{
	"id": "8221133b-c300-4c22-9de6-2beb29d2eef9",
	"created_at": "2026-04-06T00:21:18.776309Z",
	"updated_at": "2026-04-10T13:12:02.649019Z",
	"deleted_at": null,
	"sha1_hash": "57eea08139105ed1265a486d58918b6cf88ddd05",
	"title": "Breaking the News: New York Times Journalist Ben Hubbard Hacked with Pegasus After Reporting on Previous Hacking Attempts - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 991682,
	"plain_text": "Breaking the News: New York Times Journalist Ben Hubbard\r\nHacked with Pegasus After Reporting on Previous Hacking\r\nAttempts - The Citizen Lab\r\nArchived: 2026-04-05 14:38:38 UTC\r\nOpens in a new window Opens an external site Opens an external site in a new window\r\nContents\r\nKey Findings\r\n1. Background: NSO Group’s Zero-Click iPhone Hacking Capabilities\r\n2. The 2021 Pegasus Hack of Ben Hubbard\r\n3. The 2020 Pegasus Hack of Ben Hubbard\r\n4. The 2018 Pegasus Artifacts on Hubbard’s Phone\r\n5. Conclusion\r\nKey Findings\r\nNew York Times journalist Ben Hubbard was repeatedly targeted with NSO Group’s Pegasus spyware over\r\na three-year period from June 2018 to June 2021. The targeting took place while he was reporting on Saudi\r\nArabia, and writing a book about Saudi Crown Prince Mohammed bin Salman.\r\nThe targeting resulted in Pegasus infections in July 2020 and June 2021. Notably, these infections occurred\r\nafter Hubbard complained to NSO Group that he was targeted by the Saudi-linked KINGDOM Pegasus\r\noperator in June 2018.\r\nWhile we attribute the 2020 and 2021 infections to NSO Group’s Pegasus spyware with high confidence,\r\nwe are not conclusively attributing this activity to a specific NSO Group customer at this time. However,\r\nwe believe that the operator responsible for the 2021 hack is also responsible for the hacking of a Saudi\r\nactivist in 2021.\r\nSome forensic artifacts that we connect to NSO Group are present on Hubbard’s device as early as April\r\n2018, although we are unable to confirm whether this represents a genuine infection attempt or a feasibility\r\ntest.\r\nA phone number belonging to Hubbard also reportedly appeared on the Pegasus Project list in July 2019.\r\nUnfortunately, forensic evidence is not available for this timeframe.\r\n1. Background: NSO Group’s Zero-Click iPhone Hacking Capabilities\r\nMultiple reports indicate that NSO Group has used and demonstrated zero-click iPhone exploits since at least\r\n2017. A Haaretz story cited a June 2017 zero-click iPhone demo to the Saudi Government, and a 2018\r\nMotherboard article described a different zero-click iPhone demonstration. Meanwhile, in 2019, WhatsApp\r\nhttps://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/\r\nPage 1 of 6\n\nannounced that NSO Group had been exploiting WhatsApp video calling functionality to conduct zero-click\r\ninfections of Android devices. \r\nWinter 2019: iMessage Zero-Click Activity\r\nWe first observed a Pegasus zero-click attack directed against an iPhone in December 2019 when we began\r\nrunning VPNs on the phones of potentially targeted users. We were not able to recover any logs from the targeted\r\nphone at that time, so we are unsure of the precise exploit used.\r\nSummer 2020: The KISMET Exploit (iOS 13.5.1 and iOS 13.7)\r\nThis was followed by the KISMET zero-click exploit which NSO customers widely deployed starting in July 2020\r\nagainst iOS 13.5.1 and later against iOS 13.7. The iOS14 update apparently blocked exploitation of KISMET.\r\n2021: The FORCEDENTRY Exploit (iOS 14.x until 14.7.1)\r\nNSO Group customers began using the FORCEDENTRY exploit as early as February 2021. NSO Group\r\ncustomers were continuing to deploy FORCEDENTRY against iPhones running iOS versions through 14.7.1 as of\r\nSeptember 2021. We captured the FORCEDENTRY exploit and disclosed it to Apple in September 2021. Apple\r\npatched FORCEDENTRY in iOS 14.8, six days after our disclosure. Amnesty Tech also saw traces associated\r\nwith this exploit during forensic analyses they performed as part of the Pegasus Project.