{
	"id": "a0dda9c6-fd6c-4008-ba59-844a957223f2",
	"created_at": "2026-04-06T00:08:43.794352Z",
	"updated_at": "2026-04-10T03:23:52.26329Z",
	"deleted_at": null,
	"sha1_hash": "5f03aafc2e906335e7f21a84a0aba302a572d060",
	"title": "Nothing Sacred: Religious and Secular Voices for Reform in Togo Targeted with NSO Spyware - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1879222,
	"plain_text": "Nothing Sacred: Religious and Secular Voices for Reform in Togo\r\nTargeted with NSO Spyware - The Citizen Lab\r\nBy Authoritarianism, Violence \u0026 Surveillance in Togo\r\nArchived: 2026-04-05 19:01:21 UTC\r\nThis Research Note identifies NSO Spyware targeting in Togo originating from the 2019 WhatsApp incident.\r\nKey Points\r\nNSO spyware was used in 2019 to target Togolese civil society, including a Catholic bishop, priest, and\r\nopposition politicians.\r\nThe targeting coincided with nationwide pro-reform protests which were forcibly dispersed, amidst\r\nviolence and arrests.\r\nBackground\r\nIn May 2019, WhatsApp identified and shortly thereafter fixed a vulnerability that allowed attackers to inject NSO\r\nGroup spyware onto phones with a missed WhatsApp video call. At least 1,400 WhatsApp users were targeted as\r\npart of this incident. WhatsApp attributes the attacks to NSO Group, an Israeli spyware developer.\r\nThe Citizen Lab volunteered to assist WhatsApp to investigate the 2019 Incident as part of the Citizen Lab’s\r\nmandate to study digital threats against civil society. In the Fall of 2019 Citizen Lab’s researchers reached out to\r\nmore than 100 members of civil society among the targets to inform them of the attack and point them to\r\nresources to help them improve their digital security. On October 29th, 2019, WhatsApp sent messages to users\r\ntargeted in the 2019 Incident. On the same day, WhatsApp filed a lawsuit against NSO Group in the United States.\r\nNSO Spyware Attacks In Togo\r\nDuring our investigation we identified multiple targets in Togo. These individuals were targeted between April and\r\nMay, 2019. Four have now chosen to come forward. They include a bishop and a priest that have supported\r\nreform, as well as two members of Togo’s political opposition. We believe the infection attempts would have led\r\nto the infection of most targeted devices with NSO’s spyware.\r\nSpyware Targets in the Catholic Church\r\nMonseigneur Benoît Comlan Alowonou is the Bishop of Kpalimé, Togo. Bishop Alowonou is also the current\r\npresident of the Conférence des Evêques du Togo (“Conference of Bishops in Togo”). The Catholic Church of\r\nTogo has been vocal in its support for human rights and democracy, and critical of abuses by the regime.\r\nhttps://citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/\r\nPage 1 of 8\n\nThe Bishop has been the target of misinformation, and false reporting. For example, in 2015 he met with Pope\r\nFrancis in Rome. During the Ad Limina visit, the Pope recognized the Togolese Bishops for their efforts for\r\njustice, peace and reconciliation, while cautioning about political entanglements. However, according to the\r\nDiocese, while the Bishop was in Rome it was falsely reported by a Togolese outlet that he had called on the\r\nopposition to “admit electoral defeat.”\r\nFather Pierre Marie-Chanel Affognon is a Togolese Catholic priest. He is the founder of a movement to\r\npromote constitutional, institutional, and electoral reform in Togo. Father Affognon describes his work as\r\ninforming and encouraging Togolese citizens to hold their government to account. In the lead up to the 2020\r\nelections, Father Affognon and other members of the campaign attempted to organize peaceful marches but their\r\npermits were denied by the government.\r\nhttps://citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/\r\nPage 2 of 8\n\nIn 2018 and into 2019, Father Affognon was the target of a smear and disinformation campaign apparently\r\nintended to undermine his activities and those of the movement. Father Affognon speculates that the authors of\r\nthis campaign may have had access to personal information only available on his phone.\r\nOpposition Figures\r\nElliott Ohin is a prominent politician who has previously served in several senior cabinet roles, including Foreign\r\nMinister, and Minister for State Reform and Modernization. Ohin departed government in 2019. Ohin is also the\r\nformer president of the opposition party Union des Forces du Changement (“Union of Forces for Change”: UFC).\r\nRaymond Houndjo was a mayoral candidate for the city of Lomé, and is currently a visible member of the\r\nopposition party Alliance Nationale pour le Changement (“National Alliance for Change”: ANC).\r\nTargeting Context\r\nThe targeting in April – May 2019 coincided with nationwide protests calling for presidential term limits. Planned\r\ndemonstrations by the opposition Pan-African National Party (PNP) were largely banned by the government,\r\nwhich only permitted demonstrations in three cities. On April 13, 2019, protestors were violently dispersed by\r\narmed security forces, with one person killed and many others injured. Dozens of journalists, opposition leaders,\r\nand human rights defenders were detained. Detained in inhumane conditions, 19 were later sentenced to prison.