{
	"id": "602d0c0e-b70a-4a07-90ee-7ed35b5c10e8",
	"created_at": "2026-04-06T00:13:09.228479Z",
	"updated_at": "2026-04-10T13:13:10.243615Z",
	"deleted_at": null,
	"sha1_hash": "d3e41945376e51be692997899336ac8acd88b8bb",
	"title": "CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1769126,
	"plain_text": "CatalanGate: Extensive Mercenary Spyware Operation against\r\nCatalans Using Pegasus and Candiru - The Citizen Lab\r\nArchived: 2026-04-02 12:26:21 UTC\r\nKey Findings\r\nThe Citizen Lab, in collaboration with Catalan civil society groups, has identified at least 65 individuals\r\ntargeted or infected with mercenary spyware.\r\nAt least 63 were targeted or infected with Pegasus, and four others with Candiru. At least two were targeted\r\nor infected with both.\r\nVictims included Members of the European Parliament, Catalan Presidents, legislators, jurists, and\r\nmembers of civil society organisations. Family members were also infected in some cases.\r\nWe identified evidence of HOMAGE, a previously-undisclosed iOS zero-click vulnerability used by NSO\r\nGroup that was effective against some versions prior to 13.2.\r\nThe Citizen Lab is not conclusively attributing the operations to a specific entity, but strong circumstantial\r\nevidence suggests a nexus with Spanish authorities.\r\nWe shared a selection of Pegasus cases with Amnesty International’s Tech Lab, which independently\r\nvalidated our forensic methodology.\r\nOur latest research is a story of secret hacking capabilities, how a government used them, and the\r\nthreat they pose to fundamental rights and democracy. Explore the data and ask yourself: would you\r\nclick?\r\nIntroduction\r\nhttps://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/\r\nPage 1 of 41\n\nIn 2019, WhatsApp patched CVE-2019-3568, a vulnerability exploited by NSO Group to hack Android phones\r\naround the world with Pegasus. At the same time, WhatsApp notified 1,400 users who had been targeted with the\r\nexploit. Among the targets were multiple members of civil society and political figures in Catalonia, Spain. 
The\r\nCitizen Lab assisted WhatsApp in notifying civil society victims and helping them take steps to be more secure.\r\nThe cases were first reported by The Guardian in 2020. Following these reports, the Citizen Lab, in collaboration\r\nwith civil society organisations, undertook a large-scale investigation into Pegasus hacking in Spain. The\r\ninvestigation has uncovered at least 65 individuals targeted or infected with Pegasus or spyware from Candiru,\r\nanother mercenary hacking company.\r\nForensic evidence was obtained from victims who consented to participate in a research study with the Citizen\r\nLab. Further, victims publicly named in this report consented to be identified as such, while other targets chose to\r\nremain anonymous. Confirmed cases of Pegasus and Candiru hacking (i.e. when the spyware is successfully\r\ninstalled on a device) are referred to as “infections” or being “infected” throughout the report, while “targeted”\r\nrefers to an act of targeting with Pegasus or Candiru spyware that may or may not correspond to a forensically-discovered infection (i.e. because a device was unavailable for analysis, or is an Android which is more difficult to\r\nforensically analyse). “Hacking” is used as a global term to describe the act of targeting and/or infecting devices.\r\nThe hacking covers a spectrum of civil society in Catalonia, from academics and activists to non-governmental\r\norganisations (NGOs). Catalonia’s government and elected officials were also extensively targeted, from the\r\nhighest levels of Catalan government to Members of the European Parliament, legislators, and their staff and\r\nfamily members. 
We do not conclusively attribute the targeting to a specific government, but extensive\r\ncircumstantial evidence points to the Spanish government.\r\nBackground: Spain, Catalonia, and Surveillance\r\nFollowing three years of civil war spanning from 1936 to 1939, and thirty-six years of brutal dictatorship under\r\nGeneral Francisco Franco, Spain’s government transitioned into a democratic, constitutional monarchy in 1975-\r\n1978. Under the King as head of state, Spain’s elected Prime Minister and Council of Ministers form the\r\ngovernment. The Spanish Parliament appoints, and dismisses, the prime minister. Pedro Sánchez, leader of the\r\nSocialist Workers’ Party, currently serves as prime minister, a position he has held since 2018.\r\nSpain maintains a robust security and intelligence apparatus largely as a function of the country’s experience with\r\nterrorism and organised crime. The National Intelligence Center (CNI) acts as both a domestic and international\r\nintelligence agency, while the Guardia Civil is the country’s policing and law enforcement body of a “military\r\nnature.” Both are accountable to the head of government through the Ministry of the Defense. As with most\r\ncountries’ intelligence agencies, the CNI’s activities are shrouded in secrecy, and the agency lacks public\r\ntransparency. The CNI has also been at the centre of a series of surveillance and espionage scandals. Ensuring\r\ntransparency and public accountability in the operations of Spain’s intelligence apparatus is an enduring challenge,\r\ndespite the requirement of some judicial oversight.\r\nBackground on Catalonia’s History and Government\r\nThe autonomous community of Catalonia (one of several autonomous communities in Spain) is located in north-eastern Spain and comprises four provinces: Girona, Barcelona, Tarragona, and Lleida. 
Catalonia is considered\r\namong the wealthiest regions of Spain and its economy represents a significant portion of Spain’s Gross Domestic\r\nProduct. The region’s official languages are Catalan, Spanish, and Aranes.1 Catalonia has a long and complex\r\nhistory and its desire for greater autonomy and independence has roots that date back hundreds of years.\r\nCatalonia’s autonomous status, culture, and society were persecuted throughout Franco’s dictatorship, until it\r\nregained autonomy following the regime’s demise in 1977-1978. Since Catalonia’s 1979 Statute of Autonomy,\r\nefforts in favour of greater autonomy ebbed and flowed for several decades, but grew larger and more organised\r\nleading up to the 2003 elections. The winning coalition led by Pasqual Maragall produced the 2006 Statute of\r\nAutonomy. Maragall said the Statute would grant Catalonia unprecedented, “state-like” autonomy.\r\nEvents Leading Up to and Following the 2017 Referendum\r\nThe campaign for a fully independent Catalonia, while divisive, gradually gained traction in the late 1990s. The\r\nmomentum then accelerated following the 2008 financial crisis. In 2009, the municipality of Arenys de Munt held\r\na referendum on the secession question (96% in favour, 41% turnout). Self-determination referenda have been\r\nfound to violate Article 2 of the 1978 Spanish Constitution, which entrenches the “indissoluble unity” of the\r\nnation. Notwithstanding, Arenys inspired other Catalan municipalities to hold similar referenda. Over the next\r\nyear and a half, 58.3% of Catalan municipalities—constituting 77.5% of Catalonia’s population—held separate\r\nreferenda.\r\nIn 2010, Spain’s Constitutional Court struck down certain sections of the 2006 Statute of Autonomy, which\r\ngoverns the relationship between Catalonia and Spain. 
This decision led to a massive protest in Barcelona.\r\nFurther, significant pro-independence protests (accompanied by the slogan “Catalonia, a new European state”)\r\nfollowed in Barcelona in 2012. On the heels of the protest, the Catalan government issued a resolution affirming\r\n“a new era based on the right to decide.” This resolution, and others, were systematically rejected by the Spanish\r\nConstitutional Court. In 2014, after an attempt to hold an official referendum was ruled to be illegal by the\r\nConstitutional Court, the Catalan government held a non-binding self-determination referendum, also referred to\r\nas the Citizen Participation Process on the Political Future of Catalonia. The referendum led to serious\r\nconsequences for the then president of Catalonia, Artur Mas, and some other government officials.\r\nIn 2017, Carles Puigdemont—the successor to Mas—announced before the Catalan Parliament that he would hold\r\na binding referendum on independence. The referendum was held on October 1, 2017, despite Spain’s\r\nConstitutional Court finding the referendum to be illegal under Spanish law. Of those who voted, 90% supported\r\nindependence, although the final turnout was low at only 42% of voters. At the time, the Catalan government’s\r\nspokesperson stated that the count did not include ballots seized in raids by the Spanish police. There were also\r\nreports of police turning away voters from polling places. During the referendum, Human Rights Watch described\r\nthe Spanish police as using excessive force when confronting peaceful demonstrators. The UN High\r\nCommissioner for Human Rights, Zeid Ra’ad Al Hussein, called for an independent investigation into the\r\nviolence, and urged that the dispute be resolved through dialogue.\r\nIn late October 2017, the Catalan Parliament approved a resolution in favour of independence, with 72 of the 135\r\nmembers signing. 