\r\n2. The 2021 Pegasus Hack of Ben Hubbard\r\nWe conclude with high confidence that an iPhone belonging to Hubbard was successfully hacked with NSO\r\nGroup’s Pegasus spyware on June 13, 2021, with the infection process starting around 15:45:20 GMT.\r\nDetails from Hack of Saudi Activist\r\nWe recovered the FORCEDENTRY exploit from a backup of a Saudi activist’s iPhone. The FORCEDENTRY\r\nexploit was delivered to the Saudi activist’s phone in 31 iMessage attachments sent from the iMessage account\r\n[EMAIL ADDRESS 1], based on an analysis of the activist’s phone logs, including their\r\ncom.apple.identityservices.idstatuscache.plist file. The FORCEDENTRY exploit was used to deploy NSO\r\nGroup’s Pegasus spyware onto the phone of the Saudi activist, and this process involved a file dropped into the\r\nLibrary/Caches folder.\r\nhttps://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/\r\nPage 2 of 6\n\nWe believe that iMessage accounts used to deliver Pegasus, like [EMAIL ADDRESS 1], are used exclusively for\r\nthis purpose, as other elements of NSO Group’s Pegasus infrastructure, such as infection servers and command-and-control servers, are used exclusively in relation to Pegasus and not for any other uses.\r\nSimilarities Between Hubbard’s Phone and Phone of Saudi Activist\r\nHubbard’s com.apple.identityservices.idstatuscache.plist file shows that the same iMessage account\r\n[EMAIL ADDRESS 1] communicated with his phone at June 13, 2021 15:45:20 GMT, about five minutes before\r\na file was dropped in or deleted from the Library/Caches folder, and at least 41 iMessage attachments were\r\ndeleted. Additionally, three items were deleted from Hubbard’s DataUsage.sqlite file, leaving a gap in the\r\nsequence of Z_PK values in the ZPROCESS table. The deleted items all had timestamps greater than June 9, 2021\r\n11:56:46 GMT and less than June 16, 2021 8:46:17 GMT. Based on this pattern of facts, we conclude with high\r\nconfidence that Hubbard’s iPhone was hacked with NSO Group’s Pegasus spyware on June 13, 2021 15:45:20\r\nGMT.\r\n3. The 2020 Pegasus Hack of Ben Hubbard\r\nWe conclude with high confidence that an iPhone belonging to Hubbard was successfully hacked with NSO\r\nGroup’s Pegasus spyware on July 12, 2020, with the infection process starting around 16:46:01 GMT.\r\nDataUsage.sqlite Artifact\r\nWe found that Ben Hubbard’s DataUsage.sqlite file showed that process name bh was active on July 13,\r\n2020 16:46:01. This process name is consistent with NSO Group’s Pegasus spyware, which uses the bh process\r\nname apparently as an abbreviation for “bridgehead,” which appears to be a term of art referring to an initial stage\r\nof a malicious payload. A subsequent backup of Hubbard’s phone taken in July 2021 (after the 2021 Pegasus hack\r\nof his phone) shows that this bh entry was deleted from DataUsage.sqlite , leaving a gap in the sequence of\r\nZ_PK values in the ZPROCESS table.\r\nWe found that attachments for at least 13 iMessages were deleted at July 12, 2020 16:45:55, several seconds\r\nbefore the DataUsage.sqlite artifact, indicating iMessage as the likely vector for Pegasus in this case. NSO Group\r\ncustomers were widely deploying the KISMET zero-click iMessage exploit at this time to hack target phones.\r\nHIPPOCRENE FACTOR Present on Hubbard’s Phone\r\nhttps://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/\r\nPage 3 of 6\n\nHubbard’s phone logs show a sign of Pegasus infection that we call the HIPPOCRENE FACTOR. A careful\r\nanalysis of Hubbard’s logs indicates that the HIPPOCRENE FACTOR was introduced onto Hubbard’s phone\r\nsometime after January 29, 2020 and before December 14, 2020. We have attributed the HIPPOCRENE FACTOR\r\nto NSO Group’s Pegasus spyware with high confidence, though we are not describing additional technical details\r\nof the HIPPOCRENE FACTOR here, in order to maintain visibility into NSO Group’s spyware.