The Battle for the World’s Most Powerful Cyberweapon

A Times investigation reveals how Israel reaped diplomatic gains around the world from NSO’s Pegasus spyware — a tool America itself purchased but is now trying to ban.

Ronen Bergman and 

  • Jan. 28, 2022

To hear more audio stories from publications like The New York Times, download Audm for iPhone or Android.

In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the world’s most notorious maker of spyware. Then, with their equipment in place, they began testing.

The F.B.I. had bought a version of Pegasus, NSO’s premier spying tool. For nearly a decade, the Israeli firm had been selling its surveillance software on a subscription basis to law-enforcement and intelligence agencies around the world, promising that it could do what no one else — not a private company, not even a state intelligence service — could do: consistently and reliably crack the encrypted communications of any iPhone or Android smartphone.

Since NSO had introduced Pegasus to the global market in 2011, it had helped Mexican authorities capture Joaquín Guzmán Loera, the drug lord known as El Chapo. European investigators have quietly used Pegasus to thwart terrorist plots, fight organized crime and, in one case, take down a global child-abuse ring, identifying dozens of suspects in more than 40 countries. In a broader sense, NSO’s products seemed to solve one of the biggest problems facing law-enforcement and intelligence agencies in the 21st century: that criminals and terrorists had better technology for encrypting their communications than investigators had to decrypt them. The criminal world had gone dark even as it was increasingly going global.

But by the time the company’s engineers walked through the door of the New Jersey facility in 2019, the many abuses of Pegasus had also been well documented. Mexico deployed the software not just against gangsters but also against journalists and political dissidents. The United Arab Emirates used the software to hack the phone of a civil rights activist whom the government threw in jail. Saudi Arabia used it against women’s rights activists and, according to a lawsuit filed by a Saudi dissident, to spy on communications with Jamal Khashoggi, a columnist for The Washington Post, whom Saudi operatives killed and dismembered in Istanbul in 2018.

None of this prevented new customers from approaching NSO, including the United States. The details of the F.B.I.’s purchase and testing of Pegasus have never before been made public. Additionally, the same year that Khashoggi was killed, the Central Intelligence Agency arranged and paid for the government of Djibouti to acquire Pegasus to assist the American ally in combating terrorism, despite longstanding concerns about human rights abuses there, including the persecution of journalists and the torture of government opponents. The D.E.A., the Secret Service and the U.S. military’s Africa Command had all held discussions with NSO. The F.B.I. was now taking the next step.

As part of their training, F.B.I. employees bought new smartphones at local stores and set them up with dummy accounts, using SIM cards from other countries — Pegasus was designed to be unable to hack into American numbers. Then the Pegasus engineers, as they had in previous demonstrations around the world, opened their interface, entered the number of the phone and began an attack.

This version of Pegasus was “zero click” — unlike more common hacking software, it did not require users to click on a malicious attachment or link — so the Americans monitoring the phones could see no evidence of an ongoing breach. They couldn’t see the Pegasus computers connecting to a network of servers around the world, hacking the phone, then connecting back to the equipment at the New Jersey facility. What they could see, minutes later, was every piece of data stored on the phone as it unspooled onto the large monitors of the Pegasus computers: every email, every photo, every text thread, every personal contact. They could also see the phone’s location and even take control of its camera and microphone. F.B.I. agents using Pegasus could, in theory, almost instantly transform phones around the world into powerful surveillance tools — everywhere except in the United States.

Ever since the 2013 revelations by Edward Snowden, a former National Security Agency contractor, about U.S. government surveillance of American citizens, few debates in this country have been more fraught than those over the proper scope of domestic spying. Questions about the balance between privacy and security took on new urgency with the parallel development of smartphones and spyware that could be used to scoop up the terabytes of information those phones generate every day. Israel, wary of angering Americans by abetting the efforts of other countries to spy on the United States, had required NSO to program Pegasus so it was incapable of targeting U.S. numbers. This prevented its foreign clients from spying on Americans. But it also prevented Americans from spying on Americans.

NSO had recently offered the F.B.I. a workaround. During a presentation to officials in Washington, the company demonstrated a new system, called Phantom, that could hack any number in the United States that the F.B.I. decided to target. Israel had granted a special license to NSO, one that permitted its Phantom system to attack U.S. numbers. The license allowed for only one type of client: U.S. government agencies. A slick brochure put together for potential customers by NSO’s U.S. subsidiary, first published by Vice, says that Phantom allows American law enforcement and spy agencies to get intelligence “by extracting and monitoring crucial data from mobile devices.” It is an “independent solution” that requires no cooperation from AT&T, Verizon, Apple or Google. The system, it says, will “turn your target’s smartphone into an intelligence gold mine.”