The Spanish government responded by firing Puigdemont, dissolving the Catalan Parliament,\r\nand scheduling new elections. Regardless, pro-independence parties still won a majority in the new Parliament.\r\nPuigdemont, meanwhile, had fled Catalonia, accompanied by several colleagues. Although some later returned to\r\nface trial, Puigdemont remained in Brussels. He was subsequently elected as a member of the European\r\nParliament, and continues to fight extradition to Spain.\r\nReportedly, the CNI collaborated with German intelligence agencies to undertake surveillance on Puigdemont\r\nleading to his March 25, 2018 arrest in Germany. In October 2019, the Supreme Court of Spain sentenced a\r\nnumber of Catalans convicted of sedition for participating in the 2017 referendum to prison terms of nine to 13\r\nyears. Several international human rights organisations strongly criticised the convictions and sentencing as\r\npotential violations of international human rights law. The sentencing sparked new protests, including calls for\r\nnon-violent civil disobedience organised by a tech-savvy independence movement called the Tsunami Democràtic.\r\nThe Catalans convicted of sedition were eventually pardoned by the Spanish government in 2021.\r\nSpanish courts have determined that Catalan secession is contrary to Spanish domestic and constitutional law. But\r\nthe question may be more nuanced under international law and raises legal questions related to territorial integrity,\r\nself-determination, declarations of independence, secession, and recognition. Negotiations between Catalonia and\r\nthe Spanish government resumed in September 2021, after a hiatus of a year and a half. 
In February 2022, Pere\r\nAragonès—now president of the government of Catalonia – indicated that he was open to continuing negotiations\r\nwith the Spanish government.\r\nDocumented Surveillance Abuses in Spain and Catalonia\r\nWhile secrecy surrounds Spain’s surveillance practices, a number of cases have come to light over the last several\r\ndecades that are relevant to this report and demonstrate a track record of domestic surveillance and the use of\r\nspyware by Spanish authorities. In 2001, Mariano Rajoy, then Spain’s Minister of Interior, purchased the Sistema\r\nintegral de interpretación de las comunicaciones (SITEL), spyware the Guardia Civil and CNI used to track\r\nsuspects’ phones. Spain also reportedly ‘colluded’ with the National Security Agency (NSA) in the United States.\r\nOne interpretation of the 2013 Snowden disclosures suggested that the NSA had intercepted 60 million calls in\r\nSpain between December 2012 and January 2013. However, a subsequent analysis showed that these assertions\r\nwere based on a likely misinterpretation of slides from the Snowden disclosures, and actually related to data\r\ncollection by NATO allies, including Spain, in Afghanistan.2\r\nAccording to El Confidencial3, the CNI and National Police paid at least 209,000 euros to the Milan-based\r\nsurveillance software company Hacking Team for use of its spyware in 2010. The purchase was first revealed in\r\n2015 when WikiLeaks published internal Hacking Team emails. El País then reported that the contract with the\r\nCNI was “valid from 2010 to 2016, worth 3.4 million euros.” The CNI acknowledged it purchased the spyware at\r\nthe time, saying it did so “in accordance with the public sector contracting laws.” CNI declined to give any further\r\ninformation as to what they did with Hacking Team’s spyware. 
In 2015, the Citizen Lab mapped the proliferation\r\nof Finfisher, a sophisticated computer spyware suite sold exclusively to governments for intelligence and law\r\nenforcement purposes, and identified a suspected Spanish customer.\r\nThe latest targeted espionage scandal in Spain arose publicly in 2020 when several prominent Catalans announced\r\nthat WhatsApp and the Citizen Lab had notified them that they were targeted in the 2019 WhatsApp Pegasus\r\nbreach. The first to do so was Roger Torrent, then pro-independence president of the Catalan Parliament. The\r\ntargeting of Torrent with NSO Group’s spyware was confirmed by WhatsApp. Ernest Maragall, leader of the pro-independence, Barcelona-based Republican Left of Catalonia party, was the second target to come forward,\r\nfollowed by Anna Gabriel, a former regional member of Parliament for the far-left party, the Popular Unity\r\nCandidacy (CUP), activist Jordi Domingo, and Puigdemont staffer Sergi Miquel Gutiérrez. Gabriel was targeted\r\nwhile she was living in Switzerland. The Spanish prime minister’s office claimed that it was “not aware” of this\r\nspying. Nonetheless, in 2020, El País confirmed that the Spanish government was an NSO Group customer, and\r\nthat the CNI actively used Pegasus spyware. A former NSO employee commented to Motherboard that they\r\n“‘were actually very proud of them as a customer’ … ‘Finally, a European state.’”\r\nFinding: Catalans Targeted with Pegasus\r\nWith the targets’ consent, we obtained forensic artefacts from their devices that we examined for evidence of\r\nPegasus infections. 
Our forensic analysis enables us to conclude with high confidence that, of the 63 people\r\ntargeted with Pegasus, at least 51 individuals were infected.\r\nAlmost all of the incidents occurred between 2017 and 2020, although we found an instance of targeting in 2015.\r\nAll targets publicly named in this report consented to be identified as such.\r\nIn addition to the forensic confirmations, we identified additional cases of Catalans targeted by Pegasus infection\r\nattempts, but where we were unable to forensically validate an infection. This was due to multiple reasons,\r\nranging from changed or discarded devices, to the limitations of our forensic tooling.\r\nCase Type | Number Observed\r\nIndividuals with forensically-confirmed infections | 51\r\nIndividuals targeted via SMS or WhatsApp with Pegasus infection attempts, without forensic confirmation of a successful infection | 12\r\nTotal Pegasus targets | 63\r\nTable 1\r\nAn overview of Pegasus infection and targeting.\r\nSpain has a high Android prevalence over iOS (~80% Android in 2021). Anecdotally, this is somewhat reflected in\r\nthe individuals we contacted. Because our forensic tools for detecting Pegasus are much more developed for iOS\r\ndevices, we believe that this report heavily undercounts the number of individuals likely targeted and infected with\r\nPegasus because they had Android devices.\r\nRelational or “Off-Centre” Targeting\r\nTargeting friends, family members, and close associates is a common practice for some hacking operations. This\r\ntechnique allows an attacker to gather information about a primary target without necessarily maintaining access\r\nto that person’s device. 
In some cases, the primary target may also be infected, but in others this may not be\r\nfeasible for various reasons.\r\nWe observed several cases of relational or “off-centre” targeting: spouses, siblings, parents, staff, or close\r\nassociates of primary targets were targeted and infected with Pegasus. In some cases those individuals may also\r\nhave been targeted, but forensic information was unavailable. In others, we found no evidence that a primary\r\ntarget was infected with Pegasus, but found targeting of their intimates.\r\nFor example, one individual targeted with Candiru had a US SIM card in their device, and resided in the US. We\r\nfailed to find evidence that this individual was infected with Pegasus. This is consistent with reports that most\r\nPegasus customers are not permitted to target US numbers. However, both of the target’s parents use phones with\r\nSpanish numbers, and were targeted on the day that the primary target flew back to Spain from the US. Neither\r\nparent is politically active or likely to have been targeted because of who they are or what they do.\r\nTarget: Members of the European Parliament\r\nFour Catalan Members of the European Parliament (MEP) that supported independence were targeted either\r\ndirectly with Pegasus, or via suspected relational targeting.4 Two MEPs were directly infected, two more had staff,\r\nfamily members, or close associates targeted with Pegasus.\r\nDiana Riba (MEP, ERC), who assumed office in July 2019, was infected on or around October 28, 2019.\r\nIn some cases, the targeting coincided with political events, underlining that the targeting may have been for the\r\npurposes of political espionage. For example, Jordi Solé (MEP, ERC) was targeted during party discussions about\r\nwho would replace MEP Oriol Junqueras. 
One instance took the form of a fake SMS from Spain’s social security\r\nsystem. Forensic evidence confirms that he was infected at least twice on or around June 11 and June 27, 2020,\r\nshortly before being substituted into his role as a MEP in July 2020.\r\nThese dates and findings do not preclude the possibility of other infections or targeting. As with other victim\r\nclusters, we were not always able to fully forensically examine all relevant devices.\r\nDirect Targeting\r\nDiana Riba Infected (Pegasus)\r\nMember of the European Parliament, ERC (2019 – present)\r\nJordi Solé Infected (Pegasus)\r\nMember of the European Parliament, ERC (2020 – present)\r\nFormer Member of the Parliament of Catalonia (2012 – 2015)\r\nInfected during discussions leading to his substitution into the role of a previous MEP.\r\nLikely Relational Targeting\r\nClara Ponsati Relational targeting against a European Parliament staff member\r\nMember of the European Parliament, JUNTS (2020 – present)\r\nFormer Minister of Education of Catalonia (2017 – 2017)\r\nCarles Puigdemont Relational targeting via key staff, spouse, and close associates\r\nMember of the European Parliament, JUNTS (2019 – present)\r\nFormer President of Catalonia (2016 – 2017)\r\nFigure 1\r\nMembers of the European Parliament Infected or Likely Relationally Targeted with Pegasus\r\nWe observed Pol Cruz, a key parliamentary staff member of Clara Ponsati (MEP, JUNTS), infected with Pegasus\r\non or around July 7, 2020.\r\nThe spouse, key staff members, and close associates of Carles Puigdemont (MEP, JUNTS) were all targeted with\r\nPegasus. We count up to eleven individuals that fit this category. 
