This May, three top OCCRP editors flew to Ankara to meet a woman they hadn’t seen in years.
Khadija Ismayilova is Azerbaijan’s most renowned investigative journalist, a longtime colleague, and a close old friend: practically family. For her pioneering work, she had spent 18 months in prison and five more years under a travel ban. But now she was finally free.
The celebration went late into the night. It was a true feast, the table laden with salads, baked fish, and Turkish appetizers. Ismayilova had made traditional dolma — grape leaves stuffed with beef — and brought them from Azerbaijan just for the occasion.
She told stories about her imprisonment: How she refused to take painkillers from her jailers after a prison doctor pulled her tooth. How she won over the other women — including professional criminals — by sharing food and advice. (She was their “psychiatrist,” she said.) There were sadder, more recent stories too: Her 20-year-old nephew had been killed in last year’s war with Armenia.
But behind the smiles and tears, there was a tension in the air. For months, the OCCRP editors had kept some devastating information from Ismayilova, and now it was time to tell her why they were really there.
For more than two years, Ismayilova’s iPhone had been infected by Pegasus, a sophisticated piece of spyware with frightening capabilities. It can record phone calls and read text messages, access photographs and passwords, track GPS data, and secretly make audio and video recordings. Without the tiniest signal to indicate that anything is amiss, Pegasus can transmit all of this to its secret operators.
The tool was developed by NSO Group, an Israeli cyber-surveillance company, which appears to have supplied it to Azerbaijan, one of the most autocratic governments in the world.
Ismayilova is not the only one. Hundreds of other journalists and activists around the world may have been targeted with Pegasus, as well. Their names were identified from a leak of more than 50,000 phone numbers that appear to have been selected for targeting by NSO Group clients. This list was obtained by Forbidden Stories and Amnesty International and shared with OCCRP and 15 other media outlets.
But for Ismayilova, in the immediate moment, the main concern was whether she had compromised anyone else. She thought about it all night, trying to remember what she had sent and to whom.
“It’s devastating,” she said the next day. “You make everyone a target.”
As she scrolled through the list of more than 1,000 Azerbaijani numbers in the leak, she recognized number after number: A niece. A friend. Her taxi driver.
“Him too,” she cried again and again. “Her too.”
This realization — that government surveillance affects not only the target, but a whole network of friends, loved ones, and colleagues who surround them — is one of the key revelations of The Pegasus Project.
But there are others. NSO Group is so secretive that — though it has long been suspected — there has never been any forensic evidence, until now, that the Azerbaijani government is likely one of the company’s clients. The Azerbaijani numbers found in the leaked list show, in chilling specificity, the use to which it may have been put.
Reporters spent months establishing the identity of the people behind the numbers, and succeeded in verifying nearly a quarter. While NSO Group describes itself as a company that helps governments detect and prevent terrorism and crime, the list of Azerbaijanis selected for targeting shows how the tool was systematically abused. All but a few of the numbers identified by reporters belonged to journalists, activists, lawyers, and members of the country’s beleaguered opposition.
There is no definitive proof that the Azerbaijani government is a client of NSO Group or that the leaked list of numbers represents people selected for targeting. However, a preponderance of evidence suggests that this is the case. Forensic analysis confirms that two numbers on the list were infected with Pegasus software. The other numbers on the list include many dissidents, independent journalists, and regime opponents. Moreover, in several cases, people on the list were subjected to public leaks of personal information from their phones. For more information about the data behind this project and how these conclusions were reached, read the “About the Project” page.
NSO Group did not respond to specific questions about Azerbaijan, but generally claimed that the data used by reporters was misinterpreted and that it does not allow its clients to abuse its software, which, it reiterated, is meant only to surveil criminals and terrorists. (Read more about NSO Group’s response here).
Of the 245 Azerbaijani phone numbers on the list that were identified, a fifth belonged to reporters, editors, or media company owners.
This might come as little surprise to the human rights watchdogs and international organizations who have long condemned President Ilham Aliyev’s government for its years-long suppression of press freedom.
But the extent of the spying is shocking.