\r\n4. The 2018 Pegasus Artifacts on Hubbard’s Phone\r\nWe conclude with high confidence that a Pegasus operator, KINGDOM, sent Hubbard SMS and WhatsApp\r\nmessages in June 2018 containing links that, if clicked, would have infected his phone with NSO Group’s Pegasus\r\nspyware. We also noted that an Apple account that we believe is linked to Pegasus contacted Hubbard’s phone in\r\nApril 2018, but we could not determine if this represented an infection attempt.\r\nAn Odd Email Address is Looked Up\r\nThe com.apple.identityservices.idstatuscache.plist files on Hubbard’s phones records that an NSO Group\r\nsystem likely reached out to Hubbard’s phone on April 4, 2018 using Apple’s Thumper cloud calling feature. The\r\noutreach was via an Apple account with the email address [EMAIL ADDRESS 2]. It is presently unclear if this\r\noutreach was a bona fide hacking attempt, or simply a targeted feasibility test to see whether Hubbard’s phone\r\ncould have been hacked with Pegasus. Amnesty Tech observed that the presence of an unfamiliar email address\r\nlooked up by the Thumper cloud calling feature was sometimes correlated with Pegasus hacking.\r\nKINGDOM Pegasus Messages from 2018\r\nWe previously documented that Hubbard received a Pegasus SMS on June 21, 2018 from KINGDOM, a Pegasus\r\noperator that we link to the Kingdom of Saudi Arabia with high confidence. Though NSO Group issued an off-the-record denial that the link sent to Hubbard was related to them, we still connect the link to NSO Group with high\r\nconfidence. Hubbard’s phone also shows a KINGDOM Pegasus WhatsApp message sent on June 2, 2018 8:54:42\r\nPM GMT (Table 1). The message is largely identical to a Pegasus message targeted at an Amnesty International\r\nstaffer in 2018.\r\nhttps://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/\r\nPage 4 of 6\n\nMr Ben Hubbard is it possible for you to cover [a\r\ndemonstration] for your brothers detained in Saudi\r\nArabia in front of the Saudi Embassy in Washington\r\n[DC]?\r\nMy brother is detained during Ramadan, and I am on\r\na scholarship there, so please do not associate me\r\nwith the topic\r\nhttps://akhbar-arabia[.]com/caMVTXn\r\nCover the demonstration now, it will start in less than\r\nan hour\r\nWe need your support please\r\nاستاذ بن هربد هل باالمكان عمل تغطية الخوانك\r\nالمعتقلني في سجون السعودية امام السفارة\r\nالسعودية في واشنطن\r\nانا اخوي معتقل في رمضان وانا مبتعثه هناك\r\nفارجو ان ال يتم ارتباطي بالموضوع\r\nhttps://akhbar-arabia[.]com/caMVTXn\r\nتغطية للمظاهرات االن وستبدا بعد اقل من\r\nساعه\r\nمحتاجني دعمك لو سمحت\r\nTable 1\r\nThe KINGDOM Pegasus WhatsApp message sent to Hubbard on June 2, 2018.\r\n5. Conclusion\r\nHubbard was repeatedly subjected to targeted hacking with NSO Group’s Pegasus spyware. The hacking took\r\nplace after the very public reporting in 2020 by Hubbard and the Citizen Lab that he had been a target. The case\r\nstarkly illustrates the dissonance between NSO Group’s stated concerns for human rights and oversight, and the\r\nreality: it appears that no effective steps were taken by the company to prevent the repeated targeting of a\r\nprominent American journalist’s phone.\r\nThe hacking of a New York Times’ reporter adds to a long list of documented cases of journalists being targeted or\r\nhacked using NSO Group’s Pegasus spyware:\r\nIn December 2020, the Citizen Lab published a report outlining how the personal phones belonging to 36\r\njournalists, producers, anchors, and executives at Al Jazeera, and a personal phone of a journalist at\r\nLondon-based Al Araby TV, were hacked with Pegasus spyware.\r\nAmnesty International’s Security Lab verified that Sevinc Vaqifqizi, a freelance journalist for independent\r\nmedia outlet Meydan TV, had his phone infected with Pegasus in early 2021.\r\nAmnesty also confirmed that the devices of Siddharth Varadarajan and MK Venu, co-founders of India’s\r\nthe Wire, were infected with Pegasus as recently as June 2021.