Source: Spain is Customer of NSO Group

The Guardian and El Pais reported NSO Group's malware was used to target prominent politicians in Spain. Now a former employee says that Spain has been an NSO Group customer.

The cellphones of several politicians in Spain, including that of the president of one of the country’s autonomous regional parliaments, were targeted with spyware made by NSO Group, an Israeli company that sells surveillance and hacking tools to governments around the world, according to The Guardian and El Pais. Motherboard confirmed the specifics with security researchers who investigated the attempted hack and a Facebook employee who has knowledge of the case.


A former NSO employee has told Motherboard that the Spanish government has been an NSO customer since 2015.

"We were actually very proud of them as a customer," the former employee said. "Finally a European state." Motherboard granted the source anonymity to protect them from retaliation from the company.

We cannot confirm whether these specific attempted hacks were directed by the Spanish government, though one of the politicians targeted believes the Spanish government is behind the attack.


On Monday, the media outlets revealed that someone tried to hack the cellphone of Roger Torrent, the President of the Parliament of Catalonia, using a flaw in WhatsApp that was discovered last year. The Parliament of Catalonia governs Barcelona and the surrounding region, which has recently attempted to become independent from Spain.

Carles Puigdemont, a member of the European Parliament and the former president of Catalonia, condemned the hacking attempt, and implied that the Spanish government targeted Torrent. If that's the case, this would be the first known case of a European government using this type of technology against politicians inside Europe.


"Spain has been using authoritarian methods for a while. I myself had a tracking device on my car which is being investigated by the Belgian authorities,” Puigdemont told Motherboard in an email. “The EU cannot wait anymore to act, we have new proofs every day that the rule of law in Spain is totally wrecked."

"It is not the first time that accusations of spying on political opponents emerge in Spain. In 2009 there was a spying scandal within the center-right Popular Party. In 2012, Catalan lawmakers have accused the Spanish government of espionage,” Mathias Vermeulen, a former aide for a member of the European Parliament who focused on surveillance tech issues, told Motherboard. “But using extraordinary tools like Pegasus against democratically elected politicians is a first in Europe and should be immediately investigated."


Citizen Lab, a research group that has investigated government spyware for a decade, said it could not definitively confirm who actually deployed the NSO spyware.

“Although we can positively verify that Mr. Torrent’s phone was targeted by NSO’s spyware, we are unable to determine by whom,” said Ronald Deibert, the director of the Citizen Lab. A Facebook employee confirmed to Motherboard that Torrent was targeted with NSO spyware on WhatsApp. The employee spoke on condition of anonymity because they were not authorized to talk to the press.


“This is a case where we would infer the customer is Spain but I don't have hard evidence,” said a security researcher who has investigated previous cases of hacks done with NSO spyware. The researcher asked to remain anonymous because he wasn’t allowed to speak to the press.

The former NSO employee said Spain had access to a 0-click version of NSO's Pegasus product. Pegasus is the suite of tools that lets customers remotely break into and surveil phones.

Beyond domestic use, the former employee added that the Spanish customer had a number of different territories unlocked for deploying Pegasus in, including France, Malta, and Mexico. NSO prices its Pegasus product based on how many countries or areas the client is able to hack phones in.

The client also bought products from Circles, another surveillance company related to NSO, the former employee said. Circles focuses on products that exploit the SS7 network and protocol, and which can be used to track the location of phones.

The former employee added that the sale related to a central intelligence agency of Spain. The CNI, or National Intelligence Centre, is Spain’s intelligence agency.

Two NSO executives and a company spokesperson declined to comment on whether the Spanish government was one of their customers. In a statement sent to reporters, NSO said that “Due to the confidentiality constraints, we cannot confirm or deny which such authorities use our Technology.”



“We are appreciative that this matter has been brought to our attention. In line with our Human Rights Policy we take our responsibilities seriously and if warranted, will initiate an investigation,” the statement read. “We will cooperate with any competent authority investigation if initiated, in parallel to our internal procedures.”

The CNI used to be a customer of Hacking Team, the infamous Italian spyware company that dominated the market in the 2000s. In fact, according to former employees of Hacking Team as well as leaked documents published after the company was hacked in 2015, the CNI became Hacking Team’s first customer outside of Italy after the terrorist attack in Madrid on March 11, 2004.

The CNI and the Spanish government did not respond to a request for comment.

The Spanish prime minister’s office told the Guardian that “the government has no evidence that the speaker of the Catalan parliament, Roger Torrent, the former MP Anna Gabriel and the activist Jordi Domingo have been the targets of hacking via their mobiles."

"Furthermore, we must state that any operation involving a mobile phone is always conducted in accordance with the relevant judicial authorisation."

Update: This piece has been updated to include more information from the former NSO Group employee.