For example, Marcela Topor, his spouse, was\r\ninfected at least twice (on or around October 7, 2019 and July 4, 2020).\r\nTarget: Catalan Civil Society\r\nMultiple Catalan civil society organisations that support Catalan political independence were targeted with Pegasus,\r\nincluding Òmnium Cultural and Assemblea Nacional Catalana (ANC). Catalans working in the open-source and\r\ndigital voting communities were also targeted. This section highlights a selection of the cases.\r\nTarget: Assemblea Nacional Catalana (ANC)\r\nAt ANC, five board members were targeted, including university professor Jordi Sànchez (President, 2015 –\r\n2017). Interestingly, Sànchez was first seen targeted with a Pegasus infection attempt via SMS in 2015, shortly\r\nafter a large demonstration in Barcelona. This is the earliest Pegasus infection attempt that we have observed, as the\r\nbulk of the targeting uncovered by this investigation appears to have occurred between 2017 and 2020.\r\nOrganization | Number of targets\r\nÒmnium Cultural | 4\r\nANC | 5\r\nTable 2\r\nTargeted Catalan organizations\r\nBetween 2017 and 2020, Sànchez received at least 24 more Pegasus SMSes,5 most of which masqueraded as news\r\nupdates relating to Catalan and Spanish politics. He also received messages purporting to come from the Spanish\r\ntax and social security authorities.\r\nMessages received by Sànchez often coincided with important political events. For example, on April 20, 2017, he\r\nwas targeted the day prior to Catalan government meetings with civil society groups to discuss the October\r\nreferendum. Months later, just as polling stations opened on October 1, 2017, he was targeted with an alarming\r\nmessage saying that a police “offensive” was beginning. 
Forensic analysis confirms that Sànchez was infected at\r\nleast four times with Pegasus between May and October 2017.\r\nSànchez is among the prominent Catalans arrested, and later pardoned, for their role in the Referendum. One of\r\nthe infections occurred on October 13, 2017, just days before his arrest. Interestingly, the SMSes targeting his\r\nphone in 2020 coincided with days when he was given weekend release from jail.\r\nProfessor Elisenda Paluzie (ANC President, 2018 – 2022) is a prominent Catalan economist, academic, and\r\nactivist. Prior to her role with the ANC, she served as dean of the Faculty of Economics and Business at the\r\nUniversity of Barcelona.\r\nShe was working from home during the COVID lockdown when the first Pegasus infection attempt arrived. It\r\npurported to be a news story about the ANC. On June 10, 2020, as she was running for a board seat with ANC and\r\nas online voting began, a second infection attempt arrived. It masqueraded as a Twitter update from a Catalan\r\nnewspaper.\r\nAnother ANC board member, Sònia Urpí Garcia, was infected with Pegasus on June 22, 2020, just over a week\r\nafter being elected to the role on June 13, 2020.\r\nTarget: Òmnium Cultural\r\nMultiple individuals around Òmnium were similarly targeted with Pegasus. These included the journalist Meritxell\r\nBonet, who is the spouse of Òmnium’s former president Jordi Cuixart. Bonet was targeted while Cuixart was\r\nfacing charges for his role in the 2017 referendum, and infected on June 4, 2019, not long before he was to make\r\nhis final statements at trial. He was later sentenced in October 2019, and pardoned in 2021.\r\nJournalist and historian Marcel Mauri became vice president of Òmnium after Cuixart was sentenced on October\r\n14, 2019. 
Within ten days of assuming the role, on October 24, 2019, we found evidence of what would be the\r\nfirst of three Pegasus infections of his phone. We also found evidence of extensive Pegasus SMS targeting\r\nstraddling that period, beginning in February 2018 and ending in May 2020.\r\nElena Jiménez, another executive board member and the international representative of Òmnium, was also\r\ninfected with Pegasus. Although we are unable to determine the date of the infection, the case is interesting: her\r\nrole included dialogue with NGOs throughout Europe including Amnesty International and Frontline Defenders.\r\nThe compromise of her communications would have likely provided a unique view into Catalan advocacy efforts.\r\nJordi Bosch, also an executive board member, was infected with Pegasus on or around July 11, 2020.\r\nCatalan’s Open-Source and Digital Voting Community\r\nJoan Matamala runs a bookstore and foundation promoting the Catalan language and culture, originally founded\r\nby his father in defiance of Franco’s dictatorship. Matamala also recently founded the Nord Foundation which\r\npromotes open-source citizen participation software. Forensic examination of his phone indicates that he was also\r\ninfected at least 16 times with Pegasus between August 2019 and July 2020.\r\nMatamala was also infected with Candiru spyware. Other members of the Catalan open-source community who\r\nwork on voting software and decentralization were similarly targeted with Candiru. 
Their cases are described\r\nbelow in greater detail (See Finding: Catalans Targeted with Candiru).\r\nLawyers Representing Prominent Catalans\r\nMultiple lawyers representing prominent Catalans were targeted and infected with Pegasus, some extensively.\r\nWhile not all have consented to be named, the targeting suggests that this group was a specific focus for\r\nmonitoring.\r\nFor example, well-known lawyer Gonzalo Boye, who represents Puigdemont (among others), was targeted at\r\nleast 18 times with infection attempts between January and May 2020. Some of the messages masqueraded as\r\ntweets from organisations like Human Rights Watch, The Guardian, Columbia Journalism Review, and Politico.\r\nBoye was successfully infected with Pegasus on or around October 30, 2020. The timing is interesting: one of his\r\nclients had been arrested just 48 hours before the infection.\r\nAndreu Van den Eynde, lawyer for prominent Catalans Oriol Junqueras, Roger Torrent, Raül Romeva, and\r\nErnest Maragall, was infected on May 14, 2020.6 Jaume Alonso-Cuevillas, a lawyer who also represented\r\nPuigdemont, was infected with Pegasus, although we were unable to determine the date of the infection. Alonso-Cuevillas is currently a member of the Parliament of Catalonia, former dean of the Barcelona Bar Association, and\r\nformer President of the European Bar Federation.\r\nTarget: Catalan Government, Parliament, and Politicians\r\nCatalan politicians were extensively infected with Pegasus. The targeting took place throughout sensitive\r\nnegotiations between the Catalan and Spanish governments. 
This section lists a selection of the cases.\r\nEvery Catalan president since 2010 has been targeted or infected with Pegasus, either while serving their term,\r\nbefore, or after their retirement.\r\nPresident Pere Aragonès (infected while serving as VP during Torra’s Presidency)\r\nDate Served: 2021-present\r\nInfected (Pegasus)\r\nFormer President Joaquim Torra (infected while in office)\r\nDate Served: 2018-2020\r\nInfected (Pegasus)\r\nFormer President Carles Puigdemont\r\nDate Served: 2016 to 2017\r\nRelational targeting\r\nFormer President Artur Mas (infected after leaving office)\r\nDate Served: 2010-2015\r\nInfected (Pegasus)\r\nFigure 2\r\nCurrent and Former Catalan Presidents Targeted\r\nIn addition, the leadership and members of Catalan legislative bodies were extensively infected, including\r\nmultiple presidents of the Catalan parliament either while in office or prior to taking office.\r\nRoger Torrent Former President of the Parliament of Catalonia (targeted while in office)\r\nTargeted (Pegasus)\r\nLaura Borràs (current President of Catalan parliament, targeted while a member of the Spanish Congress)\r\nTargeted (Pegasus)\r\nFigure 3\r\nExamples of Targets Among Parliamentary Leadership\r\nThe targeting and infections were expansive and touched a wide range of legislators from at least five Catalan\r\npolitical parties.\r\nTogether for Catalonia (Junts per Catalunya)\r\n11 Members targeted\r\nRepublican Left of Catalonia (Esquerra Republicana de Catalunya)\r\n12 Members\r\nPopular Unity Candidacy (Candidatura d’Unitat Popular)\r\n4 members\r\nCatalan European Democratic Party (Partit Demòcrata Europeu Català)\r\n3 members\r\nCatalan Nationalist Party (Partit Nacionalista Català)\r\n1 Member\r\nFigure 4\r\nTargets Among Catalan Political Parties\r\nTaken together, 
the targeting indicates an extremely well-informed and widespread effort to monitor Catalan\r\npolitical processes. Examination of the SMS targeting also points to a detailed understanding of the targets, their\r\ninterests, concerns, and activities. The timing of the targeting often directly coincided with specific non-public and\r\nsensitive activities such as strategy meetings and negotiations. This is highly suggestive of a well resourced\r\nintelligence service.\r\nExploit Techniques\r\nVictims were infected through at least two vectors: zero-click exploits and malicious SMSes. While users can be\r\ntrained to be vigilant about not clicking suspicious links, the use of zero-click exploits is especially difficult to\r\ndefend against as there is no action that a regular user can take that will reliably protect them against this kind of\r\nattack.\r\nZero-Click Exploits\r\nWe saw evidence that multiple zero-click iMessage exploits were used to hack Catalan targets’ iPhones with\r\nPegasus between 2017 and 2020.\r\nDiscovering Homage\r\nWe have identified signs of a zero-click exploit that has not been previously described, which we call HOMAGE.\r\nThe HOMAGE exploit appears to have been in use during the last months of 2019, and involved an iMessage\r\nzero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following\r\na com.apple.private.alloy.photostream lookup for a Pegasus email address. The WebKit instance in the\r\ncom.apple.mediastream.mstreamd process fetched JavaScript scaffolding that we recovered from an infected\r\nphone. The scaffolding was fetched from /[uniqueid]/stadium/goblin. 