The Phantom presentation triggered a discussion among government lawyers at the Justice Department and the F.B.I. that lasted two years, across two presidential administrations, centering on a basic question: Could deploying Phantom inside the United States run afoul of long-established wiretapping laws? As the lawyers debated, the F.B.I. renewed the contract for the Pegasus system and ran up fees to NSO of approximately $5 million. During this time, NSO engineers were in frequent contact with F.B.I. employees, asking about the various technological details that could change the legal implications of an attack.

The discussions at the Justice Department and the F.B.I. continued until last summer, when the F.B.I. finally decided not to deploy the NSO weapons. It was around this time that a consortium of news organizations called Forbidden Stories brought forward new revelations about NSO cyberweapons and their use against journalists and political dissidents. The Pegasus system currently lies dormant at the facility in New Jersey.

An F.B.I. spokeswoman said that the bureau examines new technologies “not just to explore a potential legal use but also to combat crime and to protect both the American people and our civil liberties. That means we routinely identify, evaluate and test technical solutions and services for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands.” The C.I.A., the D.E.A., the Secret Service and Africa Command declined to comment. A spokesman for the government of Djibouti said the country had never acquired or used Pegasus.

In November, the United States announced what appeared — at least to those who knew about its previous dealings — to be a complete about-face on NSO. The Commerce Department was adding the Israeli firm to its “entity list” for activities “contrary to the national security or foreign policy interests of the United States.” The list, originally designed to prevent U.S. companies from selling to nations or other entities that might be in the business of manufacturing weapons of mass destruction, had in recent years come to include several cyberweapons companies. NSO could no longer buy critical supplies from American firms.

It was a very public rebuke of a company that had in many ways become the crown jewel of the Israeli defense industry. Now, without access to the American technology it needed to run its operations — including Dell computers and Amazon cloud servers — it risked being unable to function. The United States delivered the news to Israel’s Ministry of Defense less than an hour before it was made public. Israeli officials were furious. Many of the headlines focused on the specter of an out-of-control private company, one based in Israel but largely funded offshore. But authorities in Israel reacted as if the ban were an attack on the state itself. “The people aiming their arrows against NSO,” said Yigal Unna, director general of the Israel National Cyber Directorate until Jan. 5, “are actually aiming at the blue and white flag hanging behind it.”

The Israelis’ anger was, in part, about U.S. hypocrisy: The American ban came after years of secretly testing NSO’s products at home and putting them in the hands of at least one country, Djibouti, with a record of human rights abuses. But Israel also had its own interests to protect. To an extent not previously understood, Israel, through its internal export-licensing process, has ultimate say over who NSO can sell its spyware to. This has allowed Israel to make NSO a central component of its national-security strategy for years, using it and similar firms to advance the country’s interests around the world.

A yearlong Times investigation, including dozens of interviews with government officials, leaders of intelligence and law-enforcement agencies, cyberweapons experts, business executives and privacy activists in a dozen countries, shows how Israel’s ability to approve or deny access to NSO’s cyberweapons has become entangled with its diplomacy. Countries like Mexico and Panama have shifted their positions toward Israel in key votes at the United Nations after winning access to Pegasus. Times reporting also reveals how sales of Pegasus played an unseen but critical role in securing the support of Arab nations in Israel’s campaign against Iran and even in negotiating the Abraham Accords, the 2020 diplomatic agreements that normalized relations between Israel and some of its longtime Arab adversaries.

The combination of Israel’s search for influence and NSO’s drive for profits has also led to the powerful spying tool’s ending up in the hands of a new generation of nationalist leaders worldwide. Though the Israeli government’s oversight was meant to prevent the powerful spyware from being used in repressive ways, Pegasus has been sold to Poland, Hungary and India, despite those countries’ questionable records on human rights.

The United States has made a series of calculations in response to these developments — secretly acquiring, testing and deploying the company’s technology, even as it has denounced the company in public and sought to limit its access to vital American suppliers. The current showdown between the United States and Israel over NSO demonstrates how governments increasingly view powerful cyberweapons the same way they have long viewed military hardware like fighter jets and centrifuges: not only as pivotal to national defense but also as a currency with which to buy influence around the world.

Image

Credit…Photo illustration by Cristiana Couceiro

Selling weapons for diplomatic ends has long been a tool of statecraft. Foreign-service officers posted in American Embassies abroad have served for years as pitchmen for defense firms hoping to sell arms to their client states, as the thousands of diplomatic cables released by WikiLeaks in 2010 showed; when American defense secretaries meet with their counterparts in allied capitals, the end result is often the announcement of an arms deal that pads the profits of Lockheed Martin or Raytheon.

