Spain’s High Court has ordered the reopening of an investigation into the Pegasus affair, involving the alleged hacking with Pegasus spyware of the phones of Prime Minister Pedro Sánchez and several government ministers.
The case has been something of a political scandal for Sánchez. Under his government, Spain has been at its weakest in its always tense and complicated relations with Morocco, the country suspected of placing the spyware on the PM’s phone. If Morocco is indeed behind the hacking, which resulted in a data catch as large as thousands of documents, the Muslim country now possesses seriously compromising information about the politician. In a worst-case scenario, Morocco could now be blackmailing Spain through Sánchez.
The investigation was launched in 2022 but then closed in 2023 when investigators hit a dead end largely because Israel—where the corporate home of Pegasus is based—refused to cooperate. Pegasus, which stealthily infects mobile phones and is able to listen in on phone calls, control smartphones’ microphones, and steal documents, is a product of the Israeli NSO group startup. The company needs the permission of the Israeli defense ministry for every sale it makes and, in theory, the product is only sold to democratic governments and should be used to solve crimes or protect citizens against terrorism, not for espionage or political gain.
However, in 2021, journalists revealed the wide use of the Pegasus and similar software against politicians, activists and reporters. French politicians, including President Emanuel Macron, have also been victims of Pegasus hacks. In both the cases, Morocco is suspected of the spying, but investigators have yet to be able to draw any clear conclusions.
A Spanish judge reactivated the investigation after receiving a European Investigation Order (OEI) from French authorities. The French order asks for Spain’s cooperation with the French investigation, but the intel provided by France could help enlighten Spanish investigators as well. With the additional information from the French authorities, Spain will have another line of investigation to follow that warrants reopening the case—according to Judge José Luis Calama’s resolution.
He explained in the ruling that French investigators determined that each service that used the Pegasus software created an infrastructure that could be used to trap multiple numbers.
“It is therefore possible to establish comparisons between the clues found on the different infested phones to identify a single source of infestation,” he wrote.
Additionally, the French file sent to Spain includes “indicators of compromise” (IOCs), data that can indicate a system has been hacked, but that may also include IP addresses, domain names, malicious files, network traffic patterns, and anomalous user behavior. All that information can provide clues about who and where the hackers are.
As the Spanish court explained on Tuesday, “comparing the technical elements gathered in the French investigation” with the one in Spain “may enable the investigation to progress … to trace the origin of the piracy.”
