A former member of Morocco’s domestic intelligence service has provided unprecedented insight into how the north African state used Pegasus hacking software to target journalists, human rights defenders, French politicians, and Spanish cabinet ministers and police officers. The whistleblower, known by the pseudonym Safir, worked for Morocco’s Direction Générale de la Surveillance du Territoire (DGST) for almost a decade.
Pegasus spyware capabilities and alleged use
Pegasus, manufactured by the Israel-based NSO Group, allows operators to access everything on a target’s mobile phone, including emails, text messages, and photographs. It can also activate the phone’s recorder and camera, turning it into a listening device. NSO Group states Pegasus is sold only to governments to track criminals and terrorists, but it is alleged to have been used by several countries to target dissidents, journalists, diplomats, and politicians.
Morocco has long denied using Pegasus to target critics at home or abroad, claiming reporters were “incapable of proving [the country had] any relationship” with the company. However, evidence from Safir suggests the DGST began using Pegasus in 2017 and deployed it against domestic and foreign targets over four years.
Investigation consortium and corroborated evidence
Safir’s testimony forms the basis of a multiyear investigation by Moroccan journalist Hicham Mansouri, leading to a collaborative effort among 14 media organizations including Le Monde, Haaretz, El Confidencial, Die Zeit, and the Guardian, with technical support from Amnesty International’s Security Lab. The consortium analyzed leaked emails, targeting records, victims’ testimony, and internal training material. Two other former Moroccan intelligence agents provided information and corroborated facts. The testimony is further corroborated by the Pegasus project dataset, forensically analyzed by Amnesty International’s Security Lab.
NSO Group demonstration in Rabat in 2017
According to the consortium, NSO Group representatives gave high-ranking Moroccan intelligence officers and technical experts a detailed demonstration of new technologies, including Pegasus, in an expensive villa in Rabat in 2017. The source said the house was nicknamed “the FSSYS villa” after FSSYS Maroc, the Moroccan branch of UAE-based surveillance intermediary al-Fahad. Those gathered immediately recognized Pegasus’s “revolutionary” potential, as its remote-infection capacity eliminated the need for physical access to targets’ phones. During the demonstration, NSO representatives infected test phones, remotely activating cameras, switching on microphones, and accessing data and messages.
Spyware as a gift from the UAE
“Millions for the Emiratis, that’s nothing,” said Safir. “The Emirates bought it and redistributed it to friendly services. You could say it’s like Netflix: a friend pays for the subscription, and the others use their account.” Before Pegasus, the DGST relied on human intelligence, targeting terminals in internet cafes, and persuading shopkeepers to sell pre-infected phones to dissidents. According to Safir, the costly spyware was used only for high-value targets after cheaper options were exhausted. “We never start with Pegasus,” they said. “It’s the monster’s weapon.”
Testing and early targeting in Morocco
Evidence reveals that four unique Moroccan mobile numbers were selected as Pegasus targets in September 2017, seemingly to test the system. These included numbers linked to two DGST staff members. The leaked database shows that numbers of Moroccan journalists and human rights defenders began to be entered into the Pegasus system that same month. Targeting soon extended beyond Morocco’s borders. A Spanish mobile number belonging to Aminatou Haidar, a prominent human rights activist from Western Sahara, was targeted from 2018, and traces of spyware were found on a second phone in November 2021. A Spanish number for journalist Ignacio Cembrero, focused on the Maghreb, was also listed.
Targeting of Spanish politicians
Pegasus project records show more than 200 Spanish mobile numbers were selected for targeting by the user believed to be Morocco. In May 2022, the Spanish government revealed that the mobile phones of Prime Minister Pedro Sánchez and Defence Minister Margarita Robles were infected with Pegasus in May and June 2021. The targeting occurred during a tense diplomatic row over Spain’s decision to allow the leader of the Polisario Front, which fights for Western Sahara independence, to be treated for Covid-19 in Spain. It later emerged that the phones of Interior Minister Fernando Grande-Marlaska and Agriculture Minister Luis Planas were also targeted.
Judicial inquiries and lack of cooperation
Repeated judicial attempts to investigate Pegasus use against the Spanish cabinet have stalled. The investigating judge originally ended the inquiry in July 2023 but reopened it after French authorities provided information on Pegasus infections of French ministers, MPs, lawyers, and journalists. However, the judge shelved it again in January 2024, citing a chronic lack of cooperation from Israeli authorities, including a failure to respond to a request to take a statement from NSO’s chief executive, violating “the principle of good faith” between countries.
Attribution to DGST and controversy
Recent analysis points to the DGST being responsible for targeting senior Spanish politicians. Material shows one attacker account assigned to Morocco’s Pegasus system and used to target politicians, journalists, and human rights defenders in France was also used to target the phones of Robles and Grande-Marlaska. Despite suspicions, Grande-Marlaska presented Abdellatif Hammouchi, the director general of the DGST, with the highest honour bestowed by Spain’s Guardia Civil. The move was criticized by a Guardia Civil union, which said giving the award “to a man who has faced international accusations of human rights violations and spying” was an affront to the dignity of officers.
Spying on Guardia Civil officers
Leaked documents, photographs, and testimony suggest the DGST sought access to communications of Guardia Civil officers who travelled to Morocco to share counter-terrorism expertise. The personal phone number of one senior Guardia Civil officer appears five times on the list of targets selected for Pegasus surveillance by the end-user believed to be Morocco. “We spy on everyone,” one former DGST officer told the consortium, adding that such surveillance was carried out “just in case”. A senior Guardia Civil official described the revelations as “a betrayal”. Unlike officers from Spain’s Policía Nacional, who used separate mobile devices for sensitive information while travelling to Morocco, the Guardia Civil did not take such precautions. “We didn’t do it because we didn’t suspect we would be spied on,” a senior Guardia Civil intelligence officer said.
NSO Group blacklisted and codename revealed
Further evidence emerged last year when Meta took NSO Group to court in the US for exploiting WhatsApp. An unsealed presentation to NSO’s parent company board in August 2018 included a list of Pegasus end-user codenames. According to Haaretz, countries are assigned a name based on the first letter of the country and a car manufacturer. Morgan has been identified as Morocco after former NSO employees confirmed Morocco was a Pegasus end-user. In November 2021, NSO Group was placed on a US blacklist after the Biden administration determined the company acted “contrary to the foreign policy and national security interests of the US”. Three weeks later, Israel’s defence ministry barred imports of Israeli cyber-technology to several countries, including Morocco and the UAE. The investigation has not found evidence of Pegasus-aided surveillance in Morocco after late 2021.