Aside from Ismayilova — who could almost be considered an entire media outlet in her own right — one of the best-known independent Azerbaijani news sources is Meydan TV, an online broadcaster that reaches its audience primarily through YouTube and Facebook, where it has more than 750,000 subscribers.
In the wake of a massive crackdown in 2013, Meydan’s founders decided to establish the organization’s headquarters in Berlin, though it relies on local correspondents and freelancers who must often work in secret.
One of its best-known reporters, and a close friend of Ismayilova, is Sevinj Vaqifqizi. Her number was among those that appeared on the leaked list. Since she is currently in Berlin on a fellowship, OCCRP was able to meet with her to conduct a forensic analysis of her phone.
Just as with Ismayilova, it was ridden with traces of Pegasus software. In fact, the results went even beyond the period covered in the data, showing that her phone was actively infected at least until this May.
Vaqifqizi has long known that she was under surveillance. She has been detained, placed under a travel ban, and harassed for her reporting.
“I thought that our security service followed our phone calls and wanted to get our information,” she said. “But I never imagined that they would follow all my steps on the internet and could get my private photos, my contact lists.”
Like Ismayilova, her main concern was that she could have endangered others, especially her Meydan colleagues who are not publicly affiliated with the outlet. Since Meydan operates undercover in Azerbaijan, revealing their names could have dire consequences.
As it turns out, numbers belonging to four of her current and former colleagues, including Baku-based editor Aynur Elgunash, were also on the leaked list, although no forensic analysis has been done to determine whether they were infected.
A number of other reporters and editors from top Azerbaijani newsrooms were also on the list.
In addition to journalists, OCCRP identified more than 40 Azerbaijani activists and their family members on the list. Their presence on the list begins in 2019, coinciding with mass protests and calls for the release of political prisoners.
Though the demonstrations had some success, with many political prisoners released under a presidential amnesty, the regime appeared eager to keep its enemies under surveillance.
Some of Azerbaijan’s best-known regime critics appeared on the leaked list.
The Azerbaijani government has many digital surveillance tools at its disposal.
“They want to be in control of everything,” said Arzu Geybullayeva, a journalist living in exile and the founder of Azerbaijan Internet Watch, an online platform that tracks internet censorship and surveillance in the country.
Since the crackdown in 2008, Geybullayeva says, she has seen the government use a growing array of sophisticated surveillance technology and documented dozens of cases of misuse.
“They had the money back in the day,” she said. “They spent so much of it on surveillance technology — and it’s not cheap.”
In one case, the state ordered “black boxes” to be installed on equipment belonging to Azercell, a mobile operator then majority-owned by Swedish telecommunications giant TeliaSonera. The boxes allowed police and security services to monitor internet traffic and phone calls in real time — and to identify dozens of people who dared to vote for Armenia, Azerbaijan’s regional rival, in the 2009 Eurovision Song Contest. “‘You have no sense of ethnic pride,’” one of them recalled being told. “‘How come you voted for Armenia?’”
Despite being widely recognized as a repressive government, Azerbaijan was able to acquire surveillance technology from the world’s leading network intelligence and security companies, including U.S.-based Verint Systems, Canada-based Sandvine, and Israeli firm Allot Communications.
The list of intrusive surveillance products acquired by Azerbaijan’s government is a lengthy one.
A 2014 investigation by Citizen Lab suggested that Azerbaijan had acquired software called “DaVinci” from Hacking Team, an Italian cyber intelligence company. Similar to NSO Group’s Pegasus — but targeting computers instead of mobile phones — DaVinci allowed the regime to record instant messaging and audio conversations, copy passwords, and even activate webcams.
A Deep Packet Inspection (DPI) system from Israeli-American company Verint Systems was also used in Azerbaijan. This technology allows digital eavesdropping of internet traffic through an inspection point, enabling real-time monitoring of communications. As reported by Haaretz, a source who worked with Verint products in Azerbaijan said the firm’s technology was being used to “check sexual inclinations via Facebook.”
The government bought several other DPI products as well, including one from a Canada-based company called Sandvine and another from Israeli company Allot Communications. The latter was reportedly bought just before the European Games were held in Baku in 2015.
