Our team
@AmnestyTech
is available to support journalists and activists who are concerned about targeted spyware attacks.
Please reach out if concerned and share widely with individuals in your networks who may be at risk.
The mercenary spyware industry is threatening rights defenders and journalists worldwide.
Our experts
@AmnestyTech
can check devices for signs of spyware 🔍.
Contact share@amnesty.tech if you're concerned, or if yourself or a colleague has received an attack notification
Super proud of our team at
@AmnestyTech
and everyone who helped in this investigation.
Today, Apple published an emergency update for all iPhones to patch an exploit chain which we, together with
@_clem1
(Google TAG) discovered in the wild.
NEW RESEARCH: Watch how NSO Group's zero-click attacks have evolved over recent years. Joint research by
@AmnestyTech
and
@billmarczak
(
@citizenlab
) presented at
@VirusBtn
.
Exploit archaeology: A forensic history of in-the-wild NSO Group exploits
The "Guacamaya" hacktivist collective has leaked terabytes of emails from state-owned and private extractivist companies in Latin America, aiming to expose the environmental damage caused by this industry. 🧵
PERSONAL NEWS: After a six-month sabbatical, I'm very excited to re-join
@AmnestyTech
to lead the incredible researchers at our Security Lab.
Over the next months we'll expand our team of technologists to help civil society fight back against the global spyware industry!
🚨BREAKING: “Predator Files” investigation reveals catastrophic failure to regulate surveillance trade.
Our team at
@amnesty
's Security Lab are technical partners of
@EICnetwork
(w/
@Mediapart
,
@derspiegel
) on this global investigation into Intellexa and its Predator spyware
NEW:
#PredatorFiles
Day 2 - Technical deep-dive exposing the Intellexa Alliance's secret surveillance capabilities including advanced spyware, mass surveillance platforms, and tactical systems for targeting and intercepting nearby devices with zero-days.
MUST READ: Incredible undercover investigation exposes how hackers-for-hire manipulate elections around the world
With
@FbdnStories
I investigated the hackers behind the attacks.
Here's how civil society can help defend against these threats. THREAD
NEW RESEARCH: Today we
@DonnchaC
(
@AmnestyTech
) and
@billmarczak
(
@citizenlab
) publish a collaborative technical analysis of NSO Group's zero-click exploit capabilities.
New insights into prevalence of zero-click capabilities and countermeasures!
Talk later today at
@VirusBTN
New
@thewire_in
report provides compelling technical confirmation that the email from
@Meta
's
@andymstone
is authentic and unmodified.
Big questions about Meta's rush to insinuate that the reporters from
@thewire_in
were misinformed or even fraudulent..
NEW REPORT: The
@Amnesty
Security Lab has uncovered a large murky web of spyware and surveillance exports to Indonesia from entities tied to NSO Group, Intellexa, Candiru, FinFisher and for the first time identifying sales of Wintego Helios spyware..
NEW: Mercenary spyware on the loose! Our team at
@AmnestyTech
is today revealing an extensive spyware campaign targeting Android users with zero-day exploits.
The zero-days are now patched, keeping billions of Android, Chrome, and Linux users safer: 1/
NEW:
@AmnestyTech
confirmed that prominent Sahrawi activist
@aminatouhaidar
was targeted with Pegasus spyware in recent months. NSO Group continues to be recklessly complicit in serious rights violations following
#PegasusProject
revelations. 🧵
NEW 🚨: Leaked documents analysed by
@FbdnStories
and media partners, with support of
@AmnestyTech
, reveal extensive efforts taken by Israeli authorities to shield spyware-maker NSO Group from accountability efforts in US court.
A never-ending wave of Pegasus abuses in the EU. The out-of-control spyware industry needs to finally be reined in.
Big unanswered question: Who is responsible for these attacks against EU institutions? A fellow EU member state or a foreign customer of NSO Group...
New: Senior European Union officials — including the bloc’s top justice official — were targeted using powerful phone hacking tools,
@Bing_Chris
and I have learned.
Our analysis identifies at least SIX distinct zero-click exploit chains used to install Pegasus on iPhones and Android devices around the world since 2017.
