Whistleblower Reveals Morocco Used Pegasus Spyware to Target Journalists, Activists and Spanish Officials
Whistleblower says Morocco used Pegasus spyware to monitor journalists, human rights defenders and Spanish officials, citing leaked data and internal records.
Whistleblower provides inside account of Moroccan intelligence use of Pegasus
A former Moroccan intelligence officer, using the pseudonym Safir, has told investigators that Morocco deployed Pegasus spyware against a wide range of targets. The account was published on Thursday in an investigation led by Forbidden Stories with Amnesty International and 13 media partners. Safir said he witnessed the introduction of Pegasus into the Direction Générale de la Surveillance du Territoire (DGST) and its operational use against perceived critics and foreign officials.
Safir, who worked at the DGST for nearly a decade, described both technical and organisational aspects of Morocco’s engagement with the Israeli-made tool. His testimony was paired with emails, targeting logs, internal training material and data analysed by Amnesty’s Security Lab. Those corroborating materials form the backbone of the investigation’s findings.
Investigation cites leaked records and victim testimony
The consortium’s report relies on multiple forms of evidence, including leaked targeting records and communications that the investigators say show how Pegasus was deployed. Victims’ testimony and internal documents were also analysed to map who was targeted and how the operations were carried out. Amnesty International’s Security Lab conducted forensic analysis of leaked data that the report says matches signatures of known Pegasus activity.
Investigative partners told readers that the documentation included evidence linking particular operations to Moroccan users and to the technical footprint of NSO Group’s product. The combined material is presented as a corroboration of Safir’s account, rather than solely relying on his recollection.
Pegasus introduced at Rabat villa in 2017, according to whistleblower
Safir said the spyware was first presented to Moroccan intelligence in 2017 at a luxury villa in Rabat known informally as the “FSSYS villa.” He described a detailed presentation by representatives of NSO Group to senior DGST officers and technical staff. The event, he told investigators, marked the beginning of Morocco’s formal relationship with the Pegasus platform.
Following that introduction, the report indicates that DGST personnel were trained and advised on operational use. Safir told investigators that Pegasus was treated as a high-cost, high-capability tool reserved for specific cases after cheaper surveillance methods had failed.
Targets included journalists, human rights defenders and Spanish officials
According to the leaked data and testimonies, Moroccan journalists and human rights activists were among the earliest targets. The report names Sahrawi activist Aminatou Haidar and Spanish journalist Ignacio Cembrero as examples, and it says more than 200 Spanish mobile numbers were flagged for potential targeting by a user believed to be Moroccan. Senior Spanish political and security figures, including the defence minister Margarita Robles and interior minister Fernando Grande-Marlaska, are also listed among those targeted.
The investigation further alleges that the DGST used Pegasus against Spanish Guardia Civil officers who visited Morocco for counter-terrorism cooperation, despite diplomatic ties and the officers’ own security precautions. Sources in the Spanish security services told investigators they had not expected an ally to conduct such surveillance.
Allegations of UAE role and redistribution of access
Safir suggested to investigators that the initial Pegasus access may have been provided to Morocco through intermediaries linked to the United Arab Emirates. He described the arrangement in practical terms, saying the Emiratis bought costly access and redistributed it to allied services. The report identifies the villa as associated with FSSYS Maroc, described as the Moroccan branch of an Emirati surveillance intermediary.
Investigators noted that the expense of Pegasus meant that Moroccan intelligence often used lower-cost methods before escalating to the spyware platform. Those techniques, Safir said, included physical interception, infecting devices through third-party sales and targeting internet café terminals.
Apparent pause in known deployments after late 2021
The investigation states that there are no traces of Moroccan Pegasus deployments after late 2021, a timeline that aligns with external pressure on NSO Group and regulatory actions. The report highlights that the United States placed NSO Group on a trade blacklist in 2021, and that Israeli authorities later curbed exports of certain cyber-surveillance tools to a list of countries that investigators say included Morocco and the UAE.
Sources involved in the consortium’s reporting suggested those policy moves and international scrutiny coincided with a cooling of overt Pegasus operations attributed to Morocco. The report does not establish whether alternative tools or covert channels replaced the documented use of Pegasus.
A final paragraph without a section title
The investigation adds a new chapter to longstanding allegations about the global proliferation of commercial spyware, placing Morocco’s alleged use of Pegasus in a broader pattern that implicates private vendors, regional intermediaries and state intelligence services. Governments and civil society groups have said the disclosures underline the need for clearer export controls and stronger oversight of how intrusive surveillance tools are sold and used.