WhatsApp chief weighs in on Pegasus spyware investigation

Details: The Pegasus Project worked from a leaked list of 50,000 phone numbers that, its members concluded, represented likely targets of surveillance by NSO's Pegasus product. NSO says the investigation is wrong and such a list of phone numbers can't exist.

• "There should not be a list like this at all anywhere. Our customers have an average of 100 targets a year," NSO told the BBC. "Since the beginning of the company, we didn't have 50,000 targets total."

Yes, but: In an interview in the Guardian, Will Cathcart, the head of Facebook-owned WhatsApp, said the Pegasus Project reports matched what WhatsApp found when it investigated a single 2019 attack and found 1400 users were hit.

• "That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high,” Cathcart told the Guardian.

The other side: NSO says its smartphone-hacking tools are used only by governments, armed forces, and intelligence and law enforcement agencies, and if its tools were abused, its customers are at fault.

Go deeper:

• In 2019 Axios reported NSO was implementing a new set of human rights protections it claimed would prevent abuse of Pegasus.

• Axios' Dan Primack looks at the series of private-equity funders who have backed NSO.
• For a thorough look at the issues and questions surrounding the list of phone numbers at the heart of the Pegasus Project investigation, read this article by cybersecurity journalist and Zero Day newsletter author Kim Zetter.