Moroccan Government Used Powerful Israeli Pegasus Spyware, Former Intelligence Officer Says

Moroccan Government Used Powerful Israeli Pegasus Spyware, Former Intelligence Officer Says

The Israeli-made software known as Pegasus is one of the most powerful spyware tools in the world. It can be deployed to infect a smartphone without the owner doing anything – no need to trick the victim into clicking a malicious link or downloading a compromised file. Once inside, it sees every file, message, photo, and call, and can even use the microphone and camera to secretly record the user.

The Israeli cyber-intelligence company behind the software, NSO Group, has long maintained that the sale, distribution, and use of Pegasus is tightly regulated. Export licenses for Pegasus are strictly controlled by the Israeli defense ministry, and the company asserts that it sells exclusively to vetted government clients to combat terrorism and serious crime.

That narrative was shattered by the 2021 publication of the Pegasus Project, an investigation coordinated by the Paris-based nonprofit Forbidden Stories and Amnesty International, alongside media partners, including OCCRP. The landmark reporting revealed that the spyware had been systematically deployed worldwide against journalists, human rights activists, and politicians.

At the time, Morocco was one of the governments found by investigative reporters, as well as an analysis by Amnesty International’s Security Lab, to have used the spyware on journalists and civil society activists. In response, the Moroccan government flatly denied the claims, and launched an aggressive defamation lawsuit campaign across European courts against several media organizations. French and German courts rejected or dismissed these cases.

Now, explosive testimony from a whistleblower who worked inside Morocco’s secret services adds new evidence to the allegation that the government was behind the spying on a journalist, shedding light on the inner workings of state-backed surveillance operations and how the tool was used. His account was corroborated by documents and other sources from within Moroccan intelligence.

The whistleblower said a private company acted as an intermediary between Moroccan agents and NSO Group, which avoided creating a paper trail tying the Moroccan state to NSO Group and Pegasus.

A second source from Moroccan intelligence, who spoke on condition of anonymity due to fear of reprisal from Moroccan authorities, confirmed procuring access to Pegasus through an intermediary company and the targeting of a journalist. Reporters also corroborated key details of the intermediary as described by the whistleblower, including the sector it operates in, its location, and its staff.

Moroccan authorities did not respond to requests for comment.

Following the publication of the Pegasus Project in July 2021, NSO Group was blacklisted by the U.S. “for malicious cyber activities.” The Department of Commerce said the company had “developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”

Moroccan journalist Omar Radi outside the Ain Sebaa Court in Casablanca on March 5, 2020. Radi was later identified by Amnesty International as one of the journalists targeted by spyware linked to NSO Group.

Since then, NSO Group has undergone personnel and organizational changes. Its co-founder and CEO Shalev Hulio left the company in 2022, and last year a group of investors based in the U.S. acquired a controlling stake in the Israeli firm.

NSO Group did not respond to a request for comment.

Meanwhile, new reporting by OCCRP’s Panamanian media partner reveals that NSO Group co-founder Shalev Hulio travelled to Panama in 2013 on an Israeli diplomatic passport, calling into question both the company and the Israeli government’s longstanding claims that they have had no official ties. Hulio also told Panamanian immigration he would be staying at the Israeli embassy. In response to questions from reporters, Hulio said “allegations concerning a diplomatic passport and my purported role as a representative of the State of Israel are entirely false and categorically denied.” Israeli officials did not respond to requests for comment.

The Moroccan whistleblower’s testimony includes details about how Moroccan intelligence deployed the spyware that have reignited questions over how much control NSO Group retains over its software once sold, and whether NSO Group sees the material obtained by its clients.

“There are a lot of open questions on what exactly NSO Group knows about how Pegasus customers use the Pegasus systems. While the core of a Pegasus system is physically under the control of the end-user, NSO Group manages and monitors much of the public server infrastructure and accounts needed for the system to operate,” Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, told OCCRP.

NSO Group co-founder Shalev Hulio.

While Ó Cearbhaill noted there is no public evidence NSO Group has direct access to surveillance data collected by Pegasus clients, the company “does acknowledge a remote access capability used to provide technical support, subject to customer approval. This functionality appears to provide NSO Group support staff with deep access to the customer servers, likely necessary to remotely debug issues and perform software upgrades.”

