{
	"id": "17b4dc4a-cb91-422a-ae70-9b1e2374be1a",
	"created_at": "2026-04-06T00:14:46.228437Z",
	"updated_at": "2026-04-10T03:35:29.177847Z",
	"deleted_at": null,
	"sha1_hash": "c0c52a7fe421bdbfeb6380645394b8e0037e5979",
	"title": "Snoop List Has 40 Indian Journalists, Forensic Tests Confirm Presence of Pegasus Spyware on Some - The Wire",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 274196,
	"plain_text": "Snoop List Has 40 Indian Journalists, Forensic Tests Confirm\r\nPresence of Pegasus Spyware on Some - The Wire\r\nBy Anuj Srivas\r\nPublished: 2021-07-18 · Archived: 2026-04-05 18:58:47 UTC\r\nNew Delhi: The phone numbers of over 40 Indian journalists appear on a leaked list of potential targets for\r\nsurveillance, and forensic tests have confirmed that some of them were successfully snooped upon by an\r\nunidentified agency using Pegasus spyware, The Wire can confirm.\r\nThe leaked data includes the numbers of top journalists at big media houses like the Hindustan Times, including\r\nexecutive editor Shishir Gupta, India Today, Network18, The Hindu and Indian Express.\r\nThe Pegasus Project, a consortium of news organisations that analysed this list, has reason to believe that the data\r\nis indicative of potential targets identified in advance of surveillance attempts. The presence of a phone number in\r\nthe data does alone not reveal whether a device was infected with Pegasus or subject to an attempted hack –\r\ntechnical examination of the phone’s data is needed for that.\r\nIndependent digital forensic analysis conducted by Amnesty International’s Security Lab on 10 Indian phones\r\nwhose numbers were present in the data showed signs of either an attempted or successful Pegasus hack.\r\nOf equal importance is how the results the forensic analysis threw up shows sequential correlations between the\r\ntime and date a phone number is entered in the list and the beginning of surveillance. The gap usually ranges\r\nbetween a few minutes and a couple of hours. In some cases, including forensic tests conducted for two India\r\nnumbers, the time between a number appearing on the list and the successful detection of a trace of Pegasus\r\ninfection is just seconds.\r\nPegasus is sold by the\r\nIsraeli company, NSO Group, which says it only offers its spyware to “vetted governments”. 
The company refuses\r\nto make its list of customers public but the presence of Pegasus infections in India, and the range of persons that\r\nmay have been selected for targeting, strongly indicate that the agency operating the spyware on Indian numbers is\r\nan official Indian one.\r\nTwo founding editors of The Wire are on this list, as are its diplomatic editor and two of its regular contributors,\r\nincluding Rohini Singh. Singh’s number appears after she filed back-to-back reports on the business affairs of\r\nhome minister Amit Shah’s son, Jay Shah, and Nikhil Merchant, a businessman who is close to Prime Minister\r\nNarendra Modi, and while she was investigating the dealings of a prominent minister, Piyush Goyal, with\r\nbusinessman Ajay Piramal.\r\nAlso read: NSO Group’s Response to the Pegasus Project and Our Take\r\nThe number of former Indian Express journalist Sushant Singh appears on the list in mid-2018, at a time when he\r\nwas working on an investigation into the controversial Rafale aircraft deal with France, besides other stories.\r\nDigital forensics conducted on Singh’s current phone showed signs of Pegasus infection earlier this year.\r\nLeaked data, NSO disputes purpose\r\nThe France-based media non-profit, Forbidden Stories, and Amnesty International first had access to this leaked\r\nlist which they shared with The Wire and 15 other news organisations worldwide as part of a lengthy collaborative\r\ninvestigation called the Pegasus Project.\r\nWorking together, these news organisations – which include The Guardian, The Washington Post, Le\r\nMonde and Süddeutsche Zeitung – were able to independently identify the owners of over 1,571 numbers across at\r\nleast 10 countries, and forensically examine a small cross-section of phones associated with these numbers to test\r\nfor the presence of Pegasus.\r\nNSO disputes the claim that the leaked list is linked 
in any way to the functioning of its spyware. In a letter to The\r\nWire and Pegasus Project partners, the company initially said it had “good reason to believe” that the leaked data\r\nwas “not a list of numbers targeted by governments using Pegasus”, but instead, may be part of “a larger list of\r\nnumbers that might have been used by NSO Group customers for other purposes”.\r\nHowever, the forensic testing of targeted phones has confirmed the use of Pegasus spyware against some of the\r\nIndian numbers on this list and has also established that this highly intrusive form of surveillance – technically\r\nillegal under Indian law as it involves hacking – is still being used to spy on journalists and others.\r\nPegasus and India\r\nFounded in 2010, the NSO Group is best known for having created Pegasus, which allows those operating it to\r\nremotely hack into smartphones and gain access to their contents and functions, including the microphone and\r\ncamera. The company has always insisted Pegasus is not sold to private entities or even to any and every\r\ngovernment. In fact, in its letter to The Wire and its media partners, NSO reiterated that it sells its spyware only to\r\n“vetted governments”.\r\nNSO will not confirm whether the Indian government is a customer but the presence of Pegasus infections in the\r\nphones of journalists and others in India and the nature of the targets selected for a potential hack suggest that\r\none or more official agencies here are actively using the spyware. 
