{
	"id": "4eeafa2d-e35c-4a5c-85d3-926684f9901f",
	"created_at": "2026-04-06T00:16:40.645283Z",
	"updated_at": "2026-04-10T13:11:39.414736Z",
	"deleted_at": null,
	"sha1_hash": "c9f9c01dfb50542d39eb9b985fcd373f5a56d79c",
	"title": "Devices of Palestinian Human Rights Defenders Hacked with NSO Group’s Pegasus Spyware - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77831,
	"plain_text": "Devices of Palestinian Human Rights Defenders Hacked with NSO\r\nGroup’s Pegasus Spyware - The Citizen Lab\r\nArchived: 2026-04-05 20:17:36 UTC\r\nOpens in a new window Opens an external site Opens an external site in a new window\r\nContents\r\nMethodology\r\nTargets\r\n4. Conclusion\r\nThis document is a joint technical report by the University of Toronto’s Citizen Lab and Amnesty International’s\r\nSecurity Lab reviewing Front Line Defenders’ technical research.\r\nIn October 2021, the human rights non-governmental organization (NGO) Front Line Defenders (FLD) began\r\ncollecting data on the suspected hacking of the devices of several Palestinians working for civil society\r\norganizations based in the West Bank. FLD shared the data they collected with the Citizen Lab and Amnesty\r\nInternational’s Security Lab for separate independent peer review of their initial findings. FLD’s analysis indicated\r\nthat six devices belonging to six Palestinian human rights defenders were hacked with Pegasus, a spyware\r\ndeveloped by the cyber-surveillance company NSO Group. Both the Citizen Lab and Amnesty International’s\r\nSecurity Lab independently confirmed these findings.\r\nOf the six individuals, three consented to be named. Of these three, two individuals are dual-nationals: one\r\nFrench, the other American. Further, all three work at NGOs designated “terrorist organizations” by the Israeli\r\ngovernment in October 2021. These designations have been widely condemned internationally, including by\r\nprominent international NGOs (including Amnesty International and Human Rights Watch), governmental offices\r\nand representatives (such as Sweden’s Minister of International Development Cooperation and Humanitarian\r\nAffairs, the High Representative of the EU for Foreign Affairs and Security Policy, Ireland’s Minister of Foreign\r\nAffairs and Minister of Defence, the French Ministry of Foreign Affairs, the EU Special Representative for\r\nHuman Rights, and U.S. Congressional representatives), and UN experts (such as the UN High Commissioner for\r\nHuman Rights and the UN Special Rapporteur for Freedom of Association). The hacking described in this report\r\ntook place prior to this designation.\r\nMethodology\r\nTo establish whether or not the devices had been hacked, the Citizen Lab and Amnesty International’s Security\r\nLab each performed forensic analysis on the logs from each device. The results of our analysis are listed in Table\r\n1.\r\nOur analysis involved reviewing results shared with us by FLD, as well as analyzing logs extracted from the\r\nphones; these logs record names and other details about processes, apps, or code that have run on the phone. We\r\nhttps://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/\r\nPage 1 of 4\n\nwere able to connect specific process names back to NSO Group’s Pegasus spyware on the basis of observing\r\ntemporal correlations on other devices between the process names and communication with NSO Group servers.\r\nNSO Group has implicitly acknowledged that this methodology establishes signs of bona fide Pegasus\r\ncompromise. On the basis of the Citizen Lab’s technical analysis of the devices of Al Jazeera journalists, which is\r\ndescribed here, NSO Group reportedly terminated its contract with Saudi Arabia. Additionally, NSO Group\r\nreportedly terminated its contract with the Emirate of Dubai because the customer abused the spyware to hack the\r\nEmir’s ex-wife, Princess Haya Bint al-Hussein, and her lawyers. In May 2021, the High Court of England and\r\nWales ruled that the phones had been hacked with Pegasus on the basis of this technical methodology.\r\nTargets\r\nThe table below summarizes information regarding the targets’ identity and when the targeting occurred. Note that\r\nsome dates of hacking may not be particularly significant, as zero-click hacking can sometimes be driven by\r\navailability of exploits rather than specific timeframes of interest. Of interest is the fact that four hacked phones\r\nexclusively used SIMs issued by Israeli telecoms companies with Israeli (+972) phone numbers. NSO Group has\r\nsaid that exported versions of Pegasus cannot be used to hack Israeli phone numbers.