Key Findings from Citizen Lab
Our latest report uncovers a massive hacking campaign against media and civil society in El Salvador using NSO Group’s Pegasus spyware.

Together with our colleagues at Access Now, and in collaboration with Frontline Defenders, SocialTIC and Fundación Acceso, we are confirming 35 cases of journalists and members of civil society whose phones were successfully infected with NSO’s Pegasus spyware between July 2020 and November 2021.

We shared a sample of forensic data with Amnesty International’s Security Lab which independently confirms the findings.

Among the targets are journalists from the news organizations El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy, and two independent journalists. Civil society targets include Fundación DTJ, Cristosal and another NGO.

The hacking we uncovered took place while the organizations were reporting on sensitive issues involving President Bukele’s administration, including the government’s negotiation of a “pact” with the MS-13 gang for a reduction in violence and electoral support.

While we are certain the victim’s phones were hacked with Pegasus, it is often difficult to attribute Pegasus to a particular government operator. However, there is substantial circumstantial evidence linking the hacking campaign to El Salvador:

Our network scanning identified a Pegasus customer operating almost exclusively in El Salvador since at least November 2019 that we call TOROGOZ, and we have connected this operator to an infection attempt against El Faro. The operator had a near-total focus of infections within El Salvador, which is strongly suggestive of a domestic Pegasus operator
The victims were all engaged in sensitive reporting and advocacy around the administration of President Bukele and on other domestic political issues in El Salvador.

Read the report here.