The Pegasus Files: How NSO Spyware Reached 50,000 Phones
April twenty-second, 2018. Dubai International Airport. A detention room.

A 51-year-old woman named Hanan Elatr is being held by United Arab Emirates authorities. She is a flight attendant — a senior supervisor at a major international airline. She is also the wife of a Saudi journalist named Jamal Khashoggi.

Her devices have been taken into official custody. Her phones are sitting on a desk, somewhere out of her sight, in the possession of UAE security personnel.

At 10:14 in the morning, an unidentified UAE official picks up one of her Android phones. The official opens the Chrome browser. The official types a URL into the address bar — fumbling over the small keys, making two typos along the way, then pressing go.

The address is a Pegasus infection link. The website was constructed specifically for the UAE government's NSO Group account. It exists for one purpose: to silently install surveillance software on a target's phone.

Over the next forty seconds, the phone sends twenty-seven status reports back to the UAE operator's server, updating the progress of installing the spyware.

The total compromise process takes seventy-two seconds.

Hanan Elatr does not know any of this is happening. She is in a separate room, being interrogated about her husband.

She will not learn what was done to her phone for another three years.

Six months later, on October second, 2018, Hanan Elatr's husband walks into the Saudi consulate in Istanbul to retrieve documents he needs for his upcoming wedding. His Turkish fiancée, Hatice Cengiz, waits outside.

He never comes out.

A fifteen-member squad of Saudi operatives, several closely connected to Crown Prince Mohammed bin Salman, has flown to Istanbul on two private jets that morning. They strangle him inside the consulate. They dismember his body. They dispose of the remains, which have never been publicly recovered.

The Turkish government, which has secretly bugged the Saudi consulate, captures audio of the murder.

This case file is not about the assassination itself. That has been documented elsewhere.

This case file is about what was done in the months *before* he entered the consulate. About a piece of software developed by a small Israeli company. About the people who built it. About the governments that bought it. And about the institutional mechanism that, more than seven years later, has still not produced full accountability for what it has been used to do.

The software is called Pegasus.

The company is called NSO Group.

This is the case file.

NSO Group was founded in 2010 by three Israelis. Niv Karmi. Shalev Hulio. Omri Lavie. The company name is constructed from their initials.

All three were alumni of the Israel Defense Forces. Karmi had served in both military intelligence and the Mossad. Hulio served as a major in the IDF's Search and Rescue unit. The institutional lineage that mattered most ran through Unit 8200 — the elite signals intelligence unit of the IDF, often described as the foremost technical intelligence agency in the world.

Unit 8200 is the Israeli analog to the U.S. National Security Agency. Its alumni — variously estimated at tens of thousands of veterans by 2026 — have founded a substantial fraction of Israel's cybersecurity industry. NSO Group's research and development team has been described, in multiple sources, as composed almost entirely of former Unit 8200 personnel. The most elite Unit 8200 training program, called ARAM, accepts only a handful of recruits and trains them in advanced cyberweapons programming. NSO Group's most valuable employees are reportedly graduates of ARAM and similar elite programs.

The founders' public origin story, primarily as told by Hulio in numerous interviews, runs as follows.

In the late 2000s, Hulio and Lavie founded a company called CommuniTake. It provided remote phone troubleshooting for cellular operators — software that allowed support technicians to remotely access and operate customer phones to diagnose problems.

Around 2009, Hulio has said in subsequent interviews, an unnamed European intelligence agency contacted them. The agency had a problem. Encryption was making it impossible to read communications from targets they were lawfully authorized to surveil. The agency was interested in CommuniTake's remote-access technology. Could it be repurposed?

Hulio and Lavie recognized the opportunity. They brought in Niv Karmi for his Mossad and military intelligence background. In 2010, they founded NSO Group. The product they developed they named Pegasus.