After performing tests, the scaffolding then\r\nfetches the WebKit exploit from /[uniqueid]/stadium/eutopia if tests succeed.\r\nOne test run by the scaffolding checks the exact screen resolution in pixels, and compares it with hardcoded\r\nvalues for each type of iPhone hardware, with or without display zoom enabled. If there are multiple possible\r\nmatches (for example, the iPhone X and Xs share the same screen resolution if the latter is running in “display\r\nzoom” mode), then a timing side-channel is tested, which involves measuring the time taken to encrypt a buffer of\r\n2^28 bytes using AES in CBC mode. If the measured time is less than 560ms, then the test concludes that the\r\niPhone device uses PAC (iPhone Xs and above). If the time taken is greater than 560ms, then the test concludes\r\nthat the device does not use PAC (iPhone X and earlier).\r\nThe exploit was fired at the phone on at least the following dates:\r\nMon, 16 Dec 2019 16:05:01 GMT\r\nWed, 18 Dec 2019 10:45:03 GMT\r\nThu, 19 Dec 2019 11:38:45 GMT\r\nThu, 26 Dec 2019 08:32:51 GMT\r\nSun, 29 Dec 2019 10:58:04 GMT\r\nThu, 02 Jan 2020 13:32:49 GMT\r\nSat, 04 Jan 2020 10:47:05 GMT\r\nWed, 08 Jan 2020 07:27:46 GMT\r\nAmong Catalan targets, we did not see any instances of the HOMAGE exploit used against a device running a\r\nversion of iOS greater than 13.1.3. It is possible that the exploit was fixed in iOS 13.2. We are not aware of any\r\nzero-day, zero-click exploits deployed against Catalan targets following iOS 13.1.3 and before iOS 13.5.1.\r\nThe Citizen Lab has reported the exploit to Apple and provided them with relevant forensic artifacts. 
At this time,\r\nwe do not have evidence to suggest that Apple device users on up-to-date versions of iOS are at risk.\r\nKismet\r\nThe zero-clicks used also included the KISMET exploit, which was a zero-day in the summer of 2020 against iOS\r\n13.5.1 and iOS 13.7. Though the exploit was never captured and documented, it was apparently fixed by changes\r\nintroduced into iOS 14, including the BlastDoor framework.\r\nThe most recent case we have documented of an iPhone belonging to a Catalan target that was infected with\r\nPegasus was in December 2020, via the KISMET exploit.\r\nThe 2019 WhatsApp Attack\r\nCitizen Lab has previously confirmed that multiple Catalans were among those targeted with Pegasus through the\r\n2019 WhatsApp attack, which relied on the (now patched) CVE-2019-3568 vulnerability.\r\nSMS-Based Targeting\r\nMany victims were targeted using SMS-based attacks, and we have collected more than 200 such messages. These\r\nattacks involved operators sending text messages containing malicious links designed to trick targets into clicking.\r\nIn this approach, once a victim clicks on a link, the device is infected via a Pegasus exploit server.\r\nSophistication and personalization of the messages varied across attempts, but they reflect an often detailed\r\nunderstanding of the target’s habits, interests, activities, and concerns. In many cases, either the timing or the\r\ncontents of the text were highly customised to the targets and indicated the likely use of other forms of\r\nsurveillance.\r\nJordi Baylina is the technology lead at Polygon, a popular decentralised Ethereum scaling platform. He is also an\r\nadvisor on projects related to digital voting and decentralisation, and\r\nhas built a widely-used privacy toolkit. He was extensively targeted with Pegasus, receiving at least 26 infection\r\nattempts. 
Ultimately, he was infected at least eight times between October 2019 and July 2020.\r\nBaylina received a text message masquerading as a boarding pass link for a Swiss International Air Lines flight he\r\nhad purchased. Targeting in this case indicates that the Pegasus operator may have had access to Baylina’s\r\nPassenger Name Record (PNR) or other information collected from the carrier.\r\nFake Mobile Boarding Pass\r\nAnother common mode of targeting was to masquerade as official notifications from Spanish government entities,\r\nincluding the Tax and Social Security authorities. The messages also used SMS Sender IDs to masquerade as\r\nofficial agency accounts.\r\nNotably, fake official messages were sometimes highly personalized. For example, a message sent to Jordi\r\nBaylina included a portion of his actual official tax identification number, suggesting that the Pegasus operator\r\nhad access to this information.\r\nFake Official Notifications\r\nWe also observed regular use of package tracking or delivery notifications. 
Some were personalised, containing\r\nthe targets’ names.\r\nFake Package Notification\r\nMany messages masqueraded as Twitter or news updates, typically focused on topics of interest to the target.\r\nNews organizations impersonated included international outlets such as The Guardian, Financial Times, and Die\r\nWelt, English language media like the Columbia Journalism Review, as well as regional media like La\r\nVanguardia, Europa Press, El Temps, El Confidencial, and so on.\r\nFake Twitter \u0026 News Updates\r\nCross-Border SMS Targeting\r\nCatalans were also targeted outside of Catalonia with Pegasus infection attempts, including SMS messages sent to\r\nnumbers with non-Spanish country codes. For example, Marta Rovira was targeted while in Switzerland on her\r\nSwiss telephone number. Both SMS messages used an SMS Sender ID impersonating Swiss entities: Swisspeace\r\nis an NGO, and the Geneva Center for Security Policy is a foundation established and primarily funded by the\r\nSwiss government.\r\nJordi Baylina was also targeted with infection attempts masquerading as a tweet from European NGO European\r\nDigital Rights and a tweet purporting to be the Swiss telecom provider Swisscom.\r\n7\r\nThe text messages pointed to a cluster of domains pointing to infrastructure previously identified through the\r\nCitizen Lab’s Internet scanning and fingerprinting as belonging to NSO Group’s Pegasus infection infrastructure.\r\nFinding: Catalans Targeted with Candiru\r\nIn July 2021, we published “Hooking Candiru,” in which we identified and analysed Candiru’s mercenary\r\nspyware, in cooperation with Microsoft. At the time we did not name the “patient zero” for our analysis. 
He is\r\nJoan Matamala. As noted above, Matamala was extensively targeted and infected with Pegasus.\r\nWhile conducting a preliminary investigation into Candiru spyware we identified evidence of a live Candiru\r\ninfection on an institutional network backbone used by a consortium of Catalan universities.\r\nWith the help of technicians from the relevant institutions, the infection was localized to a campus of the\r\nUniversity of Girona. Further investigation confirmed that Matamala was the owner of the infected device, and\r\nthat an infection was live.\r\nUsing a pretext, Matamala’s colleagues asked him to step away from the computer and into the hallway. Once the\r\nsituation had been explained, he consented to a forensic analysis of the device.\r\nWe were able to successfully forensically extract the malicious spyware and determine that it was persistently\r\ninstalled on his device.\r\nWith Matamala’s consent, we shared forensic traces of the spyware with Microsoft’s Threat Intelligence Center\r\n(MSTIC), who discovered over 100 victims across ten countries. Microsoft describes the victims of Candiru\r\n(which they refer to as SOURGUM) as including “politicians, human rights activists, journalists, academics,\r\nembassy workers, and political dissidents.”\r\nMicrosoft also discovered two zero-day vulnerabilities (CVE-2021-31979, CVE-2021-33771) employed by\r\nCandiru to infect Windows systems, and patched them in July 2021.\r\nIdentifying Additional Candiru Targets\r\nForensic evidence pertaining to Candiru was obtained from victims who consented to participate in a research\r\nstudy with the Citizen Lab. 
Victims publicly named in the report consented to being identified as such.\r\nCase Type | Number Observed\r\nForensically Confirmed Candiru Infection | 1\r\nConfirmed Candiru Targeting | 3\r\nTotal Cases | 4\r\nTable 3\r\nCase overview for Pegasus infections and targeting.\r\nOur continuing investigation into Candiru in connection with Catalonia revealed at least three other individuals\r\nwere targeted with Candiru spyware via email messages: Elies Campo,8 Xavier Vives, and Pau Escrich. Escrich\r\nwas also targeted with a Pegasus infection attempt on June 2, 2020. Escrich and Vives are co-founders of Vocdoni,\r\na censorship-resistant secure digital voting protocol that Òmnium used during its internal elections. Elies Campo,\r\nalong with Jordi Baylina, both served as advisors to Vocdoni.\r\nCandiru Email Targeting\r\nWe identified a total of seven emails containing the Candiru spyware, via links to the domain name stat[.]email.\r\nThe email messages were well constructed efforts to entice the targets to click on the links. For example, two of\r\nthe three targets (Xavier Vives and Pau Escrich) received the email shown in Figure 6 in early February 2020, featuring\r\nthe official emblem of the Government of Spain, and reporting that the World Health Organization had declared\r\nCOVID-19 to be a “Public Health Emergency of International Importance” in January.\r\nThe email contained a link to recommendations for what to do in cases of infection with COVID-19. Clicking on\r\nthe link would have infected the targets’ computers with Candiru’s spyware.\r\nOne of the targets, Pau Escrich, received an email impersonating the Mobile World Congress (MWC), with a link\r\nto tickets. Had he clicked on the link, his computer would have been infected with Candiru’s spyware. 
