The Pegasus Project – What the Investigation Has Revealed So Far

In 2020, a list of over 50,000 phone numbers was leaked to Amnesty International and Forbidden Stories, a nonprofit media organization based in Paris, France. The numbers are believed to belong to individuals identified as “people of interest” by clients of the Israeli cyber defense firm NSO Group. The leak set off a worldwide investigative journalism initiative – the Pegasus Project.  

Who is behind NSO Group?

NSO Group was founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio and is based in Herzliya, Israel. The firm is a subsidiary of the Q Cyber Technologies group of companies.

According to NSO’s website, it develops “best-in-class technology” to help government agencies detect and prevent terrorism and crime. It claims its products are used “exclusively by government intelligence and law enforcement agencies to fight crime and terror.” NSO Group also sells Eclipse – a cyber counter-drone platform.

What is Pegasus?

Pegasus is commercial spyware sold by NSO Group to governments and reportedly costs millions to purchase. The earliest versions were spotted back in 2016. Unlike run-of-the-mill malware, Pegasus is designed solely for spying.

Once on a smartphone (Android or iOS), the software gains access to photos, emails, text messages, WhatsApp messages, incoming and outgoing calls, and past/present location data. It can also activate the phone’s camera or microphone and record conversations. What’s more, Pegasus monitors the keystrokes on an infected device – all written communications and web searches, even passwords – and returns them to the client.

NSO Group says that governments of more than 40 countries are on its client list. It also explicitly states that Pegasus “cannot be used to conduct cyber-surveillance within the United States, and no foreign customer has ever been granted technology that would enable them to access phones with US numbers.”

Our research could not identify which countries were among the clients or whether any of them are on the U.S. sanctions list.

The Pegasus Project

In 2020, Forbidden Stories and Amnesty International gained access to a set of more than 50,000 phone numbers believed to be targets of NSO Group’s software. Forbidden Stories then invited OCCRP, The Washington Post, The Guardian, and 13 other media partners to participate.

The investigation identified hundreds of individuals whose phones carried the Pegasus spyware at some point. The list did not include identifying information, but reporters were able to independently name the owners of more than 1,000 numbers through forensic analysis, additional databases, internal documents, interviews, court documents, and other sources.

Once the investigation results were made public, media outlets, human rights watchdogs, and politicians across the world started paying attention. Associated Press reported that Mexico spent $61 million on Pegasus spyware. The Washington Post reported on 11 Indian citizens who have been spied upon using Pegasus. The Post also said that people close to the murdered Saudi columnist Jamal Khashoggi were targeted.

French President Emmanuel Macron was forced to change his phone after being identified as a spying victim. Macron called an extraordinary national security meeting since France is one of the permanent members of the UN Security Council. European Commission President Ursula von der Leyen said Pegasus spying reports were “completely unacceptable.” According to CNBC, several African governments were also embroiled in the Pegasus spyware saga, which could prompt further diplomatic repercussions. And while Israel has appointed a team of ministers to deal with the fallout, Morocco and Hungary deny using Pegasus.

Meanwhile, in the U.S., the White House raised spyware concerns with Israel. President Joe Biden’s top Middle East adviser Brett McGurk met with Zohar Palti, a senior Israeli Ministry of Defense official, on July 22 and asked him what the Israeli government was doing about the NSO issue.

The full extent of the impact of the Pegasus Project investigation will be seen in time, but the first legal action is already in motion – the Gulf Centre for Human Rights and Reporters Without Borders have filed cases with the French Public Prosecutor.

In the meantime, public investors in the private equity firm that owns a majority stake in NSO Group are abandoning ship. According to The Guardian, Novalpina Capital is in talks to transfer management of that fund to Berkeley Research Group, a U.S. consulting firm.

The full list of people identified as victims of the Pegasus spyware so far is available on the OCCRP website.

