Moroccan Intelligence Whistleblower Confirms Pegasus Spyware Deployed Against Journalists, Politicians Since 2017

Jul 16, 2026 | Whistleblowers & Dissidents

Morocco Pegasus spyware whistleblower

For years, the Kingdom of Morocco maintained a firm public position: it had no relationship with NSO Group, no connection to Pegasus spyware, and no program of digital surveillance targeting critics, journalists, or foreign officials. That position is now directly contradicted by a former insider from Morocco’s own domestic intelligence apparatus — and the evidence backing his account spans leaked documents, forensic analysis, and corroboration from multiple independent sources.

The Whistleblower and the Investigation

The source at the center of this disclosure is a former agent of Morocco’s Direction Générale de la Surveillance du Territoire (DGST) — the country’s domestic intelligence service — who worked within the agency for nearly a decade. Operating under the pseudonym “Safir,” the whistleblower’s testimony forms the foundation of a multi-year investigation led by Moroccan journalist Hicham Mansouri, himself a figure who has previously faced imprisonment in Morocco.

The investigation expanded into a coordinated international effort managed by Forbidden Stories, a nonprofit organization that continues the work of journalists who face censorship or persecution. The resulting consortium comprises 14 media organizations, including Le Monde, Haaretz, El Confidencial, Die Zeit, and The Guardian, with technical forensic support provided by Amnesty International’s Security Lab. Two additional former Moroccan intelligence agents provided information and corroborated key details of Safir’s account.

The consortium’s findings draw on a wide range of material: leaked emails, targeting records linked to Pegasus and other spyware tools, internal training documents, and testimony from individuals who say they were surveilled. Safir’s account is specifically corroborated by the Pegasus Project dataset — the same leaked database of approximately 50,000 phone numbers at the center of the landmark 2021 global investigation — which has been forensically analyzed by Amnesty International’s Security Lab.

The Rabat Demonstration That Changed Morocco’s Surveillance Capabilities

According to information gathered by the consortium, the formal introduction of Pegasus to Morocco’s intelligence community occurred in 2017, when NSO Group representatives traveled to Rabat to give senior Moroccan intelligence officers and technical personnel a detailed demonstration of the software’s capabilities. The demonstration reportedly took place at a villa known internally as “the FSSYS villa,” named after FSSYS Maroc — then the Moroccan branch of a UAE-based surveillance intermediary called al-Fahad, which reportedly used the property regularly for technology showcases.

During that demonstration, NSO representatives are said to have remotely infected a series of test phones in real time — activating cameras, switching on microphones, and accessing stored data and messages. The source told investigators that those present immediately recognized the software’s “revolutionary” potential, specifically because Pegasus’s remote-infection capability meant operators would no longer need physical access to a target’s device.

The use of a private intermediary company for procurement is itself notable. According to Safir’s account — confirmed by a second intelligence source — Morocco’s intelligence agency deliberately routed the acquisition of Pegasus through this intermediary in order to avoid creating a direct paper trail connecting the DGST to NSO Group.

What Pegasus Can Do

Understanding the significance of these disclosures requires understanding what Pegasus actually is. Developed by the Israeli cyber-arms company NSO Group and first publicly analyzed in August 2016 by Citizen Lab and Lookout Security, Pegasus is designed to be covertly and remotely installed on smartphones running both iOS and Android operating systems — without requiring any action from the device’s owner.

Once deployed, Pegasus provides its operator with comprehensive access to the infected device. This includes the ability to read text messages and emails, monitor calls, collect passwords through keystroke logging, track the device’s location, access photographs and files, harvest data from installed applications, and activate both the microphone and camera — effectively converting any smartphone into a covert listening and recording device.

NSO Group markets Pegasus exclusively as a tool for government use in combating terrorism and serious crime. The company states that export licenses for the software are strictly controlled by the Israeli Ministry of Defense, and that it sells only to vetted government clients. The company has maintained this position consistently across multiple investigations and legal challenges.

The Targets: Journalists, Activists, and Foreign Officials

According to the consortium’s investigation, Morocco’s use of Pegasus beginning in 2017 extended across a four-year period and encompassed both domestic and foreign targets. Among those reportedly in the crosshairs were Moroccan journalists and human rights defenders operating inside the country — individuals whose work involves scrutinizing state conduct.

The reach of the alleged surveillance did not stop at Morocco’s borders. The investigation points to targeting of French politicians and Spanish cabinet ministers and police officers — a finding with significant diplomatic implications. Morocco has long denied using Pegasus against critics at home or abroad, and has previously challenged journalists investigating NSO Group, asserting they were incapable of proving any relationship between Morocco and the company.

The consortium’s findings now place direct insider testimony alongside forensic digital evidence to challenge that denial on multiple fronts simultaneously.

A Pattern With Global Dimensions

Morocco’s alleged use of Pegasus does not exist in isolation. The 2021 Pegasus Project investigation — which centered on a leaked list of some 50,000 phone numbers reportedly selected for targeting by Pegasus customers — drew in reporting from organizations across multiple continents and implicated governments in numerous countries. Subsequent investigations have documented alleged Pegasus deployments in Azerbaijan, among other nations.

The pattern that has emerged across these investigations reflects a recurring dynamic: a surveillance technology marketed for use against terrorists and criminals repeatedly surfaces in contexts involving journalists, dissidents, lawyers, and political figures. NSO Group has maintained throughout that misuse of its technology by clients is a violation of contractual terms, and that the company investigates credible allegations of abuse.

The broader question raised by the Morocco disclosure — and by the Pegasus Project as a whole — concerns the systemic architecture that makes such surveillance possible: export licensing by a national defense ministry, acquisition through private intermediaries designed to obscure procurement trails, and the inherent invisibility of zero-click infection methods that leave targets with no indication their device has been compromised.

What the Insider’s Account Adds

What distinguishes the current disclosures from earlier reporting on Morocco and Pegasus is the insider dimension. Previous investigations relied on forensic analysis of devices and leaked datasets. The addition of a former DGST agent willing to describe the internal decision-making process — how the technology was introduced, how acquisition was structured to avoid documentation, and how it was subsequently deployed — provides a layer of institutional detail that forensic analysis alone cannot supply.

Two additional former intelligence agents corroborated aspects of Safir’s account, lending additional weight to a testimony that Morocco has had no opportunity to formally address at the time of this publication.

The investigation represents one of the most detailed public accountings to date of how a state intelligence service adopted and operationalized commercial spyware — from the initial sales demonstration in a Rabat villa to a multi-year targeting program spanning domestic dissidents and the officials of allied and neighboring governments alike.

This article draws on reporting from The Guardian, OCCRP / The Pegasus Project, and Wikipedia: Pegasus (spyware).

Related Posts

David Wilcock Dead at 53 in Apparent Suicide — 48 Hours After Livestream Warning About Missing Scientists

David Wilcock Dead at 53 in Apparent Suicide — 48 Hours After Livestream Warning About Missing Scientists

UFO researcher David Wilcock was found dead April 20, 2026 near Nederland, Colorado in what Boulder County deputies are calling a self-inflicted gunshot. Less than 48 hours earlier, Wilcock livestreamed a three-and-a-half-hour show thanking his audience, warning that scientists are going missing, and saying he would keep going.

read more