Etienne Maynier, a digital technologist and security researcher at the nonprofit Human Rights Watch who has investigated Pegasus, told OCCRP that NSO Group had made contradictory claims about what it has access to.

“They say they don’t have access to…the list of targeted individuals, or the data, because their system guarantees confidentiality…But at the same time, on several occasions, they have firmly guaranteed that certain numbers or certain individuals were not targeted, so NSO is constantly contradicting itself,” Maynier said.

“We know that Pegasus systems are partly installed at the client and partly managed by NSO Group. NSO Group tells us that it guarantees the confidentiality of what clients do, but we have no way of verifying it,” he added.

About The Pegasus Project

Much of this new evidence comes from a multi-year investigation by Moroccan journalist Hicham Mansouri, whose own device was hacked with Pegasus.

Mansouri partnered with Forbidden Stories, a Paris-based newsroom whose mission is to pursue the work of journalists who have been killed, imprisoned, or threatened for their work. Forbidden Stories organized a media collaboration involving 39 journalists from 14 outlets dubbed the Pegasus Project: Inside the Moroccan Spying Machine.

Amnesty International’s Security Lab provided technical and forensic support to this media collaboration.

The latest investigation builds on the findings of the Pegasus Project, a 2021 investigation involving 17 media organizations and coordinated by Forbidden Stories.

The 2021 collaborative investigation began when Forbidden Stories and Amnesty International gained access to a set of more than 50,000 leaked phone numbers believed to be a list of targets of NSO Group’s phone hacking software.

Reporters identified hundreds of individuals who owned these phones and, after submitting more than 60 of them to forensic analysis, found dozens that showed signs of Pegasus activity.

Many of the phone numbers identified as apparent targets for potential Pegasus infection were consistent with persons of interest to governments, including both legitimate security threats like terrorists but also hundreds of independent journalists, activists, and politicians.

The headquarters of NSO Group in Herzliya, Israel, on April 26, 2021.

Sending Numbers ‘for Infection’

The Moroccan whistleblower Safir (a pseudonym reporters agreed to use to ensure his safety) detailed his decade-long employment at the country’s internal intelligence service, the Direction Générale de la Surveillance du Territoire (DGST), and how he and his colleagues supported surveillance operations using Pegasus and other surveillance tools.

Reporters have independently verified key elements of Safir’s account.

According to Safir, NSO Group demonstrated Pegasus’s capabilities by hacking the phones of DGST officers who volunteered for the test. By cross referencing numbers provided by Safir and a leaked database of cellphone numbers targeted with Pegasus in 2017 and 2018, reporters confirmed that the phone numbers of the specific officers named by Safir had indeed been targeted.

Safir said a private company acting as an intermediary shipped NSO Group-configured servers to Morocco and installed them in DGST data centers, giving Moroccan agents access to a Pegasus user dashboard. Safir’s description of the dashboard matches images of a Pegasus interface made public in a long-running lawsuit brought in 2019 by WhatsApp, the subsidiary of technology company Meta Platforms, against NSO Group over the alleged hacking of WhatsApp accounts.

Israeli activists hold a black banner reading “Stop NSO” during a protest outside the NSO Group headquarters in Herzliya, Israel, on July 25, 2021.

Safir also outlined the DGST surveillance workflow in detail, explaining how officers would first obtain unique identifier numbers — known as the International Mobile Equipment Identity, or IMEI — for local Moroccan cellphones approved for targeting by intelligence chiefs. These unique numbers were then sent to the DGST’s team responsible for executing the Pegasus hacking operations. This team, Safir said, was headed by a director called Abdeljalil Taki. (Taki did not respond to a request for comment.)

Taki’s secretariat would then send the target data to the intermediary company or NSO “for the infection,” Safir said.

“For example, we know that someone is meeting a judge at a certain time. We send NSO the details and they send the config[uration] to the agent [the infiltration software deployed on the target device] to record the conversation at that time,” Safir said.

“We do not have control over the agent’s configuration, we go through NSO to update it. They did not give us access to the back-end where the configuration of the agents takes place. We just list and download the evidence from [the] dashboard.”

