Pegasus Spyware

Updated May 20, 2026

Commercial spyware developed by Israel's NSO Group that enables remote, zero-click compromise of iOS and Android devices.

What It Is

Pegasus is commercial spyware developed by Israel's NSO Group that enables remote, zero-click compromise of iOS and Android devices. It is the flagship product of Israeli cyber firm NSO Group, sold exclusively to government clients (per NSO).

Pegasus can compromise iOS and Android devices through zero-click exploits requiring no user interaction, granting access to:

  • Messages and communications.
  • Calls and voice recordings.
  • Microphone and camera (covertly activated).
  • Location data.
  • Stored files, photos, and documents.
  • App data including encrypted messaging apps (WhatsApp, Signal, Telegram).

The technical capability is severe. Once Pegasus is on a target's device, the operator has essentially complete access to the device and the target's digital life.

How Pegasus Works

Pegasus deployment typically follows a sequence:

  • Target identification: the operator identifies the target's device (typically by phone number or device identifier).
  • Exploit delivery: a zero-click exploit is delivered to the device via SMS, iMessage, WhatsApp call, or similar channel.
  • Compromise: the exploit executes without user interaction, gaining elevated privileges.
  • Persistence: Pegasus installs itself with mechanisms to survive device reboots.
  • Exfiltration: data is exfiltrated to operator-controlled servers.
  • Anti-detection: anti-forensic mechanisms attempt to hide Pegasus presence from device users and security researchers.

The zero-click capability is the operational signature. Other spyware typically requires user interaction (clicking a malicious link, downloading an app); Pegasus does not.

The Pegasus Project

The Pegasus Project (July 2021) was a consortium of 17 media organizations led by Forbidden Stories and Amnesty International that exposed widespread Pegasus use against journalists, activists, lawyers, and political figures.

The Project's disclosures included:

  • Forensic analysis of devices found infected with Pegasus.
  • Database of phone numbers allegedly targeted by Pegasus operators (50,000+ numbers).
  • Reporting on specific cases: journalists, human-rights activists, politicians, lawyers.
  • Reporting on operator countries: identifying which governments deployed Pegasus.
  • High-profile cases: phones associated with French President Macron, Indian opposition figures, Mexican journalists, Saudi dissidents.

The Project demonstrated that Pegasus was being deployed against civilians in democratic and authoritarian states alike. The most explosive specific revelation was the Pegasus targeting of associates of murdered journalist Jamal Khashoggi before his October 2018 assassination.

Consequences and Litigation

The Pegasus revelations produced substantial consequences:

  • The US Commerce Department added NSO Group to the Entity List in November 2021, restricting NSO's access to US technology.
  • Apple sued NSO in November 2021, alleging unauthorized use of Apple's infrastructure.
  • Meta won a 2024 California court ruling holding NSO liable for WhatsApp exploit deployments.
  • The Israeli government tightened export licensing for Israeli cyber firms in response to international backlash.
  • The European Parliament's PEGA Committee conducted an investigation into Pegasus use within the EU, producing a substantial 2023 report.
  • Civil-society documentation centers (Citizen Lab at the University of Toronto, Amnesty's Security Lab) became central to ongoing Pegasus monitoring.

Pegasus Deployment Patterns

Deployment patterns documented through 2026 include:

  • Authoritarian governments: Saudi Arabia, UAE, Bahrain, Morocco, Hungary, Azerbaijan, Kazakhstan, Vietnam.
  • Democratic governments with controversial uses: India, Mexico, Spain, Poland.
  • Targets: journalists, opposition politicians, lawyers, activists, family members of dissidents, foreign diplomats.
  • Tactical concentration: many Pegasus deployments targeted specific individuals during sensitive moments (elections, opposition campaigns, journalism investigations).

The pattern is one of broadly available commercial spyware being deployed not just against terrorism suspects but against civilian dissent.

The Pall Mall Process

Pegasus deployment has contributed to a global civil-society push for export controls on commercial spyware and to the Pall Mall Process, a UK- and France-led intergovernmental process to develop norms for commercial spyware. The Process aims to address:

  • Export controls: limiting which states can purchase commercial spyware.
  • End-use commitments: restricting deployment to legitimate law-enforcement purposes.
  • Accountability mechanisms: ensuring victims have recourse.
  • Industry transparency: requiring spyware vendors to publish reports on deployment.

The Pall Mall Process is still in development and is opposed by some governments that benefit from commercial spyware access.

Why Pegasus Matters

Pegasus has become the defining case of the commercial spyware threat to . The combination of state-actor capabilities (zero-click exploits) being made commercially available to dozens of governments has created an unprecedented surveillance landscape for journalists, activists, lawyers, and politicians.

The response to Pegasus is shaping the broader regulatory and political response to commercial spyware. Whether the regulatory response can constrain spyware abuse will be one of the central questions of cyber governance through the 2020s.

Common Misconceptions

Pegasus is sometimes assumed to require sophisticated technical operation. The reverse is true — NSO sells Pegasus as a managed service with operator interfaces that make targeting accessible to non-technical government users.

Another misconception is that Pegasus has been blocked or remediated. It has not — Pegasus continues to operate, though with increasing detection and disclosure pressure.

Real-World Examples

The 2021 Pegasus Project disclosures remain the most consequential public exposure of commercial spyware to date. The 2022 European Parliament PEGA Committee investigation documented Pegasus use within EU member states. The 2024 Meta v. NSO Group ruling holding NSO liable for WhatsApp exploit deployments was the first major commercial-spyware liability ruling. The continuing Citizen Lab and Amnesty documentation has provided real-time monitoring of new Pegasus cases through 2026.

Example

Citizen Lab confirmed Pegasus infection of phones associated with Catalan civil-society leaders during the 'CatalanGate' disclosures in April 2022 — implicating Spanish authorities.

Frequently asked questions

NSO claims it sells only to vetted government clients for counter-terrorism and law enforcement. Evidence shows widespread use against journalists and dissidents.