The pricing structure of Pegasus, documented through court filings in subsequent litigation, was approximately as follows. Five hundred thousand U.S. dollars in setup fees. Six hundred and fifty thousand dollars per ten simultaneous target devices for iOS, similar pricing for Android. Unlimited targeting tiers up to approximately forty million dollars for full-spectrum government deployment.

These prices placed Pegasus within institutional reach of any national intelligence service. They explain why the customer base was exclusively governments.

The company's stated position, repeated in virtually every press response, was that Pegasus was sold only to vetted government customers for use in fighting terrorism and serious crime.

The actual customer behavior, documented by independent researchers over the following decade, was different.

Beginning in approximately 2016, a research group at the University of Toronto called Citizen Lab began documenting individual cases of Pegasus deployment. The principal investigator was a researcher named Bill Marczak. His methodology was forensic: when activists, journalists, or dissidents reported anomalous phone behavior, Marczak would conduct technical analysis of their devices, looking for indicators of Pegasus presence.

The case-by-case findings, accumulated over five years, established a pattern.

Mexico. The Mexican government had been one of NSO Group's earliest clients, signing a twenty-million-dollar contract in 2012. Citizen Lab subsequently identified Pegasus deployments against Mexican investigative journalists who had been reporting on government corruption, including reporters working on the disappearance of forty-three students in Iguala in 2014. One of the Mexican journalists targeted, Cecilio Pineda Birto, was assassinated by gunmen at a carwash in March 2017 — weeks after his phone number had been added to the Pegasus targeting list.

The United Arab Emirates. Documented use against women's rights activists, including Loujain al-Hathloul, who was abducted in 2018 and returned to Saudi Arabia for arrest and torture.

Bahrain. Pegasus deployed against journalists, human rights activists, and dissidents in violation of any reasonable definition of terrorism or serious crime.

Saudi Arabia. The most prolific user. Cases extending across years.

By summer 2018, Citizen Lab had documented compromises in Khashoggi's immediate circle.

Omar Abdulaziz, a Saudi dissident blogger living in exile in Canada, was Khashoggi's primary collaborator on Saudi opposition projects. The two men had been using WhatsApp to discuss plans to counter Saudi state social media propaganda. Abdulaziz's phone was infected with Pegasus in summer 2018. The infection was attributed by Citizen Lab, with high confidence, to an operator linked to Saudi Arabia's government and security services.

The Citizen Lab report on Abdulaziz was published on October first, 2018. One day later, Khashoggi entered the Saudi consulate in Istanbul.

The technical fact of the case is uncontested. For approximately four months before Khashoggi's murder, the Saudi government had real-time access to every WhatsApp message exchanged between him and his closest collaborator. Khashoggi believed his communications were private. They were not.

The forensic analysis of Hatice Cengiz's phone, conducted as part of the subsequent Pegasus Project investigation, confirmed that her phone, too, was compromised by Pegasus during the days surrounding the murder. She was waiting outside the consulate. Her communications were being read.

The forensic analysis of Hanan Elatr's phone, conducted by Bill Marczak and published by *The Washington Post* in December 2021, established that the seventy-two-second installation that had occurred in Dubai airport six months before the assassination had been a UAE government deployment of Pegasus, manually installed during her detention.

NSO Group's response to evidence of Pegasus's role in the Khashoggi case was consistent.

In March 2019, NSO Group CEO Shalev Hulio appeared on the U.S. television program 60 Minutes. The interviewer was Lesley Stahl. Hulio looked her in the eye. He said NSO had checked its records and confirmed that NSO technology had not been used on Khashoggi or his relatives. He said the company had nothing to do with what he called the horrible murder.

In July 2021, when the Pegasus Project investigation was published, Hulio repeated the denial. He told the Israeli technology publication Calcalist that NSO had checked and that Hanan Elatr was not a target. He said: there are no traces of Pegasus on her phone because she was not a target.