The DGST and Morocco’s Ministry of the Interior did not respond to requests for comment.

Reporters found no evidence that the intermediary firm was directly involved in carrying out infections of phones with Pegasus. There is also no indication NSO Group staff were manually targeting numbers for Morocco. The process laid out by Safir appears consistent with an automated system in which Moroccan intelligence agents could submit numbers for targeting in the Pegasus system. The software then managed the complex process to install the spyware agent, send new configuration and commands, and send hacked material back to the Pegasus user interface.

Amnesty International’s Ó Cearbhaill said Safir’s account of the DGST’s Pegasus infection workflow appears to broadly mirror the usual automated NSO Group process and matched with how Pegasus is typically set up for NSO Group end-users, including on-site installations, off-site servers, and access to technical experts.

“Pegasus functions as a multi-component surveillance system,” Ó Cearbhaill said. “Its infrastructure includes on-premise client servers, virtual servers set up to hide the customer location, and infection servers that use online domains to distribute exploits via texts or one-click links.”

“NSO technicians typically deploy to customer facilities to set up the necessary Pegasus hardware, and they subsequently build and monitor the complex network of anonymous servers, external services like SMS providers, and attacker accounts (such as iMessage and WhatsApp) required to launch attacks and route Pegasus surveillance traffic to and from the customer system,” he added.

However one specific element of Safir’s account points to a more complex methodology, a so-called “network injection vector,” which may require more involvement on the part of NSO Group.

Ó Cearbhaill explained to OCCRP that the “reference to IMEI identifiers indicates that infections were being launched inside the mobile operator network, rather than over the internet, which is consistent with network injection attacks.” This methodology involves “installing specialized network hardware [at a local telecom network] which can be used to silently redirect the target to the Pegasus infection servers while they are browsing the web.”

The new whistleblower testimony aligns with technical evidence Amnesty International’s Security Lab had previously documented, Ó Cearbhaill said, which found Pegasus infections following presumed network injection attacks.

“As that process happens outside the core Pegasus system, there could be some manual process where the DGST needs to ask NSO to help prepare the two systems to work together,” Ó Cearbhaill said.
‘Psychologically Very Harmful’

According to reporting from the Pegasus Project, evidence suggested Morocco targeted at least two journalists, a human rights activist, and even the number of French President Emmanuel Macron and the King of Morocco.

For some of these targets, the costs have extended beyond the invasion of the surveillance itself.

French President Emmanuel Macron holds an urgent national security meeting in Paris, France, on July 22, 2021, following reports that the Israeli-made Pegasus spyware had been used in France.

Omar Radi, the journalist who Safir confirmed had been targeted for potential spying, was first found by Amnesty International in 2020 to have been targeted by the Moroccan authorities using Pegasus.

The campaign group’s forensic analysis found evidence of so-called “network injection” attacks on Radi’s phone in February and September 2019 and January 2021, that corresponded to a Pegasus hack or infection attempts.

Journalist Omar Radi released after royal pardon in Tiflet, Morocco in July 2024.

A month after Amnesty International and Forbidden Stories revealed the attack on Radi’s phone, the journalist was charged with espionage, rape, and indecent assault. He was sentenced to six years in prison in July 2021 in a judicial procedure marred by breaches of due process, according to Human Rights Watch. (His conviction was confirmed in March 2022.) The EU Parliament called the espionage charges “trumped up” and said “numerous due process guarantees were violated.” Radi was pardoned by Morocco’s king in July 2024.

Moroccan human rights activist Maati Monjib was also targeted by Pegasus, according to an Amnesty analysis that found he was targeted and infected between 2017 and 2019. The Pegasus Project partners found his number was first selected for targeting by the Moroccan end-user in 2017, a pattern that continued on multiple occasions over the following two years.

A subsequent 2021 forensic report by Amnesty International’s Security Lab disclosed digital records of the execution of “BH” software on Monjib’s phone. According to Amnesty’s analysis, BH likely refers to Bridgehead, the first stage component of Pegasus, used at the time to download the full spyware to the device. Unsealed materials from the ongoing court case between WhatsApp and NSO Group include what appears to be internal script used to pitch Pegasus, which says: “We first install the BH and the BH installs the agent on the device.”