The email\r\ncontent appears to be copied from a legitimate Mobile World Congress email sent to news105@tutanota[.]com,\r\nwhich may be an email address used by the spyware operators.\r\nInterestingly, Elies Campo was targeted with a well-crafted message purporting to be from Barcelona’s Mercantile\r\nRegistry (Figure 7). The message contained factual information about a company that he administered and\r\npurported to be a warning that a similarly-named company was registered in Panama. Such a message indicates a\r\nhigh degree of awareness of Campo’s activities, and would be likely to generate a click. The message was\r\nreceived while Campo was in the US.\r\nThe Mobile World Congress email containing a Candiru link is also noteworthy, as it echoes bait content in a\r\nPegasus SMS sent to a separate target, Jordi Baylina:\r\nThis content similarity hints at a potential overlap of knowledge and targeting themes between the Candiru and\r\nPegasus operators.\r\nCandiru’s Capabilities\r\nOur analysis of Candiru’s spyware showed that Candiru was designed for extensive access to the victim device,\r\nsuch as extracting files and browser content, but also stealing messages saved in the encrypted Signal Messenger\r\nDesktop app. 
Figure 9 shows an excerpt of Windows spyware functionality described in a leaked Candiru contract.\r\nMicrosoft’s analysis established that Candiru’s spyware, which they call Devil’s Tongue, also had functionality\r\nallowing the operator to directly use a victim’s cloud accounts on their infected device to send or post messages\r\nusing their accounts. While it can be used as part of infection targeting, the same functionality could be used to\r\nplant evidence that would frame an individual in a way that would be exceedingly difficult for the victim to refute.\r\nAttribution\r\nAttribution to NSO’s Pegasus\r\nThe Citizen Lab regularly conducts large-scale scanning, fingerprinting, and monitoring for evidence of Pegasus\r\ninfections. We observed the following Pegasus domain names used in SMS infection attempts sent to Catalan\r\ntargets:\r\nVersion of Pegasus Infrastructure | Domains\r\nVersion 1 | nnews[.]co\r\nVersion 3 | statsads[.]co, adsmetrics[.]co\r\nVersion 4 | redirstats[.]com, statsupplier[.]com, infoquiz[.]net [9]\r\nVersion 4.5 | 123tramites[.]com\r\nTable 4\r\nCatalanGate Pegasus infrastructure domains and versions.\r\nOf these domains, only nnews[.]co and 123tramites[.]com were complete matches for our fingerprint, and\r\nstatsads[.]co was a partial fingerprint match. Some of the domains appear to have customised behaviour or\r\nsetup, perhaps in order to make them less visible to our Internet scanning. For example, our Athena method for\r\ndetermining which domain names were operated by a single customer (applicable to Version 3 domains) did not\r\nwork on statsads[.]co or adsmetrics[.]co. 
Additionally, our Version 3 fingerprint was only a partial match\r\nfor statsads[.]co (the discrepancy was that the server exhibited 300ms of additional latency, perhaps because\r\nthe operator fronted their NSO Group-supplied infrastructure with their own custom server). Our Version 3\r\nfingerprint did not match adsmetrics[.]co at all, perhaps again because of a separate custom server that the\r\noperator used to front their NSO-supplied infrastructure. We also did not detect any of the Version 4 domains, as\r\nthey used SSL certificates issued by cPanel; we only scanned for SSL certificates from specific issuers, of which\r\ncPanel was not one.\r\nDespite the apparent customizations, we have developed evidence that all of the domains are linked to NSO\r\nGroup’s Pegasus spyware.\r\nDomain | Evidence of link to Pegasus\r\nnnews[.]co | Matched our “Version 1” fingerprint\r\nstatsads[.]co | Partially matched our “Version 3” fingerprint. Pegasus forensic indicators on device shortly after SMS containing link was read (and presumably clicked on)\r\nadsmetrics[.]co | Similar bait content (message from “twitter” posing as tweet from “@ScotNational”) as message containing link to statsupplier[.]com\r\nredirstats[.]com | Certain setup characteristics match statsupplier[.]com: nameserver hosted on kualo.net, and SSL certificate from cPanel\r\nstatsupplier[.]com | Pegasus forensic indicators on device shortly after SMS containing link was read (and presumably clicked on)\r\ninfoquiz[.]net | Certain setup characteristics match statsupplier[.]com: nameserver hosted on kualo.net, and SSL certificate from cPanel\r\n123tramites[.]com | Matched our “Version 4.5” fingerprint\r\nTable 5\r\nCatalanGate domains and attribution to Pegasus.\r\nMost Domains Appear to be Operated by a Single Customer\r\nWe link each domain 
(except nnews[.]co) to a single Pegasus customer. We link the domain names infoquiz[.]net,\r\nstatsupplier[.]com and redirstats[.]com to a single customer, because they shared setup characteristics\r\n(nameserver hosted on kualo.net and SSL certificate from cPanel). We further believe that 123tramites[.]com was\r\noperated by the same customer, because an SMS with a link to 123tramites[.]com used identical bait content to an\r\nSMS with a link to statsupplier[.]com.\r\nWe further believe that adsmetrics[.]co represents the same customer, as we saw similar bait content (message\r\nfrom “twitter” posing as tweet from “@ScotNational”) in an SMS with a link to statsupplier[.]com. We further\r\nbelieve that statsads[.]co represents the same customer, as we saw similar bait content (message from “twitter”\r\nposing as tweet from “@elconfidencial”) in an SMS with a link to statsupplier[.]com. We are unsure if nnews[.]co\r\nrepresents the same customer, although we suspect that even if the customer is separate, it is at least a related\r\ncustomer: we did locate one individual who received Pegasus links from: nnews[.]co, statsads[.]co and\r\nstatsupplier[.]com.\r\nAttribution to Candiru\r\nIn our July 2021 Hooking Candiru report, we listed 764 domain names that we linked to Candiru. 
Our initial\r\nground truth was a self-signed TLS certificate mentioning an email address on the domain name\r\ncandirusecurity[.]com, which is registered to Candiru.\r\nThree of the domain names in our list of 764, adtrack[.]link, cortana[.]cloud, and rbtlnk[.]net were interesting,\r\nbecause they initially matched our Candiru fingerprint CF1, but around April 2018, began to exhibit an unusual\r\nbehaviour that we believe represents customization employed by the Candiru customer using these domain names.\r\nStarting from around May 2018, any HTTPS traffic on port 443 to these three domain names was routed to a Tor\r\nclient running on the server (identifiable by the distinctive TLS certificates it returned), but only if the SNI was set\r\nto adtrack[.]link, cortana[.]cloud, rbtlnk[.]net, or any other domain name configured on the server. The Tor\r\nbehaviour simply appeared to be a “decoy” behaviour designed to confuse or mislead researchers who happened\r\nupon these domain names or their IP address. The spyware did not appear to use Tor for data exfiltration, nor was\r\nthe IP, 185.181.8[.]155, used as a relay by legitimate Tor users. Because this “Tor behaviour” was different from\r\nthe behaviour of other customers’ Candiru servers around this time, we hypothesised that the Candiru customer in\r\nquestion was attempting to “customise” their servers, perhaps in order to make them less visible to our Internet\r\nscanning. We scanned the Internet for other IPs exhibiting this same “Tor behaviour,” and found only one,\r\n185.193.38[.]113, which was pointed to by a single domain name at the time, stat[.]email.\r\nWe attributed stat[.]email not only to Candiru, but also to the same Candiru customer that was using the other\r\n“Tor behaviour” domain names. Indeed, we located a Catalan target (Matamala) whose computer was\r\ncommunicating with domain names pointing to 185.181.8[.]155, and recovered a sample of Candiru’s spyware\r\nfrom his computer. 
Additionally, all of the Candiru emails sent to Catalan targets used the domain stat[.]email.\r\nAttribution to a Government\r\nAt this time the Citizen Lab is not conclusively attributing these hacking operations to a particular government;\r\nhowever, a range of circumstantial evidence points to a strong nexus with one or more entities within the Spanish\r\ngovernment, including:\r\nThe targets were of obvious interest to the Spanish government;\r\nThe specific timing of the targeting matches events of specific interest to the Spanish government;\r\nThe use of bait content in SMSes suggests access to targets’ personal information, such as Spanish\r\ngovernmental ID numbers; and,\r\nSpain’s CNI has reportedly been an NSO Group Customer, and Spain’s Ministry of Interior reportedly\r\npossesses an unnamed but similar capability.\r\nWe also judge it unlikely that a non-Spanish Pegasus customer would undertake such extensive targeting within\r\nSpain, using SMSes, and often impersonating Spanish authorities. Such a multi-year clandestine operation,\r\nespecially against high profile individuals, has a high risk of official discovery, and would surely lead to serious\r\ndiplomatic and legal repercussions for a non-Spanish government entity.\r\nIndependent Validation\r\nA selection of four Pegasus victims provided forensic artefacts from their devices to technical experts with\r\nAmnesty International’s Security Lab, which independently examined them for evidence of Pegasus infections\r\nand targeting.\r\nElisenda Paluzie and Sònia Urpí Garcia of ANC\r\nJournalist Meritxell Bonet\r\nPolitician \u0026 professor Jordi Sànchez\r\nIn each case, Amnesty’s Security Lab independently confirmed our findings that these individuals were infected,\r\nusing their own forensic methodology. 