In December 2021, *The Washington Post* published Marczak's forensic analysis showing that Elatr's phone had in fact been targeted, manually, by a UAE operator. NSO's attorney Thomas Clare responded that the *Post*'s reporting was deeply flawed and that the technical details made no sense from a technical standpoint. He claimed Pegasus is installed only remotely, and that the manual installation described in the forensic analysis was therefore implausible.

The forensic record contradicted this. Marczak's analysis documented the specific sequence of typed characters, the URL constructed for the UAE client's Pegasus instance, the typos the UAE operator had made on the phone's keyboard, and the twenty-seven status reports the phone had sent back to the server during installation.

On the documentary record, the denial pattern across the Khashoggi case file is inconsistent with the forensic evidence.

In 2020, a list of approximately fifty thousand phone numbers leaked to a Paris-based journalism nonprofit called Forbidden Stories and to Amnesty International.

The list was believed to be a roster of targets selected by NSO Group's government clients. It spanned at least fifty countries. It dated back to approximately 2016. The source of the leak has not been publicly identified.

Forbidden Stories, founded by the journalist Laurent Richard, has historically focused on continuing the work of murdered journalists. The Daphne Project, following the assassination of Maltese journalist Daphne Caruana Galizia in 2017. The Cartel Project, following Mexican drug cartel-related murders. The pattern was the same: continuing the work that organized actors had attempted to silence.

This investigation became the Pegasus Project.

Forbidden Stories invited sixteen additional media organizations to join. *The Washington Post*. *The Guardian*. *Le Monde* and *Radio France*. *Die Zeit* and *Süddeutsche Zeitung*. FRONTLINE PBS. *Haaretz*. Indian, Mexican, Hungarian, Belgian, Syrian, and other regional outlets. Eighty-plus journalists worked on the project. The technical analysis was conducted by Amnesty International's Security Lab.

The Pegasus Project's reporting began publication on July eighteenth, 2021.

The findings were specific. The leaked list included at least one hundred and eighty journalists across twenty countries, working for outlets including Agence France-Presse, Al Jazeera, Associated Press, CNN, *The Economist*, *Le Monde*, *The New York Times*, Reuters, *The Wall Street Journal*, and Voice of America. At least ten governments appeared to have submitted names to the targeting list. Saudi Arabia. The UAE. Bahrain. Morocco. Mexico. Hungary. India. Rwanda. Azerbaijan. Kazakhstan.

The targets included human rights defenders, lawyers, opposition politicians, business leaders, diplomats, union leaders, and several heads of state. The phone number of French President Emmanuel Macron was on the list.

Forensic analysis of sixty-seven of the targeted phones found thirty-seven with traces of Pegasus activity. Twenty-three confirmed infections. Fourteen attempted infections.

The named targets included Khadija Ismayilova, an award-winning Azerbaijani investigative journalist. Szabolcs Panyi, a Hungarian investigative reporter whose phone was compromised for seven months in 2019. Siddharth Varadarajan, founder of the Indian news site The Wire. Omar Radi, a Moroccan investigative journalist subsequently imprisoned. Anand Teltumbde, an Indian human rights defender subsequently imprisoned. Edwy Plenel, founder of the French investigative outlet Mediapart. Hatice Cengiz. Hanan Elatr. Loujain al-Hathloul. Princess Latifa, daughter of the ruler of Dubai.

Approximately forty Indian journalists were on the list, suggesting Indian government use of Pegasus despite official denials.

President Emmanuel Macron of France.

The President of France was on a list of phone numbers that an unidentified NSO client had selected for surveillance.

The institutional response was substantial.

In November 2021, the Biden administration placed NSO Group on the U.S. Department of Commerce Entity List, severely restricting NSO's access to U.S. technology and U.S. business relationships. The designation was widely interpreted as a national security determination — the U.S. government had concluded that NSO Group's activities were contrary to U.S. foreign policy interests.