Full technical information in our forensic paper:
🚨 The
#PredatorFiles
spyware scandal continues.
New investigation from
@Amnesty
Security Lab in collaboration with
@EICnetwork
reveals brazen targeting of civil society, politicians and officials around the world with “EU-regulated” spyware. 🧵 1/
NEW RESEARCH 📢📢:
@AmnestyTech
has published an investigation revealing a hacker-for-hire style campaign targeting a prominent activist from Togo in West Africa. Let's dive into this curious case.. THREAD
Bombshell new report today from Haaretz (
@omerbenj
) about the spyware industry’s continued efforts to subvert our collective cyber-security, now by turning already invasive ad networks into spyware infection vectors.
Today
@Amnesty
has launched a .onion site on the Tor network to make our human rights research safely accessible 🎉🧅
The
@torproject
is critical infrastructure enabling activists to maintain their rights to privacy and freedom of expression in a digital world.
Amnesty International has today launched its global website as an onion site on the Tor network.
The
@torproject
enables safe access to
@Amnesty
's ground-breaking human rights work in areas where censorship and digital surveillance are rife.
NEW SPYWARE: Researchers at
@kaspersky
have captured and exposed a new iOS spyware campaign which was used to target **Kaspersky employees**.
Kaspersky were able to uncover the attack with
@AmnestyTech
's Mobile Verification Tool (MVT).
Julian Assange is and always has been pursued by the US government for Wikileaks’s journalistic publishing, not for his personal beliefs. Today’s actions are a fundamental attack on journalism. Punishment for exposing war crimes and challenging power. Extradition must be resisted
NEW: Apple have just notified people in 92 countries who were targeted by highly-invasive spyware.
Our experts
@AmnestyTech
Security Lab can check devices for signs of attack 🔍.
Please share widely with any activists or journalists who may have received the latest Apple alert
🚨Apple has sent threat notifications to iPhone users in 92 countries informing them they "are being targeted by a mercenary spyware attack"
If you're a member of civil society + received an alert, you can request forensic support using our Get Help form👇
NSO Group appeared before the European Parliament
@EP_PegaInquiry
today. NSO had the opportunity to come clean on the abuses of their tools against civil society but persisted with their long refuted denials and persisted in deflecting from accountability🧵
Spyware continues to threaten civil society across Europe 🚨
Today, the
@AmnestyTech
Security Lab with partners
@ShareConference
,
@accessnow
+
@citizenlab
identify attempts to target two members of Serbian civil society with advanced spyware
🚨Serbia: civil society threatened by spyware
Together with our partners
@ShareConference
,
@accessnow
and
@citizenlab
,
@amnesty
can reveal evidence that sophisticated spyware is being used to target civil society in Serbia👇
NEW:
@haaretzcom
and
@insidestory_gr
reveal a scary new attack technique offered by spyware-vendor Intellexa.
Intellexa's Aladdin product uses malicious web ads to target and silently infect targets as they simply browse the web.
The Mobile Verification Tool (MVT) from
@AmnestyTech
can identify traces of Cytrox Predator infections on Android or iOS. Share widely with activist networks who may be at risk of this spyware (Egypt, Saudi Arabia, Armenia, Serbia and more)
@Meta
@amnesty
@citizenlab
The Mobile Verification Tool from Amnesty Tech can now also be used by civil society to check mobile devices for traces of the Cytrox spyware. A full set of Cytrox indicators are available at
More bad news for NSO Group and their investors.
Administrator for Novalpina states it is “abundantly clear” that the 400 million euro equity in NSO is “valueless”.
🚨NEW:
@Amnesty
report exposes how state-backed digital violence including highly-invasive spyware is being used against women and LGBTI activists in
#Thailand
in order to silence them. 👇
The
#PredatorFiles
investigation reveals the
#Predator
spyware attack interface for the first time, with invasive capabilities to steal photos, track the victims location and record their microphone
The trouble continues for Novalpina Capital, the private equity firm which bought NSO Group.
