El Salvador journalists hacked with NSO's Pegasus spyware

The smartphones of dozens of journalists and activists from El Salvador have been hacked with a version of the Pegasus spyware.

The malware was found on 37 mobile devices belonging to 35 individuals.

"Targets included journalists at El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy, and two independent journalists. Civil society targets included Fundación DTJ, Cristosal, and another NGO," Citizen Lab said in a report published last night.

The hardest hit was news site El Faro, where Pegasus was found on the devices of 22 reporters.

Attacks likely carried out by the local government

Citizen Lab said the hacked devices were compromised between July 2020 and November 2021 by a threat actor they were calling Torogoz, with some devices being hacked multiple times.

The investigators, who have a long history of analyzing the Pegasus spyware, said they had "no conclusive technical evidence" about the identity of the attackers, but the focus on individuals in El Salvador suggests that Torogoz is most likely an entity associated with the Salvadoran government.

Other circumstances supporting this attribution include the fact that many victims had their devices compromised around the same time they were investigating or reporting on sensitive issues involving the local government, such as a scandal involving alleged negotiations between the administration of President Bukele and the MS-13 criminal cartel.

The Citizen Lab report suggests that the El Salvador administration or someone close to it might have rented access to Pegasus, a hacker-for-hire platform developed by Israeli company NSO Group, and then used it to go after their critics.

The proposed theory is not a far-fetched scenario as NSO Group has done this before, providing its Pegasus spyware to many oppressive regimes across the world, which then used it to track and silence their critics and political rivals.

While NSO Group has always publicly stated that it sells its software only to legitimate law enforcement agencies and that it can't control how its customers use its tools, the rampant abuse of its software by oppressive regimes for human rights abuses forced the US government to put NSO Group on its sanctions list in November last year.

A few weeks later, Apple, whose iPhones are the main target of Pegasus attacks, also sued the Israeli company in a US court, hoping to get an injunction against NSO Group developers and block them from using its platform to develop the iPhone hacks needed to keep the Pegasus malware up-to-date.

Hacks discovered using open-source tool

Citizen Lab said it learned of the hacks in September 2021 after some El Salvador journalists used a free security tool developed by Amnesty International, named Mobile Verification Toolkit (MVT), to self-scan their devices for traces of the Pegasus spyware.

The reporters who found signs of a compromise contacted Access Now's Digital Security Helpline, which called on Citizen Lab to investigate the hacks further.

After Apple sued NSO Group, some of the victims of these attacks received confirmation about the hacks from Apple itself when the company notified past victims of Pegasus attacks using a new set of notifications the company rolled out. At the time, similar notifications were also sent to many Apple users in Thailand and Uganda.


The names of most of the El Salvador reporters and activists hacked in this latest campaign are available in the Citizen Lab report.

"NSO Group’s tentacles continue to spread across the globe, crushing the privacy and rights of journalists and activists into oblivion," said Angela Alarcón, Latin America & the Caribbean Campaigner at Access Now. "Revelations that Pegasus software has been used to unjustly spy in El Salvador may not come as a complete surprise, but there is no match to our outrage."

Recent reports indicate that NSO Group is on the brink of bankruptcy and shutting down after the Apple lawsuit. Nevertheless, there is a booming market of many other spyware vendors ready to fill the void left by a potential NSO closure.


Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.