The European Parliament established a Committee of Inquiry on Pegasus and Equivalent Spyware to investigate use of commercial surveillance technology by EU member states. The committee's final report, in 2023, documented Pegasus deployments by Hungarian, Polish, Spanish, and other EU governments against opposition politicians and journalists.

Israel's Defense Ministry tightened export restrictions, reducing the list of countries to which Israeli surveillance companies could sell from one hundred and two to thirty-seven.

Spain's intelligence agency CNI saw the resignation of its director, Paz Esteban, after the Catalangate scandal in which dozens of Catalan independence leaders had been targeted with Pegasus.

Mexico initiated investigations and prosecutions against former officials who had purchased Pegasus.

The most consequential single legal action was filed by WhatsApp.

In May 2019, WhatsApp had identified a vulnerability in its application that NSO had been exploiting to deliver Pegasus to over fourteen hundred WhatsApp users globally — including journalists, human rights activists, and political dissidents. WhatsApp filed suit in October 2019 in the U.S. District Court for the Northern District of California.

The case took five years.

NSO Group attempted multiple defenses. Foreign sovereign immunity, on the grounds that NSO should be treated as an agent of a foreign government. The District Court rejected this in 2020. The Ninth Circuit affirmed. The U.S. Supreme Court declined to hear NSO's appeal in January 2023. Foreign-law restrictions on discovery, on the grounds that Israeli law prevented NSO from producing source code. Judge Phyllis Hamilton ruled in November 2023 that the foreign-law claims did not excuse NSO's discovery obligations. Personal jurisdiction. Records released in November 2024 revealed that NSO used U.S.-based technology, including AWS infrastructure, to deliver Pegasus payloads. The court concluded NSO was subject to U.S. jurisdiction.

On December twentieth, 2024, Judge Hamilton issued summary judgment finding NSO Group liable on all claims. It was the first U.S. court decision establishing NSO Group's liability for Pegasus-related conduct.

A jury trial on damages was held in spring 2025. On May sixth, 2025, the jury awarded WhatsApp four hundred and forty-four thousand dollars in statutory damages and one hundred and sixty-seven point two five million dollars in punitive damages.

Total: approximately one hundred and sixty-eight million dollars.

In a parallel case, Apple had filed suit against NSO Group in November 2021. In September 2024, Apple voluntarily dismissed its case. The reasoning, articulated in court filings: continuing the litigation would require disclosure of details about Apple's security infrastructure that could hamper its efforts to fight spyware. Apple argued that the commercial spyware market had expanded substantially since 2021, with multiple competitors entering the space, and that even complete victory in the Apple case would not have the systemic impact it would have had three years earlier.

The Apple withdrawal was widely interpreted as a strategic loss — and as evidence of NSO Group's success in using discovery as a weapon against plaintiffs whose litigation could expose internal security operations.

Pegasus is the most documented commercial spyware product. It is not the only one.

By 2026, the commercial spyware industry included at least Predator, developed by the Intellexa Consortium — a multinational network of companies based in Greece, Cyprus, Hungary, North Macedonia, and Israel, founded by former IDF intelligence officer Tal Dilian. The U.S. Treasury added Intellexa entities to the OFAC sanctions list in March 2024.

Candiru, an Israeli company specializing in Windows-based exploitation, added to the U.S. Commerce Entity List alongside NSO Group in November 2021.

QuaDream, founded by former NSO employees, developed REIGN, a similar product to Pegasus. Officially shut down in April 2023 after Citizen Lab and Microsoft Threat Intelligence reporting.

Hacking Team, the Italian vendor, breached and exposed in July 2015 by an anonymous hacker called Phineas Fisher.

Gamma Group, the Anglo-German makers of FinFisher, breached by Phineas Fisher in 2014, filed for insolvency in 2022 amid German criminal investigation.

The post-Pegasus generation of commercial spyware vendors has continued operations. The market that NSO Group pioneered has not disappeared. It has fragmented across more vendors, more jurisdictions, and more sophisticated corporate structures designed to better resist accountability mechanisms.