Berkeley Research Group, the new administrators of the fund behind Novalpina, have now filed a criminal complaint against two of the Novalpina co-founders in a Luxembourg court.
📢Job: Help us protect activists and journalists from spyware attacks.
@AmnestyTech
's Security Lab is hiring a Full Stack Developer to build out our ground-breaking forensic tools and services which protect civil society from digital attacks 1/
Important and well-sourced story today from the New York Times (
@satariano
,
@Aaron_Krolik
,
@paulmozur
) about how Russia exploits metadata leaks to track the users of encrypted messengers and services.
Let's see how this can be a risk: 1/
NEW: The global supply chain for digital surveillance tech is growing thanks to Russian companies building tools to track people online and on phones. One tool logs metadata for calls on encrypted apps like Signal & WhatsApp. w/
@Aaron_Krolik
&
@paulmozur
🚨 JOB OPPORTUNITY 🚨
Do you want to lead our research and advocacy on unlawful targeted surveillance and digital repression? We're looking for a (one year sabbatical cover) Researcher/Adviser in the team behind the Pegasus Project technical investigation
Our team at the
@AmnestyTech
Security Lab is available to support human rights defenders and others in civil society who may have received the recent spyware notification from Apple.
🚨Apple has sent another round of notifications to iPhone users to inform them that they are being targeted by "mercenary spyware attacks". Here's what this means and what you can do if you're a member of civil society + received an alert 👇
The Security Lab at
@AmnestyTech
will publish a number of
#PREDATORFILES
reports in the coming days including a technical deep-dive and a comprehensive report on abuses with Intellexa spyware tools.
More from partners
Great report from Google TAG (
@maddiestone
,
@_clem1
@ShaneHuntley
) on the range of commercial spyware actors they are tracking and finding deploying zero-day exploits in the wild
We're naming names 🔥 because the harm is not hypothetical.
Today we share "Buying Spying", our new report diving into the commercial surveillance/spyware industry. We dive into the players, the campaigns, the spyware, & the harm it perpetuates.
Job opportunity 📢: Help us protect activists and journalists from spyware and targeted surveillance.
My team at
@AmnestyTech
's Security Lab is hiring two Technologists to expand our work exposing unlawful surveillance from companies and governments. 1/
The revelations call into question Israel's commitment to impartially regulate NSO Group and cast doubt on its ability to provide justice, truth and reparation to those affected by Pegasus spyware.
Read the findings from the
@FbdnStories
Incredible news this week as Carine Kanimba is reunited with her father. Many congrats to Carine and her family for their extraordinary campaign for the release of her father, unjustly detained by Rwandan authorities
Some messages sent to Ryszard Brejza included a fake message about a political party meeting and a fake message about discount offers for his HTC phone
Free expert tip for the Modi government on avoiding the “PR problem” from forensic discovery of Pegasus abuses…
⛔️Stop hacking journalists, lawyers, and human rights activists
NEW 🚨India is hunting for alternatives to Pegasus spyware, in response to the “PR problem” caused by revelations about its maker NSO. Around a dozen rival firms circle contract worth up to $120mn.
Super reporting in
@FT
by
@MehulAtLarge
@kayewiggins
Both were targeted with malicious SMS messages on their Android devices. The customer used tailored social engineering messages to entice the targets into opening the suspected Pegasus links.
We have not seen many Pegasus social engineering messages in recent years. These new messages give an insight into how customers use detailed and personal information about the target to make the messages more convincing.
The
@Europarl_EN
Security Team found that a Greek opposition MEP was targeted with the Cytrox Predator spyware in 2021.
This case shows the value of public indicators and usable forensic tools such as
@AmnestyTech
's MVT to help investigators researching targeted attacks.
As the number of politicians, activists and journalists hacked with spyware grew to include prime ministers and dissidents in the E.U., the European Parliament started checking its members’ phones. About 200 devices in, it hit its first positive.
Google Project Zero has posted an insightful technical deep-dive into an Android exploit chain used in a mercenary spyware campaign uncovered earlier this year by
@AmnestyTech
with
@_clem1
of Google TAG.
