We’ve all been sent a scam text – but this one led to the assassination of Jamal Khashoggi

Jamal Khashoggi

Every step you take, they’ll be watching you... This is the story of how a piece of spyware called Pegasus – whose underlying idea began life as a tech-support tool – became a weapon for authoritarian governments, and of the organisation working to shut it down

Omar Abdulaziz looked up from his computer and glanced at the text message. He grunted in satisfaction:

‘Dear Customer, DHL shipment No, #1751455027 is scheduled for delivery on 28/06/2018, Manage delivery at https://sunday-deals.com/xxxxxxx, DHL’

He had ordered something from Amazon just the day before. He clicked on the link and then returned to his work.

That click was a mistake.

As Omar continued working, the link quietly delivered an exploit chain to his phone: code written to take advantage of specific vulnerabilities in the phone’s browser and operating system, flaws that the manufacturer did not yet know about and so had not patched. The exploit is not the spyware itself; it is the crowbar. Once it had prised the device open it installed the Pegasus implant, and from then on the operator – the person or organisation that had sent the link – could do anything with the phone that the phone’s owner could do. And more, because the implant runs with privileges the owner never normally has.
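The one check that would have caught the message above is mechanical: the text name-drops DHL, but the link points at a domain DHL does not own. The following Python is an added example, not code from the book or from Citizen Lab, of a small SMS link triage routine. The public-suffix set and the per-brand domain allow-list are stand-ins (assumptions) for the real Public Suffix List and a real brand inventory; the message it is run on is the one quoted above, with the obfuscated path left as printed.

```python
import re
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List (assumption: a real tool would load
# the full list or use a library such as tldextract).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.br", "ca"}

# Which registrable domains a brand really sends links from. Illustrative
# allow-list (assumption), not an official list from either company.
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de", "dhl.co.uk"},
    "amazon": {"amazon.com", "amazon.ca", "amazon.co.uk"},
}

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_urls(text: str) -> list[str]:
    """Pull URLs out of free text, dropping the punctuation that SMS
    wrappers tend to glue onto the end of a link."""
    urls = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:!?)'\"\u2019")
        if url.lower().startswith("www."):
            url = "http://" + url
        urls.append(url)
    return urls


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part somebody had to register, so that
    'dhl.com.sunday-deals.com' is judged by 'sunday-deals.com'."""
    host = host.lower().rstrip(".")
    if IPV4_RE.fullmatch(host):
        return host                      # bare IP: nothing was registered
    labels = host.split(".")
    for n in (2, 1):                     # longest public suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def triage_sms(text: str) -> list[dict]:
    """For every link in the message, compare its registrable domain with
    the domains of whichever brand the message name-drops."""
    brands = [b for b in BRAND_DOMAINS if re.search(rf"(?i)\b{b}\b", text)]
    findings = []
    for url in extract_urls(text):
        domain = registrable_domain(urlsplit(url).hostname or "")
        if not brands:
            findings.append({"url": url, "brand": None, "domain": domain,
                             "verdict": "unknown-brand"})
        for brand in brands:
            verdict = "ok" if domain in BRAND_DOMAINS[brand] else "mismatch"
            findings.append({"url": url, "brand": brand, "domain": domain,
                             "verdict": verdict})
    return findings


if __name__ == "__main__":
    sms = ("Dear Customer, DHL shipment No, #1751455027 is scheduled for "
           "delivery on 28/06/2018, Manage delivery at "
           "https://sunday-deals.com/xxxxxxx, DHL")
    for finding in triage_sms(sms):
        print(finding)
```

Judging the link by its registrable domain rather than by whatever appears in the hostname or path is the point: `dhl.com.sunday-deals.com` and `sunday-deals.com/dhl.com/track` both reduce to `sunday-deals.com` and are flagged the same way as the original message.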

Omar Abdulaziz in 2018 - The Washington Post

Whoever sent this exploit to Omar could turn on his phone’s microphone and camera, and could monitor everything that was going on with the device. They could intercept communications sent or received by Omar before they were encrypted or after they had been decrypted. They could alter the phone’s security settings. In fact, they had full control. In Omar’s line of work, that meant that he and anyone he was communicating with were severely compromised. The consequence of Omar clicking on the DHL link was the creation of one more link in a chain of events that, through no fault of his own, would prove catastrophic.

On 1 November 2017, eight months before Omar clicked on the DHL link, the Oregon Investment Council (OIC) – which manages the state pension fund – met to approve a series of proposed investments. It was their job to grow funds as much as possible.

Item III on the agenda was a pitch by a company called Novalpina Capital. Its founders had all worked together at TPG – one of the biggest private-equity buyout companies in the world – and had created Novalpina as an investment vehicle to buy ‘mid-size’ companies. Their first target in a $1 billion fundraising round was an Israeli-owned company called NSO. The Oregon meeting was an important one for Novalpina; they were pitching for an investment of $232.9 million.

Novalpina told the OIC, ‘As investors, we assume we have to be contrarian. We have to find deals that other people don’t see or don’t want to do for various reasons.’

This hint of risk didn’t deter the OIC, which took just 30 minutes to approve the investment, but they couldn’t say they hadn’t been warned.

Fresh from two failed tech startups, three Israeli school friends – Niv Karmi, a veteran of military intelligence and Mossad, Shalev Hulio and Omri Lavie – finally got a break. It was one that would make them rich beyond their dreams and see them become the darlings of their own government as well as some of the most authoritarian regimes on Earth.

Conversely, they would be both reviled and feared by anyone furthering the interests of democracy and freedom of speech. Their invention was a superweapon.

The second of their ventures, CommuniTake, was innocent enough and a good idea. It would enable a cellphone company’s customer-support staff to take control of their clients’ smartphones – with their permission, of course – to help them sort out problems. The idea didn’t take off but it did attract the attention of a European spy agency, because they had a problem. Governments and others had been able to intercept phone and other communications for decades, but new, commercially available end-to-end encryption – one of the key components of WhatsApp, Signal and other instant-messaging services – was so strong that government agencies could no longer read the traffic in transit. A tool that controls the handset itself sidesteps that problem entirely: on the device, every message exists in the clear before it is encrypted and after it is decrypted.

Alive to this new use of their benign creation, the three Israelis formed a spyware company. They named it using the first letters of their forenames: NSO. They called their main product Pegasus.

Ron Deibert, a Canadian academic, founded Citizen Lab – part of the University of Toronto – in 2001. He has become one of the world’s leading combatants in the battle against the misuse of cyber espionage. Ron can likely count some of the world’s most brutal authoritarian governments among his enemies, perhaps including China, given that China-based servers were used to hack the Dalai Lama’s government in exile in Tibet, as exposed by Citizen Lab in 2009.

Ron Deibert founded the public laboratory Citizen Lab in 2001 - Toronto Star

One of the next targets for Citizen Lab was the commercial market for spyware, private companies selling super-sophisticated software to government agencies. There was big money to be made and, of course, any companies involved would be on the side of the angels, because they would be helping governments catch crooks, intercept terrorists and keep their citizens safe. Or so the theory went.

Trumpeting their credentials as companies that could help governments tackle organised crime and terrorism, they had a dirty secret and it came with serious risks. Two companies, Hacking Team and FinFisher, went out of business amid scandals relating to the use of their software by oppressive regimes to target journalists and human-rights activists – scandals exposed by organisations like Citizen Lab.

However, another spyware company didn’t just survive, it thrived – the NSO Group.

Ahmed Mansoor was understandably cautious. In 2011 he had been sentenced to three years in prison. He and several others in the United Arab Emirates were being silenced for their peaceful campaigns defending press freedoms and calling for democratic reforms. Although reviled by his own government, Mansoor was celebrated by leading human-rights organisations; and, following an international outcry, was pardoned by the country’s president, Sheikh Khalifa bin Zayed Al Nahyan. He was well aware that from that point on the government were watching his every move, so when he received a suspicious-looking text message promising ‘new secrets’ relating to the torture of people imprisoned in the UAE, he knew exactly what to do.

He asked Citizen Lab to take a look. Rather than risk Mansoor’s own device, Ron’s team opened the link on a test iPhone and captured a chain of three ‘zero-day’ exploits – so-called because the vendor has had zero days to fix the flaws they abuse – along with a copy of the Pegasus spyware. Microsoft defines a zero-day vulnerability ‘as a flaw in software programming that has been discovered before a vendor or programmer has been made aware of it. Because the programmers don’t know this vulnerability exists, there are no patches or fixes, making an attack more likely to be successful.’

In other words, zero-day vulnerabilities are flaws that companies like Apple or WhatsApp don’t yet know about, so no patch exists. Citizen Lab immediately notified Apple, which closed the three holes in iOS 9.3.5 within days; the exploit chain, dubbed Trident, no longer worked against an updated phone.

Between 2016 and 2018, Citizen Lab ‘fingerprinted’ the exploit link and the behaviour of the command-and-control servers connected to the attack on Mansoor – the distinctive way those servers answered when probed – and scanned the internet for other servers that answered the same way. They discovered 237 servers, but within a week the NSO Group – Pegasus’s creators – took down the servers Citizen Lab had detected. When a few of these came back online, they no longer matched the fingerprint Citizen Lab had created. Not to be deterred, Ron’s data scientists developed new fingerprints in a technique they christened Athena because, according to Greek myth, Athena had tamed Pegasus.

Ahmed Mansoor was celebrated by leading human-rights organisations – and was targeted with spyware - Bloomberg

As Citizen Lab scanned the internet for the Pegasus fingerprints, Athena clustered the resulting IP addresses into 36 groups. These, Citizen Lab believed, represented 36 operators – distinct NSO clients – including ones in Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia and the United Arab Emirates. Between them, they had infected mobile phones in 45 different countries. Citizen Lab’s interest was piqued because one of these operators, in Saudi Arabia – which they had codenamed KINGDOM – was spying on someone in Canada, Citizen Lab’s home turf.
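The two steps just described, match servers against a fingerprint and then group the matches into operators, are shown below in Python as an added example; it is not Citizen Lab’s code, and the real Athena fingerprints have never been published. The scan records, IP addresses, hostnames and the response traits that make up the fingerprint are all constructed for the example. Servers are grouped by the domain names they serve (here, the names on their TLS certificates, an assumption about what a scan records), using union-find so that a chain of shared names links servers that never share one directly.

```python
from collections import defaultdict

# Constructed scan records: what a probe of every responsive host might
# record. Every IP, hostname and response trait here is invented.
SCAN = [
    {"ip": "198.51.100.10", "root_status": 404, "server": "nginx", "body_len": 0,
     "cert_names": ["sunday-deals.com", "track-parcel.net"]},
    {"ip": "198.51.100.11", "root_status": 404, "server": "nginx", "body_len": 0,
     "cert_names": ["track-parcel.net"]},
    {"ip": "203.0.113.5", "root_status": 404, "server": "nginx", "body_len": 0,
     "cert_names": ["news-update.org"]},
    {"ip": "203.0.113.6", "root_status": 404, "server": "nginx", "body_len": 0,
     "cert_names": ["news-update.org", "fresh-offers.net"]},
    {"ip": "203.0.113.77", "root_status": 404, "server": "nginx", "body_len": 0,
     "cert_names": ["lone-host.net"]},
    # Same domain as the first server, but it no longer answers the same
    # way: this is what a server looks like after a fingerprint is burned.
    {"ip": "192.0.2.9", "root_status": 200, "server": "Apache", "body_len": 512,
     "cert_names": ["sunday-deals.com"]},
]

# Traits a matching server must show. Illustrative (assumption); the real
# fingerprints are not public.
FINGERPRINT = {"root_status": 404, "server": "nginx", "body_len": 0}


def matches(record: dict, fingerprint: dict) -> bool:
    return all(record.get(k) == v for k, v in fingerprint.items())


class DisjointSet:
    """Union-find over indices: two servers end up in one set whenever a
    chain of shared domain names connects them."""

    def __init__(self, n: int):
        self.parent = list(range(n))

    def find(self, i: int) -> int:
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]   # path halving
            i = self.parent[i]
        return i

    def union(self, a: int, b: int) -> None:
        self.parent[self.find(a)] = self.find(b)


def cluster_operators(records: list[dict], fingerprint: dict) -> list[list[str]]:
    """Keep the servers that match the fingerprint, then group them by the
    domains they serve; each group is a candidate operator."""
    hits = [r for r in records if matches(r, fingerprint)]
    ds = DisjointSet(len(hits))
    first_seen = {}                        # domain -> index of a hit serving it
    for i, rec in enumerate(hits):
        for name in rec["cert_names"]:
            if name in first_seen:
                ds.union(i, first_seen[name])
            else:
                first_seen[name] = i
    groups = defaultdict(list)
    for i, rec in enumerate(hits):
        groups[ds.find(i)].append(rec["ip"])
    return sorted(sorted(ips) for ips in groups.values())


if __name__ == "__main__":
    for n, ips in enumerate(cluster_operators(SCAN, FINGERPRINT), 1):
        print(f"operator {n}: {', '.join(ips)}")
```

On the constructed data this yields three candidate operators and silently drops `192.0.2.9`, which serves a known domain but no longer matches the fingerprint. That is exactly the failure mode described above: once the operator changes how the servers answer, a fingerprint-only scan loses them until a new fingerprint is built, which is why the domain-sharing step matters as a second, independent pivot.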

‘This was in the summer of 2018. At that time, the Canadian government was in the midst of a big diplomatic dispute with Saudi Arabia,’ says Ron. ‘Our foreign affairs minister had criticised the regime publicly for its women’s-rights record. The Saudis retaliated; they kicked out our ambassador – we needed to figure out who they were spying on in Canada.’

Citizen Lab could not see the phone itself. What it could see were the traces the infected phone left when it checked in with its Pegasus server: those check-ins went through the DNS resolvers of the internet service providers (ISPs) the phone was using, and by probing the caches of those resolvers Citizen Lab could tell which networks had an infected device behind them. The hits came from Montreal, on two networks: one hosted by the University of Quebec, the other a commercial ISP called Vidéotron. Citizen Lab put together a shortlist of people in Montreal that they thought the Saudi government would be interested in and, judging by when the phone’s lookups appeared on each network, narrowed the search to someone who lived no more than 20 minutes from the university.
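DNS cache probing, the technique that produced those two hits, rests on one detail of the protocol: a query sent with the ‘recursion desired’ bit cleared asks the resolver to answer only from what it already holds. If the spyware’s domain comes back, some device behind that resolver looked it up recently, and the remaining TTL says roughly how long ago. The Python below is an added example, not Citizen Lab’s tooling; it builds such a probe with the standard library and interprets the reply. Because it must run offline, `build_response` fabricates the resolver’s answer, and the domain, address and TTLs are constructed values.

```python
import struct
from typing import Optional

DNS_A, DNS_IN = 1, 1
RCODE_NXDOMAIN, RCODE_REFUSED = 3, 5


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_probe(domain: str, txid: int) -> bytes:
    """A query with the RD (recursion desired) bit cleared. A resolver that
    honours it answers only from its cache, so an answer means somebody
    behind that resolver asked for the name recently."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags=0 -> RD=0
    return header + encode_name(domain) + struct.pack("!HH", DNS_A, DNS_IN)


def decode_name(buf: bytes, off: int) -> tuple[str, int]:
    """Read a (possibly compressed) name; return it and the offset just
    after it in the original position."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(buf: bytes) -> dict:
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):                                # skip echoed question
        _, off = decode_name(buf, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == DNS_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": answers}


def interpret_probe(buf: bytes, expected_txid: int, authoritative_ttl: int) -> dict:
    """Turn the reply to a non-recursive probe into a verdict. The TTL left
    on a cached record, against the zone's full TTL, dates the lookup."""
    r = parse_response(buf)
    if r["txid"] != expected_txid or not r["qr"]:
        return {"verdict": "invalid", **r}
    if r["rcode"] == RCODE_REFUSED:
        return {"verdict": "refused", **r}        # resolver rejects outside probes
    if r["rcode"] == RCODE_NXDOMAIN:
        return {"verdict": "nxdomain", **r}       # may itself be a cached negative
    if r["answers"]:
        ttl = min(a[2] for a in r["answers"])
        return {"verdict": "cached", "age_seconds": authoritative_ttl - ttl, **r}
    return {"verdict": "not-cached", **r}


def build_response(txid: int, domain: str, ip: Optional[str], ttl: int) -> bytes:
    """Constructed resolver reply so the parser can be exercised offline
    (flags 0x8080: QR=1, RD=0 echoed from the probe, RA=1, RCODE=0)."""
    header = struct.pack("!HHHHHH", txid, 0x8080, 1, 1 if ip else 0, 0, 0)
    question = encode_name(domain) + struct.pack("!HH", DNS_A, DNS_IN)
    answer = b""
    if ip:
        rdata = bytes(int(x) for x in ip.split("."))
        answer = b"\xC0\x0C" + struct.pack("!HHIH", DNS_A, DNS_IN, ttl, 4) + rdata
    return header + question + answer
```

Two caveats a practitioner would add. The resolver has to accept non-recursive queries from outside its network at all, which many do not (the `refused` verdict), and a cache hit only places an infected device somewhere behind that resolver, which is why the narrative above still needed a shortlist and a door-to-door search to get from a network to a person.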

As the anti-government protest movement that became known as the Arab Spring spread across the Middle East in the early 2010s, Omar Abdulaziz took to Twitter in his own country, Saudi Arabia, challenging the country’s autocratic regime. In 2014 the authorities were concerned enough to ask that his father bring him to a particular government office in Riyadh. Smelling a rat, Omar went to the airport instead and applied for political asylum in Canada, where he became a prominent human-rights activist and a major thorn in the side of the Saudi government. He started a satirical YouTube channel targeting the regime and its ruler Crown Prince Mohammed bin Salman (MBS) in particular, and built a Twitter following of 340,000. His influence was such that another dissident, a prominent Saudi Arabian journalist, approached him to suggest combining forces.

They realised that their government had deployed an army of trolls to dominate Saudi social media, so they could quickly obliterate any sign of dissent and hunt down the perpetrators. Omar and his friend called these propagandists ‘the flies’, and in response they built an anti-regime social-media-based youth movement, a Twitter army, which they called the ‘cyber bees’. This army would use social media to broadcast the truth about human-rights abuses to the Saudis who use Twitter – around half of the population. Part of Omar and his new friend’s plan was to raise money and import foreign – and therefore untraceable – SIM cards into the kingdom that could be used by the activists there, a challenge that the state-propaganda machine would go to any lengths to thwart.

Around this time, Omar was called by someone saying they represented Saudi Arabia’s ruler and invited to return home – with royal protection, of course. Omar politely declined.

Abdulaziz started a youth-centred movement on Twitter criticising the Saudi Arabian regime after the Arab Spring - The Washington Post

His countrymen were persistent and in the early summer of 2018 two envoys flew to meet him in Montreal. His fellow campaigner warned Omar to meet these people only in public places. When they met, the two men offered Omar the chance of hosting a TV chat show back home, where he could become the voice of the youth. Omar didn’t think this was very likely. ‘You have just arrested many people who said nothing really. And you’re telling me that you want me back in Saudi and nothing is going to happen to me?’ he recalled in Bryan Fogel’s acclaimed documentary The Dissident.

The two envoys fell back on their last option; they invited Omar to come to the Saudi embassy to renew his passport but, with his friend’s warning fresh in his mind, he refused. Within a few months, the memory of this decision would freeze his blood.

A month or so later, Omar knew that something had gone badly wrong. ‘At the beginning of August 2018, they started to arrest my friends, my brothers, my relatives,’ he said in the documentary. ‘Every two, three hours I was receiving a call from someone in Saudi telling me that someone was getting arrested. I was in shock. I made a YouTube broadcast and I said: “Guys, this behaviour shows me that something bigger than just arresting my brothers and friends is going to happen. I do believe MBS is going to do something huge.”’

Omar knew the risks he was facing, telling The Guardian: ‘The [Canadian authorities] received some information … that I might be a potential target. MBS and his group or – I don’t know – his team, they want to harm me. They want to do something, but I don’t know whether it’s assassination, kidnapping, I don’t know – but something’s not OK for sure. They asked me, “What do you think about it?” I said, “I’m happy. I feel that I’m doing something.” You know, if you’re not doing anything that bothers MBS, that means you’re not working very well.’

Then one of Omar’s contacts told him that the Saudi authorities knew all about the cyber bees. As soon as he could, he told his fellow conspirator. There was a long pause before his friend replied, ‘God help us.’ His name was Jamal Khashoggi.

Meanwhile Citizen Lab’s Bill Marczak arrived in Montreal and went door to door, contacting members of the Saudi diaspora on his list to see if he could track down the one person he knew had been targeted by Pegasus. Eventually, he found a match. Omar Abdulaziz attended Quebec University and the timing of his phone connecting to his home and the university’s ISPs corresponded with the information Citizen Lab had found in the Pegasus infection.

Omar was understandably wary but a mutual connection vouched for Citizen Lab’s bona fides and he met Bill in a cafe. Bill asked Omar if he could check his phone and he came across the link supposedly sent by DHL.

In its October 2018 report ‘The Kingdom Came to Canada’, Citizen Lab stated: ‘We conclude … that a government customer of NSO Group targeted and infected Omar Abdulaziz, a Canadian permanent resident, with Pegasus spyware. The infection took place while he was on Canadian soil, after seeking and receiving asylum from the Canadian government. We further believe that this operator, which we named KINGDOM, is linked to Saudi Arabia’s government and security services.’

Citizen Lab had found the needle in the haystack. Omar was not surprised but now he had something else to worry about. Since he’d clicked on that fateful DHL link, Omar’s phone would likely have been checking in with the Saudi Pegasus operator, who could not have missed the 400 or so WhatsApp messages between Omar and Jamal Khashoggi, which included their plans to send both money and foreign SIM cards to the cyber bees, their fellow activists in Saudi Arabia.

The timing of the report was uncanny. Ron was at a security conference in the Netherlands when he and Bill received a WhatsApp message from Omar: ‘I’m really worried, Jamal has gone missing.’

‘Who’s Jamal?’ asked Ron.

On 2 October 2018 Jamal Khashoggi, a Saudi Arabian Washington Post journalist, vocal critic of his country’s regime and, with Omar Abdulaziz, co-creator of the cyber bees, walked into the Saudi consulate in Istanbul to pick up documents confirming his divorce, which would enable him to marry his fiancée, Hatice Cengiz, who was waiting for him outside. She didn’t notice the man dressed in the same clothes as Jamal who left the consulate less than an hour later, and would probably have put it down to coincidence if she had. She waited outside the consulate for 10 hours for Jamal to reappear but gave up and returned the next day to once more wait in vain. The press began to take an interest.

Jamal Khashoggi was a journalist for The Washington Post - AFP

Omar was looking at events unfolding in Istanbul with alarm. As he followed the news coverage, he found a photo in which Hatice is pictured holding what appeared to be Jamal’s phones. Omar had circled these in red, saying, ‘You guys should check these phones,’ and WhatsApped the photo to Ron and Bill. ‘That was how I first heard about Khashoggi…’ Ron told me.

Although Khashoggi’s disappearance was hitting global headlines, the Saudi authorities stuck to the line that he had left the consulate within an hour of arriving, releasing CCTV footage of someone wearing similar clothes – the man Jamal’s fiancée had not noticed as he passed her in the street – leaving the building. She vigorously rejected that explanation. The Turkish authorities were peculiarly well informed; they had been illegally bugging the consulate.

The tapes of what went on inside the consulate that day documented the grisly chain of events once the door closed behind Jamal Khashoggi. He had been met by a 15-person assassination squad. After a struggle, Khashoggi was injected with a lethal drug.

A Saudi surgeon, flown over for the purpose, took out his bone saw and dismembered the dissident’s body. No trace of it has ever been found.

There was little doubt internationally that the murder had been ordered by Saudi Arabia’s crown prince, although his government issued various denials. When their ruse about Jamal leaving the embassy fell flat, they finally blamed a Saudi intelligence team for exceeding their brief to bring Jamal back to Saudi Arabia, but the US director of national intelligence was in little doubt as to who the architect of the crime was: ‘We assess that Saudi Arabia’s crown prince Mohammed bin Salman approved an operation in Istanbul, Turkey to capture or kill Saudi journalist Jamal Khashoggi.’

The disappearance remained headline news for weeks and international attention blazed down on Mohammed bin Salman’s corrupt and brutal regime. Forensic analysis later found that the phone of Khashoggi’s fiancée Hatice Cengiz had also been infected with Pegasus, in the days after the murder. The use of this spyware had proved that even in exile no one is safe. If a government wanted to keep tabs on its enemies, Pegasus was undoubtedly a good buy.

The US government says Saudi Arabia's crown prince Mohammed bin Salman was behind the murder of Jamal Khashoggi - Getty

Pegasus spyware became a watchword for repression of human-rights activists all over the world. Coordinated by French media non-profit Forbidden Stories and with technical support from Amnesty International’s Security Lab, 17 major global news outlets – including Le Monde, Süddeutsche Zeitung, The Guardian, The Washington Post and PBS – began collaborating on a major investigation into the use of this spyware. They called it the Pegasus Project.

Together they exposed the depth of Pegasus surveillance as they identified a swathe of top-level politicians whose smartphones might have been infected. They included France’s Emmanuel Macron and South Africa’s Cyril Ramaphosa. As a Washington Post headline on 20 July 2021 put it: ‘On the list: Ten prime ministers, three presidents and a king.’

Indeed, Citizen Lab notified the UK that they had detected suspected Pegasus spyware infections in the Prime Minister’s office at 10 Downing Street and the Foreign, Commonwealth and Development Office during 2020 and 2021. They linked these infections to the UAE, India, Cyprus and Jordan.

As the storm grew, so the fortunes of both Novalpina and NSO began to plummet. In addition to being a focus of global media pressure, NSO was sued by Meta’s WhatsApp and by Apple, with Google, Microsoft and other technology companies filing court briefs in support of the WhatsApp case. Meanwhile, on 5 August 2021, Novalpina’s first investor, the Oregon State Treasury, backed a takeover bid by the Berkeley Research Group. Just three months later Novalpina was wound up.

That same month the US government placed NSO on its Entity List – essentially a trade blacklist – for ‘engaging in activities that are contrary to the national security or foreign policy interests’.

But even tough measures like these were not enough to stop Pegasus.

‘As we speak, there are live infections of Pegasus victims,’ Ron Deibert told me in September 2023. ‘They’re definitely supplying government clients with spyware and they are actively hacking.’

A glance at NSO’s website today will tell you that, ‘We hold ourselves to the highest standards for ethical business, taking all reasonable steps to prevent and mitigate the risk of misuse of our products.’

So that’s all right then.

Extracted from Terrible Humans: the World’s Most Corrupt Super-Villains – and the Fight To Bring Them Down, by Patrick Alley (Monoray, £22); order at books.telegraph.co.uk

Alley is a co-founder of Global Witness, a leading investigative organisation that helped pioneer the global anti-corruption movement and now focuses those skills on the root causes of the climate crisis