This independently validates the soundness of the forensic methods that the\r\nCitizen Lab used in this report to identify Pegasus infections and targeting.\r\nConclusion\r\nThis report details extensive surveillance directed against Catalan civil society and government using mercenary\r\nspyware. According to NSO Group, Pegasus is sold exclusively to governments, and finding such an operation\r\ninevitably implicates a government. While we do not currently attribute this operation to specific governmental\r\nentities, circumstantial evidence suggests a strong nexus with the government of Spain, including the nature of the\r\nvictims and targets, the timing, and the fact that Spain is reported to be a government client of NSO Group.\r\nCall for an Investigation\r\nThe seriousness of the case clearly warrants an official inquiry to determine the responsible party, how the hacking\r\nwas authorised, what legal framework governed the hacking and what judicial oversight applied, the true scale of\r\nthe operation, the uses to which the hacked material was put, and how hacked data was handled, including to\r\nwhom it may have been provided.\r\nWindow into a More Extensive Operation?\r\nThe list of confirmed victims and targets is striking. Our research has uncovered at least 65 Catalans whose\r\ndevices were either infected or targeted with spyware. The investigation was labor-intensive, and there are many\r\nindividuals who have not had their devices checked. Furthermore, our methods have limited insight into Android\r\ninfections, which represent a large proportion of users in the region. 
Thus, we suspect that the total number of\r\nvictims and targets is much higher.\r\nThis extraordinarily high number of confirmed mercenary spyware victims and targets in a single case is by far the\r\nlargest in all of the Citizen Lab’s prior research, including our reports on Al Jazeera (36 victims) and El Salvador\r\n(35 victims).\r\nOur investigation gives a window into what is likely a larger effort to place a significant slice of Catalan civil\r\nsociety under targeted surveillance for several years. This effort has resulted in the total surveillance of Catalan\r\npoliticians in certain categories, such as multiple members of the European Parliament and every Catalan\r\npresident since 2010.\r\nUnrestrained, Unnecessary, and Disproportionate?\r\nThe case is notable because of the unrestrained nature of the hacking activities. The list includes numerous\r\nelected officials of Catalonia’s government, as well as every Catalan member of the European Parliament that\r\nsupported independence. Staff members and friends are also on the list. So, too, were numerous members of\r\nCatalan civil society, as well as lawyers representing Catalans (raising questions of attorney-client privilege\r\nviolations).\r\nEgregiously, family members of apparent targets were also targeted and infected. For example, two physicians\r\nwho use their devices to handle confidential and sensitive patient information were likely infected because they\r\nare the parents of the true target. Indeed, the prominent physician Dr. 
Elias Campo (the father of Elies Campo)\r\nwas infected on his official hospital-issued device.\r\nThe hacking also extended beyond Spain into other EU countries, including Belgium and Germany, suggesting\r\npossible breaches of appropriate conduct for lawful cross-border investigations, or violations of local law.\r\nTargeting was also observed in Switzerland, which notably included impersonating Swiss organisations, including\r\na government-supported foundation, raising further questions about the disregard for Swiss law.\r\nThis very wide target list raises questions about whether the principles of necessity and proportionality have\r\nbeen fulfilled. Many of the victims were not charged with serious crimes, and most were not criminals, and\r\ncertainly not terrorists—the typical justifications mercenary surveillance companies employ for sales of their\r\nspyware to government clients.\r\nIt is also concerning that this surveillance occurred as the Spanish government and Catalan officials were\r\nundertaking negotiations around political autonomy. If Spanish authorities are responsible, clandestinely\r\neavesdropping on the opposite side of a negotiation, including in some cases their legal representatives or\r\nrelatives, is a clear act of bad faith.\r\nHacking in the EU: Lack of Rules and Judicial Oversight?\r\nIf the Spanish government is responsible for this case, it raises urgent questions about whether there is proper\r\noversight over the country’s intelligence and security agencies, as well as whether there is a robust legal\r\nframework that authorities are required to follow in undertaking any hacking activities. Formally, the operations of\r\nSpain’s security agencies are overseen by the judiciary and the relevant minister. 
However, it is hard to conceive\r\nhow a properly functioning oversight mechanism would permit extensive and, in some cases, reckless hacking of\r\nnumerous elected officials at such a sensitive time. It is also unclear what safeguards were in place, if any, to\r\nensure the protection of any hacked data, and how it was handled.\r\nThe hacking of the devices of relatives of principal targets, such as innocent spouses and parents, is especially\r\ndisturbing. Such extensive clandestine hacking by a state against these types of targets is almost certainly outside\r\nof the scope of what would be permissible under international human rights law.\r\nWhile Europe has recently made great strides around privacy and data protection, such as with the General Data\r\nProtection Regulation (GDPR), the picture is less bright around the independent oversight of intelligence\r\nagencies, which remain largely cloaked in secrecy and may be exempt from rules around privacy applied to other\r\nentities. The possibility that an EU member state is responsible for a massive domestic surveillance operation with\r\npolitical overtones should serve as a wake-up call for a collective inquiry into the need for effective oversight.\r\nFinally, the case is also notable because Spain is a democracy, and this case adds to the growing number of other\r\ndemocracies we have discovered that have abused mercenary spyware, including Poland, India, Israel, and El\r\nSalvador. While it is true and widely acknowledged now that spyware and commercial surveillance technologies\r\nembolden authoritarian regimes and are contributing to the spread of authoritarian practices worldwide, this case\r\nis a good reminder that all countries are prone to abusing spyware when safeguards and oversight are absent—\r\neven democratic ones, like Spain.\r\nHacking: A Risky Tool for Criminal Investigations and Prosecutions\r\nThe objective behind the hacking we uncovered is unknown at this time. 
However, the potential application of\r\nPegasus or Candiru spyware to extract information to use in the context of criminal investigations and\r\nprosecutions is risky because it may facilitate the use of tainted or planted evidence by state authorities. These\r\nrisks are particularly prevalent in countries where government hacking is not subject to a rigorous legal framework\r\nand effective judicial oversight, and there are few or no requirements for ensuring the integrity of information\r\ncollected.\r\nSpyware such as Pegasus modifies the operating system and files on an infected device. It is common guidance\r\nthat once a device has been remotely penetrated and infected, the integrity of data on the device may be tainted\r\nand could certainly be challenged in court.\r\nFurthermore, we observed that Candiru spyware has the capability to send messages under the identity of the\r\nvictim, from their device. Forensically determining that the victim did not send the messages would be extremely\r\ndifficult. Such a powerful capability could easily be misused to plant evidence. For example, in a recent case in\r\nIndia, incriminating evidence was allegedly planted by hackers on the device of an activist who was then charged\r\nwith terrorism.\r\nAnother Indictment of the Mercenary Spyware Industry\r\nThis remarkable combination of high volume and unrestrained abuses points to a serious absence of regulatory\r\nconstraints, both over sales by the mercenary companies involved and the use of such powerful surveillance tools\r\nby the government client or clients. It is now well established that NSO Group, Candiru, other companies like\r\nthem, as well as their various ownership groups, have utterly failed to put in place even the most basic safeguards\r\nagainst abuse of their spyware. 
