Who Made the Spyware Used to Hack Jeff Bezos’ Phone?

Experts are debating who helped Saudi Arabia hack the phone of the richest man on Earth.
Image: David Ryder/Getty Images

The United Nations is at odds with the world’s most notorious spyware company over an age-old question: Who built the tech that hacked Amazon CEO Jeff Bezos’s cell phone, allegedly by sending him a poisoned WhatsApp message from the Crown Prince of Saudi Arabia?

A new statement from a UN team investigating the assassination of Saudi journalist Jamal Khashoggi says they believe Bezos “was subjected to intrusive surveillance via hacking of his phone as a result of actions attributable to the WhatsApp account used by Crown Prince Mohammed bin Salman.”


Bezos has a conflicted relationship with the Saudi royal family. As the owner of the Washington Post, he’s called for justice for Khashoggi, who wrote for the paper, and who was assassinated by Saudi agents the CIA believes were acting on bin Salman’s orders, though bin Salman denies involvement.

We do know that Saudi Arabia uses software created by NSO Group, a notorious Israeli company that leases spyware to governments. Ostensibly, that software is designed for tracking criminal groups and terrorists, though in practice it’s been repeatedly used against journalists and dissidents.

In its statement, the UN released a timeline that had Bezos and bin Salman dining together on April 4, 2018, and exchanging phone numbers that correspond to their WhatsApp accounts. Four weeks later, bin Salman’s account messaged Bezos with a video, which “infects Mr. Bezos’ phone with malicious code,” the UN said.

In November, that account messaged Bezos with a photo of a woman that the UN described as “resembling [Laura Sanchez], the woman with whom Bezos is having an affair, months before the Bezos affair was known publicly.” In February 2019, after the National Enquirer acquired some of Bezos’s texts and photos—the source of which still isn’t completely clear—Bezos went public with a candid Medium post, explaining that he was the victim of “extortion and blackmail.” The next month, Bezos’s own hired investigator wrote in an opinion column at the Daily Beast that the scandal originated from the fact “that the Saudis had access to Bezos’ phone, and gained private information.”


What’s still unclear is who provided the method to hack Bezos’s phone. The UN cites a forensics report created by FTI Consulting and obtained by Motherboard, as well as other experts. An FTI spokesperson declined to comment for this story, saying “We do not comment on, confirm or deny client engagements or potential engagements.”

Citing its experts, the UN noted that the culprit was likely one of the two of the most notorious spyware companies in the world. “The most likely explanation for the anomalous data egress was use of mobile spyware such as NSO Group’s Pegasus or, less likely, Hacking Team’s Galileo, that can hook into legitimate applications to bypass detection and obfuscate activity,” it found.

But confirming that is tricky. In an initial statement sent to Motherboard, NSO initially denied any involvement, in part by insisting its software by design can’t be used to target US numbers, and threatened legal action against “any suggestion” that it was involved. In a subsequent statement published to its website, NSO wrote that it is “shocked and appalled by the story” and that it’s “happy to engage with the UN, Mr. Bezos or any other body in trying to fully understand these issues.”

In the past, NSO has made misleading public statements. But nothing in the UN’s statement or FTI’s report ties Bezos’s hack to NSO. And FTI never contacted WhatsApp for its investigation, a source with direct knowledge of the situation told Motherboard. That’s surprising, because WhatsApp is no fan of the spyware company: in October, it became the first American tech company to sue NSO over its alleged abuse of its platform.

The other option it names, Italy’s Hacking Team, sold spyware to some of the most repressive countries in the world. But it has lost its public presence—its own website no longer even loads. As Motherboard reported in 2018, it received an investment, seemingly from an investor with ties to the Saudi government, but is otherwise off the grid. Saud Al-Qahtani, a royal advisor for Saudi Arabia who specializes in online surveillance, was directly in contact with Hacking Team back in 2015. Al-Qahtani was well-known on hacking forums and was suspected of shopping around for hacking tools. At this point, it’s hard to say whether either Hacking Team or NSO Group had anything to do with this hack without more information.

Regardless of who created the software that hacked Bezos's phone, how those texts would have gone from a spyware creator to potentially the Saudi government to the National Enquierer is still a mystery.

Update 3:07 p.m.: Hacking Team has been purchased and rebuilt by Memento Labs, which didn't immediately respond to a request for comment.