I just released a blog post on an Android ITW exploit chain:
A big thanks to Google TAG and the other members of Project Zero who participated in the creation of this blog post and analysis of the chain!
@pwnallthethings
Also the US has been organising election disinformation all over the world for decades. The Snowden docs outlined efforts to influence Iranian protest movements with Twitter sock puppets.
📢 We're hiring a Full Stack Developer
Last chance to join a unique role with
@AmnestyTech
. Help us build forensic tools and services to expose unlawful government surveillance and protect journalists, activists and civil society.
Applications close tomorrow! ⏳
FT's
@kayewiggins
reports that NSO has received no new customers since
@FbdnStories
and
@AmnestyTech
exposed scale of abuse with the
#PegasusProject
Investors should consider these risks before investing in the toxic spyware industry. Terrible for human rights and bad business.
The
@AmnestyTech
Security Lab has peer-reviewed a sample of cases identified by
@CitizenLab
and confirmed targeting and infection with Pegasus in all cases analysed.
These cases add to growing concerns that Pegasus spyware may have been misused for political purposes in Poland. This is not only a threat for politicians, but for the whole of Poland’s civil society in general.
Amnesty is not naming the company behind these attacks while we continue to investigate the activity.
Researchers at Google TAG found links between the new exploits and exploit pages previously developed by Spanish cyber-surveillance company Variston. 4/
Shocking revelations today that Intellexa sold their highly-invasive Predator spyware to al-Sissi's Egypt, and even pitched surveillance tools to Haftar's militia in Libya in violation of a UN weapon embargo.
A company and industry totally out-of-control
@Joey_Galvin
@thewire_in
@Meta
@andymstone
Verifying the DKIM signature is the correct way to authenticate an email. It can prove that signed headers (From;Date;Subject; etc) and message body were unmodified and sent through the FB mail server.
@Joey_Galvin
@thewire_in
@Meta
@andymstone
It's understandable that they can't share the full email for security and source protection reasons. They seem to have been as open as possible in the approach here, including getting independent confirmation from experts.
The
@citizenlab
found additional evidence about an Apple Photos zero-click attack previously described by
@AmnestyTech
as part of the
#PegasusProject
. The Security Lab found this vulnerability used to compromise a human-rights lawyer in France and a journalist in Hungary.
🚨MAJOR NEW INVESTIGATION:
#CatalanGate
state-run hacking operation.
Stunning range of
#Pegasus
&
#Candiru
infections in the EU.
Many political & civil society targets got infected. Multiple 🇪🇺 MEPs.
THREAD 1/
At
#37C3
@schluevik
and I talked about how to find malware such as state trojans or stalkerware on iOS and Android. Watch it here on
@AmnestyTech
discovered that Qatar made critical mistakes in the implementation of their contact tracing app. Potentially the entire citizen database (with name, GPS location, citizen ID, health status) was left exposed
Great new reporting from
@PhineasJFR
on the OSINT surveillance market and a player named S2T Unlocking Cyberspace featuring contributions from OCCRP's
@DrWhax
and our own
@tenacioustek
SCOOP
#StoryKillers
:
@FbdnStories
obtained a brochure for an open-source intelligence (
#OSINT
) tool that can also be used for phishing, social engineering and geolocation of targets.
We tied the brochure to Singapore-based firm S2T Unlocking Cyberspace:
The report documents some of the lesser known players such as Cy4Gate and RCS, with a deep dive into their exploits.
We don’t know where they acquire their exploits, but Google suggests Cy4Gate has access to multiple exploit frameworks named “YodaRoot” and “DF1” 🤔
Insightful thread from
@billmarczak
about the
#Triangulation
campaign from
@kaspersky
.
Our own hunting has found related domains back to 2018, including in English, Spanish, Portuguese and Chinese. Likely many more targets out there.. Will we see more targets come public?
NEW: I've come out of self-imposed retirement from my
@Medium
blog to write some thoughts about the FSB and Kaspersky's discovery of the
#Triangulation
attack:
Israeli officials seized documents from NSO Group's offices, in an effort to prevent the company from being forced to comply with legal discovery in its long-running court battle with
@WhatsApp
, over the targeting of 1400 of its users with Pegasus
#MiningSecrets
exposes tactics used by mining conglomerate to target environmental defenders in Guatemala seeking to protect their communities and their land.
