Image: Stephen Petrey via Unsplash/Photomosh

Polish Senate investigation recommends potential criminal charges for politicians implicated in Pegasus scandal

Poland's Senate on Thursday released the results of a commission’s investigation into the use of Pegasus spyware to hack an opposition politician in 2019, describing "gross violations of constitutional standards.”

Calling the purchase of Pegasus illegal in Poland, the commission also revealed it has notified prosecutors there of the potential for criminal charges against current and former Polish ministers who have been implicated in the use of the spyware, the report said.

The investigation, which spanned a year and a half, also found that the 2019 elections involving Senator Krzysztof Brejza — the hacked opposition leader — were unfair due to the use of Pegasus, which is developed by the Israel-based NSO Group.

“Pegasus is not an operational tool used by the services, but it is a cyber weapon, i.e. a tool to influence the behavior of other people,” Pegasus Surveillance Committee Chairman Marcin Bosacki said according to a summary report. “We can unequivocally state that Pegasus was used in Poland to an extremely aggressive degree.”

Read more: Apple discloses zero-days linked to NSO Group spyware

Another Senate leader declared the country’s Pegasus scandal far more consequential than Watergate.

“What we have been able to find out over the last year and a half through the work of our committee must scare us as citizens,” said Deputy Speaker of the Senate Michał Kamiński in the report summary. ”This monstrous weapon was not used to protect citizens, but as our committee proved, it was used to persecute people who did not like the authorities.”

The Polish ruling party had reportedly previously acknowledged buying Pegasus, but denied that it had been used against opposition politicians in the 2019 election cycle.

The Senate commission recommended a major shake-up of Poland’s security service, including a change in oversight. The Supreme Court should receive enhanced powers to monitor elections, the report said. Additionally, the commission said Poland's internal security agency should be given greater oversight to protect the cybersecurity of all electoral staff and the Supreme Court.

Poland is one of a few European democracies to have been found using Pegasus and other advanced commercial spyware to eavesdrop on activists, opposition leaders, and journalists. In November the European Parliament released a lacerating report, stating that EU member states had been using advanced spyware like Pegasus against their citizens “for political purposes and to cover up corruption and criminal activity.” That report also said that some states used spyware systematically to support authoritarian rule.

Spain, Greece, and Hungary are among the European countries to have unleashed powerful spyware on citizens.

Americans also have been targeted. In 2021, New York Times reporter Ben Hubbard revealed he was hacked with Pegasus over a three-year-period while reporting on Saudi Arabia.

NSO Group did not immediately respond to a request for comment.

Testifying before the U.S. House Permanent Select Committee on Intelligence in 2022, Citizen Lab senior researcher John Scott-Railton described the experience of Senator Krzysztof Brejza, the Polish opposition leader at the center of the probe who was hacked at least 33 times.

“The hacking timeframe often tracked consequential events and meetings in the run-up to the election,” Scott-Railton testified. “At one point, messages reportedly stolen from his phone were also published in an attempt to discredit him.”

In an interview with Recorded Future News on Thursday, Scott-Railton called the Polish commission’s report significant. “The EU is still reckoning with the damage from unchecked Pegasus proliferation,” he said by text message. “Having a legislative body in a European democracy say these things starkly is a big deal.”

Scott-Railton, who also wrote a Twitter thread on the commission’s findings, said that while it has taken a long time and many reports of abuse to get here, he thinks the “accountability process is just beginning.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Suzanne Smalley

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.