This inference must be drawn because Pegasus\r\ncan only be used by a client of NSO and NSO has only “vetted governments” as clients.\r\nAlso read: FAQ: On the Pegasus Project’s Digital Forensics\r\nWhile the Narendra Modi government has not so far issued a categorical denial that Pegasus is officially being\r\nused, it has been dismissive of allegations that Pegasus might have been used to conduct illegal surveillance of\r\ntargets in India.\r\nOn Saturday, the Ministry of Electronics and Information Technology reiterated this stand in a response to a\r\nquestionnaire about individual targets sent by Pegasus Project partners.\r\nIndependent forensic analysis conducted by Amnesty International’s Security Lab on a small worldwide cross-section of the smartphones of the people on the leaked list threw up traces of Pegasus spyware infection in over\r\nhalf the cases. Among the 13 iPhones examined in India, nine showed evidence of being targeted, of which seven\r\nwere successfully infected with Pegasus. Among nine Androids tested, one showed evidence of targeting while 8\r\nwere inconclusive, mainly because Android logs do not provide the kind of detail Amnesty’s team needs to\r\nconfirm the presence of Pegasus.\r\nSpecific digital forensics conducted by Amnesty International’s Security Lab found traces of Pegasus spyware on the mobile phones\r\nof six Indian journalists who agreed to have their phones examined after discovering their number was in the\r\nleaked data.\r\nThe list of journalists to emerge from the Pegasus Project’s reporting cannot be considered an exhaustive list or even\r\na representative sample of reporters subject to official snooping as it is limited to an analysis of one leaked dataset\r\nover a narrow time period and covering only one potential vector of surveillance, i.e. 
Pegasus.\r\nDelhi journalists dominate list of persons of interest\r\nA good chunk of the journalists who appear in the records are based out of the national capital and work with\r\nprominent organisations.\r\nFor instance, the leaked data shows that at least four current employees and one former employee of the\r\nHindustan Times group were of potential interest to the Indian Pegasus client – executive editor Shishir Gupta,\r\neditorial page editor and former bureau chief Prashant Jha, defence correspondent Rahul Singh, a former political\r\nreporter who covered the Congress, Aurangazeb Naqshbandi, and a reporter in HT’s sister paper, Mint.\r\nOther prominent media houses also had at least one journalist whose phone number appears in the leaked records.\r\nThis includes Ritika Chopra (who covers education and the Election Commission) and Muzamil Jaleel (who\r\nwrites on Kashmir) of the Indian Express, Sandeep Unnithan (who covers defence and the Indian military)\r\nof India Today, Manoj Gupta (editor investigations and security affairs) at TV18, and Vijaita\r\nSingh, who covers the home ministry for The Hindu and whose phone contained traces of an attempted Pegasus\r\ninfection.\r\nThe Pegasus Project is withholding the names of some of those targeted because they have either moved on to\r\nother jobs or have other reasons not to be identified.\r\nAt The Wire, those targeted were founder-editors Siddharth Varadarajan and M.K. Venu, for whom specific\r\nforensic analysis showed evidence of their phones being infected by Pegasus. 
The number of Devirupa Mitra, The\r\nWire’s diplomatic editor, also appears in the records.\r\nApart from Rohini Singh, the phone number of another regular contributor to The Wire – senior columnist Prem\r\nShankar Jha, who writes mainly on political and security matters – also appears in the records, as does freelance\r\njournalist Swati Chaturvedi, who was also writing for The Wire at the time she was selected.\r\n“Given the abandon with which this government is abusing the Indian constitution to incarcerate its staunchest\r\ndefenders, I am torn between considering this a threat and a compliment,” Jha said, when informed about his\r\nselection as a target for surveillance.\r\n“My job is to continue [doing] stories… News doesn’t stop, stories should be told as they are, without suppressing\r\nthe facts or with any embellishment,” The Hindu’s Vijaita Singh told The Wire, adding that it would not be\r\n“appropriate to hazard a guess” on why anyone would view her as a potential target for surveillance.\r\n“Whatever information we gather is in the newspaper the following day.”\r\n“Unfortunately,” said Rohini Singh, “surveillance is seen as something that a powerful government would do…\r\nIt’s not even criticised as much by many journalists in mainstream media and I think that’s the unfortunate part.”\r\n“My investigative book on the BJP’s secret digital army exposed the Modi government attacking citizens in a\r\ndemocracy… I take Modi’s illegal surveillance as a compliment to the investigative journalism I do,” said\r\nChaturvedi.\r\n“I did not know about this,” Jaleel told The Wire. “But if you have it from reliable sources, it is a matter of serious\r\nconcern.”\r\nAnother journalist that finds mention on the list is J. Gopikrishnan, an investigative reporter with The Pioneer,\r\ncredited with having broken the 2G telecom scam. 
