New Citizen Lab Report: Pegasus vs Predator

A new Citizen Lab report was published yesterday, entitled “Pegasus vs Predator: Dissident’s Doubly Infected iPhone Reveals Cytrox Mercenary Spyware,” authored by Bill Marczak, John Scott-Railton, Bahr Abdul-Razzak, Noura Al-Jizawi, Siena Anstis, Kristin Berdan, and Ron Deibert.


In this report, we detail our investigation into the hacking of the devices of two Egyptians with mercenary spyware technology.

The first – Ayman Nour – is an exiled Egyptian politician now residing in Turkey. Our investigation determined his device was simultaneously hacked earlier this year with Pegasus, the spyware made by the notorious Israel-based NSO Group, and a second piece of spyware called Predator, used by a different government client and made by a less-well-known spyware firm called Cytrox.

The targeting of a single individual with two separate spyware products used by two different government clients shows just how bad the abuse problem around mercenary surveillance technology has become.

The second individual is an exiled Egyptian journalist who chooses to remain anonymous. We determined that his phone was also hacked, in this case with Cytrox’s Predator spyware alone. We attribute the hacking of the two Egyptians’ phones with medium-high confidence to the government of Egypt.

While NSO Group has received a lot of publicity in recent months, Cytrox has far less exposure outside of the governments it serves. Our report is the first to identify the company’s spyware being abused in the wild by a government client.

We also undertook network scanning for active installations of Cytrox worldwide, and are able to disclose that Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia are likely government clients.

Cytrox – part of the “Star Alliance” of surveillance firms

Our investigation also dug deeply into Cytrox’s extremely complicated corporate history, industry alliances, and registration records. We identified some of the key individuals involved in leadership and executive positions at the firm. Cytrox was reported to be part of Intellexa, the so-called “Star Alliance of spyware,” which was formed to compete with NSO Group. Intellexa describes itself with pride as “EU-based and regulated, with six sites and R&D labs throughout Europe.” That may turn out to be a problem for them.

Digging through these arrangements was like entering into a dark labyrinth of sketchy individuals dogged by various legal improprieties and dubious private intelligence and mercenary surveillance companies spread across several state jurisdictions.

These types of ownership obfuscation techniques – similar to those used by plutocrats and money launderers – make investigation, regulation, and public accountability efforts challenging. We should expect to see these techniques more widely practiced as the heat is turned up on the spyware industry (more on that below).

Vulnerability Disclosure and Meta (Facebook) Enforcement

In accordance with the Citizen Lab’s vulnerability disclosure policy, we shared Predator artefacts with Apple and they confirmed they are investigating. As substantial Predator targeting took place through WhatsApp, the Citizen Lab also shared artefacts with Meta’s security team (WhatsApp’s owners, and formerly known as Facebook).

We are happy to say that our report’s publication is co-timed with Meta’s announcement that it is taking extensive enforcement action against Cytrox, including removal of about 300 Facebook pages and Instagram accounts linked to the firm. Meta is also publishing detailed technical indicators linked to Cytrox’s operations, which greatly assists future efforts of security researchers.

Meta’s security team’s investigation also corroborates the Citizen Lab’s identification of Cytrox customers in Egypt, Armenia, Greece, Saudi Arabia, and Oman, and they add Colombia, Côte d’Ivoire, Vietnam, Philippines, and Germany (Germany!) to the list of other government clients. Meta also confirms abusive worldwide targeting of civil society by Cytrox’s customers. Looking at the list of them, it is no wonder.

In the absence of regulations to the contrary, despotic regimes and other illiberal government agencies will use surveillance technology to go after anyone that is construed as a threat to their malicious aims.

The Mercenary Spyware Industry

NSO Group is definitely on the ropes and wobbling badly…and deservedly so. But our latest report should remind us that the problems around mercenary spyware go well beyond a single company. As one goes down, others will bounce up to make a buck. Rebranding is also always a possibility for an industry that thrives in the shadows and employs many of the same corporate shell games as do the despots and dictators they serve.

This report shows that digital accountability researchers at the Citizen Lab, Amnesty International, and numerous threat teams – working alongside many NGO and investigative journalist partners worldwide – are collectively getting better at tracking and exposing these firms’ malfeasances. Sharing of indicators and other information is getting better too.

However, to avoid playing a constant game of “whack-a-mole”, we need governments to step up and act to control what has effectively become a kind of globally distributed “despotism-as-a-service.”

Fortunately, some government officials appear to be waking up to the threat, and are carving a regulatory path forward:

  • On 3 November 2021, the United States Department of Commerce announced that it was putting NSO Group, Candiru (another mercenary spyware company the Citizen Lab has reported on) and other spyware firms on its designated “entity list” for malicious cyber activities.
  • As part of the “Democracy Summit,” on 10 December 2021 the governments of Australia, Denmark, Norway, and the United States announced a new export control and human rights initiative, noting that authoritarian governments “are using surveillance tools and other related technologies in connection with serious human rights abuses, both within their countries and across international borders.”
  • Last week, the head of GCHQ, Sir Jeremy Fleming, said that the UK government had spyware firms like NSO Group “under close review,” and that their sales were “completely beyond the pale”, adding, “countries or companies that promulgate [spyware technology] in an unconstrained way like that are damaging and should not be tolerated.”
  • And just yesterday, 15 December 2021, a group of U.S. lawmakers, led by Senator Ron Wyden and Representative Adam Schiff, sent a letter to the United States Secretary of the Treasury and the Secretary of State advocating that executives at NSO Group and several other surveillance firms should be sanctioned under the Global Magnitsky Act. That would be a very big problem for those executives: bank accounts frozen, travel disrupted, etc. The lawmakers’ letter specifically highlights the research of the Citizen Lab and our colleagues at Amnesty International.

Now, let’s see if other liberal democratic governments follow suit. (I’m looking at you, Canada).

Read the full report here:

Read about Meta’s Enforcement Action:

News Coverage

P.S. A final comment: this year (2021) marks the 20th anniversary of the founding of the Citizen Lab. We haven’t marked the occasion in any special way because we are all more interested in the future than past accomplishments. However, I’m very proud of what we have achieved over the last two decades together, and I feel very lucky to have been surrounded by so many accomplished and ethical researchers over the years.

Now, onto the next twenty!

Testimony Given to the House of Commons on Parliamentary Duties and the COVID-19 Pandemic

The following is testimony provided by Ronald Deibert to the Standing Committee on Procedure and House Affairs (PROC) on April 29, 2020.

I am Ron Deibert, Professor of Political Science and founder and director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs & Public Policy. Our research at Citizen Lab includes investigating digital espionage against civil society, documenting Internet filtering and other technologies and practices that impact freedom of expression online, analyzing privacy, security, and information controls of popular applications, and examining transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities. I submit these comments in a professional capacity representing my views and those of the Citizen Lab.

As much of the world moves into work-from-home rules and self-isolation, technology has become an essential lifeline. However, this sudden dependence on remote networking has opened up a whole new assortment of security and privacy risks. In light of these sudden shifts in practices, it is essential that the tools relied on for sensitive and high risk communications be subjected to careful scrutiny.

In what follows, I first provide a summary of the Citizen Lab’s recent investigation into the security of Zoom’s video conferencing application, and the company’s responses. I then discuss a broader range of digital security risks that are relevant to the work-from-home routines that MPs and their staff are following. Finally, I conclude with six recommendations.1

Citizen Lab Research on Zoom Security

On April 3, 2020, the Citizen Lab published a report on a technical analysis of the confidentiality of communications on the popular video chat application Zoom.2 On April 8, we released a followup report with details of a security vulnerability in Zoom’s waiting room feature.3

Our initial report found that the encryption in Zoom did not seem to have been well-designed or effectively implemented, and that its public documentation made several misleading claims about Zoom’s encryption protocols that did not match what we observed in our analysis. I invite those with interest to see the full details as outlined in our report.4

We also found potential security issues with Zoom’s generation and storage of cryptographic information. While based in Silicon Valley, Zoom owns three companies in China where its engineers develop the Zoom software. In some of our tests, our researchers observed encryption keys being distributed through Zoom servers in China, even when all meeting participants were outside of China. A company primarily catering to North American clients that distributes encryption keys through servers in China is very concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China.

In our report published on April 3, we noted that we also discovered a security issue with Zoom’s “waiting room” feature. Specifically, we found Zoom servers provided both the encryption keys and a live video stream of the Zoom meeting to all users in the meeting’s waiting room, even if the waiting users had not been approved to join the meeting. This issue would enable an arbitrary, unauthorized Zoom user in a waiting room to intercept and decrypt the “encrypted” video content.
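To make concrete the encryption finding summarised in footnote 4 (a single AES-128 key used in ECB mode by every participant), here is an added example written for this page; it is not code from the Citizen Lab report, from Zoom, or from any other party. It is in Go using only the standard library. The code encrypts a constructed stand-in for a video frame, first block by block in ECB mode as the report observed, then with AES-GCM, and counts how many distinct ciphertext blocks each produces. The frame contents, key and nonce are assumptions chosen for illustration; Zoom’s actual media framing and key exchange are not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// encryptECB applies the raw AES block function to each 16-byte block
// independently, with no chaining and no nonce. This is the mode the report
// observed. Equal plaintext blocks produce equal ciphertext blocks, so the
// layout of the plaintext survives encryption.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), aes.BlockSize)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// encryptGCM is the conventional alternative: AES-GCM derives a counter-mode
// keystream from a per-message nonce and appends a 16-byte authentication tag.
// Identical plaintext blocks become unrelated ciphertext blocks, and tampering
// is detected on decryption. The nonce must never repeat under the same key:
// reuse leaks the XOR of the two plaintexts, so it is generated fresh per message.
func encryptGCM(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(nonce) != aead.NonceSize() {
		return nil, fmt.Errorf("nonce must be %d bytes, got %d", aead.NonceSize(), len(nonce))
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// distinctBlocks counts how many different 16-byte blocks occur in data. For
// repetitive plaintext, a count far below the number of blocks means the
// ciphertext still carries the plaintext's structure.
func distinctBlocks(data []byte) int {
	seen := make(map[[aes.BlockSize]byte]struct{})
	for i := 0; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		var b [aes.BlockSize]byte
		copy(b[:], data[i:i+aes.BlockSize])
		seen[b] = struct{}{}
	}
	return len(seen)
}

// sampleFrame is a constructed stand-in for one video frame (an assumption
// for this example): 64 identical blocks, like a flat background, followed by
// 4 blocks that differ, like a region with detail. 68 blocks, 1088 bytes.
func sampleFrame() []byte {
	frame := bytes.Repeat([]byte("BACKGROUNDPIXELS"), 64) // 64 x 16 bytes
	for i := 1; i <= 4; i++ {
		frame = append(frame, []byte(fmt.Sprintf("face-block-%04d!", i))...) // 16 bytes each
	}
	return frame
}

func main() {
	key := make([]byte, 16) // AES-128, the key size the report observed
	nonce := make([]byte, 12)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	frame := sampleFrame()
	ecb, err := encryptECB(key, frame)
	if err != nil {
		panic(err)
	}
	gcm, err := encryptGCM(key, nonce, frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext: %d blocks, %d distinct\n", len(frame)/aes.BlockSize, distinctBlocks(frame))
	fmt.Printf("AES-ECB:   %d blocks, %d distinct (structure preserved)\n", len(ecb)/aes.BlockSize, distinctBlocks(ecb))
	fmt.Printf("AES-GCM:   %d blocks, %d distinct (structure hidden; includes 16-byte tag)\n", len(gcm)/aes.BlockSize, distinctBlocks(gcb(gcm)))
}

// gcb is an identity helper kept so the print line reads the same as the
// other two; it exists only to keep the example's main short.
func gcb(b []byte) []byte { return b }
```

Under ECB the 68-block frame yields only 5 distinct ciphertext blocks, so an observer holding no key can still see where the uniform background ends and the detail begins; under GCM every block differs and the tag rejects modified packets. The example treats one frame in isolation; in a real conferencing system the same nonce-uniqueness requirement applies across every packet sent under a shared meeting key, which is part of why a single static key for all participants is a poor design regardless of mode.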

In response to our research and concerns raised by other parties, Zoom has taken a number of actions regarding security.5 Zoom has committed to a 90-day process to identify and fix security issues, including a third-party security review, enhancing their bug bounty program and preparing a transparency report.

In direct response to our research, Zoom acknowledged the concerns we raised about their use of non-industry standard encryption and committed to making improvements, including working towards the implementation of end-to-end encryption. Zoom also acknowledged that some Zoom users based outside of China would have connected to data centres within China, and indicated they had immediately put in place measures to prevent that from happening.

On April 8th, Zoom released a new version of their client that added additional security features. Zoom CEO Eric Yuan indicated in a video webinar that this new version fixed the waiting room security issue we identified.6 He also announced that Zoom had established a CISO Council and Advisory Board to assist with their privacy and security practices, and had hired former Facebook Chief Security Officer Alex Stamos as an advisor.

It is important to underscore that we did not test Zoom’s HIPAA/PIPEDA-compliant healthcare plan, or the ZoomGov software that is used by some government agencies. These platforms would require additional analysis.

While it is encouraging that Zoom is working to improve their product, the sudden reliance by a very large number of people on a platform that was never designed for highly-sensitive communications is symptomatic of a much larger set of problems related to work-from-home routines.7 It is imperative that we evaluate all of the risks associated with this sudden change in routines, and not just those associated with one particular application.

Security Risks Related to Work-From-Home Environments

Legislators working from home are connecting using devices, accounts and applications through widely differing home network setups, as are their staff. These networks may be shared with roommates and family members, whose own digital security practices could collaterally affect the security of MPs and their staff, and the devices being used are likely loaded with applications that can access large volumes of sensitive information. Whereas in the pre-COVID era these devices were routinely brought back into the government’s security perimeter, where sensors might detect aberrant network behavior, this will no longer be the case. Consequently, adversaries might linger on networks and devices indefinitely, and obtain more data from targets than in a pre-COVID world.

The communications systems that we rely on have rarely been designed with security in mind. Security has either routinely been regarded as slowing the speed of innovation or as impossible to impose on essential systems that have chronic failings and which would require total redevelopment of communications infrastructures to become “secured.” The consequence is that there is a vast array of unpatched systems that leave persistent vulnerabilities for malicious actors to exploit. These risks extend right down into the most fundamental layers of our shared infrastructure. For example, telecommunications and cell phone networks still rely on a decades-old signalling protocol, called SS7, that has been shown to be highly insecure and prone to abuse and illegal surveillance, including the interception of second-factor authentication codes sent over mobile phone networks.8

Meanwhile, governments and criminal enterprises have dramatically increased their capabilities to exploit this ecosystem for a variety of purposes. Almost all nation-states now have at least some “cyber espionage” capabilities, with many in the top tier being exceedingly well-resourced and routinely spending billions of dollars on clandestine influence and intelligence-gathering operations. There is a vast and poorly regulated private market for cyber security that includes numerous companies that provide “off-the-shelf” targeted espionage and mass surveillance services.9 Citizen Lab’s research has shown that the market for commercial spyware in particular is proliferating widely, and is highly prone to abuse (including being linked to targeted killings),10 with sophisticated hacking tools ending up in the hands of despots and dictators.11 These relationships may well open the door to the same tools being deployed against legislators and their staff in jurisdictions like Canada. As a result, the government must be wary of seemingly less competent adversaries punching well above their weight by using private and commercial hacking tools.

At the best of times, these problems present extraordinary challenges for network defenders. But parliamentarians and their staff are now at even greater risk. Not surprisingly, threat actors are already capitalizing on this new environment. Phishing and malware attacks have targeted and disrupted hospitals in the Czech Republic, the U.S. Department of Health and Human Services, and the World Health Organization. On April 14, a leading U.S. cybersecurity firm revealed that a “Canadian government health organization actively engaged in COVID-19 response efforts, and a Canadian university conducting COVID-19 research,” had been victims of ransomware attacks.12 These reports are likely only scratching at the surface.

While it is laudable that a platform like Zoom has received a lot of attention about security risks, we should not lose sight of the fact that our entire communications ecosystem contains numerous insecurities, and that there are a multitude of bad actors searching for and seeking to exploit them.

Recommendation #1: Where possible extend digital security resources developed for the House of Commons (HoC) to all Canadians

Remote work for the HoC will require a significant investment in additional digital security support, resources, and capacity. These teams were already engaged in actively protecting members of the HoC and are now dealing with a significantly broader set of home network and device setups, while simultaneously defending against a tsunami of targeted malware and other attacks that are outside of the government’s formal security perimeter.

To partially combat new threats, the CSE’s Canadian Centre for Cyber Security has begun sharing information with infrastructure providers to reduce the likelihood of phishing or malware successfully exploiting devices and systems.13 However, the details of this program (and others like it) presently lack public accountability or transparency, and it has not been independently audited. If these are rolled out without proper safeguards, such systems can end up undermining free expression, privacy, and other rights. Wherever possible, the HoC and the rest of government could share mitigation techniques or signatures with Canadian infrastructure owners in a transparent and accountable way to improve both the home security of MPs and HoC staff and that of all other residents of Canada.

Additionally, distributing and encouraging the use of educational tools to all parliamentarians, their staff, and all residents of Canada could help boost awareness and help mitigate risks.14

Recommendation #2: Evaluate and issue guidance on work-from-home best practices, including those for video conferencing applications.

The Government of Canada should issue detailed guidance on work-from-home best practices that includes a detailed evaluation of video conferencing applications. The latter could include recommendations on scenarios for use of some applications for specific purposes but not others. Such guidance could be made available to Canadians to assist medium and small businesses, as well as individual residents of Canada, to make decisions that are informed by security expertise from the government. Although some guidance has been issued already,15,16 it is dated, and largely insufficient to the tasks at hand.

By way of contrast, the U.S.’s NSA has issued public guidance that identifies various criteria to consider when using a video conferencing service.17 These criteria include, inter alia, whether the service uses end-to-end encryption; whether they share data with third parties; and whether or not the service’s source code has been shared publicly. Other assessments consider questions of transparency and privacy, for example whether firms issue transparency reports or have clear privacy policies.18

Recommendation #3: Support independent research on digital security and the promotion of secure communications tools.

At a time when daily life significantly depends on technological systems, there should be more high quality, independent research that scrutinizes these systems for privacy and security risks. To assure Canadians that the digital appliances and networks upon which they depend are secure, researchers must have the ability to dig beneath the surface of those systems, including into proprietary algorithms, without fear of reprisal.

Presently, researchers can come under legal threat when they conduct this research, to the detriment of improving security for all users, including MPs and their staff who are at home. As such, we recommend that the Government of Canada pass legislation which explicitly recognizes a public interest right to engage in security research, and prohibits organizations or individuals from legally threatening residents of Canada who are involved in such public interest research.

Recommendation #4: Implement a Vulnerability Disclosure Process for Government Agencies, including the House of Commons

Vulnerability disclosure policies (VDPs) establish terms and processes by which researchers can communicate the presence of vulnerabilities in organizations’ systems or networks without fearing legal repercussions. American institutions, such as the Department of Defense,19 have already adopted a VDP and additional American institutions are developing them. Canada should follow this model, so that researchers can identify vulnerabilities and work with the government of Canada to mitigate them, instead of declining to communicate them out of fear they may experience legal (or other) threats. This recommendation is in line with a report issued by the HoC Public Safety and National Security Committee in 2019, where it recommended that “the Government of Canada support responsible vulnerability disclosure programs.”20

Recommendation #5: Transparent and Accountable Vulnerabilities Equities Process

The Communications Security Establishment (CSE) currently has a process by which it evaluates whether to conceal the presence of computer software vulnerabilities for use in its own intelligence operations, or to disclose a given vulnerability to ensure that all devices are made secure from it. However, the CSE is formally alone in making decisions over whether to retain or disclose a vulnerability.

We recommend that the Government of Canada broaden the stakeholder institutions who adjudicate whether vulnerabilities are retained or disclosed, especially in light of the enhanced risk that all government workers are at given their work-from-home situation. We also recommend that the Government of Canada follow international best practice and release a full vulnerabilities equities process policy, so that residents of Canada can rest assured that the CSE and its government will not retain vulnerabilities that could seriously compromise the security of Canadians.

Recommendation #6: Support for Strong Encryption

In 2019, the HoC Public Safety and National Security Committee recommended that “the Government of Canada reject approaches to lawful access that would weaken cybersecurity.”21 Given the potential for adversaries to take advantage of poorly secured devices and systems, we recommend that the Government of Canada support the availability of strong encryption so that MPs, their staff, and residents of Canada can be assured that the Government is not secretly weakening this life-saving and commerce-enabling technology, to the detriment of all Canadians and our allies.

  1. Thanks to Christopher Parsons, Lex Gill, and Josh Gold for comments and assistance.
  2. Bill Marczak & John Scott-Railton, “Move Fast and Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings,” The Citizen Lab, April 3, 2020,
  3. Bill Marczak & John Scott-Railton, “Zoom’s Waiting Room Vulnerability,” The Citizen Lab, April 8, 2020,
  4. In our report of April 3, we found that Zoom documentation claimed that the app uses “AES-256” encryption for meetings where possible. However, in our testing, a single AES-128 key was used in ECB mode by all meeting participants to encrypt and decrypt audio and video. ECB mode is not recommended because each 16-byte block is encrypted independently under the same key, so identical plaintext blocks produce identical ciphertext blocks and patterns present in the plaintext remain visible in the ciphertext. What this finding means is that the encryption in Zoom does not seem to have been well-designed or implemented.
  5. Colleen Rodriguez, “Zoom Hits Milestone on 90-Day Security Plan, Releases Zoom 5.0,” Zoom Blog, April 22, 2020,
  6. “Ask Eric Anything,” (YouTube Video), Zoom, April 8, 2020,
  7. See John Scott-Railton, “Another Critical COVID-19 Shortage: Digital Security,” Medium. March 23, 2020,
  8. Stephanie Kirchgaessner, “Revealed: Saudis suspected of phone spying campaign in US,” The Guardian, March 29, 2020,
  9. For further detail, see testimony by Ron Deibert on this subject to the Senate of Canada on November 30, 2016, here:
  10. Research by The Citizen Lab has revealed several cases of targeted killings linked to targeted espionage and surveillance software, including the murder of Saudi journalist Jamal Khashoggi. For further information on this, and other cases, see for example: Miles Kenyon, “Dubious Denials & Scripted Spin: Spyware Company NSO Group Goes on 60 Minutes,” The Citizen Lab, April 1, 2019,
  11. Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak, and Ron Deibert, “Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries,” The Citizen Lab, September 18, 2018,
  12. James McLeod, “Canadian coronavirus response workers targeted in ransomware attack, says U.S. cybersecurity report,” Financial Post, April 14, 2020,
  13. Canadian Centre for Cyber Security, “Canadian Shield – Sharing the Cyber Centre’s Threat Intelligence to Protect Canadians During the COVID-19 Pandemic,” April 23, 2020,
  14. Some resources to consider include the Citizen Lab’s Security Planner ( and the Electronic Frontier Foundation’s Surveillance Self Defense project (
  15. Canadian Centre for Cyber Security, “Considerations when using video-teleconference products and services,” April 3, 2020 (amended April 14),
  16. Canadian Centre for Cyber Security, “Cyber Hygiene for COVID-19,” March 18, 2020,
  17. Existing assessments of various video teleconferencing applications could be built on. See, for example, guidance from the US National Security Agency issued on April 24, 2020: (
  18. See, for example, assessments by Freedom of the Press ( and Google engineer Gary Belvin (
  19. Department of Defense Cyber Crime Center, “DoD Vulnerability Disclosure Program (VDP),” November 2016,
  20. SECU, “Report 38: Cybersecurity in the Financial Sector as a National Security Issue”, Adopted by the Committee June 17, 2019, See recommendation 7, page 38.
  21. SECU, “Report 38: Cybersecurity in the Financial Sector as a National Security Issue”, Adopted by the Committee June 17, 2019, See recommendation 8, page 39.
  22. Lotus Ruan, Jeffrey Knockel, and Masashi Crete-Nishihata, “Censored Contagion: How Information on the Coronavirus is Managed on Chinese Social Media,” The Citizen Lab, March 3, 2020,

Submission of the Citizen Lab to the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression

In 1993, the United Nations Commission on Human Rights established the mandate of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression. The current Special Rapporteur is Mr. David Kaye.

Mr. Kaye recently issued a call for submissions on the topic of the surveillance industry and human rights. The call noted that government and non-governmental actors have increasingly used digital surveillance technologies to undermine human rights and sought information on regulatory frameworks for surveillance technologies, on the use of surveillance technologies against individuals and civil society, and on the policies and practices of private companies in this industry.

Over the years, Citizen Lab research has documented the abusive deployment of spyware manufactured and sold by private companies. Our submission first provides a review of our technical research into the application of sophisticated spyware technology sold by NSO Group Technologies Ltd., Cyberbit Ltd., FinFisher GmbH, and Hacking Team S.r.l (a subset of our research on targeted digital threats). Based on this research, and investigations by other organizations into the spyware industry, we have identified a number of overarching practices of concern within the industry that we believe urgently need to be addressed:

  1. The apparently unchecked sale of spyware to authoritarian and repressive governments with poor human rights records;
  2. The justification of such sales by private companies on the basis that they sell exclusively to sovereign nations and with the sole purpose of clients engaging in lawful use;
  3. A non-transparent business environment which insulates companies in the industry from public scrutiny and effective regulation; and,
  4. Private companies in this industry operating in violation of norms and rights set out in the International Covenant on Civil and Political Rights, the Universal Declaration of Human Rights, and the UN Guiding Principles on Business and Human Rights.

In order to assist the Special Rapporteur, we have also articulated a number of recommendations which we hope will inform the Special Rapporteur’s forthcoming report. These recommendations stress the importance of continued support for research into the spyware industry and the need to identify and define high-priority practices of concern within the industry, as well as the broader aims of industry reform. Further, we recommend that the Special Rapporteur issue a report describing a comprehensive accountability framework that considers the effectiveness of, and changes necessary to, all available mechanisms for ensuring accountability (e.g. regulation, litigation, due diligence requirements for companies, and export controls), and call on States to do more to protect against human rights abuses in this area, with specific actions that should be taken.

The full report can be found here.