Cyberweapons have changed international relations more profoundly than any advance since the advent of the atomic bomb. In some ways, they are even more profoundly destabilizing — they are comparatively cheap, easily distributed and can be deployed without consequences to the attacker. Dealing with their proliferation is radically changing the nature of state relations, as Israel long ago discovered and the rest of the world is now also beginning to understand.

For Israel, the weapons trade has always been central to the country’s sense of national survival. It was a major driver of economic growth, which in turn funded further military research and development. But it also played an important role in forging new alliances in a dangerous world. In the 1950s, when the nation was still young and essentially powerless, its first prime minister, David Ben-Gurion, established covert links with countries and organizations that lay just outside the ring of hostile Arab states that surround Israel. He called this approach “the periphery doctrine,” and his foreign intelligence agency, the Mossad, began weaving a network of secret contacts inside countries throughout the Middle East, Asia and Africa, including many that publicly sided with Arabs. Offering advanced weapons was a key to making those connections.

By the mid-1980s, Israel had firmly established itself as one of the world’s top arms exporters, with an estimated one in 10 of the nation’s workers employed by the industry in some way. All of this bought good will for Israel from select foreign leaders, who saw the military aid as essential to preserving their own power. In turn, those countries often voted in Israel’s favor at the United Nations General Assembly, the Security Council and other international forums. They also allowed the Mossad and the Israel Defense Forces to use their countries as bases to launch operations against Arab nations.

As cyberweapons began to eclipse fighter jets in the schemes of military planners, a different kind of weapons industry emerged in Israel. Veterans of Unit 8200 — Israel’s equivalent of the National Security Agency — poured into secretive start-ups in the private sector, giving rise to a multibillion-dollar cybersecurity industry. As with purveyors of conventional weapons, cyberweapons makers are required to obtain export licenses from Israel’s Ministry of Defense to sell their tools abroad, providing a crucial lever for the government to influence the firms and, in some cases, the countries that buy from them.

None of these firms have been as wildly successful, or as strategically useful to the Israeli government, as NSO. The firm has its roots in a former chicken coop in Bnai Zion, an agricultural cooperative just outside Tel Aviv. In the mid 2000s, the building’s owner, realizing that coders might deliver a better profit than chickens, gave the space a light makeover and began renting it to technology start-ups looking for cheap office space. Among the start-up founders there, Shalev Hulio stood out from the veteran programmers around him: He was charismatic and easy to spend time with, but he also gave the impression — at least initially — of being somewhat naïve. He and his partner, Omri Lavie, an old friend from school, had each done their mandatory military service in combat units, rather than intelligence or technology, and for years they struggled to find a product that would connect. They developed a video marketing product, which briefly took off but then crashed with the 2008 global recession. They then started another company, called CommuniTake, that offered cellphone tech-support workers the ability to take control of their customers’ devices — with permission.

That idea met with little enthusiasm, so the two friends pivoted to a very different kind of customer. “A European intelligence agency found out about our innovation and contacted me,” Hulio recalled in an interview. What quickly emerged was that their product could solve a much bigger problem than customer service.

For years, law-enforcement and intelligence agencies had been able to intercept and understand communications in transit, but as powerful encryption became widely available, that was no longer the case. They could intercept a communication, but they could no longer understand what it said. If they could control the device itself, though, they could collect the data before it was encrypted. CommuniTake had already figured out how to control the devices. All the partners needed was a way to do so without permission.

And so NSO was born. Hulio and Lavie, lacking the contacts they would need to scale their product, brought in a third partner, Niv Karmi, who had served both in military intelligence and in the Mossad. They took the company name from their first initials (Niv, Shalev and Omri) — that it sounded a little like “N.S.A.” was a happy coincidence — and began hiring. Recruitment was the essential ingredient of their business plan. The company would eventually employ more than 700 people in offices around the world and a sprawling headquarters in Herzliya, where individual labs for Apple and Android operating systems are filled with racks of smartphones undergoing constant testing by the firm’s hackers as they seek and exploit new vulnerabilities.

Nearly every member of NSO’s research team is a veteran of the intelligence services; most of them served with AMAN, the Israeli Military Intelligence Directorate, the largest agency in the Israeli espionage community — and many of them in AMAN’s Unit 8200. The company’s most valuable employees are all graduates of elite training courses, including a secretive and prestigious Unit 8200 program called ARAM that accepts only a handful of the most brilliant recruits and trains them in the most advanced methods of cyberweapons programming. There are very few people with this kind of training anywhere in the world, and soon enough, few places would have a higher concentration of them than NSO’s headquarters in Herzliya — where there were not just a few top specialists but hundreds. This would provide NSO with an incredible competitive advantage: All of those engineers would work daily to find “zero days,” i.e., new vulnerabilities in phone software that could be exploited to install Pegasus. Unlike rival firms, which generally struggled to find even a single zero day and therefore could be shut down if it were made public, NSO would be able to discover and bank multitudes of them. If someone locked one back door, the company could quickly open another.