“Being a journalist, I contact many people and [there are] many\r\n[who] want to know who all I contact,” he told The Wire.\r\nAlso Read: Pegasus Project: How Phones of Journalists, Ministers, Activists May Have Been Used to Spy On\r\nThem\r\nSeveral senior journalists who have left mainstream organisations also appear in the leaked data as individuals\r\nwho were selected.\r\nThis includes: national security reporter Saikat Datta, who was South Asia editor of Asia Times Online when his\r\nnumber was listed, former Economic and Political Weekly editor Paranjoy Guha Thakurta, who now writes\r\nregularly for Newsclick.in, former TV18 anchor and diplomatic reporter at The Tribune Smita Sharma,\r\nformer Outlook journalist S.N.M. Abdi and former DNA reporter Iftikhar Gilani.\r\nThe Wire’s analysis of the data shows that most of the above-mentioned names were targeted between 2018 and\r\n2019 – in the run-up to the 2019 Lok Sabha general elections.\r\nWhile some journalists appear to have been added to the list at more or less the same time, suggesting official\r\ninterest in the group, others figure as standalone entries, perhaps for the stories they were working on at the time.\r\nAnd these stories are not always the obvious ones.\r\nOne young television reporter, who requested that her name be withheld as she has left the profession to pursue a\r\ncareer in another field, told The Wire that the only story she can remember doing during the period the data\r\nsuggests she might have been targeted for surveillance was on the CBSE paper leak.\r\nPrior Pegasus targets?\r\nIn 2019, WhatsApp, along with Canada-based Citizen Lab, alerted dozens of Indians who had been affected by a\r\nPegasus attack that exploited a hole in the messaging app firm’s security.\r\nTwo journalists whose phone numbers appear in the leaked records obtained by the Pegasus Project are among\r\nthose who received messages from WhatsApp in 2019 that their phones were compromised.\r\nOf that group, records show that former Lok Sabha MP and veteran journalist Santosh Bharatiya was also marked\r\non the list in early 2019. The former parliamentarian, who early in his career worked as a journalist, publicly\r\nstated that he too had received a message from WhatsApp.\r\nFar away from Delhi\r\nThe leaked data also throws up the numbers of journalists who work far away from Lutyens’ Delhi and the\r\nnational glare. This includes north-east-based editor-in-chief of Frontier TV Manoranjana Gupta, Bihar-based\r\nSanjay Shyam and Jaspal Singh Heran.\r\nHeran is editor-in-chief of the Ludhiana-based Punjabi daily Rozana Pehredar. The newspaper has reporters in\r\nevery district of Punjab, is read widely and has a sizeable impact on the narrative in the state. The octogenarian\r\ntold the Pegasus Project that due to his newspaper’s critical reportage, he has had run-ins with all governments\r\nover the years and has been at the receiving end of several legal notices.\r\nHe believes that any and all surveillance of journalists is “shameful”. “They don’t like it if we are critical of the\r\ndirection in which this country is heading under their leadership. They try to silence us,” Heran said.\r\n1,500 kilometres south-east of Ludhiana, we find another journalist not immediately prominent but of immense\r\ninterest to the Indian client of NSO Group. 
Roopesh Kumar Singh is an independent journalist based in\r\nJharkhand’s Ramgarh and three phone numbers belonging to him are part of the leaked data.\r\nSingh was not surprised to learn that he was marked as a potential snooping target. “I have always known that I\r\nam being watched, especially after a 2017 story about the killing of an innocent Adivasi by the Jharkhand police,”\r\nSingh told us. The story Singh mentioned was published by The Wire Hindi on June 15, 2017 and raised questions\r\nabout the killing of an individual whom the police claimed was associated with a banned Maoist group.\r\nSingh’s phone appears in the leaked records just a few months after the story, according to Pegasus Project data.\r\nIn June 2019, Singh was arrested by the Bihar police and booked for possession of explosives under the stringent\r\nUnlawful Activities (Prevention) Act (UAPA). He was released six months later on bail as the police failed to file\r\na charge sheet within the stipulated time. “The police planted the explosives. It was an attempt to intimidate me\r\nbecause of my reporting,” Singh said.\r\nDeepak Gidwani, another name on the list, was principal correspondent with DNA based in Lucknow between\r\n2006 and 2016. Since then he has stepped away from journalism to pursue spiritual interests. Two numbers used\r\nby him were selected in 2019.\r\n“I have no idea why I may have been under surveillance. Apart from posting occasionally on Facebook and\r\nWhatsApp I don’t write anything now. I prefer to follow the path of spirituality.”\r\nWhat do forensic analyses show?\r\nAmnesty International’s Security Lab was able to conduct digital forensics on the phones of seven journalists. 
