NSO Lawyer Names Mexico, Saudi Arabia, and Uzbekistan as Spyware Customers Behind 2019 WhatsApp Hacks

NSO Lawyer Names Mexico, Saudi Arabia, and Uzbekistan as Spyware Customers Behind 2019 WhatsApp Hacks

In a shocking turn of events, the governments of Mexico, Saudi Arabia, and Uzbekistan have been named as customers of NSO Group's Pegasus spyware, according to a lawyer working for the Israeli company. This revelation comes in a lawsuit between WhatsApp and NSO Group, which was filed in 2019 alleging that NSO Group had hacked around 1,400 WhatsApp users using the spyware.

The news emerged during a hearing last Thursday, where NSO Group's lawyer Joe Akrotirianakis named the three governments as customers of the spyware maker. This is the first time that representatives for NSO Group have publicly acknowledged who their clients are, after years of refusing to discuss their clientele.

According to Akrotirianakis, there were at least eight customers whose names were part of a discovery in the case, but only three were named during the hearing. The lawyer also hinted that a list of countries included in a court document unsealed last week was also a list containing NSO Group's customers.

The list of 51 countries includes Bahrain, India, Morocco, Spain, United Kingdom, and the United States, although Saudi Arabia did not appear on the list. This could be due to the fact that some NSO Group's customers can target individuals outside of their own territory. For example, in 2017, Citizen Lab reported that there was "circumstantial evidence" to suggest that one or more of NSO Group's government customers in Mexico targeted several individuals.

NSSO Group spokesperson Gil Lainer declined to comment on the allegations, but did not dispute that Mexico, Saudi Arabia, and Uzbekistan were three company customers at the time of the WhatsApp spyware campaign.

WhatsApp's spokesperson Zade Alsawah told TechCrunch that the company is looking forward "to the upcoming trial to determine damages, and securing an injunction against NSO to protect WhatsApp and people's private communication." The judge presiding over the lawsuit said that while NSO Group said that documents provided as part of the lawsuit's discovery period identified "at least four countries as NSO customers," the company had not yet publicly confirmed that those countries were its customers.

For years, organizations like Citizen Lab and Amnesty International have documented cases where Pegasus was used to target or hack journalists, dissidents, and human rights defenders in some of the countries mentioned in the victim list, such as Mexico, Hungary, Spain, and the United Arab Emirates. TechCrunch reached out to the embassies of Mexico, Saudi Arabia, and Uzbekistan in the U.S. for comment, but no response was received.