\r\nOn August 2, 2021, French intelligence investigators confirmed that forensic traces associated with NSO\r\nGroup’s Pegasus spyware had been detected on three French journalists’ phones.\r\nIn September 2021, the Citizen Lab confirmed that the phone of Dániel Németh, a photojournalist working\r\nout of Budapest, was also hacked with Pegasus spyware, with the forensic analysis independently verified\r\nby Amnesty’s Security Lab.\r\nPrior Citizen Lab research has documented targeted espionage against journalists and civic media using\r\nPegasus spyware in cases involving Saudi Arabia and Mexico.\r\nhttps://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/\r\nPage 5 of 6\n\nThe extensive and routine abuse of Pegasus spyware to hack journalists is a direct threat to press freedom\r\nworldwide, and is contributing to a growing chilling climate for investigative journalism. As a recent report by the\r\nCenter for International Media Assistance notes, “[t]he use of spyware poses safety risks to journalists and their\r\nsources, encourages self-censorship, and creates new financial and operational strains for news outlets.” Until\r\nsteps are taken to rein in the mercenary commercial spyware marketplace, repressive governments will continue to\r\nexploit products like NSO Group’s Pegasus spyware to undermine independent journalism that seeks to hold them\r\nto account.\r\nAcknowledgements\r\nThanks to Adam Senft and Miles Kenyon for editorial assistance and support. Thanks to the anonymous peer\r\nreviewers.\r\nSource: https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/\r\nhttps://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/\r\nPage 6 of 6\n\nrunning VPNs phone at that on the phones time, so we are of potentially unsure of the precise targeted users. We exploit used. were not able to recover any logs from the targeted\nSummer 2020: The KISMET Exploit (iOS 13.5.1 and iOS 13.7)  \nThis was followed by the KISMET zero-click exploit which NSO customers widely deployed starting in July 2020\nagainst iOS 13.5.1 and later against iOS 13.7. The iOS14 update apparently blocked exploitation of KISMET.\n2021: The FORCEDENTRY Exploit (iOS 14.x until 14.7.1)  \nNSO Group customers began using the FORCEDENTRY exploit as early as February 2021. NSO Group\ncustomers were continuing to deploy FORCEDENTRY against iPhones running iOS versions through 14.7.1 as of\nSeptember 2021. We captured the FORCEDENTRY exploit and disclosed it to Apple in September 2021. Apple\npatched FORCEDENTRY  in iOS 14.8, six days after our disclosure. Amnesty Tech also saw traces associated\nwith this exploit during forensic analyses they performed as part of the Pegasus Project. \n2. The 2021 Pegasus Hack of Ben Hubbard   \nWe conclude with high confidence that an iPhone belonging to Hubbard was successfully hacked with NSO\nGroup’s Pegasus spyware on June 13, 2021, with the infection process starting around 15:45:20 GMT.\nDetails from Hack of Saudi Activist    \nWe recovered the FORCEDENTRY exploit from a backup of a Saudi activist’s iPhone. The FORCEDENTRY \nexploit was delivered to the Saudi activist’s phone in 31 iMessage attachments sent from the iMessage account\n[EMAIL ADDRESS 1], based on an analysis of the activist’s phone logs, including their \ncom.apple.identityservices.idstatuscache.plist   file. The FORCEDENTRY exploit was used to deploy NSO\nGroup’s Pegasus spyware onto the phone of the Saudi activist, and this process involved a file dropped into the\nLibrary/Caches folder.     \n   Page 2 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/"
	],
	"report_names": [
		"breaking-news-new-york-times-journalist-ben-hubbard-pegasus"
	],
	"threat_actors": [],
	"ts_created_at": 1775434878,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/57eea08139105ed1265a486d58918b6cf88ddd05.pdf",
		"text": "https://archive.orkl.eu/57eea08139105ed1265a486d58918b6cf88ddd05.txt",
		"img": "https://archive.orkl.eu/57eea08139105ed1265a486d58918b6cf88ddd05.jpg"
	}
}