In October 2025, NSO Group itself confirmed that a group of U.S.-based investors led by film producer Robert Simonds had acquired controlling interest in the company. The implications of the ownership transition — whether it indicates regulatory rehabilitation, full transition to U.S. operations, or some other structural change — are unresolved as of April 2026.

NSO Group continues to sell Pegasus. The institutional response, real and substantial, has materially damaged the company. It has not stopped the industry.

Fragment Zero has tracked one principle across the case files of the past several months.

The Stuxnet case, foundational to the channel arc, demonstrated that state actors could build cyber weapons capable of physical destruction at industrial scale. The doctrine — silence, patience, asymmetric capability exercised when the strategic calculus favors it — was first proven by the United States and Israel against the Iranian nuclear program between 2006 and 2010.

The Pegasus case demonstrates the next step.

The capability has been **commodified**. The technology developed by Unit 8200 alumni — substantively the same institutional capability that built Stuxnet — has been productized, priced, and sold to client governments that lack the technical capacity to develop such tools themselves. Any government with forty million dollars can have what previously required NSA or Unit 8200 institutional capacity to build.

This is the commercial dark forest. The Liu Cixin doctrine — revelation as existential hazard, asymmetric capability exercised when the strategic calculus favors it — applies not just to states observing other states. It applies to commercial entities **selling** the asymmetric capability to whoever can afford it.

The Khashoggi case is the clearest single illustration.

Khashoggi could not communicate privately with his closest collaborator. He believed he could. He used end-to-end encrypted applications. He used best-practice operational security. None of it mattered because his collaborator's phone was compromised at the operating system level by a piece of software that had been sold to the Saudi government by an Israeli company founded by Unit 8200 alumni.

The information asymmetry was complete. The strategic advantage was exercised. The consequences propagated independently of Khashoggi's subsequent decisions.

In the language of Fragment Zero's previous case files: he could not un-reveal what he had already revealed. The operation that exploited the revelation had already executed.

The institutional response — the U.S. Commerce Entity List, the WhatsApp one hundred and sixty-eight million dollar judgment, the EU PEGA committee, the Israeli Defense Ministry export restrictions — is real. It is also late. By the time these mechanisms engaged, NSO Group had already deployed Pegasus against approximately fifty thousand documented targets.

The harms to those targets — imprisonment, exile, assassination, divorce, professional destruction, family separation — had already occurred.

Hanan Elatr, who had been a senior airline supervisor flying internationally, was working a low-wage restaurant job in the Washington area, according to 2023 reporting. She remained afraid for her safety. She lived in hiding. Her work permit had only recently been issued.

Khashoggi's body has not been recovered.

The Saudi government's prosecution of eleven Saudis accused of involvement in the murder produced three acquittals, five death sentences, and three prison sentences in December 2019. Two of the acquitted defendants were senior Saudi security officials. The five sentenced to death were low-level participants and were pardoned by Khashoggi's children in May 2020.

The case file does not close.

What can be established is the precedent. Pegasus is the foundational commercial case. Predator, the next planned Fragment Zero case file, is the second. The third, fourth, fifth cases are presumably in development right now — built by founders learning from NSO's regulatory missteps, structuring corporate entities to better resist sovereign-immunity rejections, pricing their products to evade Entity List thresholds, finding clients in jurisdictions where Israeli, U.S., and EU regulators have less leverage.

The capability that built Stuxnet was state. The capability that built Pegasus was commercial. The capability that builds the next product line will be whatever the regulatory environment of the moment makes profitable.

In the months before he was murdered, Jamal Khashoggi believed his communications were private. His government read them anyway. The technology that allowed this had been built by veterans of one country's intelligence service and sold to another country's government for approximately forty million dollars per full-spectrum deployment.

The technology continues to operate. The market continues to grow. The case file does not close.

Fragment Zero will track the case file.

The case file does not close. It waits.