\r\nTarget Position\r\nApproximate Dates\r\nPhone Hacked with\r\nPegasus\r\nSIM(s)\r\nGhassan\r\nHalaika\r\nField researcher and human\r\nrights defender working for\r\nAlhaq\r\n(1) 2020-07-14 –\r\n2020-07-18\r\n(1) MCC 425,\r\nMNC 07\r\n(HOT Mobile – IL)\r\nUbai\r\nAboudi\r\nExecutive Director at Bisan\r\nCenter for Research and\r\nDevelopment\r\n(1) 2021-02-12 –\r\n2021-02-17\r\n(1) MCC 425,\r\nMNC 05\r\n(Jawwal – PS)\r\nSalah\r\nHammouri\r\nLawyer and field researcher at\r\nAddameer Prisoner Support\r\nand Human Rights Association\r\nbased in Jerusalem\r\n(1) 2021-04-12 –\r\n2021-04-30\r\n(1) MCC 425,\r\nMNC 02\r\n(Cellcom ltd. – IL)\r\nT4 Human rights defender (1) 2021-04-12\r\n(1) MCC 425,\r\nMNC 02\r\n(Cellcom ltd. – IL)\r\nT5 Human rights defender\r\n(1) 2021-02-10\r\n(2) 2021-04-03\r\n(3) 2021-04-12\r\n(1) MCC 425,\r\nMNC 01\r\n(Orange/Partner –\r\nIL)\r\nT6 Human rights defender (1) 2020-11-04 (1) MCC 425,\r\nMNC 05 (Jawwal –\r\nhttps://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/\r\nPage 2 of 4\n\nTarget Position\r\nApproximate Dates\r\nPhone Hacked with\r\nPegasus\r\nSIM(s)\r\nPS)\r\nTable 1\r\nResults of forensic analysis conducted on the phones of Palestinians targeted with NSO Group’s\r\nPegasus spyware.\r\nThe phone logs of Ghassan Halaika record that a binary was stored at\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/smmsgingd, and that a process with the name smmsgingd ran\r\non the phone starting on 2020-07-14. There is no legitimate iOS process with the name smmsgingd, and both the\r\nCitizen Lab and Amnesty International’s Security Lab have linked this process name to Pegasus.\r\nThe phone logs of Ubai Aboudi record that three processes ran on the phone, MobileSMSd,\r\nCommsCenterRootH…, and otpgrefd. There are no legitimate iOS processes with these names. The process name\r\notpgrefd was also seen on one of the phones of a journalist at Al Jazeera, whose phone was communicating with\r\nPegasus spyware servers, as well as the phone of Ala’a Al-Siddiq, whose phone was communicating with Pegasus\r\nspyware servers. Amnesty International’s Security Lab linked MobileSMSd and CommsCenterRootH… to\r\nPegasus.\r\nThe phone logs of Salah Hammouri record that two processes ran on the phone, ctrlfs and xpccfd. There are no\r\nlegitimate iOS processes with these names. Both the Citizen Lab and Amnesty International’s Security Lab have\r\nlinked these process names to Pegasus.\r\nThe phone logs of T4 record that one process ran on the phone, bundpwrd. There is no legitimate iOS process\r\nwith this name. Both the Citizen Lab and Amnesty International’s Security Lab have linked this process name to\r\nNSO Group’s Pegasus spyware.\r\nThe phone logs of T5 record that eight processes ran on the phone, gssdp, launchafd, com.apple.Mappit, cfprefssd,\r\nlibtouchregd, ABSCarryLog, contextstoremgrd, and launchrexd. There are no legitimate iOS processes with these\r\nnames. The Citizen Lab and Amnesty International’s Security Lab have linked these process names to Pegasus.\r\nThe process names launchafd, libtouchregd, and launchrexd were also seen on the phone of journalist Khadija\r\nIsmayilova, whose phone communicated with Pegasus spyware servers.\r\nThe phone logs of T6 record that two binaries were stored at\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/accountpfd and\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/logseld, and that a process named accountpfd ran on the\r\nphone starting on 2020-11-04. There are no legitimate iOS processes with these names. The Citizen Lab and\r\nAmnesty International’s Security Lab have linked both accountpdf and logseld to Pegasus.\r\n4. Conclusion\r\nThis report confirms that the devices of six Palestinian human rights defenders were hacked with NSO Group’s\r\nPegasus spyware in 2020 and 2021, as published by Front Line Defenders. The hacking took place prior to the\r\nhttps://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/\r\nPage 3 of 4\n\nIsraeli government’s decision to designate a number of organizations working in the West Bank as terrorist\r\norganizations, a decision that governments and civil society organizations worldwide have strongly condemned.\r\nThe use of NSO Group’s Pegasus spyware against Palestinian human rights defenders illustrates yet another\r\nfailure of the company’s Human Rights Policy, which professes an “unequivocal respect for human rights,” as\r\nwell as the company’s claim that the Israeli regulatory system imposes sufficient human rights controls on the sale\r\nof NSO Group’s technology. NSO Group’s headquarters in Herzliya, Israel, are less than a hundred kilometers\r\nfrom where the hacked Palestinian organizations work: not only has this technology been exported to countries\r\nwhere it has facilitated human rights abuse like Saudi Arabia and Mexico, but it is also being deployed locally and\r\nin some cases against Israeli numbers—something which NSO Group previously claimed was not possible.\r\nIn the face of such contradictions, it perhaps should come as no surprise that the company was recently added to\r\nthe United States Bureau of Industry and Security (BIS)’s Entity List, with the United States Commerce\r\nDepartment expressly noting that NSO Group was added because the company’s technology was used to\r\n“maliciously target” activists.\r\nSource: https://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/\r\nhttps://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/"
	],
	"report_names": [
		"palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434600,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c9f9c01dfb50542d39eb9b985fcd373f5a56d79c.pdf",
		"text": "https://archive.orkl.eu/c9f9c01dfb50542d39eb9b985fcd373f5a56d79c.txt",
		"img": "https://archive.orkl.eu/c9f9c01dfb50542d39eb9b985fcd373f5a56d79c.jpg"
	}
}