In 2011, NSO engineers finished coding the first iteration of Pegasus. With its powerful new tool, NSO hoped to quickly build a stable of clients in the West. But many countries, especially those in Europe, were initially wary of buying foreign intelligence products. There was a particular concern about Israeli companies that were staffed by former top intelligence officials; potential customers feared that their spyware might be contaminated with even deeper spyware, allowing the Mossad access to their internal systems.

Reputation mattered, both for sales and for holding onto the well-trained coders who had made Pegasus a reality. Hulio appointed Maj. Gen. Avigdor Ben-Gal, a Holocaust survivor and a highly respected combat officer, as NSO’s chairman, and established what he said would be the company’s four main pillars: NSO would not operate the system itself. It would sell only to governments, not to individuals or companies. It would be selective about which governments it allowed to use the software. And it would cooperate with Israel’s Defense Export Controls Agency, or DECA, to license every sale.

The decisions NSO made early on about its relationship with regulators ensured that it would function as a close ally, if not an arm, of Israeli foreign policy. Ben-Gal saw that this oversight was crucial to NSO’s growth — it might restrict which countries the company could sell to, but it would also protect the company from public blowback about what its clients did. When he informed the Defense Ministry that NSO would voluntarily be subject to oversight, the authorities also seemed happy with this plan. One former military aide to Benjamin Netanyahu, at the time Israel’s prime minister, explained the advantages quite clearly. “With our Defense Ministry sitting at the controls of how these systems move around,” he said, “we will be able to exploit them and reap diplomatic profits.”

The company quickly got its first major break. Mexico, in its ongoing battle against drug cartels, was looking for ways to hack the encrypted BlackBerry messaging service favored by cartel operatives. The N.S.A. had found a way in, but the American agency offered Mexico only sporadic access. Hulio and Ben-Gal arranged a meeting with Mexico’s president, Felipe Calderón, and arrived with an aggressive sales pitch. Pegasus could do what the N.S.A. could do, and it could do so entirely at the command of Mexican authorities. Calderón was interested.

Israel’s Ministry of Defense informed NSO that there was no issue with selling Pegasus to Mexico, and a deal was finalized. Soon after, investigators at an office of the Center for Investigation and National Security, or CISEN — now called the Center for National Investigation — went to work with one of the Pegasus machines. They fed the mobile phone number of a person connected to Joaquín Guzmán’s Sinaloa cartel into the system, and the BlackBerry was successfully attacked. Investigators could see the content of the messages, as well as the locations of different BlackBerry devices. “Suddenly we started to see and hear anew,” says a former CISEN leader. “It was like magic.” In his view, the new system had revitalized their entire operation — “Everyone felt like maybe for the first time we could win.” It was also a win for Israel. Mexico is a dominant power in Latin America, a region where Israel for years has waged a kind of diplomatic trench warfare against anti-Israeli groups supported by the country’s adversaries in the Middle East. There is no direct evidence that Mexico’s contracts with NSO brought about a change in the country’s foreign policy toward Israel, but there is at least a recognizable pattern of correlation. After a long tradition of voting against Israel at United Nations conferences, Mexico slowly began to shift “no” votes to abstentions. Then, in 2016, Enrique Peña Nieto, who succeeded Calderón in 2012, went to Israel, which had not seen an official visit from a Mexican president since 2000. Netanyahu visited Mexico City the following year, the first visit ever by an Israeli prime minister. Shortly after, Mexico announced that it would abstain from voting on several pro-Palestinian resolutions that were being considered by the United Nations.

In a statement, Netanyahu’s spokesman said that the former prime minister never sought a quid pro quo when other countries wanted to buy Pegasus. “The claim that Prime Minister Netanyahu spoke to foreign leaders and offered them such systems in exchange for political or other measures is a complete and utter lie. All sales of this system or similar products of Israeli companies to foreign countries are conducted with the approval and supervision of the Ministry of Defense, as outlined in Israeli law.”