What we find in Spain is yet another indictment of this industry.\r\nAcknowledgements\r\nWe would like to thank all of the civil society organisations, political groups, and individuals who graciously\r\nagreed to share forensic artefacts with this investigation, and everyone who assisted in gathering materials.\r\nWithout the participation of targeted groups, and their willingness to come forward, this investigation and report\r\nwould not have been possible.\r\nSpecial thanks to Sharly Chan, Émilie LaFlèche, Miles Kenyon, Adam Senft, and Mari Zhou for communications,\r\ngraphics, editing, and research support.\r\nSpecial thanks to Amnesty International’s Security Lab for the methodological validation.\r\nSpecial thanks to the Domestic Data Streamers team for graphical work.\r\nAppendix A: Targets\r\nForensic evidence was obtained from victims who consented to participate in a research study with the Citizen\r\nLab. Further, victims publicly named in this report consented to be identified as such, while other targets chose to\r\nremain anonymous.\r\nName | Organization(s) | 2019 WhatsApp Pegasus Notification | Pegasus SMSes | Forensically Confirmed Pegasus Infection | Targeted / Infected with Candiru\r\nAlba Bosch | Political activist | | | On or around 2020-05-14 | \r\nAlbano Dante Fachin | Journalist, Former Member of the Parliament of Catalonia | | | [Unable to determine specific infection date(s)] | \r\nAlbert Batet | Member of the Parliament of Catalonia, Junts per Catalunya | | 2 | On or around 2019-10-24; On or around 2020-07-07 | \r\nAlbert Botran | Member of the Congress of Deputies of Spain, Candidatura d’Unitat Popular | | | On or around 2020-12-01 [10] | \r\nAndreu Van den Eynde | Lawyer for Junqueras, Torrent, Romeva, and Maragall | | | On or around 2020-05-14 | \r\nAnna Gabriel | Former Member of the Parliament of Catalonia Candidatura d’Unitat Popular | Yes | | | \r\nAnonymous 1 | | | 1 | On or around 2020-05-26 | \r\nAnonymous 2 | | | | On or around 2019-12-12 | \r\nAnonymous 3 | | | | [Unable to determine specific infection date(s)] | \r\nAnonymous 4 | | | | Sometime between 2018-10-04 – 2019-11-05 | \r\nA…. C…. | | | | Sometime between 2019-08-16 – 2020-01-18 | \r\nArià Bayé | Board Member Assemblea Nacional Catalana | | 1 | | \r\nArnaldo Otegi | General Secretary, Euskal Herria Bildu | | | [Unable to determine specific infection date(s)] | \r\nArtur Mas | President of Catalonia (2010-2015) | | | [Unable to determine specific infection date(s)] | \r\nCarles Riera | Member of the Parliament of Catalonia, Candidatura d’Unitat Popular | | 4 | Sometime before 2019-06-11 | \r\nDavid Bonvehi | President Partit Demòcrata Europeu Català; Former Member of the Parliament of Catalonia | | 32 | Sometime between 2018-09-30 – 2019-01-30; On or around 2019-02-15; On or around 2019-04-05; On or around 2019-04-09; Sometime between 2020-02-08 – 2020-06-16 | \r\nDavid Fernández | Former Member of the Parliament of Catalonia, Candidatura d’Unitat Popular | | 1 | | \r\nDavid Madi | Businessman; Former advisor to President Artur Mas | | | [Unable to determine specific infection date(s)] | \r\nDiana Riba | Member of European Parliament, Esquerra Republicana de Catalunya | | | On or around 2019-10-28 | \r\nDolors Mas | Businesswoman, event organizer. | | | Sometime between 2018-09-27 – 2019-08-28; On or around 2019-08-28 | \r\nDr. Elias Campo | Senior Consultant, Hospital Clínic de Barcelona, Member, U.S. National Academy of Medicine; Director, August Pi i Sunyer Biomedical Research Institute (IDIBAPS) | | | On or around 2019-12-18 | \r\nElena Jimenez | International Advocacy and member of Legal team, Òmnium Cultural | | | [Unable to determine specific infection date(s)] | \r\nElies Campo | Former Growth, Business Development and Partnerships, Telegram Messenger | | | | Targeted\r\nElisenda Paluzie | President Assemblea Nacional Catalana; Professor of Economics at the University of Barcelona | | 4 | On or around 2019-10-29 | \r\nElsa Artadi | Former Minister of Presidency of Catalonia, Junts per Catalunya | | 1 | | \r\nErnest Maragall | Member of the Parliament of Catalonia, Esquerra Republicana de Catalunya. | Yes | | | \r\nFerran Bel | Member of the Congress of Deputies of Spain, Partit Demòcrata Europeu Català | | 2 | | \r\nGonzalo Boye | Lawyer for President Puigdemont, President Torra and MEP Antoni Comín. | | 18 | On or around 2020-10-30 | \r\nJaume Alonso Cuevillas | Lawyer representing multiple prominent Catalans; Member, Parliament of Catalonia, Former Member of the Congress of Deputies of Spain. | | | [Unable to determine specific infection date(s)] | \r\nJoan Matamala | Businessman, President of the Fundació Llibreria Les Voltes. | | | On or around 2019-08-07; On or around 2019-11-18; On or around 2019-11-20; On or around 2019-11-26; On or around 2020-02-18; On or around 2020-03-02; On or around 2020-04-11; On or around 2020-04-14; On or around 2020-05-06; On or around 2020-05-25; On or around 2020-06-05; On or around 2020-06-17; On or around 2020-06-23; On or around 2020-07-02; On or around 2020-07-09; On or around 2020-07-13 | Infected\r\nJoan Ramon Casals | Former Director, Office of President Torra; Former Member of the Parliament of Catalonia, Junts per Catalunya | | | [Unable to determine specific infection date(s)] | \r\nJoaquim Jubert | Member of the Parliament of Catalonia, Junts per Catalunya | | | On or around 2019-10-28 | \r\n
\r\nJoaquim\r\nTorra\r\nPresident of\r\nCatalonia (2018-\r\n2020)\r\n  8 – On or\r\naround 2020-\r\n04-21\r\n– On or\r\naround 2020-\r\n05-19\r\n– On or\r\naround 2020-\r\n06-11\r\n– On or\r\naround 2020-\r\n06-21\r\n– On or\r\naround 2020-\r\n07-07\r\n– On or\r\naround 2020-\r\n07-09\r\n– On or\r\naround 2020-\r\n \r\nhttps://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/\r\nPage 33 of 41\n\nName Organization(s)\r\n2019\r\nWhatsApp\r\nPegasus\r\nNotification\r\nPegasus\r\nSMSes\r\nForensically\r\nConfirmed\r\nPegasus\r\nInfection\r\nTargeted\r\n/ Infected\r\nwith\r\nCandiru\r\n07-13\r\n– On or\r\naround 2020-\r\n07-15\r\nJon Iñarritu\r\nMember of the\r\nCongress of\r\nDeputies of Spain,\r\nEuskal Herria\r\nBildu\r\n   \r\n– On or\r\naround 2020-\r\n12-02\r\n \r\nJordi\r\nBaylina\r\nOpen-source\r\nDeveloper,\r\nTechnology lead\r\nat Polygon\r\n  26\r\n– On or\r\naround 2019-\r\n10-29\r\n– On or\r\naround 2019-\r\n11-15\r\n– On or\r\naround 2019-\r\n11-26\r\n– On or\r\naround 2019-\r\n11-26\r\n– On or\r\naround 2019-\r\n12-11\r\n– On or\r\naround 2019-\r\n12-23\r\n– On or\r\naround 2020-\r\n06-19\r\n– On or\r\naround 2020-\r\n07-11\r\n \r\nJordi Bosch\r\nFormer Board\r\nmember, Òmnium\r\nCultural\r\n   \r\n– On or\r\naround 2020-\r\n07-11\r\n \r\nhttps://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/\r\nPage 34 of 41\n\nName Organization(s)\r\n2019\r\nWhatsApp\r\nPegasus\r\nNotification\r\nPegasus\r\nSMSes\r\nForensically\r\nConfirmed\r\nPegasus\r\nInfection\r\nTargeted\r\n/ Infected\r\nwith\r\nCandiru\r\nJordi\r\nDomingo\r\nMember,\r\nAssemblea\r\nNacional Catalana\r\nYes      \r\nJordi\r\nSanchez\r\nFormer President\r\nAssemblea\r\nNacional Catalana\r\n  25\r\n– On or\r\naround 2017-\r\n05-26\r\n– On or\r\naround 2017-\r\n09-11\r\n– On or\r\naround 2017-\r\n09-15\r\n– On or\r\naround 2017-\r\n10-13\r\n \r\nJordi Solé\r\nMember 
