\nowner of the independent Latvia-based news organization Meduza, was infected the day before she attended a\r\nprivate meeting in Berlin with other exiled Russian-speaking reporters, the researchers said.\r\n“Pegasus creates a chilling effect on human rights by making journalists and activists scared to talk to their\r\nsources and attend human rights conferences out of fear they are being surveilled,” said Krapiva of Access Now.\r\nThe software allows astonishing access to devices. It is typically zero-click — meaning that a recipient’s device\r\nonly needs to receive the file for it to be activated — and once installed can activate a phone’s microphone and\r\ncamera, allowing Pegasus operators to not only access emails, text messages, live phone conversations and call\r\nhistories belonging to a given phone’s owner, but also spy on bystanders who are speaking with a victim whose\r\nphone is nearby.\r\nIt is impossible to know with certainty that a device is infected with advanced commercial spyware without\r\nhaving it checked by experts. Sometimes even they can’t detect infections. With advanced commercial spyware,\r\nexperts say, we don’t know what we don’t know.\r\nWhile it is unclear who is responsible for any of the seven new attacks, five of the seven devices analyzed in the\r\nnew report “recorded Apple IDs used by Pegasus operators in their hacking attempts,” according to researchers\r\nfrom The Citizen Lab, a University of Toronto-based digital security and human rights research group, which\r\nworked with Access Now investigating the digital forensics of the attacks.\r\n“The targeting timeframe, victim profiles, and overlap of operator Apple IDs suggest (but do not prove) the\r\npossibility that a single actor is responsible for these five attacks,” a Citizen Lab blog post said.\r\nA Latvian connection?\r\nThere is no evidence that Russia or Belarus are Pegasus customers, and Poland stopped using the spyware in\r\n2021, Access Now says.\r\nLatvia appears to use the spyware but is not known for deploying it against people in other countries, according to\r\nthe researchers, who also said that neighboring Baltic nation Estonia coordinates with Latvia and Lithuania on\r\nsecurity matters and does use Pegasus extensively across Europe.\r\nErlikh, the journalist who produces a Radio Free Europe/Radio Liberty news show, worked for years in Russia,\r\nincluding as a correspondent in Chechnya. His phone was found to be infected with Pegasus in 2023.\r\nhttps://therecord.media/pegasus-spyware-victims-sannikov-erlikh\r\nPage 3 of 7\n\nEvgeny Erlikh at a press conference in Latvia in 2015. Image courtesy of Evgeny Erlikh\r\nHe thinks it is notable that he, Timchenko and a third victim named in the new report, Maria Epifanova, were\r\namong the first Russian journalists to move to Latvia and establish offices in Riga, all around 2014 when Russia\r\nannexed Crimea and invaded Ukraine for the first time. \r\nAround then, Erlikh says, Baltic countries like Latvia started worrying they might be the next victims of Russian\r\naggression.\r\nAn iPhone belonging to Epifanova, general director of Novaya Gazeta Europe, a Russian language outlet, was\r\ninfected on or around August 18, 2020, which is the “earliest known use” of Pegasus to target Russian civil\r\nsociety, according to Access Now. The infection coincided with Epifanova seeking accreditation to attend a press\r\nconference hosted by a prominent Belarusian opposition leader. \r\n“Maybe Latvian intelligence had to check the validity of foreign Russian opposition journalists to ensure they\r\nwere not Russian spies,” Erlikh told Recorded Future News. \r\n“Perhaps someone wanted to use us to infiltrate the local community of Russian-speaking, emigrant, opposition\r\njournalists to understand who they are, what they say, and whether there are any dubious characters among them,”\r\nhe added.\r\nErlikh said his Pegasus infection hasn’t made him feel less safe in Latvia, but has “made us realize that apparently\r\nthey [Latvian state officials] are noticing us.”\r\nHe called the recently surfaced cases “just a drop in the ocean.”