{
	"id": "4f404b83-2b23-47fb-bdc3-982a0998174e",
	"created_at": "2026-04-06T00:12:45.502554Z",
	"updated_at": "2026-04-10T03:21:30.886432Z",
	"deleted_at": null,
	"sha1_hash": "65c4e8ce5c0e47e6415513a2a93c6ea086252cb4",
	"title": "Serbia: BIRN journalists targeted with Pegasus spyware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47798,
	"plain_text": "Serbia: BIRN journalists targeted with Pegasus spyware\r\nPublished: 2025-03-27 · Archived: 2026-04-05 18:40:49 UTC\r\nTwo journalists from Balkan Investigative Reporting Network (BIRN), an award-winning Serbian network of\r\ninvestigative journalists, were targeted with NSO Group’s Pegasus spyware last month, a new Amnesty\r\nInternational investigation reveals.   \r\nJournalists Bogdana (not her real name) and Jelena Veljkovic received suspicious messages on the Viber\r\nmessaging app from an unknown Serbian number linked to Telekom Srbija, the state-telecommunications\r\noperator. \r\nSuspecting that their smartphones were being targeted by a spyware attack, they approached Amnesty\r\nInternational’s Security Lab, whose forensic analysis confirmed their suspicions.  \r\n“We discovered that the text messages contained hyperlinks to a Serbian language domain name which\r\nwe have determined with high confidence to be associated with NSO Group’s Pegasus spyware,   \r\nDonncha Ó Cearbhaill, the Head of Amnesty International’s Security Lab.\r\nThis is the third time in two years that Amnesty International’s Security Lab has found NSO Group’s Pegasus\r\nspyware being used against civil society in Serbia. In November 2023, Amnesty International, Access Now,\r\nSHARE Foundation and Citizen Lab documented how two Serbian civil society members where targeted by a\r\nzero-click spyware attack, which Amnesty International later attributed as Pegasus attack attempts.   \r\nOn 14 February 2025, Bogdana received a message on Viber with a link to a news article and a message asking:\r\n“Do you have info that he is next? I heard something completely different.” \r\nAt the time she was working on an article about foreign investments and state-linked corruption cases. The\r\nprevious day she had met sources for her story including individuals close to the government. \r\nBogdana did not click the Pegasus infection link, and a forensic analysis of her device did not indicate that\r\nPegasus spyware had been installed on her phone. Amnesty International’s Security Lab later found that, if\r\nclicked, the infection link redirected to a decoy page on a Serbian media website, a technique previously seen in a\r\nPegasus attempt targeting a Serbian protest leader in July 2023. \r\nNSO Group stated in a letter to Amnesty International that “all sales of our systems are to vetted government end-users”. Amnesty International believes that the continued use of Serbian language Pegasus infection domain\r\nnames, and the targeting of Serbian civil society with a consistent methodology are indicative of these attacks\r\nbeing carried out by a Serbian state entity.  \r\nBogdana said: “When I found out that the link on my phone was Pegasus, I was absolutely furious. This was the\r\nphone registered to my name, and I felt as if I had an intruder in my own home. This is an unnerving feeling…. I\r\nwas extremely concerned about my sources who could be at risk because they communicated with me.” \r\nhttps://www.amnesty.org/en/latest/news/2025/03/serbia-birn-journalists-targeted-with-pegasus-spyware/\r\nPage 1 of 2\n\nJelena Veljkovic received a similar Viber message to the one sent to Bogdana from the same Serbian phone\r\nnumber on 14 February and deleted it without clicking it. Amnesty International concluded that, based on the\r\nnature of the attempt, this was also a Pegasus 1-click infection attempt. 1-click attacks require action from the\r\ntarget to enable the infection of their device, typically the opening of a malicious link. \r\n“When I found out that I was a target of a Pegasus attack, I was not particularly scared but found it quite\r\nunsettling. This was my private telephone, which I also use for work, and a virus like Pegasus, which is not\r\nselective at all and can access everything on one’s phone, can have repercussions on my family too. \r\n“This was a targeted attack on investigative journalists – a form of pressure and a warning. Whether it\r\nwas an attack on me personally or on BIRN, as a media outlet, I am not sure,  \r\nJelena. \r\nBIRN and its staff face frequent threats, harassment and Strategic Lawsuits against Public Participation (SLAPPs),\r\nincluding by senior government officials, for their investigative journalism. Currently it is fighting four SLAPP\r\nsuits, mostly filed by public officials, including the current mayor of Belgrade, or others with known links to the\r\nauthorities. \r\nAmnesty International shared its findings with NSO Group who responded saying: “We cannot comment on\r\nspecific existing or past customers. Additionally, as a matter of policy, we are unable to disclose any information\r\nregarding our technical specifications, functionality or operational features of our products.” \r\nRepeated attempts to engage the Serbian Security Information Agency (BIA, Bezbednosno-informativna\r\nAgencija) were unanswered. \r\nThese findings provide further evidence that Serbian authorities are abusing highly invasive spyware products and\r\nother digital surveillance technologies to target journalists, activists, and other members of civil society amid\r\nwidespread student protests that have gripped the country since November 2024.  \r\nSerbian authorities must stop using highly invasive spyware and provide effective remedy to victims of unlawful\r\ntargeted surveillance and hold those responsible for the violations to account. NSO Group must stop selling\r\nPegasus and the use of its products in Serbia. \r\nSource: https://www.amnesty.org/en/latest/news/2025/03/serbia-birn-journalists-targeted-with-pegasus-spyware/\r\nhttps://www.amnesty.org/en/latest/news/2025/03/serbia-birn-journalists-targeted-with-pegasus-spyware/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.amnesty.org/en/latest/news/2025/03/serbia-birn-journalists-targeted-with-pegasus-spyware/"
	],
	"report_names": [
		"serbia-birn-journalists-targeted-with-pegasus-spyware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434365,
	"ts_updated_at": 1775791290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/65c4e8ce5c0e47e6415513a2a93c6ea086252cb4.pdf",
		"text": "https://archive.orkl.eu/65c4e8ce5c0e47e6415513a2a93c6ea086252cb4.txt",
		"img": "https://archive.orkl.eu/65c4e8ce5c0e47e6415513a2a93c6ea086252cb4.jpg"
	}
}