Powerful new reporting by
@FbdnStories
and their partner organizations. A must read:
Welcome to all the hackers in Berlin this week for
@offensive_con
.
DMs are open for anyone who’d like to get a coffee! I’d love to talk about the offensive industry and what we can do to reduce potential harms for activists and journalists.
#offensivecon
Polish authorities deployed Pegasus spyware in a long-running and politicized investigation targeting former officials linked to the previous Tusk government (story by
@Kokot_Michal
)
So proud of the Amnesty Tech team's amazing work on the
#PegasusProject
, captured in "Pegasus", a new book giving a behind-the-scenes account of the high-stakes investigation from our partners at
@FbdnStories
.
Exciting week for us with the publication of “Pegasus”, the inside story of one of
@amnesty
's most ground-breaking investigations of recent years: the
#PegasusProject
I'm very excited to announce I started as a Technologist at
@AmnestyTech
. I've been a long time admirer of the Security Lab's work and I can't wait to hold power to account in this new role.
Different ways to reach me securely here:
Incredible article from
@mer__edith
outlining the great danger of conceding and concentrating more power to an increasingly authoritarian United States in the name of controlling TikTok which currently lies outside of the US hegemonic consensus.
So good
@mer__edith
. Incredible essay. The final SO, WHAT? section is a whole manifesto.
- "The world would be better if these platforms were dismantled and their revenues shared with the people, professions, and communities whose livelihoods and public spaces they’ve worked
The Amnesty .onion website is a special Tor only "onion" website which can be accessed through
@torproject
's Tor Browser software.
The long random-looking .onion domain ensures that you are safely accessing the authentic website and not an imposter site.
Key points from the paper: NSO Group customers deployed at least 6 distinct iOS zero-click chains from iOS 10 (July 2017) until iOS 14 in 2021.
An Android zero-click in WhatsApp has also been exploited much more extensively than previously understood..
Netzpolitik has published a letter from the European Commission which confirms that multiple individuals at the Commission were compromised with Pegasus spyware..
The EU Commission has found "indicators of compromise" on several of its employees' devices. Apple told Commissioner
@dreynders
that he may have been hacked with the NSO Pegasus state trojan. We are publishing his letter to
@SophieintVeld
.
The Security Lab
@AmnestyTech
proactively investigates mercenary spyware companies and other actors who threaten civil society.
From this work we uncovered a previously unknown mercenary spyware company operating thousands of domains to deliver exploits and hack devices 2/
Important story from
@samfbiddle
highlighting the underappreciated threat of traffic correlation attacks which can reveal metadata about who is communicating with each other even over encrypted messaging apps like WhatsApp and Signal.
NEW: In an internal Meta threat assessment I obtained, WhatsApp engineers warned users are vulnerable to government spying that unmasks who's talking to who. Employees later speculated Israel may be exploiting this to target and kill across the Gaza Strip
Numerous credible reports of misuse and subsequent inaction have proven this industry cannot be trusted to regulate itself. We urgently need global action to stop the human rights crisis enabled by the out-of-control cyber-surveillance industry.
An investigation led by
@FbdnStories
and supported by
@Amnesty
’s Security Lab has revealed that Israel’s government has attempted to sway an ongoing US lawsuit filed by WhatsApp against spyware firm NSO Group 🧵 👇
NSO legal counsel discloses around 12,000 annual targets by their government customers. This shows the huge scale of attack from just a single company and tallies with the 50,000 potential targets identified by the Pegasus Project over a number of years.
@kaspersky
@AmnestyTech
Brave (and foolish) decision by a threat actor to target a group of APT hunters!
We have added the latest indicators for this campaign to MVT for use by the civil society community to detect these attacks.
We shared technical indicators about the suspected targeting of Android users with Google’s Threat Analysis Group allowing TAG (
@_clem1
,
@ShaneHuntley
) to capture a zero-day exploit chain being used in the wild to hack Android devices. 3/