\r\n“If those behind the infection really wanted to know how Russian opposition journalists live in exile, then there\r\nare many, many more such infections,” Erlikh said. “Right now, we’re talking about the visible part.”\r\nA spokesperson for the Latvian Embassy in Washington said via email that spyware is an international problem\r\nand emphasized that Pegasus can be installed from any location despite the fact that the impacted journalists are\r\nbased in Latvia.\r\nhttps://therecord.media/pegasus-spyware-victims-sannikov-erlikh\r\nPage 4 of 7\n\n“In Latvia, wiretapping and other operational activities are regulated by the Operational Activities Law,” the\r\nspokesperson said. “Wiretapping is carried out only with a permission issued by the judges of the Supreme Court\r\nof Latvia.” \r\n“Security agencies do not publicly comment on the methods used in their operations,” the spokesperson added.\r\nA dangerous technology spreads\r\nThe NSO Group says it only sells Pegasus to vetted law enforcement and intelligence agencies that agree to use\r\nthe technology to investigate legitimate targets, but the company won’t divulge any further information —\r\nincluding which national governments are customers. However, in recent years Pegasus has been found on devices\r\nbelonging to members of civil society or political opposition leaders in Spain, Greece, Hungary, Poland, India, El\r\nSalvador, Thailand and Latvia, among many other countries. \r\nIn February, a random security check of iPhones belonging to European Parliament members and staff turned up\r\ntraces of spyware on devices belonging to two members and an adviser  working on the body’s Subcommittee on\r\nSecurity and Defense, highlighting the likelihood that some people who do not undergo random checks may\r\nunknowingly be victims of attempted hacks or infections.\r\nPolish officials announced in April that nearly 600 people, some of whom were opposition politicians and their\r\nsupporters, were targeted with Pegasus between 2017 and 2022. The mass surveillance effort is now being probed\r\nby Poland’s national prosecutor. \r\n“These cases raise troubling questions, especially against the backdrop of Europe's puzzlingly poor track record\r\non mercenary spyware accountability and transparency,” said John Scott-Railton, a senior researcher at The\r\nCitizen Lab.\r\nIn a June 14 court filing, NSO Group said it believes members of political opposition are legitimate Pegasus\r\ntargets because they are “senior political operatives” and can be probed for “legitimate intelligence\r\ninvestigations.”\r\nCalling himself “the last person who should be hacked,” Erlikh, like Sannikov, focused on the intrusion into his\r\npersonal life.\r\n“Maybe they learned what color my underwear is,” he said. “Maybe such intimate details are now known to\r\nthem.”\r\nVowing not to be silenced, Erlikh said he won’t stop doing work that draws the attention of those in power. \r\n“They could not intimidate us,” he said. “We are not scared.”\r\nEditor's Note: Story updated June 26 with a statement from the Latvian Embassy in Washington. \r\nhttps://therecord.media/pegasus-spyware-victims-sannikov-erlikh\r\nPage 5 of 7\n\nNo previous article\r\nNo new articles\r\nSuzanne Smalley\r\nis a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was\r\npreviously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police\r\nDepartment for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington\r\nwith her husband and three children.\r\nhttps://therecord.media/pegasus-spyware-victims-sannikov-erlikh\r\nPage 6 of 7\n\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/pegasus-spyware-victims-sannikov-erlikh\r\nhttps://therecord.media/pegasus-spyware-victims-sannikov-erlikh\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/pegasus-spyware-victims-sannikov-erlikh"
	],
	"report_names": [
		"pegasus-spyware-victims-sannikov-erlikh"
	],
	"threat_actors": [],
	"ts_created_at": 1775439050,
	"ts_updated_at": 1775791281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5295c58c3fd7ae04f948e48691be6289b5b1e56a.pdf",
		"text": "https://archive.orkl.eu/5295c58c3fd7ae04f948e48691be6289b5b1e56a.txt",
		"img": "https://archive.orkl.eu/5295c58c3fd7ae04f948e48691be6289b5b1e56a.jpg"
	}
}