Moroccan Whistleblower Reveals Widespread Pegasus Spyware Use Since 2017
Moroccan Whistleblower Exposes Pegasus Spyware Use Since 2017

A former member of Morocco's domestic intelligence service, the Direction Générale de la Surveillance du Territoire (DGST), has provided unprecedented insight into how the country used Pegasus hacking software to target journalists, human rights defenders, French politicians, and Spanish cabinet ministers and police officers. The whistleblower, known by the pseudonym Safir, worked for the DGST for nearly a decade.

Pegasus, manufactured by Israel-based NSO Group, allows operators to access everything on a target's mobile phone, including emails, text messages, and photographs. It can also activate the phone's recorder and camera, turning it into a listening device. NSO Group states Pegasus is sold only to governments for tracking criminals and terrorists, but it is alleged to have been used by multiple countries to target dissidents, journalists, diplomats, and politicians.

Whistleblower Testimony and Collaborative Investigation

Safir's testimony forms the basis of a multiyear investigation by Moroccan journalist Hicham Mansouri, leading to a collaborative effort among 14 media organizations, including Le Monde, Haaretz, El Confidencial, Die Zeit, and the Guardian, with technical support from Amnesty International's Security Lab. The consortium analyzed leaked emails, targeting records, victim testimonies, and internal training material. Two other former Moroccan intelligence agents also provided corroborating information.

Wide Pickt banner — collaborative shopping lists app for Telegram, phone mockup with grocery list

According to the consortium, NSO Group representatives demonstrated Pegasus to high-ranking Moroccan intelligence officers and technical experts in an expensive villa in Rabat in 2017. The source said the house was nicknamed "the FSSYS villa" after FSSYS Maroc, the Moroccan branch of UAE-based surveillance intermediary al-Fahad. Those gathered immediately recognized Pegasus's "revolutionary" potential, as its remote-infection capacity eliminated the need for physical access to targets' phones. NSO representatives infected test phones, remotely activating cameras and microphones and accessing data.

Pegasus Deployment and Targeting

The whistleblower suggested the expensive spyware was a gift from the UAE. "Millions for the Emiratis, that's nothing," Safir said. "The Emirates bought it and redistributed it to friendly services. You could say it's like Netflix: a friend pays for the subscription, and the others use their account." Before Pegasus, the DGST relied on human intelligence, targeting terminals in internet cafes, and persuading shopkeepers to sell pre-infected phones to dissidents. According to Safir, Pegasus was reserved for high-value targets after cheaper options were exhausted. "We never start with Pegasus," Safir said. "It's the monster's weapon."

Evidence gathered for the investigation, titled the Pegasus Project: Inside the Moroccan Spying Machine, reveals that four unique Moroccan mobile numbers were selected as Pegasus targets in September 2017, seemingly to test the system. These included numbers linked to two DGST staff members. The leaked database shows that numbers of Moroccan journalists and human rights defenders began to be entered into the Pegasus system that same month. Soon, targeting extended beyond Morocco's borders.

Targeting of Spanish and French Officials

A Spanish mobile number belonging to Aminatou Haidar, a prominent human rights activist from Western Sahara, was targeted by Pegasus dating back to 2018. Traces of the spyware were found on a second phone belonging to Haidar in November 2021. The number of journalist Ignacio Cembrero, whose work focuses on the Maghreb, was also listed in the Pegasus database. In total, Pegasus project records show more than 200 Spanish mobile numbers were selected for targeting by the user believed to be Morocco.

In May 2022, the Spanish government revealed that the mobile phones of Prime Minister Pedro Sánchez and Defence Minister Margarita Robles were infected with Pegasus in May and June 2021. The targeting occurred during a tense diplomatic row over Spain's decision to allow the leader of the Polisario Front, which fights for Western Sahara's independence, to be treated for Covid-19 in a Spanish hospital. It later emerged that the phones of Interior Minister Fernando Grande-Marlaska and Agriculture Minister Luis Planas had also been targeted.

Pickt after-article banner — collaborative shopping lists app with family illustration

Judicial attempts to investigate the Pegasus targeting of the Spanish cabinet have stalled. An investigating judge ended the inquiry in July 2023 but reopened it after French authorities provided information on Pegasus infections of French ministers, MPs, lawyers, and journalists. However, the judge shelved the case again in January 2024, citing a lack of cooperation from Israeli authorities, including failure to respond to a request for a statement from NSO's CEO.

Evidence Linking Morocco to Spanish Targeting

Recent analysis points to the DGST being responsible for targeting senior Spanish politicians. Material assembled by the Pegasus project, including court documents, shows that one attacker account assigned to Morocco's Pegasus system and used to target French politicians, journalists, and human rights defenders was also used to target the phones of Robles and Grande-Marlaska. Despite suspicions, Grande-Marlaska last year presented Abdellatif Hammouchi, the director general of the DGST, with the highest honour bestowed by Spain's Guardia Civil. The move drew criticism from a Guardia Civil union, which said giving the award "to a man who has faced international accusations of human rights violations and spying" was an affront to the force's dignity.

Leaked documents, photographs, and testimony from Spanish security forces and a former Moroccan intelligence agent suggest the DGST sought access to communications of Guardia Civil officers who travelled to Morocco to share counter-terrorism expertise. The personal phone number of one senior Guardia Civil officer appears five times on the list of targets selected for Pegasus surveillance by the end-user believed to be Morocco. "We spy on everyone," one former DGST officer told the consortium, adding that such surveillance was carried out "just in case." A senior Guardia Civil official described the revelations as "a betrayal."

While officers from Spain's Policía Nacional use stringent precautions when travelling to Morocco, including separate mobile devices for sensitive information, the Guardia Civil did not take such precautions. "We didn't do it because we didn't suspect we would be spied on," a senior Guardia Civil intelligence officer said.

NSO Group and International Response

Further evidence of Morocco's Pegasus use emerged when Meta, WhatsApp's parent company, took NSO Group to court in the US. An unsealed, redacted presentation to NSO's parent company board in August 2018 includes a list of Pegasus end-user codenames. According to Haaretz, countries using Pegasus are assigned names based on the first letter of the country and a car manufacturer. Morgan has been identified as Morocco after former NSO employees confirmed Morocco was a Pegasus end-user.

In November 2021, NSO Group was placed on a US blacklist after the Biden administration determined the company acted "contrary to the foreign policy and national security interests of the US." Three weeks later, Israel's defence ministry barred imports of Israeli cyber-technology to several countries, including Morocco and the UAE. The investigation has not found evidence of Pegasus-aided surveillance in Morocco after late 2021.

NSO Group, the Moroccan government, the UAE authorities, and al-Fahad's parent company have been approached for comment, as have the Spanish government and its interior, foreign, and defence ministries.