of\r\nEuropean\r\nParlament\r\nFormer Member\r\nof the Parliament\r\nof Catalonia\r\nEsquerra\r\nRepublicana de\r\nCatalunya\r\n  1\r\n– On or\r\naround 2020-\r\n06-11\r\n– On or\r\naround 2020-\r\n06-27\r\n \r\nhttps://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/\r\nPage 35 of 41\n\nName Organization(s)\r\n2019\r\nWhatsApp\r\nPegasus\r\nNotification\r\nPegasus\r\nSMSes\r\nForensically\r\nConfirmed\r\nPegasus\r\nInfection\r\nTargeted\r\n/ Infected\r\nwith\r\nCandiru\r\nJosep Costa\r\nLawyer, Former\r\nVice President of\r\nthe Catalan\r\nParliament\r\nFormer Member\r\nof the Parliament\r\nof Catalonia\r\n  4\r\n– On or\r\naround 2019-\r\n07-15\r\n– On or\r\naround 2019-\r\n12-17\r\n– On or\r\naround 2019-\r\n12-21\r\n– On or\r\naround 2019-\r\n12-30\r\n \r\nJosep Lluís\r\nAlay\r\nOffice Director,\r\nPresident\r\nPuigdemont\r\nProfessor of Asian\r\nHistory,\r\nUniversity of\r\nBarcelona\r\n  6\r\n– On or\r\naround 2020-\r\n07-13\r\n \r\nJosep Ma\r\nGanyet\r\nBusinessman\r\nProfessor,\r\nPompeu Fabra\r\nUniversity\r\n  1\r\n– On or\r\naround 2019-\r\n10-23\r\n– On or\r\naround 2020-\r\n01-08\r\n– On or\r\naround 2020-\r\n03-02\r\n \r\nJosep Maria\r\nJové\r\nMember of the\r\nParliament of\r\nCatalonia,\r\nFormer General\r\nSecretary of the\r\nVice-Presidency\r\nof Economy and\r\nFinance,\r\n  1 [Unable to\r\ndetermine\r\nspecific\r\ninfection\r\ndate(s)]\r\n \r\nhttps://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/\r\nPage 36 of 41\n\nName Organization(s)\r\n2019\r\nWhatsApp\r\nPegasus\r\nNotification\r\nPegasus\r\nSMSes\r\nForensically\r\nConfirmed\r\nPegasus\r\nInfection\r\nTargeted\r\n/ Infected\r\nwith\r\nCandiru\r\nEsquerra\r\nRepublicana de\r\nCatalunya\r\nJosep Rius\r\nVice President at\r\nJunts per\r\nCatalunya\r\nFormer\r\nPuigdemont’s\r\nOffice Director\r\n   \r\n– Sometime\r\nbetween\r\n2019-07-23 –\r\n2019-10-10\r\n 
\r\nLaura\r\nBorràs\r\nPresident of the\r\nParliament of\r\nCatalonia,\r\nFormer Member\r\nof the Congress of\r\nDeputies of Spain,\r\nJunts per\r\nCatalunya\r\n  1    \r\nMarc\r\nSolsona\r\nFormer Member\r\nof the Parliament\r\nof Catalonia,\r\nPartit Demòcrata\r\nEuropeu Català\r\n   \r\n[Unknown\r\ninfection\r\ndate(s)]\r\n \r\nMarcel\r\nMauri\r\nFormer Vice\r\nPresident,\r\nÒmnium Cultural\r\n  19\r\n– On or\r\naround 2019-\r\n10-24\r\n– On or\r\naround 2020-\r\n02-25\r\n– On or\r\naround 2020-\r\n05-06\r\n \r\nMarcela\r\nTopor\r\nJournalist   4 – On or\r\naround 2019-\r\n10-07\r\n– On or\r\n \r\nhttps://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/\r\nPage 37 of 41\n\nName Organization(s)\r\n2019\r\nWhatsApp\r\nPegasus\r\nNotification\r\nPegasus\r\nSMSes\r\nForensically\r\nConfirmed\r\nPegasus\r\nInfection\r\nTargeted\r\n/ Infected\r\nwith\r\nCandiru\r\naround 2020-\r\n01-04\r\nMaria Cinta\r\nCid\r\nSenior Consultant,\r\nHospital Clínic de\r\nBarcelona\r\nProfessor,\r\nUniversity of\r\nBarcelona\r\nSenior Group\r\nLeader, IDIBAPS\r\n   \r\n– On or\r\naround 2019-\r\n12-17\r\n– On or\r\naround 2019-\r\n12-19\r\n– On or\r\naround 2019-\r\n12-23\r\n– On or\r\naround 2019-\r\n12-28\r\n– On or\r\naround 2019-\r\n12-30\r\n– On or\r\naround 2020-\r\n01-03\r\n– On or\r\naround 2020-\r\n01-05\r\n– On or\r\naround 2020-\r\n01-09\r\n \r\nMarta\r\nPascal\r\n“General\r\nSecretary, Partit\r\nNacionalista de\r\nCatalunya\r\nFormer Member\r\nof the Congress of\r\nDeputies of\r\nSpain”\r\n  2    \r\nMarta\r\nRovira\r\nGeneral Secretary,\r\nEsquerra\r\n  2 – On or\r\naround 2020-\r\n \r\nhttps://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/\r\nPage 38 of 41\n\nName Organization(s)\r\n2019\r\nWhatsApp\r\nPegasus\r\nNotification\r\nPegasus\r\nSMSes\r\nForensically\r\nConfirmed\r\nPegasus\r\nInfection\r\nTargeted\r\n/ 
Infected\r\nwith\r\nCandiru\r\nRepublicana de\r\nCatalunya\r\nFormer Member\r\nof the Parliament\r\nof Catalonia\r\n06-12\r\n– On or\r\naround 2020-\r\n07-13\r\nMeritxell\r\nBonet\r\nJournalist    \r\n– On or\r\naround 2019-\r\n06-04\r\n \r\nMeritxell\r\nBudo\r\nFormer Minister\r\nof the Presidency\r\nof Catalonia\r\nJunts per\r\nCatalunya\r\n  8\r\n[Unable to\r\ndetermine\r\nspecific\r\ninfection\r\ndate(s)]\r\n \r\nMeritxell\r\nSerret\r\nMember of the\r\nParliament of\r\nCatalonia,\r\nEsquerra\r\nRepublicana de\r\nCatalunya\r\n   \r\n[Unable to\r\ndetermine\r\nspecific\r\ninfection\r\ndate(s)]\r\n \r\nMiriam\r\nNogueras\r\nMember of the\r\nCongress of\r\nDeputies of Spain\r\nJunts per\r\nCatalunya\r\n   \r\n[Unable to\r\ndetermine\r\nspecific\r\ninfection\r\ndate(s)]\r\n \r\nOriol\r\nSagrera\r\nGeneral Secretary\r\nof the Ministry of\r\nBusiness and\r\nLabor,\r\nFormer Head of\r\nthe Cabinet of the\r\nPresidency of the\r\nParliament of\r\nCatalonia.\r\nEsquerra\r\n  3 – On or\r\naround 2019-\r\n03-22\r\n– On or\r\naround 2019-\r\n04-02\r\n– Sometime\r\nbetween\r\n2019-04-06 –\r\n2019-10-06\r\n– On or\r\n \r\nhttps://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/\r\nPage 39 of 41\n\nName Organization(s)\r\n2019\r\nWhatsApp\r\nPegasus\r\nNotification\r\nPegasus\r\nSMSes\r\nForensically\r\nConfirmed\r\nPegasus\r\nInfection\r\nTargeted\r\n/ Infected\r\nwith\r\nCandiru\r\nRepublicana de\r\nCatalunya\r\naround 2020-\r\n07-08\r\nPau Escrich\r\nOpen-source\r\nDeveloper, CTO\r\nAragon Labs\r\n  1   Targeted\r\nPere\r\nAragonès\r\nPresident of\r\nCatalonia\r\n  3\r\n[Unable to\r\ndetermine\r\nspecific\r\ninfection\r\ndate(s)]\r\n \r\nPol Cruz\r\nEuropean\r\nParliament\r\nAssistant\r\n   \r\n– On or\r\naround 2020-\r\n07-07\r\n \r\nRoger\r\nTorrent\r\nMinister of\r\nBusiness and\r\nLabour of\r\nCatalonia,\r\nFormer President\r\nof the Parliament\r\nof Catalonia,\r\nEsquerra\r\nRepublicana 
de\r\nCatalunya\r\nYes 1    \r\nSergi\r\nMiquel\r\nGeneral Manager\r\nCouncil for the\r\nRepublic of\r\nCatalonia\r\nYes      \r\nSergi Sabrià Former Member\r\nof the Parliament\r\nof Catalonia,\r\nEsquerra\r\nRepublicana de\r\nCatalunya\r\n  17 – On or\r\naround 2020-\r\n04-11\r\n– On or\r\naround 2020-\r\n05-05\r\n– On or\r\n \r\nhttps://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/\r\nPage 40 of 41\n\nName Organization(s)\r\n2019\r\nWhatsApp\r\nPegasus\r\nNotification\r\nPegasus\r\nSMSes\r\nForensically\r\nConfirmed\r\nPegasus\r\nInfection\r\nTargeted\r\n/ Infected\r\nwith\r\nCandiru\r\naround 2020-\r\n05-10\r\n– On or\r\naround 2020-\r\n05-13\r\n– On or\r\naround 2020-\r\n07-13\r\nSònia Urpí\r\nBoard Member,\r\nAssemblea\r\nNacional Catalana\r\n  2\r\n– On or\r\naround 2020-\r\n06-22\r\n \r\nXavier\r\nVendrell\r\nFormer Member\r\nof the Parliament\r\nof Catalonia,\r\nEsquerra\r\nRepublicana de\r\nCatalunya\r\n   \r\n– On or\r\naround 2019-\r\n11-04\r\n– On or\r\naround 2020-\r\n04-14\r\n \r\nXavier\r\nVives\r\nCo-founder\r\nVocdoni\r\nOpen-source\r\nDeveloper\r\n      Targeted\r\nSource: https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/\r\nhttps://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/\r\nPage 41 of 41",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/"
	],
	"report_names": [
		"catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "322a0ef1-136b-400e-89d0-0d62ee2bd319",
			"created_at": "2023-01-06T13:46:38.662109Z",
			"updated_at": "2026-04-10T02:00:03.05924Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [],
			"source_name": "MISPGALAXY:Madi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "38f8da87-b4ba-474b-83e6-5b04d8fb384b",
			"created_at": "2024-02-02T02:00:04.032871Z",
			"updated_at": "2026-04-10T02:00:03.532955Z",
			"deleted_at": null,
			"main_name": "Caramel Tsunami",
			"aliases": [
				"SOURGUM",
				"Candiru"
			],
			"source_name": "MISPGALAXY:Caramel Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b07fec96-80cd-4d92-aa52-a26a0b25b7c2",
			"created_at": "2022-10-25T16:07:23.826594Z",
			"updated_at": "2026-04-10T02:00:04.760416Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [
				"Mahdi"
			],
			"source_name": "ETDA:Madi",
			"tools": [
				"Madi"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434389,
	"ts_updated_at": 1775826790,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3e41945376e51be692997899336ac8acd88b8bb.pdf",
		"text": "https://archive.orkl.eu/d3e41945376e51be692997899336ac8acd88b8bb.txt",
		"img": "https://archive.orkl.eu/d3e41945376e51be692997899336ac8acd88b8bb.jpg"
	}
}