\r\nIn May 2019, the National Assembly approved constitutional changes to reinstate presidential term limits in\r\nresponse to the protests. However, this restriction could not be applied retroactively, allowing President\r\nGnassingbé (who has ruled Togo uninterrupted since 2005 after succeeding his father as President) to stay in\r\nhttps://citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/\r\nPage 3 of 8\n\noffice until 2030. In addition to this, the amendments guarantee all former presidents immunity from prosecution\r\nfor life “for acts committed during their presidential term.”\r\nIn our 2018 Hide and Seek report, Citizen Lab identified a single Pegasus operator spying in Togo that we called\r\nREDLIONS. Because the operator appeared to be spying only in Togo, we suspected that REDLIONS was\r\noperated by an agency of the Togolese Government.\r\nTwo websites used by REDLIONS appeared to suggest politically motivated targeting, nouveau-president[.]com\r\n(“new president”) and politiques-infos[.]info (“political information”), and four REDLIONS websites appeared to\r\nbe designed to faciliate religiously focused targeting, including Christianity and Islam.\r\nReligious-Themed Pegasus Domains Used By REDLIONS\r\nchretiendaujoudhui[.]com (“Christian today”)\r\nviedechretien[.]org (“Christian life”)\r\nvie-en-islam[.]com (“life in Islam”)\r\nleprotestant[.]com (“the Protestant”)\r\nThe first domains that we associated with REDLIONS were registered in January 2017, suggesting that the entity\r\nbehind REDLIONS acquired the system prior to that point.\r\nTogo has a history of authoritarian rule and serious human rights abuses. Faure Gnassingbé, Togo’s President, has\r\nbeen in power since 2005. He succeeded his father, President Gnassingbé Eyadéma, who ruled Togo from 1967\r\nuntil his death. Faure Gnassingbé has been re-elected four times, with each election deemed a sham by opposition\r\nmembers.\r\nOver the past five decades the Gnassingbé family and their supporters have suppressed and modified democratic\r\nprocesses to ensure their hold on power. Mass protests have repeatedly sought electoral reform and his\r\nresignation, but are typically met with repression and violence. Togo remains one of the poorest countries of the\r\nworld. It is ranked 167/189 in the 2019 United Nations Human Development Index.\r\nViolence and Repression\r\nThe Gnassingbé government makes extensive use of force against opposition groups and human rights defenders,\r\nand its rule is marked by arbitrary detentions, torture, inhumane prison conditions, and killings by security forces.\r\nLegal and constitutional measures are regularly used to curtail rights to freedom of expression and peaceful\r\nassembly.\r\nThe 2020 Election\r\nAhead of the February 2020 national election, two opposition-friendly newspapers were suspended for two\r\nmonths for “discourteous, insulting and defamatory words.” By election time, the primary election observation\r\ngroup was barred from monitoring the voting, as were monitors from the Catholic Church; the government\r\nclaimed that these measures were taken to prevent interference. The election’s results were met with\r\naccusations of extensive irregularities and voter fraud. The government placed the retired Archbishop of\r\nhttps://citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/\r\nPage 4 of 8\n\nLomé under house arrest after he questioned the results. In July 2020, Togo’s government issued an arrest\r\nwarrant for the primary opposition candidate.\r\nDigital Repression\r\nThe Togolese government uses technical means to curb dissent. Authorities have disrupted mobile phone\r\nand internet service during protests and on election days to suppress protest and to curtail press coverage. In June\r\n2020, the Economic Community of West African States (ECOWAS) Community Court of Justice ruled that the\r\nnine-day internet shutdown in September 2017 by the Togolese government during anti-government protests was\r\nillegal. The Court ordered the government of Togo to pay compensation to the applicants, and enact safeguards to\r\nmeet international human rights law.\r\nIn 2018, the National Assembly passed a cybersecurity law which includes provisions to criminalize the\r\npublication of “false” information, breaches of public morality, and “the production, diffusion or sharing of data\r\nwhich undermine ‘order, public security or breach human dignity.’” Police are also granted greater authority to\r\nconduct electronic surveillance without adequate judicial oversight.\r\nNSO Group \u0026 Abuses of Its Spyware\r\nNSO Group is majority-owned by Novalpina Capital, a European private equity firm based in London. While\r\nNSO Group’s spyware (often called “Pegasus”) is marketed as used for crime fighting, there are over 130 cases in\r\nwhich NSO Group’s hacking technology has been used to conduct abusive surveillance against civil society\r\naround the globe.