Report: Pegasus spyware targeted Thai democracy activists

Two years ago, Thai student activist Jutatip Sirikhan, then 21, became famous for pouring a bucket of white paint over her head in front of a Thai court, moments after her release from jail on charges stemming from a pro-democracy rally. Weeks later, Sirikhan became a target of Pegasus – one of the most sophisticated cyber-espionage weapons in the world – according to a forensic investigation published Monday by Toronto-based Citizen Lab and Thai organizations iLaw and DigitalReach. In all, dozens of Thai activists’ phones were infected with Pegasus, the groups found.  

Since October 2020, Sirikhan’s phone has been infected with Pegasus a total of six times. In all, the investigation identified at least 30 Pegasus victims monitored by an unnamed entity during the 2020-2021 pro-democracy protests calling for reforms to the monarchy in Thailand.

The probe began after Apple sent out notifications to iPhone users targeted by state-sponsored cyberattacks, including activists and researchers in Thailand, in November 2021. Some of the recipients of the notifications then contacted local rights organizations.

Pegasus is a spyware strain developed and sold by Israeli surveillance company NSO Group. The tool is marketed as a surveillance-as-a-service package that can infect users of both Android and iOS devices, retrieve data from their phones, and monitor their movements and online activity in real-time. NSO Group did not respond to a request for comment.

Pegasus was sanctioned by the U.S. in 2021 after years of reports of the software being used to hack activists, journalists, and other civil society groups. In February this year, EU privacy watchdogs urged European officials to ban the use of Pegasus across Europe due to violations of personal freedoms.

Since Pegasus first came to light in August 2016, NSO Group has claimed that it has only sold the tool to official law enforcement agencies. However, over the past few years, investigations have found the spyware infecting the phones of politicians and activists in Hungary, Poland, El Salvador, Finland, and Israel.

Citizen Lab said it could not definitively tie the spyware attack to the Thai government, however, NSO Group has said repeatedly that its technology is sold exclusively to governments. 

Many of the victims infected with Pegasus have been the subject of prosecutions under Thailand’s strict lèse-majesté laws, which criminalize criticism of the Thai royal family. 

One of them, Panusaya Sithijirawattanakul, has been charged with at least 10 lèse-majesté offenses and was detained for a total of 85 days between 2020 and 2021. She’s famous for publicly reading a document challenging the role of the monarchy in Thailand.

Another prominent activist, Jatupat Boonpattararaksa, was detained at least three times between 2020 and 2022 and spent some eight months in prison, due to lèse-majesté and other charges. He was repeatedly infected with Pegasus in 2021.

This isn’t the first report of Pegasus spyware found in Thailand. Citizen Lab has recorded the presence of Pegasus operators since 2014. There is currently at least one Pegasus operator active in Thailand, according to the report, though researchers are unsure which specific agency it represents.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.