The Mexico example revealed both the promise and the perils of working with NSO. In 2017, researchers at Citizen Lab, a watchdog group based at the University of Toronto, reported that authorities in Mexico had used Pegasus to hack the accounts of advocates for a soda tax, as part of a broader campaign aimed at human rights activists, political opposition movements and journalists. More disturbing, it appeared that someone in the government had used Pegasus to spy on lawyers working to untangle the massacre of 43 students in Iguala in 2014. Tomás Zerón de Lucio, the chief of the Mexican equivalent to the F.B.I., was a main author of the federal government’s version of the event, which concluded that the students were killed by a local gang. But in 2016 he became the subject of an investigation himself, on suspicion that he had covered up federal involvement in the events there. Now it appeared that he might have used Pegasus in that effort — one of his official duties was to sign off on the procurement of cyberweapons and other equipment. In March 2019, soon after Andrés Manuel López Obrador replaced Peña Nieto after a landslide election, investigators charged that Zerón had engaged in torture, abduction and tampering with evidence in relation to the Iguala massacre. Zerón fled to Canada and then to Israel, where he entered the country as a tourist, and where — despite an extradition request from Mexico, which is now seeking him on additional charges of embezzlement — he remains today.

The American reluctance to share intelligence was creating other opportunities for NSO, and for Israel. In August 2009, Panama’s new president, Ricardo Martinelli, fresh off a presidential campaign grounded on promises of “eliminating political corruption,” tried to persuade U.S. diplomats in the country to give him surveillance equipment to spy on “security threats as well as political opponents,” according to a State Department cable published by WikiLeaks. The United States “will not be party to any effort to expand wiretaps to domestic political targets,” the deputy chief of mission replied.

Martinelli tried a different approach. In early 2010, Panama was one of only six countries at the U.N. General Assembly to back Israel against a resolution to keep the Goldstone Commission report on war crimes committed during the 2008-9 Israeli assault on Gaza on the international agenda. A week after the vote, Martinelli landed in Tel Aviv on one of his first trips outside Latin America. Panama will always stand with Israel, he told the Israeli president, Shimon Peres, in appreciation of “its guardianship of the capital of the world — Jerusalem.” He said he and his entourage of ministers, businesspeople and Jewish community leaders had come to Israel to learn. “We came a great distance, but we are very close because of the Jewish heart of Panama,” he said.

Behind closed doors, Martinelli used his trip to go on a surveillance shopping spree. In a private meeting with Netanyahu, the two men discussed the military and intelligence equipment that Martinelli wanted to buy from Israeli vendors. According to one person who attended the meeting, Martinelli was particularly interested in the ability to hack into BlackBerry’s BBM text service, which was very popular in Panama at that time.

Within two years, Israel was able to offer him one of the most sophisticated tools yet made. After the installation of NSO systems in Panama City in 2012, Martinelli’s government voted in Israel’s favor on numerous occasions, including to oppose the United Nations decision to upgrade the status of the Palestinian delegation — 138 countries voted in favor of the resolution, with just Israel, Panama and seven other countries opposing it.

According to a later legal affidavit from Ismael Pitti, an analyst for Panama’s National Security Council, the equipment was used in a widespread campaign to “violate the privacy of Panamanians and non-Panamanians” — political opponents, magistrates, union leaders, business competitors — all “without following the legal procedure.” Prosecutors later said Martinelli even ordered the team operating Pegasus to hack the phone of his mistress. It all came to an end in 2014, when Martinelli was replaced by his vice president, Juan Carlos Varela, who himself claims to have been a target of Martinelli’s spying. Martinelli’s subordinates dismantled the espionage system, and the former president fled the country. (In November, he was acquitted by Panamanian courts of wiretapping charges.)

NSO was doubling its sales every year — $15 million, $30 million, $60 million. That growth attracted the attention of investors. In 2014, Francisco Partners, a U.S.-based global investment firm, paid $130 million for 70 percent of NSO’s shares, then merged another Israeli cyberweapons firm, called Circles, into their new acquisition. Founded by a former senior AMAN officer, Circles offered clients access to a vulnerability that allowed them to detect the location of any mobile phone in the world — a vulnerability discovered by Israeli intelligence 10 years earlier. The combined company could offer more services to more clients than ever.

Through a series of new deals, Pegasus was helping to knit together a rising generation of right-wing leaders worldwide. On Nov. 21, 2016, Sara and Benjamin Netanyahu welcomed Prime Minister Beata Szydlo of Poland and her foreign minister, Witold Waszczykowski, for dinner at their home. Shortly after, Poland signed an agreement with NSO to purchase a Pegasus system for its Central Anti-Corruption Bureau. Citizen Lab reported in December 2021 that the phones of at least three members of the Polish opposition were attacked by this spy machine. Netanyahu did not order the Pegasus system to be cut off — even when the Polish government enacted laws that many in the Jewish world and in Israel saw as Holocaust denial, and even when Prime Minister Mateusz Morawiecki, at a conference attended by Netanyahu himself, listed “Jewish perpetrators” among those responsible for the Holocaust.

