New Citizen Lab Report: Pegasus vs Predator

A new Citizen Lab report was published yesterday, entitled “Pegasus vs Predator: Dissident’s Doubly Infected iPhone Reveals Cytrox Mercenary Spyware,” authored by Bill Marczak, John Scott-Railton, Bahr Abdul-Razzak, Noura Al-Jizawi, Siena Anstis, Kristin Berdan, and Ron Deibert.


In this report, we detail our investigation into the hacking of the devices of two Egyptians with mercenary spyware technology.

The first – Ayman Nour – is an exiled Egyptian politician now residing in Turkey. Our investigation determined his device was simultaneously hacked earlier this year with Pegasus, the spyware made by the notorious Israel-based NSO Group, and a second piece of spyware called Predator, used by a different government client and made by a less-well-known spyware firm called Cytrox.

The targeting of a single individual with two separate spyware products used by two different government clients shows just how bad the abuse problem around mercenary surveillance technology has become.

The second individual is an exiled Egyptian journalist who chooses to remain anonymous. We determined his phone was also hacked solely with Cytrox’s Predator spyware. We attribute the hacking of the two Egyptians’ phones with medium-high confidence to the government of Egypt.

While NSO Group has received a lot of publicity in recent months, Cytrox has far less exposure outside of the governments it serves. Our report is the first to identify the company’s spyware being abused in the wild by a government client.

We also undertook network scanning for active installations of Cytrox worldwide, and are able to disclose that Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia are likely government clients.

Cytrox – part of the “Star Alliance” of surveillance firms

Our investigation also dug deeply into Cytrox’s extremely complicated corporate history, industry alliances, and registration records. We identified some of the key individuals involved in leadership and executive positions at the firm. Cytrox was reported to be part of Intellexa, the so-called “Star Alliance of spyware,” which was formed to compete with NSO Group. Intellexa describes itself with pride as “EU-based and regulated, with six sites and R&D labs throughout Europe.” That may turn out to be a problem for them.

Digging through these arrangements was like entering into a dark labyrinth of sketchy individuals dodged by various legal improprieties and dubious private intelligence and mercenary surveillance companies spread across several state jurisdictions.

These types of ownership obfuscation techniques – similar to those used by plutocrats and money launderers – make investigation, regulation, and public accountability efforts challenging. We should expect to see these techniques more widely practiced as the heat is turned up on the spyware industry (more on that below).

Vulnerability Disclosure and Meta (Facebook) Enforcement

In accordance with the Citizen Lab’s vulnerability disclosure policy, we shared Predator artefacts with Apple and they confirmed they are investigating. As substantial Predator targeting took place through WhatsApp, the Citizen Lab also shared artefacts with Meta’s security team (WhatsApp’s owners, and formerly known as Facebook).

We are happy to say that our report’s publication is co-timed with Meta’s announcement that it is taking extensive enforcement action against Cytrox, including removal of about 300 Facebook pages and Instagram accounts linked to the firm. Meta is also publishing detailed technical indicators linked to Cytrox’s operations, which greatly assists future efforts of security researchers.

Meta’s security team’s investigation also corroborates the Citizen Lab’s identification of Cytrox customers in Egypt, Armenia, Greece, Saudi Arabia, and Oman, and they add Colombia, Côte d’Ivoire, Vietnam, Philippines, and Germany (Germany!) to the list of other government clients. Meta also confirms abusive worldwide targeting of civil society by Cytrox’s customers. Looking at the list of them, it is no wonder.

In the absence of regulations to the contrary, despotic regimes and other illiberal government agencies will use surveillance technology to go after anyone that is construed as a threat to their malicious aims.

The Mercenary Spyware Industry

NSO Group is definitely on the ropes and wobbling badly…and deservedly so. But our latest report should remind us that the problems around mercenary spyware go well beyond a single company. As one goes down, others will bounce up to make a buck. Rebranding is also always a possibility for an industry that thrives in the shadows and employs many of the same corporate shell games as do the despots and dictators they serve.

This report shows that digital accountability researchers at the Citizen Lab, Amnesty International, and numerous threat teams – working alongside many NGO and investigative journalist partners worldwide – are collectively getting better at tracking and exposing these firms’ malfeasances. Sharing of indicators and other information is getting better too.

However, to avoid playing a constant game of “whack-a-mole”, we need governments to step up and act to control what has effectively become a kind of globally distributed “despotism-as-a-service.”

Fortunately, some government officials appear to be waking up to the threat, and are carving a regulatory path forward:

  • On 3 November 2021, the United State Department of Commerce announced that it was putting NSO Group, Candiru (another mercenary company Citizen Lab has reported on) and other spyware firms on its designated “entity list” for malicious cyber activities.
  • As part of the “Democracy Summit,” on 10 December 2021 the governments of  Australia, Denmark, Norway, and the United States announced a new export control and human rights initiative, noting that authoritarian governments “are using surveillance tools and other related technologies in connection with serious human rights abuses, both within their countries and across international borders.”
  • Last week, the head of GCHQ, Sir Jeremy Fleming, said that the UK government had spyware firms like NSO Group “under close review,” and that their sales were “completely beyond the pale”, adding, “countries or companies that promulgate [spyware technology] in an unconstrained way like that are damaging and should not be tolerated.”
  • And just yesterday, 15 December 2021, a group of U.S. lawmakers, led by Senator Ron Wyden and Representative Adam Schiff, sent a letter to the United States Secretary of the Treasury and the Secretary of State advocating that executives at NSO Group and several others surveillance firms should be sanctioned under the Global Magnitsky Act. That would be a very big problem for those executives: bank accounts frozen, travel disrupted, etc. The lawmaker’s letter specifically highlights the research of the Citizen Lab and our colleagues at Amnesty International.

Now, let’s see if other liberal democratic governments follow suit. (I’m looking at you, Canada).

Read the full report here:

Read about Meta’s Enforcement Action:

News Coverage

P.S. A final comment: this year (2021) mark’s the 20th anniversary of the founding of the Citizen Lab. We haven’t marked the occasion in any special way because we are all more interested in the future than past accomplishments. However, I’m very proud of what we have achieved over the last two decades together, and I feel very lucky to have been surrounded by so many accomplished and ethical researchers over the years.

Now, onto the next twenty!