In a recent U.S. court hearing, a lawyer representing NSO Group, the Israeli maker of the notorious Pegasus spyware, named Uzbekistan as one of the governments that deployed the tool during a 2019 hacking campaign. Mexico and Saudi Arabia were also cited. This marks the first time NSO Group has publicly identified its clients.
Pegasus is a powerful surveillance software developed by the Israeli cyber intelligence firm NSO Group. Once installed on a smartphone, it allows operators to secretly access messages, listen to calls, track locations, and remotely activate the camera and microphone, without the user’s knowledge.
The revelation stems from a lawsuit filed by WhatsApp, a Meta-owned messaging platform, which accused NSO Group of exploiting a vulnerability in the app to target approximately 1,400 users between April and May 2019. Many of those targeted were journalists, human rights advocates, and members of civil society.
Digital rights watchdog Citizen Lab, which collaborated with WhatsApp, helped identify more than 100 victims across multiple countries. NSO’s lawyer acknowledged that at least eight governments were using Pegasus at the time, but only three – Mexico, Saudi Arabia, and Uzbekistan – were named during the hearing.
Uzbekistan’s inclusion raises concerns about the country’s surveillance practices. While the court hearing mentioned just three countries, earlier disclosures suggested that Pegasus had been deployed in as many as 51 nations, including India, Morocco, Spain, the United Kingdom, and the United States.
Interestingly, Saudi Arabia, named in the court hearing, did not appear in prior reports, suggesting that some NSO clients may have used the spyware beyond their own borders. A 2017 investigation by Citizen Lab indicated, for example, that Mexico used Pegasus to surveil individuals located in the U.S.
NSO Group insists that it licenses Pegasus only to governments approved by Israel and that the software is intended for counterterrorism and law enforcement. Nevertheless, the company has faced sustained criticism for enabling authoritarian regimes to spy on dissidents and journalists.
The U.S. court has not yet confirmed which clients were behind the specific attacks outlined in the WhatsApp case. The presiding judge noted that much of the available evidence originates from media investigations rather than direct disclosures by NSO Group. The company has declined to comment publicly.
WhatsApp has stated it looks forward to the trial, where it hopes to secure damages and prevent NSO from using its infrastructure to target users.
Over the years, groups like Amnesty International and Citizen Lab have documented Pegasus’s deployment in numerous countries, including Hungary, the United Arab Emirates, and now, potentially, Uzbekistan. Many of the targets were professionals carrying out legitimate work, raising serious questions about digital privacy and unchecked state surveillance.
TechCrunch, which obtained the court documents, has contacted the embassies of Mexico, Saudi Arabia, and Uzbekistan for comment. As of this writing, none have responded.