The\r\norganisation’s results were tested for robustness through a blind test carried out by experts at Citizen Lab, a\r\nUniversity of Toronto-based institute whose research partially laid the groundwork for WhatsApp’s landmark\r\nlawsuit against the NSO Group in 2019.\r\nThe security lab’s overarching methodology was peer-reviewed and endorsed by Citizen Lab.\r\nThe phones of former Indian Express journalist Sushant Singh, India Ahead News contributing editor Smita\r\nSharma, former EPW editor Paranjoy Guha Thakurta, former Outlook journalist S.N.M. Abdi, The Hindu’s Vijaita\r\nSingh and The Wire’s two founding editors Siddharth Varadarajan and M.K. Venu were analysed.\r\nOut of these, Amnesty found evidence that the phones of Sushant Singh, Thakurta, Abdi, Varadarajan and Venu\r\nwere compromised with Pegasus spyware.\r\nFor Smita Sharma, the analysis found evidence of a hacking attempt through a vulnerability in Apple’s iMessage\r\nsystem, but nothing to indicate that her phone was successfully infected. She reports on foreign policy issues and\r\nwas deputy editor with The Tribune when the hacking attempts allegedly took place.\r\nAlso read: Old RTI Response Enough To Deny Govt-Pegasus Link, Media Didn’t Do Due Diligence: MeitY\r\nVijaita Singh’s Android phone also showed evidence of an attempted hack, but no evidence of a successful\r\ncompromise was detected.\r\nWhile the results do not indicate what the attacker did using Pegasus, the analysis comes to a few key conclusions for the\r\nfollowing people:\r\n1) S.N.M. Abdi: Phone compromised by Pegasus during the months of April 2019, May 2019, July 2019, October\r\n2019 and December 2019. Amnesty was not able to verify the attack vector (i.e., the method that the\r\nspyware used to infect the phone).\r\n2) Sushant Singh: Phone compromised by Pegasus from March 2021 to July 2021, through what Amnesty\r\nInternational calls a zero-click exploit in the iMessage service. 
The attack is referred to as ‘zero-click’, because it\r\ndoes not require the victims to take any action (such as clicking on a malicious link in an SMS or e-mail) for the\r\ninfection to occur.\r\n3) Paranjoy Guha Thakurta: Phone compromised by Pegasus during parts of April 2018, May 2018, June 2018\r\nand July 2018. Amnesty was not able to identify the attack vector that the spyware used to infiltrate the phone.\r\n4) M.K. Venu: Analysts at Amnesty found that the phone was infected with Pegasus as recently as June 2021,\r\nthrough what they called a zero-click iMessage exploit.\r\n5) Siddharth Varadarajan: Phone compromised by Pegasus during parts of April 2018. Digital forensics could\r\nnot determine the manner in which the spyware infected the phone (i.e., the attack vector).\r\nDigital forensic analysis was also conducted for the iPhone of a senior editor at a mainstream Indian newspaper,\r\nbut no traces of Pegasus were found — primarily because it was not the same device being used by the journalist\r\nwhen her number showed up on the list.\r\nForbidden Stories and The Wire also reached out to a number of other journalists, both at mainstream publications\r\nand otherwise, to ask whether they would be open to participating in a forensic analysis. They refused, citing a\r\nnumber of reasons including a lack of support from their management or their inability to trust the underlying\r\nprocess.\r\n(Additional reporting by Pawanjot Kaur, Ajoy Ashirwad Mahaprashasta and Devirupa Mitra)\r\nThe Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news\r\norganisations in 10 countries coordinated by Forbidden Stories with the technical support of Amnesty\r\nInternational’s Security Lab. 
Read all our coverage here.\r\nSource: https://thewire.in/media/pegasus-project-spyware-indian-journalists",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thewire.in/media/pegasus-project-spyware-indian-journalists"
	],
	"report_names": [
		"pegasus-project-spyware-indian-journalists"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434486,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0c52a7fe421bdbfeb6380645394b8e0037e5979.pdf",
		"text": "https://archive.orkl.eu/c0c52a7fe421bdbfeb6380645394b8e0037e5979.txt",
		"img": "https://archive.orkl.eu/c0c52a7fe421bdbfeb6380645394b8e0037e5979.jpg"
	}
}