Monjib’s phone had signs of BH execution between April 2018 and March 2019, according to Amnesty’s analysis.

Monjib was arrested on December 29, 2020, and a month later a Rabat court convicted him of “fraud and undermining the internal security of the State,” and sentenced him to one-year imprisonment. Like Radi, he received a royal pardon in 2024.

Moroccan human rights activist Maati Monjib (center) after being released following a royal pardon in March 2024, in Salé, Morocco.

Using a Company as ‘Cover’

The logistics of Morocco’s surveillance relied on a middleman to maintain plausible deniability, according to Safir.

The former intelligence officer said a private company acted as an intermediary between the DGST and NSO Group in the procurement and administrative management of the spyware.

A second former intelligence source corroborated this set up.

While Safir originally referred to the intermediary as “FSSYS Tech” — a name that doesn’t exist in the official company registry — reporters used Safir’s description of its corporate structure, location, and staff to identify the actual entity: FSSYS Maroc in Rabat.

FSSYS Maroc’s activities are “Information Technology and Telecoms” according to Morocco’s companies register, and it is registered at the exact address Safir gave for the intermediary company.

Safir described FSSYS as the Moroccan branch of a United Arab Emirates venture, and public records reveal that two Emirati companies — part of a UAE-based group specialized in defence, intelligence, and national security — acquired small stakes in FSSYS Maroc in 2019. The UAE group used “FSSYS” as the URL for its website.

The chairman of FSSYS Maroc did not respond to a request for comment.

Safir said the intermediary arrangement with FSSYS Maroc meant there was no paper trail leading back to the DGST.

“The Israelis have a contract with FSSYS for equipment, not with the DGST,” he said. “You won’t find any documents relating to the DGST. The Israelis don’t sign a contract for their system directly with the DGST – that’s not how it’s done.”

The second former intelligence agent confirmed this was a reason for using the intermediary.

Maynier, from Human Rights Watch, told OCCRP that NSO Group was known to have used private companies in the course of business.

“We know that in other cases, NSO has used companies that install the equipment and also help with administrative contract issues…Local companies that often provide contacts that are also interesting for NSO Group,” Maynier said.

NSO Group did not respond to questions about any business it had with Morocco or its state agencies.

Safir alleged the Emirati venture, of which he said FSSYS Maroc was the Moroccan representative, was involved in administering Morocco’s access to Pegasus. Reporters confirmed that an employee named by Safir as a liaison between DGST, FSSYS, and the Emirati party, did indeed work for FSSYS.

“[The liaison] can be considered as a DGST collaborator and also a private contractor through his company in charge of all surveillance technology business in Morocco,” Safir said. “He is also coordinating with the UAE.”

Riccardo Fabiani, North Africa Project Director in the International Crisis Group, a nonprofit focused on resolving conflict, told OCCRP the idea of the UAE and Morocco closely collaborating was “plausible on many levels.”

“The Emirati-Moroccan relationship is particularly special,” Fabiani said. “[UAE President] Mohammed bin Zayed has spent quite a lot of time in his youth in Morocco, and has a personal relationship with the [Moroccan] king himself. There’s a lot of cooperation on the military security level between these two countries.

King Mohammed VI of Morocco in Paris, France on November, 2018.

Need for More Accountability

Behind the debates over the legitimacy of hacking lies a human cost, felt both on the side of those operating the spyware and those targeted by it.

Safir told reporters he found it tough to work as an intelligence agent, even when state surveillance was used against legitimate targets like terrorists.

“I worked on horrible cases. [A] terrorist group…I worked on their phones. I was expecting to see rockets and explosives, but most of it was pornographic,” Safir said. “I try to forget these things in order for me to survive this job.”

For the journalist Radi, whose phone was targeted with Pegasus, it is the job of the intelligence agencies to prevent serious crimes. But he called for more accountability over their use of powerful tools like Pegasus against people who do not pose a threat to the population.

“I think this kind of method must stop,” Radi said. “And for this to stop, we need more democracy, more transparency, and more control. It is out of the question that there are institutions in Morocco that have no counter-power.”