A 2017 investigation by Amnesty International indicated that Azerbaijan had developed its own home-grown malware. “AutoItSpy” appears to have been developed by Azeri-language speakers and uses infrastructure inside Azerbaijan, according to Amnesty.
“The government proved that it is not just this classical authoritarian government,” Geybullayeva said. “It is actually a digitally authoritarian government. Because they want to have tabs on everyone and use that information.”
In Azerbaijan, women who stand up to the regime face especially grave personal risks.
A frequent tactic, which has been deployed repeatedly by government agents in the last few years, is to drive dissident women out of the public sphere through sexual shaming.
One recent victim is Fatima Movlamli, a young activist and journalist. While still a teenager, she became a vocal critic of the regime, gaining a large social media following for her daring and creative protests.
“I wanted someone watching me from the other side to say ‘Aha, it is possible to protest. I have to do the same,’” she said.
In April 2019, when she was just 18, Movlamli’s intimate photographs and a video of her dancing on a chair in revealing clothing were released in an orchestrated campaign.
“At an age when I didn’t fully realize I was a woman, I was ashamed that I had a female body and that people saw it naked,” she said.
She even thought of committing suicide. “In this country, women are doomed to live within the limits of what men want, and they can lynch a woman just because they see her body.”
Movlamli suspected that the authorities had obtained the photos in 2018, when she was kidnapped by plainclothes agents and held incommunicado for five days. She was beaten and forced to give up her phone password.
What she didn’t know was that, just over a month before her images were released, she had been selected for targeting by Pegasus.
In another high-profile case, the authorities’ tactics broke up a new marriage.
Ilkin Rustamzade is a youth activist and leading member of Azad Genclik (“Free Youth”), a pro-democracy movement. An outspoken critic of the government, Rustamzade and his fellow activists used social media to organize peaceful protests.
In 2013, he was charged with “organizing mass violent disorder” and sentenced to eight years in prison.
But though he received an amnesty in 2019, his troubles weren’t over. In March 2020, he was contacted on Facebook by an anonymous account that threatened to publish compromising photos of his new wife, Amina. His only way out, the stranger said, was to take down a Facebook petition calling on the government to provide social assistance to people affected by the COVID-19 pandemic.
After Rustamzade refused, photos of Amina, along with her name and telephone number, were published on social media and on an escort website.
A flurry of stories in the pro-government press followed, with headlines like “Ilkin Rustamzade married a girl with a history” and “Rustamzade’s wife was not a virgin.”
The young woman attempted suicide that summer. According to Rustamzade, the same anonymous account threatened the couple again, writing “If Ilkin is not silent, then what happened earlier will happen again.”
Sure enough, more of Amina’s photos were released in video collages posted on YouTube and Instagram. Absurdly mild by Western standards, they depict the young woman posing on the beach in a bathing suit and kissing an ex-boyfriend. But in conservative Azerbaijan, the social pressure that followed was so intense that the couple divorced.
“It poisoned our relationship with each other,” Ilkin Rustamzade wrote on Facebook. “It has become impossible to tolerate this constant terror. So we decided to break up.”
“I was condemned for ruining the family’s reputation,” Amina Mammadova told OCCRP. “My now ex-husband’s family reacted very negatively. My family was very upset too.”
There is no proof that the leaks of Amina’s photos had anything to do with NSO Group or its Pegasus software. But in the wake of her divorce, conversations she had with others about the situation were leaked online, leading her to suspect her phone had been hacked.
“I spoke to so many people that I can’t even say who exactly could [have leaked it],” she said. “Could it have been recorded from my phone? Or I spoke to someone in person and it was recorded? Maybe my phone is compromised.”
Amina’s number did not appear on the leaked list, perhaps because the data does not cover 2020. But numbers of both Ilkin and his father are there.
For Khadija Ismayilova, who herself endured a humiliating public exposure of her personal life, every such case is a reminder of how important it is for digital communications tools to be “secure from the eyes of the government.”
“Every time [someone was hacked] we thought about that,” she said. “Besides blaming the government… we’ve also been thinking about keeping our communications private and maybe using private tools. We’ve been recommending this or that tool to each other,” she said.
“And yesterday I realized there is no way. Unless you lock yourself in the iron tent there is no way that they will not interfere.”