In July 2017, Narendra Modi, who won office on a platform of Hindu nationalism, became the first Indian prime minister to visit Israel. For decades, India had maintained a policy of what it called “commitment to the Palestinian cause,” and relations with Israel were frosty. The Modi visit, however, was notably cordial, complete with a carefully staged moment of him and Prime Minister Netanyahu walking together barefoot on a local beach. They had reason for the warm feelings. Their countries had agreed on the sale of a package of sophisticated weapons and intelligence gear worth roughly $2 billion — with Pegasus and a missile system as the centerpieces. Months later, Netanyahu made a rare state visit to India. And in June 2019, India voted in support of Israel at the U.N.’s Economic and Social Council to deny observer status to a Palestinian human rights organization, a first for the nation.

The Israeli Defense Ministry also licensed the sale of Pegasus to Hungary, despite Prime Minister Viktor Orban’s campaign of persecution against his political opponents. Orban deployed the hacking tools on opposition figures, social activists, journalists who conducted investigations against him and families of former business partners who had become bitter enemies. But Orban has been Israel’s devoted supporter in the European Union. In 2020, Hungary was one of the few countries that did not publicly speak out against Israel’s plan at the time to unilaterally annex swaths of the West Bank. In May of that year, European Union foreign ministers tried to reach unanimity when calling for a cease-fire between Israel and the Palestinian Islamic group Hamas, as well as for increased humanitarian aid for Gaza. Hungary declined to join the other 26 countries.

Image

Credit…Photo illustration by Cristiana Couceiro

Arguably the most fruitful alliances made with Pegasus’s help have been those between Israel and its Arab neighbors. Israel first authorized the sale of the system to the U.A.E. as something of an olive branch, after Mossad agents poisoned a senior Hamas operative in a Dubai hotel room in 2010. It was not the assassination itself that infuriated Crown Prince Mohammed bin Zayed, the de facto Emirati leader, so much as it was that the Israelis had carried it out on Emirati soil. The prince, widely known as M.B.Z., ordered that security ties between Israel and the U.A.E. be severed. In 2013, by way of a truce, M.B.Z. was offered the opportunity to buy Pegasus. He readily agreed.

The Emirates did not hesitate to deploy Pegasus against its domestic enemies. Ahmed Mansoor, an outspoken critic of the government, went public after Citizen Lab determined that Pegasus had been used to hack his phone. When the vulnerability was made public, Apple immediately pushed out an update to block the vulnerability. But for Mansoor, the damage had already been done. His car was stolen, his email account was hacked, his location was monitored, his passport was taken from him, $140,000 was stolen from his bank account, he was fired from his job and strangers beat him on the street several times. “You start to believe your every move is watched,” he said at the time. “Your family starts to panic. I have to live with that.” (In 2018, Mansoor was sentenced to 10 years in prison for posts he made on Facebook and Twitter.)

The messy outcome of the Dubai assassination aside, Israel and the U.A.E. had, in fact, been growing closer together for years. The calcified animosities between Israel and the Arab world that for years drove Middle East politics had given way to a new uneasy alliance in the region: Israel and the Sunni states in the Persian Gulf lining up against their archenemy, Iran, a Shia nation. Such an alliance would have been unheard-of decades ago, when Arab kings proclaimed themselves to be the protectors of the Palestinians and their struggle for independence from Israel. The Palestinian cause has less of a hold on some of the next generation of Arab leaders, who have shaped much of their foreign policy to address the sectarian battle between Sunni and Shia, and they have found common cause with Israel as an important ally against Iran.

No leader represents this dynamic more than Saudi Arabia’s Crown Prince Mohammed bin Salman, the son of the ailing king and the kingdom’s de facto ruler. In 2017, Israeli authorities decided to approve the sale of Pegasus to the kingdom, and in particular to a Saudi security agency under the supervision of Prince Mohammed. From this point on, a small group of senior members of the Israeli defense establishment, reporting directly to Netanyahu, took a lead role in the exchanges with the Saudis, all “while taking extreme measures of secrecy,” according to one of the Israelis involved in the affair. One Israeli official said that the hope was to gain Prince Mohammed’s commitment and gratitude. The contract, for an initial installation fee of $55 million, was signed in 2017.

