UK spyware victims file criminal complaint against NSO Group

Four people surveilled with Pegasus spyware in the U.K. have filed a criminal complaint with London police against its manufacturer as well as a dissolved private equity firm that previously held a majority stake in the spyware company.

The hacking of the activists and journalist phones occurred between 2018 and 2020, according to the Global Legal Action Network (GLAN), which helped the victims bring the complaint Wednesday against Pegasus maker NSO Group, former parent Novalpina Capital and other entities. 

The countries responsible for the Pegasus infections are believed to be the Kingdom of Saudi Arabia (KSA), the United Arab Emirates (UAE) and the Kingdom of Bahrain, GLAN said in a blog post.

The alleged perpetrators violated the U.K.’s Computer Misuse Act, according to a GLAN summary of the complaint. That law delineates legal and illegal access to computer systems and their data. 

“Each of the accused had responsibility for the decision to sell Pegasus software to states which are notorious for their human rights abuses and persecution of human rights defenders,” the blog post said. Unnamed individuals are also targets of the complaint.

The victims include the leader of a British foundation that has been critical of the UAE; a journalist who is a prominent critic of the Saudi monarchy; a mosque leader who has publicly opposed UAE; and an activist who publicly highlights human rights abuses in Bahrain, the blog post said.

"The fact that technological developments are now being used to breach what was only recently regarded as sacrosanct, for the benefit of persecuting political activists, must be of great concern to everyone,” victim Anas Altikriti said in a statement.  

“Should this go unprosecuted, we can bid farewell to public and personal freedoms, civil liberties and to human rights, especially but not exclusively, in countries that are ruled by autocratic and authoritarian regimes,” the statement added.  

The filing of the criminal complaint was first reported by The Intercept.

In addition to the NSO Group the complaint names its parent company Q Cyber Technologies and Novalpina — a London-based firm that  acquired a majority stake in the spyware company in 2019. Novalpina  was liquidated in 2021. 

Pegasus was reportedly used to spy on journalist Jamal Khashoggi, who was murdered by Saudi agents in 2018, as well as human rights activists worldwide. NSO Group says that it sells its software for purposes like fighting crime and terrorism.

The spyware also was used to attack individuals working for the British Prime Minister’s Office and Foreign, Commonwealth and Development Office, according to the blog post. A phone belonging to Fiona Shackleton, now a member of the country’s House of Lords, was infected when she was working as a lawyer for a princess divorcing a member of the UAE ruling family.

The U.K. government has taken no action against NSO Group for the role it played in those hacks, the blog post noted.

GLAN’s forensic investigation of the hacks was aided by Bill Marczak of the Citizen Lab, a prominent organization based at the University of Toronto which has surfaced and documented spyware cases worldwide.

Civil claims against KSA, UAE and Bahrain have been filed by Bindmans LLP, a law firm working with GLAN.