At least 30 Thai citizens were targeted by the Pegasus phone-hacking software between October 2020 and November 2021, according to a forensic report by the Canadian digital rights organization CitizenLab and Thai NGOs iLaw and DigitalReach. The victims included prominent pro-democracy protesters and their lawyers and supporters. The hack is the latest in a string of documented uses of Pegasus against civil society figures.

NSO Group says that it sells its technology only to governments and law enforcement agencies — meaning that the most likely perpetrator of the hacks is the elected Thai government, CitizenLab said.

Some of the victims were first alerted to the possible hacks of their devices in November 2021, when Apple pinged their phones, warning that they may have been the target of state-sponsored attacks. In the report, corroborated by Amnesty International’s tech initiative, Amnesty Tech, CitizenLab performed forensic analysis of the devices to confirm the hacks were perpetrated using Pegasus, a sophisticated tool developed by the cyberarms-maker NSO Group, an Israeli company that was blacklisted by the U.S. government last year. 

CitizenLab’s report noted that many targets were, predictably, leaders of civil society groups. But even individuals with supporting roles were targeted.

Those targeted by Pegasus included prominent pro-democracy activists from FreeYouth, United Front of Thammasat and Demonstration (UFTD), and We Volunteer (WeVo) as well as their lawyers and supporters, who were targeted during a period of widespread pro-democracy protests. An anti-government rapper, Dechathorn “Hockhacker” Bamrungmuang; a famous Thai actress, Intira Charoenpura; and a political science professor, Prajak Kongkirati, were also among those attacked.

Thailand’s current administration took power through democratic elections in 2019, but many of its members — including the prime minister — are drawn from the military junta that displaced the previous elected government in 2014. Thousands of Thai people took to the streets in waves of protest, and dissent has blossomed online in the form of taboo-breaking mockery of the royal family. The authorities have arrested dozens of protesters on charges of sedition, insulting the monarchy (lèse-majesté), and under a loosely worded “computer-related crimes” law.

CitizenLab’s report noted that many targets were, predictably, leaders of civil society groups. But even individuals with supporting roles were targeted. Lawyers for civil society groups were caught in the net, too, along with fundraisers. Niraphorn Onnkhaow, a donation manager for the UFTD and the group’s Facebook page admin, was infected with Pegasus at least 12 times between February and June 2021.

The report speculates that the attack against Niraphorn may show that the perpetrator had attempted to gather information about how the movement was funded and organized. It could have been triggered by specific transactions that would have been known to financial institutions and the Thai government but not the public, the report said.

“This … shows that there is nonpublic knowledge going into the targeting, further reinforcing that this would have been part of a larger intelligence operation,” John Scott-Railton, a senior researcher at CitizenLab who co-wrote the report, told Rest of World.

“I can’t think of cases with rappers or actresses targeted with Pegasus,” Scott-Railton added.

Pegasus is uniquely able to infect an iOS or Android device even if the user doesn’t click on a compromised link. The user needs to only open a text or email link to unwittingly allow the software to download, which then gives the attacker unrestricted access to the target device, letting them see messages, emails, contacts, and photographs. CitizenLab found that Pegasus’ developers used zero-day exploits — previously unreported system vulnerabilities — including weaknesses in the iOS system dubbed Kismet and ForcedEntry, to infect phones in Thailand.

The same day that it notified victims of the hacks, Apple moved to sue NSO Group — the second company to do so after WhatsApp launched a suit in October 2019 alleging that the group hacked its server.

One of those startled awake by the ping was Yingcheep Atchanont, executive director of iLaw, a human rights NGO in Bangkok, and a defender in protest-related cases. CitizenLab researchers showed he was targeted by Pegasus six times in 2021.

Atchanont told Rest of World he hadn’t suspected a thing and isn’t entirely sure what the attackers were looking for — though he suspects it could be linked to rumors that his organization was funneling money from foreign donors to the protest groups. 

“Maybe the police or military are stupid enough to believe that conspiracy theory; maybe they want to look for more information on the budgeting issue, so they try to attack me,” he said. Atchanont thinks there could be many more infected who are using non-Apple devices and would never have received a warning.

Charoenpura, the outspoken actress known for her public support for the protests and a role in fundraising, never received a notification. She told Rest of World she had thought she was being watched, with plain-clothed authorities visiting her family’s coffee shop, so she moved away temporarily.

Months later, after hearing about other activists receiving notifications from Apple, Charoenpura suspected she might have been a victim. The investigation eventually showed that Charoenpura’s phone was repeatedly infected with Pegasus throughout April and June 2021. 

“Can you imagine? One time I encountered a stranger wandering and looking at my house, around 10 or 11 p.m. … With my phone infected, that [has] just raised my concern to the next level,” Charoenpura told Rest of World.

CitizenLab first observed a Pegasus operator in Thailand in May 2014, then in 2016, followed by 2018. From six years of tracking Pegasus spyware infections, including samples of Pegasus code collected from infected devices, and NSO Group’s infection and monitoring infrastructure, CitizenLab was able to identify Pegasus fingerprints associated with the installation of the spyware on the activists’ iPhones, the report showed. 

Civil society groups and global institutions have stepped up efforts to hold spyware companies like NSO Group accountable. In April, the European Parliament launched a committee to investigate the use of Pegasus in EU member states. In the U.S.,NSO Group has been put on the Department of Commerce’s blacklist, and major U.S. defense firm L3Harris just dropped its bid to acquire the company’s spyware. 

NSO Group’s debt valuation continued to drop in response to the souring public opinion and particularly to government action, like that of the U.S., Scott-Railton noted.

“What really counts is things that make investors realize that they stand to lose everything on investing in spyware and governmental action,” he said. “These things have meaningful impacts on the bottom line of spyware companies. And I think it is probably through that mechanism that we try to slow the global proliferation of this technology.”