Years prior, NSO had formed an ethics committee, made up of a bipartisan cast of former U.S. foreign-policy officials who would advise on potential customers. After the Khashoggi killing in 2018, its members requested an urgent meeting to address the stories circulating about NSO involvement. Hulio flatly denied that Pegasus had been used to spy on the Washington Post columnist. Pegasus systems log every attack in case there is a complaint, and — with the client’s permission — NSO can perform an after-the-fact forensic analysis. Hulio said his staff had done just that with the Saudi logs and found no use of any NSO product or technology against Khashoggi. The committee nonetheless urged NSO to shut off the Pegasus system in Saudi Arabia, and it did. The committee also advised NSO to reject a subsequent request by the Israeli government to reconnect the hacking system in Saudi Arabia, and it stayed off.

Then, the following year, the company reversed course. Novalpina, a British private-equity firm, acting in cooperation with Hulio, purchased Francisco Partners’ shares of NSO, with a valuation of $1 billion — more than five times more than it was when the American fund acquired it in 2014. In early 2019, NSO agreed to turn the Pegasus system in Saudi Arabia back on.

Keeping the Saudis happy was important for Netanyahu, who was in the middle of a secret diplomatic initiative he believed would cement his legacy as a statesman — an official rapprochement between Israel and several Arab states. In September 2020, Netanyahu, Donald Trump and the foreign ministers of the United Arab Emirates and Bahrain signed the Abraham Accords, and all the signatories heralded it as a new era of peace for the region.

But behind the scenes of the peace deal was a Middle East weapons bazaar. The Trump administration had quietly agreed to overturn past American policy and sell F-35 joint strike fighters and armed Reaper drones to the U.A.E., and had spent weeks assuaging Israel’s concerns that it would no longer be the only country in the region with the sophisticated F-35. Pompeo would later describe the aircraft deals in an interview as “critical” to obtaining M.B.Z.’s consent to the historic move. And by the time the Abraham Accords were announced, Israel had provided licenses to sell Pegasus to nearly all the signatories.

Things hit a snag a month later, when the Saudi export license expired. Now it was up to the Israeli Defense Ministry to decide whether or not to renew it. Citing Saudi Arabia’s abuse of Pegasus, it declined to do so. Without the license, NSO could not provide routine maintenance on the software, and the systems were crashing. Numerous calls among Prince Mohammed’s aides, NSO executives, the Mossad and the Israeli Defense Ministry had failed to resolve the issue. So the crown prince placed an urgent telephone call to Netanyahu, according to people familiar with the call. He wanted the Saudi license for Pegasus renewed.

Prince Mohammed had a significant amount of leverage. His ailing father, King Salman, had not officially signed on to the Abraham Accords, but he offered the other signatories his tacit blessing. He also allowed for a crucial part of the agreement to move forward: the use of Saudi air space, for the first time ever, by Israeli planes flying eastward on their way to the Persian Gulf. If the Saudis were to change their mind about the use of their airspace, an important public component of the accords might collapse.

Netanyahu apparently had not been updated on the brewing crisis, but after the conversation with Prince Mohammed his office immediately ordered the Defense Ministry to have the problem fixed. That night, a ministry official called NSO’s operations room to have the Saudi systems switched back on, but the NSO compliance officer on duty rebuffed the request without a signed license. Told that the orders came directly from Netanyahu, the NSO employee agreed to accept an email from the Defense Ministry. Shortly afterward, Pegasus in Saudi Arabia was once again up and running.

The next morning, a courier from the Defense Ministry arrived at NSO headquarters delivering a stamped and sealed permit.

In December 2021, just weeks after NSO landed on the American blacklist, the White House national security adviser, Jake Sullivan, arrived in Israel for meetings with Israeli officials about one of the Biden administration’s top foreign-policy priorities: getting a new nuclear pact with Iran three years after President Trump scuttled the original deal.

The visit carried historical weight. In 2012, Sullivan was one of the first American officials to talk with Iranian officials about a possible nuclear deal — meetings that President Obama chose to keep secret from the Israelis out of fear they might try to blow up the negotiations — and Israeli officials were furious when they found out. Now, years later, Sullivan arrived in Jerusalem to make his case for a united front in the next round of Iran diplomacy.

But there was another matter that Israeli officials — including the prime minister, the minister of defense and the foreign minister — wanted to discuss: the future of NSO. The Israelis pressed Sullivan about the reasons behind the blacklist decision. They also warned that if NSO went bankrupt, Russia and China might fill the vacuum and expand their own influence, by selling their own hacking tools to nations that could no longer buy from Israel.

Unna, the former head of the Israel National Cyber Directorate, says he believes the move against the Israeli firms, which was followed by Facebook’s blacklisting of more Israeli cyberweapons and intelligence companies, is part of something bigger, a plan to neuter Israel’s advantage in cyberweapons. “We have to prepare for a battle to defend the good name that we earned honestly,” he says.

