Pegasus in Jordan: 35+ Journalists and Activists Targeted with NSO Spyware

2019-2023 · 35+ targets

By Karim El Labban · ZERO|TOLERANCE

A joint investigation published in February 2024 by Access Now, Citizen Lab, and partners including Human Rights Watch documented the systematic targeting of at least 35 journalists, activists, human rights lawyers, and civil society representatives in Jordan with NSO Group’s Pegasus spyware. The campaign spanned more than four years, from August 2019 through December 2023, and targeted individuals including prominent Palestinian-American journalist Daoud Kuttab - who was successfully hacked three separate times in 2022 and 2023, with seven additional failed infection attempts documented on his devices - and two Human Rights Watch employees: Adam Coogle and Hiba Zayadin.

Apple’s threat notification system, introduced in November 2021 to alert users when the company detects state-sponsored targeting of their devices, played a significant role in prompting affected individuals to submit their devices for forensic analysis by Access Now’s Digital Security Helpline and Citizen Lab. Of the 35 confirmed targets, 16 were journalists or media workers, making the Jordan campaign one of the most heavily media-targeted Pegasus operations documented outside Saudi Arabia. The investigation did not formally attribute the operations to a specific Pegasus operator, but the concentration of targets within Jordanian civil society strongly suggested a Jordanian government customer.

## Key Facts

  • **What:** NSO Group Pegasus spyware deployed against Jordanian civil society (2019-2023).
  • **Who:** 35+ journalists, activists, and HRW employees in Jordan.
  • **Data Exposed:** Messages, contacts, GPS locations, camera/microphone access on phones.
  • **Outcome:** No formal attribution; no judicial oversight of state surveillance exists.

## What Happened

The Pegasus campaign against Jordanian civil society spanned more than four years, from August 2019 through December 2023. The infections were delivered through NSO Group's zero-click exploit capabilities, meaning targets did not need to click a link or open an attachment - the spyware was installed silently through vulnerabilities in iOS services such as iMessage, often without leaving visible traces on the device.

Once installed, Pegasus provided the operator with complete access to the target's communications, contacts, GPS location, camera, and microphone.

Apple's threat notification system, introduced in November 2021, began alerting Jordanian targets that their devices had been subjected to state-sponsored attacks.

These notifications prompted affected individuals to submit their devices for forensic analysis through Access Now's Digital Security Helpline and the University of Toronto's Citizen Lab.

Using the Mobile Verification Toolkit and analysis of device backup files, researchers confirmed Pegasus infections across at least 35 individuals.

Journalist Daoud Kuttab was successfully infected on three separate occasions in 2022 and 2023, with seven additional failed infection attempts documented on his devices - a pattern indicating sustained, determined targeting by an operator who repeatedly invested resources in maintaining access.

The investigation published in February 2024 by Access Now, Citizen Lab, and partners including Human Rights Watch did not formally attribute the operations to a specific Pegasus operator.

However, the concentration of all 35 targets within Jordanian civil society - 16 journalists, human rights lawyers, activists, and two Human Rights Watch employees (Adam Coogle and Hiba Zayadin) - strongly suggested a Jordanian government customer.

The campaign continued through December 2023 despite the Pegasus Project revelations of July 2021, the U.S. Entity List designation of NSO Group in November 2021, and waves of international lawsuits and investigations.

## What Was Exposed

  • Complete communications histories across all messaging platforms on infected devices - including iMessage, WhatsApp, Signal, Telegram, and encrypted email - with content captured after decryption at the device level, rendering end-to-end encryption irrelevant
  • Contact databases and communication networks of journalists and activists, enabling the identification of sources, informants, and the professional and personal relationships of targeted individuals
  • Draft articles, unpublished investigations, confidential source materials, and legal case files for the human rights lawyers among the targets - categories of data whose exposure directly endangers third parties who trusted the targeted individuals with sensitive information
  • Real-time and historical GPS location data enabling continuous physical surveillance, tracking of movements across Jordan and internationally, and the identification of meetings with sources or colleagues
  • Camera and microphone access, enabling silent ambient recording of meetings, interviews, and private conversations without the target’s knowledge
  • Credentials and authentication tokens for professional and organizational accounts, potentially enabling access to the databases, communications systems, and membership records of the civil society organizations to which targets belonged
  • For HRW employees Adam Coogle and Hiba Zayadin: potential exposure of the organization’s internal communications, investigation databases, and contacts with sources across the MENA region
  • For Daoud Kuttab: journalistic source networks, correspondence with editors and news organizations, and potentially sensitive reporting on Jordanian political and security affairs developed over a multi-decade career

Daoud Kuttab is among the most prominent Palestinian journalists working in the region. A co-founder of Community Media Network in Amman, a former adjunct professor at Princeton, and a contributor to major international media outlets, Kuttab has spent decades reporting on Palestinian affairs, Jordanian politics, and the broader Arab world. His documented infection on three separate occasions in 2022 and 2023 - with seven additional failed attempts - indicates not a casual opportunistic targeting but a sustained, determined campaign by an operator who repeatedly invested resources in attempting to maintain access to his devices even after infections were cleared. This level of persistence is characteristic of intelligence operations against targets deemed to have ongoing operational significance.

The targeting of Human Rights Watch researchers Adam Coogle and Hiba Zayadin carries implications that extend far beyond the individuals themselves. HRW’s research on Jordan, the West Bank, and the broader Middle East depends on the ability of its researchers to communicate confidentially with sources, maintain the security of investigation files, and protect the identities of individuals who speak to the organization at personal risk. A successful Pegasus infection of an HRW researcher’s device potentially exposes every source who communicated with that researcher via the compromised phone, every document stored on the device, and every meeting attended while the device was infected. This is not merely a personal privacy violation; it is an attack on the institutional capacity of one of the world’s most significant human rights documentation organizations.

The four-year timeline of the documented campaign - August 2019 to December 2023 - is significant for several reasons. It demonstrates that the Jordanian civil society Pegasus operation was not a short-duration tactical response to a specific event but a sustained strategic intelligence program. It also spans the period during which NSO Group faced increasing international scrutiny: the Pegasus Project revelations of July 2021, the U.S. Entity List designation of NSO Group in November 2021, and the subsequent waves of lawsuits and government investigations that placed NSO under unprecedented pressure. Despite this scrutiny, the Jordan campaign continued through December 2023, suggesting that the operator assessed the operational value of the surveillance program as outweighing the reputational and political risks of continued use.

Apple’s threat notification system, which began alerting users in November 2021, catalyzed the investigation by prompting targets to seek forensic assistance. The system represents one of the few scalable mechanisms through which commercial spyware victims can receive actionable warning of targeting. Without Apple’s notifications, the majority of the 35 confirmed victims would likely have remained unaware that their devices had been compromised. The notifications did not stop the targeting - as Kuttab’s continued infections demonstrate - but they provided the evidence trail that enabled Citizen Lab and Access Now to document the campaign and bring it to public attention. The forensic methodology employed by Citizen Lab, including the Mobile Verification Toolkit (MVT) analysis of device backup files, is the current gold standard for Pegasus detection on iOS devices.

The concentration of media workers among the targets - 16 of 35 confirmed victims - reflects a global pattern in Pegasus deployments where journalists covering sensitive topics are prioritized targets. Jordan has a restricted media environment: Freedom House consistently rates Jordan’s press freedom as “Not Free,” and the Jordanian government has used the Cybercrime Law and other legislation to prosecute journalists for online publications. The use of Pegasus against journalists represents a technological escalation of a pre-existing pattern of press freedom restriction, enabling surveillance of journalistic activities that occur beyond the reach of conventional monitoring - encrypted communications, in-person meetings, and foreign travel.

## Regulatory Analysis

The Pegasus targeting of Jordanian civil society creates a regulatory paradox that is structurally similar to the Bahraini Pegasus case: the primary suspect operator of the spyware is the government itself, the same entity responsible for enforcing the laws that the surveillance violates. Jordan’s Cybercrime Law No. 17/2023, while comprehensive in its treatment of unauthorized system access and data interception, contains exceptions and prosecutorial discretions that effectively exempt government intelligence activities from the law’s scope. The public prosecutor’s new powers under the 2023 law to initiate proceedings without victim complaints for government-related offenses are not designed to be used against the government itself.

Jordan’s constitutional framework provides the most principled basis for challenging state surveillance of this type. Article 18 of the Constitution guarantees privacy of communications, requiring judicial authorization for interception. Pegasus infections that capture all communications from a target’s device without judicial oversight engage this constitutional guarantee directly. However, the absence of a judicial oversight mechanism for executive surveillance operations - and the absence of an independent constitutional court with the mandate and willingness to adjudicate complaints against intelligence agencies - means that Article 18’s protection is declaratory in nature for most affected individuals. Civil society organizations have raised Article 18 arguments in public advocacy, but no Jordanian court has issued a ruling on the constitutionality of Pegasus-type surveillance.

The international human rights framework provides a more tractable avenue for analysis. Jordan is a party to the International Covenant on Civil and Political Rights (ICCPR), Article 17 of which prohibits arbitrary interference with privacy. The UN Human Rights Committee’s General Comment No. 16 and subsequent interpretations establish that surveillance must be prescribed by law, necessary, proportionate, and subject to independent oversight to comply with Article 17. The targeting of journalists, human rights lawyers, and civil society representatives for surveillance - absent any publicly articulated legal basis or demonstrated national security justification - would fail this standard under established ICCPR jurisprudence. Jordan’s periodic reviews before the Human Rights Committee have included recommendations to strengthen privacy protections, though implementation has been limited.

The targeting of HRW employees creates additional dimensions of legal exposure under international law. Human Rights Watch conducts its operations under the protection of the Declaration on Human Rights Defenders, which establishes the right of human rights defenders to conduct their work without interference, and under the Vienna Convention protections applicable to staff of international organizations operating in Jordan. While these instruments do not create directly enforceable legal rights in Jordanian courts, they establish the international normative framework against which Jordan’s conduct is assessed in UN human rights mechanisms and diplomatic contexts. The targeting of an international NGO’s researchers also engages the bilateral relationships between Jordan and HRW’s member states, whose governments have formally protested Pegasus targeting of their own nationals in similar contexts.

## What Should Have Been Done

Addressing Pegasus-class threats requires a layered response combining individual device security measures, organizational security protocols, civil society capacity building, and international regulatory and legal pressure. No single measure provides complete protection against a zero-click exploit backed by a state-level budget, but the combination of multiple defenses significantly raises the cost and risk of sustained surveillance campaigns.

Apple’s Lockdown Mode, introduced in iOS 16 in September 2022, is the single most effective available defense against Pegasus zero-click exploits. Lockdown Mode disables the attack surfaces most commonly exploited by NSO Group, including most iMessage attachment types, link previews, FaceTime calls from unknown contacts, and several web browsing features. Every journalist, activist, lawyer, and civil society representative who is a plausible target of state-sponsored surveillance should enable Lockdown Mode on their iOS devices as a baseline requirement, not an optional enhancement. Organizations such as HRW and the Community Media Network should adopt formal policies mandating Lockdown Mode for all staff devices used in Jordan or other high-risk operational environments.

Organizational security training for journalists and activists must be specific to the Pegasus threat model, not merely general digital hygiene. The Access Now Digital Security Helpline and similar resources provide forensic device analysis and tailored security guidance for at-risk civil society members. Organizations operating in Jordan should establish formal relationships with these services, conduct regular collective security workshops, and create internal protocols for what to do when an Apple threat notification is received. The notification should trigger immediate device submission for forensic analysis and transition to a temporary clean device, not merely a precautionary update.

Communication security must be designed on the assumption that any smartphone may be compromised. Sensitive source communications, investigation planning, and legal advice should not be conducted on devices that are routinely connected to mobile networks, even when using end-to-end encrypted applications. Physical separation of sensitive discussions from all mobile devices - placing phones in Faraday bags or in a separate room - provides meaningful protection against microphone activation. The use of air-gapped computers for drafting sensitive documents, with manual transfer of non-sensitive outputs only, creates a separation between the communication devices (which may be compromised) and the document processing environment.

At the policy level, Jordan should establish a judicial authorization requirement for all forms of electronic surveillance, including the use of commercial spyware. This would bring Jordan’s legal framework into alignment with its ICCPR obligations and the constitutional guarantee in Article 18. An independent oversight body - potentially a parliamentary committee with security clearance or a specialized judicial panel - should be established to review surveillance authorizations and audit the use of surveillance tools. Jordan’s National Cybersecurity Strategy 2024-2028 should explicitly address the regulatory framework for state use of surveillance technology, establishing proportionality requirements and independent oversight as core principles.

The four-year Pegasus campaign against Jordan’s journalists and civil society exposes the fundamental inadequacy of treating privacy as a constitutional aspiration without enforcement mechanisms - without a judicial authorization requirement, an independent oversight body, and a data protection authority with the mandate to investigate state surveillance, Article 18 of Jordan’s Constitution offers no more protection to a targeted journalist than the paper it is written on.

## ZERO|TOLERANCE Advisory

The Pegasus campaign against Jordanian civil society is not a conventional cybersecurity incident with a patch or a firewall solution.

It is a state-capability threat that exploits zero-click vulnerabilities in consumer devices to achieve surveillance objectives that no technical control can fully prevent.

The difference between a journalist who is compromised indefinitely and one who detects and contains the infection is not the absence of targeting - it is the presence of specific, layered countermeasures that raise the cost and reduce the duration of each successful infection.

The first and most effective available defense is Apple's Lockdown Mode, introduced in iOS 16 in September 2022. Lockdown Mode disables the attack surfaces most commonly exploited by NSO Group: most iMessage attachment types, link previews, FaceTime calls from unknown contacts, and several web browsing features.

Every journalist, activist, lawyer, and civil society representative who is a plausible target of state-sponsored surveillance should enable Lockdown Mode on all iOS devices. This is not an optional enhancement - it is a baseline requirement.

Organizations such as Human Rights Watch, Reporters Without Borders, and Community Media Network should adopt formal policies mandating Lockdown Mode for all staff devices used in high-risk operational environments.

The second control is an organizational protocol for responding to Apple threat notifications.

When a notification arrives, it should trigger immediate device submission for forensic analysis through Access Now's Digital Security Helpline or Citizen Lab, transition to a temporary clean device, and review of all sensitive communications conducted on the compromised device during the suspected infection window.

The notification is not an invitation to update and continue - it is evidence of active targeting that requires forensic response. Without this protocol, the notification is wasted.

The third control is physical separation of sensitive activities from mobile devices. Pegasus captures everything on the device - encrypted messages, drafts, source materials, GPS location, ambient audio.

Sensitive source communications, investigation planning, and legal advice should not occur on devices connected to mobile networks, even when using end-to-end encrypted applications.

Placing phones in Faraday bags or in a separate room during sensitive meetings provides meaningful protection against microphone activation.

Air-gapped computers for drafting sensitive documents, with manual transfer of non-sensitive outputs only, create a physical boundary that spyware cannot cross.

The fourth control is regular forensic device audits for all staff at organizations operating in Pegasus-target environments. The Mobile Verification Toolkit is publicly available and can be run against iOS device backups to detect indicators of Pegasus infection.

Quarterly forensic audits for high-risk individuals, combined with immediate analysis when Apple threat notifications are received, transform detection from a reactive accident into a systematic practice.
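One way to make the quarterly audit systematic, shown as an added example that is not part of the original article or of MVT itself: a Python script that triages a folder of per-device MVT output directories. It assumes MVT's output layout of one `<module>.json` per module plus a `<module>_detected.json` only when records matched an indicator; the device folder names and sample records are constructed.

```python
import json
import tempfile
from pathlib import Path

SUFFIX = "_detected.json"


def triage_device(output_dir: Path) -> dict:
    """Classify one device's MVT output folder.

    Assumption: MVT writes <module>.json for each module it ran and adds
    <module>_detected.json only when records matched a loaded indicator.
    """
    hits, unreadable = {}, []
    for path in sorted(output_dir.glob("*" + SUFFIX)):
        module = path.name[: -len(SUFFIX)]
        try:
            records = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            unreadable.append(path.name)  # fail closed: a human must look
            continue
        count = len(records) if isinstance(records, list) else 1
        if count:
            hits[module] = count
    ran = [p for p in output_dir.glob("*.json") if not p.name.endswith(SUFFIX)]
    if hits or unreadable:
        status = "ESCALATE"      # hand the device to a forensic helpline
    elif not ran:
        status = "INCOMPLETE"    # no module output: the check never ran
    else:
        status = "NO_MATCH"      # no known indicator matched; not proof of clean
    return {"device": output_dir.name, "status": status,
            "hits": hits, "unreadable": unreadable}


def triage_audit(audit_root: Path) -> list:
    """Triage every per-device folder under the audit root, sorted by name."""
    return [triage_device(d) for d in sorted(audit_root.iterdir()) if d.is_dir()]


def build_sample_audit(root: Path) -> None:
    """Write constructed sample folders (hypothetical names, not real MVT output)."""
    a = root / "device-a"
    a.mkdir()
    (a / "sms.json").write_text(json.dumps([{"text": "constructed record"}]))
    (a / "sms_detected.json").write_text(json.dumps([{"text": "constructed record"}]))
    b = root / "device-b"
    b.mkdir()
    (b / "safari_history.json").write_text("[]")
    (root / "device-c").mkdir()  # backup was never checked


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_audit(Path(tmp))
        for row in triage_audit(Path(tmp)):
            print(f"{row['device']}: {row['status']} {row['hits'] or ''}")
```

A `NO_MATCH` result means only that no known indicator matched, so devices whose owners received an Apple threat notification still go to forensic analysis regardless of this output.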

The fifth control is policy advocacy: Jordan must establish a judicial authorization requirement for all electronic surveillance, an independent oversight body to audit surveillance tool deployments, and a data protection authority with the mandate to investigate state use of commercial spyware.

Without these institutional mechanisms, the constitutional privacy guarantee in Article 18 remains declaratory - a right on paper that provides no protection in practice.