\r\nNSO Group claims it sells its spyware strictly to government clients and that all of its exports are undertaken in\r\naccordance with Israeli government export laws and oversight mechanisms. NSO Group also claims to abide by\r\na human rights policy and governance framework. However, the number of documented cases in which their\r\ntechnology is used abusively to target civil society continues to grow. Most recently, Amnesty\r\nInternational confirmed in June 2020 that Pegasus was used to target a Moroccan journalist. That targeting took\r\nplace just three days after NSO Group had implemented its new human rights policy.\r\nFor more information on NSO Group, a summary of key public reporting is here. The Business and Human Rights\r\nResource Center’s website for both NSO Group and Novalpina Capital has additional resources. Further, exhibits\r\nfiled in the ongoing litigation between WhatsApp/Facebook and NSO Group in the United States provide insight\r\ninto Pegasus’ functions and NSO Group’s operations (see, in particular, Exhibit 10 of the complaint).\r\nWhat An NSO Spyware Infection Can Do\r\nNSO’s spyware product is most commonly known as Pegasus, however in specific cases it may be given different\r\ncodenames. Pegasus is a mobile phone hacking tool that provides its operator complete access to a target’s mobile\r\ndevice. Pegasus allows the operator to extract passwords, files, photos, web history, contacts, as well as identity\r\ndata (such as information about the mobile device).\r\nhttps://citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/\r\nPage 5 of 8\n\nPegasus can take screen captures, monitor user inputs and activate a telephone’s microphone and camera. These\r\nfeatures enable attackers to monitor all activity on the device and in the vicinity of the device, such as\r\nconversations conducted in a room.\r\nPegasus also allows the operator to record chat messages (including messages sent through some “encrypted”\r\ntexting apps), as well as regular phone and encrypted VoIP calls.\r\nPegasus also allows the operator to track the target’s location. As with any infection, spyware may also allow for\r\nthe modification or manipulation of data on a device.\r\nA Global List of Abuses\r\nPegasus has been linked to at least 130 cases of abusive targeting of human rights defenders and journalists in\r\ndozens of countries in Asia, Europe, the Middle East, and North America. Research groups, including Amnesty\r\nInternational, have identified additional cases.\r\nCanada \u0026 Europe\r\nhttps://citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/\r\nPage 6 of 8\n\nIn Canada and Europe, targets include critics of the Saudi government, and specifically individuals who believe\r\nthat they were targeted as part of the surveillance of Jamal Khashoggi just prior to his murder. Other targets\r\ninclude the staff of international human rights organizations. In addition, a number of individuals critical of\r\npresident Paul Kagame were targeted in Europe and Africa.\r\nMexico\r\nIn Mexico, at least 25 members of civil society were targeted, ranging from prominent journalists and critics of\r\nthen-President Enrique Peña Nieto, like Carmen Aristegui, to the President of Mexico’s Senate, anti-corruption\r\norganizations, such as Mexicanos Contra la Corrupción y la Impunidad, and public health officials. Troublingly,\r\nseveral targets working in media were targeted shortly after their colleague was assassinated in a cartel-linked\r\nkilling. The wife of the slain journalist, a reporter herself, was also targeted.\r\nMiddle East \u0026 North Africa\r\nGovernment critics and human rights defenders in Gulf countries, as well as journalists and other pro-reform\r\nvoices in Morocco are among those targeted.\r\nIndia\r\nIn India, at least two dozen lawyers, journalists, and other members of civil society, including defenders of ethnic\r\nand cultural minorities, were extensively targeted with NSO spyware.\r\nAcknowledgements\r\nWe thank the many targets of NSO Spyware, including those mentioned in this report, who continue to come\r\nforward. Their courageous choice not to stay silent in the face of digital attacks makes such investigations\r\nhttps://citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/\r\nPage 7 of 8\n\npossible.\r\nThanks to Citizen Lab staff for additional logistical assistance with this investigation.\r\nSource: https://citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/\r\nhttps://citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/"
	],
	"report_names": [
		"nothing-sacred-nso-sypware-in-togo"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434123,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f03aafc2e906335e7f21a84a0aba302a572d060.pdf",
		"text": "https://archive.orkl.eu/5f03aafc2e906335e7f21a84a0aba302a572d060.txt",
		"img": "https://archive.orkl.eu/5f03aafc2e906335e7f21a84a0aba302a572d060.jpg"
	}
}