On September 6, The New Yorker published an exposé, authored by Pulitzer-winning journalist Ronan Farrow, chronicling both the hitherto unknown depth of Jeffrey Epstein’s involvement in fundraising for MIT’s Media Lab and the extent to which a small group of individuals sought to conceal this relationship. Farrow reported that, despite Epstein having been added to MIT’s list of “disqualified” donors following his 2008 conviction for solicitation and procurement of a minor for prostitution, “the Media Lab continued to accept gifts from him, consulted him about the use of the funds, and, by marking his contributions as anonymous, avoided disclosing their full extent, both publicly and within the university.” While Reif had apologized for accepting $800,000 from Epstein in known donations, the director of the MIT Media Lab, Joi Ito, later admitted to secretly accepting $7.5 million secured by Epstein from other donors, including Bill Gates, and over a million dollars from investment funds controlled by Epstein himself. According to Signe Swenson, an MIT fundraising coordinator turned whistleblower, the Media Lab kept donations from the blacklisted financier off-the-books in order to hide the relationship from MIT’s central fundraising office. Ito also hid meetings with Epstein, who would visit the lab accompanied by young female “assistants,” from critical faculty members. The day after the New Yorker article was published, Joi Ito resigned and Reif released another letter, this time promising an independent fact-finding investigation. Reif stated that MIT’s administration is “actively assessing how best to improve our policies, processes and procedures to fully reflect MIT’s values and prevent such mistakes in the future.”

The Epstein scandal has thrown the policy failures of numerous campus fundraising departments into sharp relief. As a September 9, 2019 article from the Associated Press noted, a number of other schools are struggling with how to handle tainted funds from Epstein. Ohio State University is reviewing over $2.5 million in gifts, and Harvard reported that it has already spent over $6.5 million in donations. Meanwhile, both the University of Arizona and the University of British Columbia were reportedly unaware that gifts they received from charitable foundations were linked to Epstein. The article noted that, while more universities “have been crafting policies to guide them when concerns about donors arise” and appointing “ethics boards to screen donors,” few hard and fast guidelines exist to help schools and other nonprofit entities protect their reputations. The case of MIT, wherein the University’s main fundraising office was unaware of the source of the monies solicited by the Media Lab, is a prime example of the need for stronger fundraising policies and oversight structures.

Some Strings Attached
In addition to corporate social responsibility issues deriving from unsavory sources of funding, charities and other not-for-profits must also be aware of unethical incentives and potential legal pitfalls created by reliance on major corporate donors. Such risks are exemplified in an ongoing federal whistleblower suit (United States of America et al v. Davita Health Care Partners et al) in which David Gonzalez, a long-time employee of the American Kidney Fund (AKF), contended that the AKF was providing preferential recommendations to its largest corporate donors, including DaVita Health Care Partners and Fresenius Medical Care. According to the complaint, which was filed in September 2016 and unsealed this August, the advantages that the AKF conferred on its major donors ran afoul of recommendations made by the Department of Health and Human Services’ Office of the Inspector General (OIG) and amounted to “illegal referrals and payments under the Anti-Kickback Statute.”

Allegedly, as part of its 1997 agreement with the OIG, the American Kidney Fund pledged to provide funding to people engaged in end stage renal dialysis based solely upon assessed need, without taking the identity of the referring facility into account as part of the assessment. The OIG’s requirements sought to ensure that donations made by dialysis facilities to the American Kidney Fund would function as gift contributions and would not be used as a means of influencing the AKF’s recommendations when guiding patients in selecting dialysis facilities.

According to the whistleblower’s complaint, the American Kidney Fund’s adherence to the OIG’s stipulations began to break down in 2008 and 2009 as the AKF struggled to maintain adequate funding. Reportedly, the AKF would frequently turn to DaVita and Fresenius, both of whom are major national administrators of outpatient dialysis clinics, when short on funds. According to Gonzalez, “DaVita and Fresenius were asking why the AKF was letting all the [dialysis] providers use the program, when they were the one providing most of the funds” which led Gonzalez’ superiors to begin tracking the identities of its corporate donors in 2009 and linking this information to the individual grants awarded to patients and the facilities where these patients received treatment. Ultimately some patients were labelled as “Free Riders” because their treatment grants exceeded the money brought in to the AKF as donations by their treatment providers. To eliminate the so-called “Free Riders,” the AKF began to restrict grants based upon the patient’s treatment provider, in violation of its agreement with the OIG.

