Politics
Morocco Pegasus revelations put spyware regulation back on the policy docket
A new whistleblower-backed investigation into Morocco’s alleged Pegasus use shows why commercial spyware remains a hard test for export controls, platform security and democratic oversight.

A new whistleblower-backed investigation into Morocco’s alleged use of Pegasus spyware has reopened the central policy question that governments have spent years trying to dodge: whether commercial hacking tools can be regulated like ordinary security exports when their real-world use can reach ministers, journalists, dissidents and police officials across borders.
The reporting, published Thursday by the Guardian as part of a Forbidden Stories-coordinated consortium, says a former member of Morocco’s domestic intelligence service described how the Direction Générale de la Surveillance du Territoire began using Pegasus in 2017 and deployed it over four years against domestic and foreign targets. The investigation says the account was supported by leaked material, targeting records, victims’ testimony, training material and technical analysis by Amnesty International’s Security Lab.
Morocco has repeatedly denied using Pegasus against critics or foreign officials. NSO Group, the Israel-based maker of Pegasus, has long said it sells the tool only to governments for lawful investigations into terrorism and serious crime. Those denials now sit beside a more detailed claim about procurement, training and operational use: according to the Guardian’s report, NSO representatives demonstrated Pegasus to Moroccan intelligence officers and technical experts in Rabat in 2017, showing how phones could be remotely infected and their cameras, microphones, messages and data accessed.
That is why this is not just another spyware scandal. It is a test of the regulatory model around offensive cyber tools.
Pegasus is not a normal app, and its policy problem is not mainly that it is “private sector” software. The issue is that it packages state-grade intrusion capability into a product sold through a commercial chain, often with intermediaries, licensing, support and opaque end-user controls. A government buyer does not need to build a zero-click exploit team from scratch if a vendor can provide a platform that compromises phones, extracts communications and turns a device into a sensor.
The Guardian report says the whistleblower described Pegasus as the “monster’s weapon,” used for high-value targets after cheaper methods were exhausted. That phrase is blunt, but it captures the regulatory gap: the most intrusive systems are treated as exceptional in public debate, while in procurement they can become another line item in a security-service toolkit.
The newest allegations also matter because the reported targeting crossed borders. The consortium says Pegasus Project records show more than 200 Spanish mobile numbers were selected for targeting by a user believed to be Morocco. Spain said in 2022 that the phones of Prime Minister Pedro Sánchez and Defense Minister Margarita Robles had been infected with Pegasus in 2021. The Guardian reports that later material, including court documents, points to an attacker account assigned to Morocco’s Pegasus system that was also used to target senior Spanish politicians.
Spanish courts have struggled to complete the accountability loop. According to the Guardian, an investigating judge shelved the Spanish inquiry again in January, citing a lack of cooperation from Israeli authorities, including failure to respond to a request to take a statement from NSO’s chief executive. That is the enforcement problem in one sentence: the target may be in one country, the alleged operator in another, the vendor in a third and the evidence dependent on highly technical device forensics.
Europe has not ignored the issue. The European Union’s 2021 dual-use regulation explicitly covers export controls for cyber-surveillance items and says authorities should consider the risk that such tools may be used for internal repression or serious human-rights violations. The European Parliament’s Pegasus inquiry later called for tighter spyware controls after examining alleged abuses involving Pegasus and equivalent surveillance software.
But Thursday’s reporting shows why written controls have not ended the market. Export-control systems are built around licensing decisions, end-use declarations and government-to-government enforcement. Spyware abuse can be easier to deny than to prove, especially when the best evidence is buried in mobile logs, infrastructure traces, leaked targeting records or closed court files. The product is designed not only to break into a phone, but to make accountability technically and diplomatically expensive.
The technical record is stronger than it was five years ago. Amnesty International’s 2021 forensic methodology report described indicators left by Pegasus infections, including traces from zero-click attacks that required no action from the target. Citizen Lab separately peer-reviewed Amnesty’s methods and said the core methodology for identifying Pegasus infections was sound. That matters because spyware investigations often begin with the same predictable counterattack: the target is political, the evidence is too technical, and the finding is therefore framed as speculation. Independent forensic methods have made that defense harder.
Still, stronger forensics do not automatically create stronger law. A journalist can publish evidence. A lab can validate infections. A parliament can hold hearings. None of that by itself forces a vendor to disclose customers, a government to admit targeting, or an export authority to explain why a license was granted.
For technology companies, this is also a platform-security story. Pegasus abuses vulnerabilities in the same mobile ecosystems used by billions of people. Apple and Google can harden devices, ship emergency patches and notify targeted users, but they cannot regulate the foreign-policy incentives that make governments want these tools. Device security can raise the cost of intrusion. It cannot decide who gets to buy a commercial exploit platform.
That is why the policy response has to be more specific than a broad call to “ban spyware.” Governments do have legitimate needs for lawful interception and targeted hacking in serious criminal investigations. The question is whether the commercial market can be constrained with rules that are visible, enforceable and tied to individual accountability. That means export licensing with real human-rights due diligence, public reporting where possible, penalties for vendors that misrepresent end use, and procurement rules that keep agencies from buying through cutouts when direct purchase would draw scrutiny.
It also means treating transnational targeting as a diplomatic and legal harm, not a private dispute between a phone owner and a vendor. If cabinet ministers, journalists or rights defenders in one country are targeted by a tool operated from another, the response cannot be limited to patch notes and after-the-fact notifications. It needs court cooperation, vendor records and consequences for agencies that refuse oversight.
The Morocco allegations are still allegations, and the named governments and companies are entitled to respond. But the public record around Pegasus is now too large to treat each new case as an isolated breach. The policy pattern is visible: surveillance tools move through a global market faster than oversight systems move through courts, parliaments and export agencies.
Thursday’s investigation puts that pattern back in front of regulators. The issue is not whether Pegasus is powerful. That has been clear for years. The issue is whether democratic oversight can catch up to a market built around making phones, people and borders easier to penetrate than the rules meant to protect them.
Sources
- The Guardian: Moroccan intelligence insider reveals widespread use of Pegasus hacking software
- Amnesty International: Forensic Methodology Report — How to catch NSO Group’s Pegasus
- Citizen Lab: Independent peer review of Amnesty International’s forensic methods for identifying Pegasus spyware
- EUR-Lex: Regulation (EU) 2021/821 on dual-use export controls
- European Parliament: Recommendation following the investigation of Pegasus and equivalent surveillance spyware
Shadowfetch is a technology publication. Explore Shadowfetch Linux — our own Linux build — and the Shadowfetch apps on the App Store.
Sources
- The Guardian: Moroccan intelligence insider reveals widespread use of Pegasus hacking software
- Citizen Lab: Independent peer review of Amnesty International’s forensic methods for identifying Pegasus spyware
The article says the reporting relied on a whistleblower account supported by leaked material, targeting records, victims’ testimony, training material and technical analysis, alongside named public reports and regulations.
Evidence types: whistleblower account, leaked material, targeting records, victims’ testimony, training material, technical analysis
Links verified
See a problem in this story? Report an error · Corrections policy · Our methodology
The Daily Newsletter
One morning email: the day’s biggest technology stories — AI, new devices, and the companies shaping them.
Related coverage
politicsTwelve states just turned the Paramount-Warner fight into a tech antitrust case
Kimmy Conner ·
politicsAI’s Next Washington Fight Is Not Whether to Regulate. It Is Who Gets the Clock.
Layla Mansoor ·
politicsEurope’s AI disclosure rules are about to leave the policy seminar and hit the product screen
Kimmy Conner ·