Biden administration officials dismiss this talk of a deep conspiracy, saying the decision about NSO has everything to do with reining in a dangerous company and nothing to do with America’s relationship with Israel. There is far more at stake in the decades-old alliance, they say, than the fate of a hacking firm. Martin Indyk, a former American ambassador to Israel, agrees. “NSO was providing the means for states to spy on their own people,” he says. “From my point of view it’s straightforward. This issue is not about Israel’s security. It’s about something that got out of control.

Under the ban, NSO’s future is in doubt, not just because of its reliance on American technology but also because its presence on an American blacklist will probably scare away prospective clients — and employees. One Israeli industry veteran says that the “sharks in the water smell blood,” and Israeli officials and industry executives say there are currently a handful of American companies, some with close ties to intelligence and law-enforcement agencies, interested in buying the company. Were that to happen, the new owner could potentially bring the company in line with U.S. regulations and start selling its products to the C.I.A., the F.B.I. and other American agencies eager to pay for the power its weapons offer.

Israeli officials now fear a strategic takeover of NSO, in which some other company — or country — would take command over how and where the weapon is used. “The State of Israel cannot allow itself to lose control of these types of companies,” a senior Israeli official said, explaining why such a deal was unlikely. “Their manpower, the knowledge they’ve gathered.” Foreign ownership was fine, but Israel had to maintain control; a sale was possible “only under conditions that preserve Israel’s interests and freedom of action.”

But the days of Israel’s near monopoly are over — or soon will be. The intense desire inside the United States government for offensive hacking tools has not gone unnoticed by the company’s potential American competitors. In January 2021, a cyberweapons firm called Boldend made a pitch to Raytheon, the defense-industry giant. According to a presentation obtained by The Times, the company had developed for various American government agencies its own arsenal of weapons for attacking cellphones and other devices.

One slide in particular underscored the convoluted nature of the cyberweapons business. The slide claimed that Boldend had found a way to hack WhatsApp, the popular messaging service owned by Facebook, but then lost the capability after a WhatsApp update. This claim is especially remarkable because, according to one of the slides, a major Boldend investor is Founders Fund — a company run by Peter Thiel, the billionaire who was one of Facebook’s first investors and remains on its board. The capability to hack WhatsApp, according to the presentation, “doesn’t currently exist” in the United States government, and the intelligence community was interested in acquiring that capability.

In October 2019, WhatsApp sued NSO, arguing that NSO tools had exploited a vulnerability in its service to attack approximately 1,400 phones around the world. Beyond the question of who controls the weapons, at stake in that lawsuit is who is responsible for the damage they do. NSO’s defense has always been that the company only sells the technology to foreign governments; it has no role in — or responsibility for — targeting specific individuals. This has long been the standard P.R. line of weapons manufacturers, whether Raytheon or Remington.

Facebook is out to prove that this defense, at least in NSO’s case, is a lie. In its lawsuit, the tech giant argues that the NSO was an active participant in some of the hacks, pointing to evidence that it leased some of the computer servers used to attack WhatsApp accounts. Facebook’s argument is essentially that without NSO’s constant involvement, many of its clients would not be able to aim the gun.

When they first presented their case against NSO, Facebook’s lawyers thought they had evidence to disprove one of the Israeli company’s longtime claims — that the Israeli government strictly prohibits the firm from hacking any phone numbers in the United States. In court documents, Facebook asserted it had evidence that at least one number with a Washington area code had been attacked. Clearly someone was using NSO spyware to monitor an American phone number.

But the tech giant didn’t have the entire picture. What Facebook didn’t appear to know was that the attack on a U.S. phone number, far from being an assault by a foreign power, was part of the NSO demonstrations to the F.B.I. of Phantom — the system NSO designed for American law-enforcement agencies to turn the nation’s smartphones into an “intelligence gold mine.”


Source photographs: Dennis Cooper/Getty Images; Library of Congress, Geography and Map Division; Jorg Greuel/Getty Images; Dave Pattison/Alamy; Nicholas Kamm/Agence France-Presse, via Getty Images.

Ronen Bergman is a staff writer for The New York Times Magazine, based in Tel Aviv. His latest book is “Rise and Kill First: The Secret History of Israel’s Targeted Assassinations,” published by Random House. 

Mark Mazzetti is a Washington investigative correspondent, and a two-time Pulitzer Prize winner. He is the author of "The Way of the Knife: the C.I.A, a Secret Army, and a War at the Ends of the Earth."  @MarkMazzettiNYT

A version of this article appears in print on Feb. 6, 2022, Page 36 of the Sunday Magazine with the headline: The Spyware Wars .