Beginning in 2010, the AKF was allegedly steering patients toward its largest funding providers, including DaVita and Fresenius, and blocking the applications of patients using non-contributing providers, with one of Gonzalez’ superiors specifically referring to the system as “pay to play.” By some time around 2012, the AKF was allegedly conducting weekly “training calls” with non-donating dialysis providers. As the complaint stated, “The substance of the training… was really a quid pro quo solicitation of a donation in exchange for patient support.” Internally the AKF referred to these calls as the “Recoupment Effort.” Patients who transferred from a sanctioned provider to a “blocked” non-donating provider were also allegedly unable to transfer their AKF coverage, also in violation of the OIG’s stipulations. The complaint contended that the AKF’s efforts to tie patient grants to the contributions made by their providers, coupled with steering patients toward their largest contributors, amounted to a kickback scheme in the guise of a charity (which received donations to the tune of $275 million in 2015). Additionally, since each AKF grant “triggers vast amounts of payments to the providers” via government programs, the complaint alleged that the Defendants were also acting in violation of the False Claims Act.

The Takeaway
As seen in the above two examples, dependence on charitable donations as a source of funding presents a unique set of risks. On the one hand, the promise of large sums of money can lead to what MIT President Rafael Reif described as a “mistake in judgment” in accepting large sums from controversial donors or from charities or foundations with unknown financial backing. On the other hand, dependence on a few demanding donors may create internal pressure or incentives to bend policy in order to ensure the continued support of these donors. While various organizations will have different levels of tolerance with regard to these risks, all not-for-profit entities should have clearly articulated social responsibility and ethics policies with regard to fundraising in order to provide guidance and structure to the fundraising process and to minimize exposure to unethical or controversial funding sources.

Recent years have seen numerous scandals revolving around high-profile philanthropists. This spring, the Guggenheim, the New York Metropolitan Museum of Art, and the Tate Modern Museum in London all returned funds donated by the Sackler family (whose ownership of Purdue Pharma, maker of OxyContin, has proven controversial following growing concern over Purdue’s role in the opioid crisis). In 2017, the University of Southern California’s School of Cinematic Arts rejected a $5 million endowment for female filmmakers from Harvey Weinstein, following a petition which described the donation as “blood money.” Meanwhile, Harvard has notably bucked the trend by refusing to return funds from Epstein and Sackler, as well as Saudi Prince Mohammed bin Salman, despite public pressure and student consternation. These organizations were forced to make the difficult choice of turning away valuable, and perhaps already spent, funds or keeping the money at the risk of public outrage. As Texas A&M Law Professor Terri Lynn Helge pointed out in The Conversation, returning tainted funds can prove to be a daunting task. By giving back donated funds, charities can run afoul of state regulators; gift agreements, which may include naming rights, e.g. for dedicated buildings, can be legally binding as well. Clearly delineated best practices, including a robust screening process for potential donors, can preempt these no-win situations. In certain circumstances it may be wise to look a gift horse in the mouth. The security of your organization’s hard-earned reputation may depend upon it.

The Kreller Hot Topics Report is a monthly publication dedicated to insights on international issues and incidents.

About Kreller Consulting
For over 30 years, Kreller Consulting has helped companies control the annual costs of their data subscriptions. If your organization relies on Dun & Bradstreet, Equifax, Experian, TransUnion, LexisNexis, WestLaw, or others – and you suspect you might be overcharged – contact us here.

Our services are contingency only – and we have helped thousands of companies manage their data vendor costs.
