GeckoSpy: Pegasus Spyware Used Against Thailand’s Pro-Democracy Movement


August 17, 2022

By John Scott-Railton, Bill Marczak, Irene Poetranto, Bahr Abdul Razzak, Sutawan Chanprasert, Ron Deibert

Key Findings

In this report, we detail our discovery of an extensive espionage campaign targeting Thai pro-democracy protesters and activists. Through careful forensic methods, we confirm that at least 30 individuals’ phones were hacked with NSO Group’s Pegasus spyware. The hacking took place between October 2020 and November 2021, a period of time coinciding with intense pro-democracy protests in Thailand.

All the infections involved the use of two different “zero-click” versions of Pegasus, which require no interaction with the victim and allow a government operator to silently and remotely hack a device in ways that are nearly impossible for a user to detect. Once a device is infected with Pegasus, an operator can turn on the camera and microphone, intercept all text messages, read emails, track location, review contacts, history and archived photos, and much more.

In November 2021, coinciding with its announcement of a lawsuit against NSO Group, Apple started to send notifications worldwide to victims of Pegasus infections, including in Thailand. Our investigation began after several Thai activists received these notifications and reached out to us and other civil society partners. (More on Apple’s notifications below.)

Under an approved research ethics protocol from the University of Toronto, we checked forensic artifacts shared by individuals who received a notification from Apple. Then, with the support of Thai NGOs iLaw and DigitalReach, we worked with victims to solicit forensic artifacts from their contacts, and then checked those.