— Edition 1.247 52 verified trackers
ES EN
Politics · Technology · Digital regulation  ·  where data speaks before headlines
Snapshot data
AML/OFAC enforcement against banks and fintech — 418 penalties documented 418 AML/OFAC penalties documented across 177 countries and 379 regula… Corporate bankruptcy and insolvency (Chapter 11) — 4 major corporate bankrup… Corporate bankruptcies hit decade highs: over 717 in the year per S&P… High-impact litigation risk index — 4 high-impact litigations… The risk index (0-100) aggregates five objective factors —procedural … Merger control: multi-jurisdiction competition … — 9 decisions and jurisdict… Merger control diverges by jurisdiction in 2026: the Trump administra… PEPs and sanctions networks · Ibero-American graph — 40 PEP/company nodes with … Ibero-American PEP→company→sanction graph (core: Mapa del Poder, 424 … Sovereign debt distress and restructurings — 5 distress/restructuring … The IMF's 6th Global Sovereign Debt Roundtable report (April 15, 2026… Forced labor in supply chains: entity lists — 4 forced-labor exposure i… Upstream exposure intelligence densifies: the UFLPA Entity List reach… EU AI Act — designation of national authorities — 3/10/14 / 27 Member States Tracker's first event: 3 states with both authorities / 10 partial / … AI Act · Notified bodies for conformity assessment — 1 body with AI-specific a… Ecosystem 'not ready' as of Mar-2026 (standards unpublished, insuffic… Scandal → conviction gap — — milestones logged +1 mirror case: Uribe — 7 years to convict, 8 weeks to reverse, open-… Technology ↔ regulation gap — 26 regulatory milestones +1: Peru closes the generative-AI gap in ~3 years (DS 115-2025-PCM), … CNMC Spain · the Digital Services Coordinator g… — 6 documented milestones The gap becomes chronic: Congress struck down the CNMC's legal empowe… Corporate data breaches: from incident to response — 11 breaches documented +1: Canvas/Instructure, the largest known education breach (≈275M rec… Migration friction in corporate and event mobility — 3 incidents and policies … The 2026 World Cup works as a live stress test: 39 countries under fu… Power and corruption in the courts in Ibero-Ame… — 29 documented cases Jun-2026 review: Uribe updated — first-instance conviction overturned… Crypto · Licenses and authorizations by jurisdi… — 40+ CASPs with full MiCA au… July 1, 2026 cliff: the transitional regime expires (ESMA, Apr 17) wi… Data breaches · Class-action settlements — 5 settlements and mass ca… 271 million dollars across four settlements approved or with deadline… Digital regulatory risk index by country — 16 countries profiled Jun-2026 review: Brazil updated on two layers (EU adequacy Jan 26, 20… Digital services taxes (DST) by country — 3 tax-map milestones docu… About half of European OECD countries have a DST announced, proposed … Global election risk 2026: democracy and digita… — 32 elections profiled 32 electoral processes of 2026 profiled by political regime and digit… ESG · Greenwashing enforcement — 3 enforcement milestones … The legal floor arrives Sep 27, 2026 (ECGT across the 27; transpositi… EU · Digital & sustainability regulatory deadli… — 6 calendar milestones doc… Next critical deadlines: Jun 23, 2026 closes the high-risk classifica… Export controls · Entity List and advanced chips — 6 regime milestones docum… The 2026 shift: licensing for H200/MI325X and equivalents to China mo… GDPR · International transfers and adequacy dec… — 6 framework milestones do… The EU-US DPF remains in force after surviving its first judicial cha… LATAM · AI bills in legislative process — 150+ bills identified 150+ count re-verified; milestones: Peru only country with a regulate… LATAM · Judicial and regulatory sanctions on pl… — $5,2M USD · fine on X Corp. i… Paradigm shift: the STF declared Art. 19 of the Marco Civil partially… Digital political ad spending 2026 — 6 country-platform observ… AdImpact's revised projection (Jun 11): $11.6bn for the 2026 cycle — … Shadow fleet · Sanctioned vessels and enablers — 632 vessels designated by t… +46 vessels in the 20th package (Reg. 2026/506/509/511) to 632; Art. … Whistleblower awards · SEC, CFTC and equivalent… — 3 program milestones docu… The SEC awarded over $60M to 48 whistleblowers in fiscal year 2025 (2… AI Act · Sanctions regime and its actual enforc… — 0 documented AI Act fines… 0 AI Act penalties issued to date: enforcement of high-risk obligatio… Beneficial ownership transparency (UBO / CTA / … — 4 transparency milestones 4 beneficial-ownership transparency milestones documented; the EU req… Crypto industry: collapses, sanctions and convi… — 13 documented cases 13 cases of collapses, sanctions and convictions in the crypto sector… AI harms in court — litigation, rulings and set… — 103 documented cases 103 AI-related harm and rights lawsuits documented; 2026 milestones: … DMA · designated gatekeepers and real compliance — 9 documented DMA acts 9 DMA compliance actions documented against gatekeepers; 2026 develop… Documented electoral disinformation 2026 — 7 documented campaigns 7 electoral disinformation campaigns or patterns documented with open… GDPR · which national authority really sanctions — 11 authorities profiled 11 GDPR enforcement country profiles and milestones documented; 2026 … LATAM · Internet shutdowns and platform blocks — 8 documented events · 202… 8 internet shutdown and blocking episodes documented in Latin America… Operational resilience & cyber (DORA / NIS2 / SEC) — 4 regulatory milestones 4 operational-resilience milestones documented; 2026 is the first rea… Digital fines actually imposed — 61 sanctions recorded 61 high-value penalties across 18 jurisdictions and 6 continents; cov… Commercial spyware: documented cases worldwide — 23 documented cases 23 spyware and surveillance cases documented across the Ibero-America… Trade compliance & forced labor (UFLPA) — 4 actions documented 4 trade-compliance actions on forced labor documented; under UFLPA ar… US · the state AI regulation patchwork — 10 laws and milestones 10 state AI laws or milestones documented in the U.S.; 2026 developme… Electoral digital integrity 2026 — 13 elections profiled 13 elections profiled by digital integrity; 5 with transparent politi… Climate: the gap between pledge and action — 12 countries assessed 12 countries assessed by the Climate Action Tracker: 10 with insuffic… Content moderation: appeals and reversals — 19 documented decisions 19 appealed and reviewed moderation decisions, with their policy, ori… Public AI spending — global government contracts — 50 documented contracts 50 public AI contracts across 15 jurisdictions on 5 continents (45 wi… Campaign promises → fulfillment — 29 term evaluations 29 terms evaluated across 25 countries on five continents EU · Consolidated DSA enforcement decisions — €120M first DSA fine · X · 5 … 5 Member States referred to CJEU for insufficient DSC implementation LATAM · Digital spending in 2026 electoral camp… — $14.794M COP · highest declared … Only 8 of 13 campaigns had reported in Cuentas Claras by mid-May Ibero-America · documented public contracts wit… — 3 contracts verified with… DC registry kickoff · ongoing monthly manual sweep RSF · Press freedom in Latin America — 144 Peru's rank (the region… AR -11 · PE -14 · SV -8 · EC -31 · USA -7 AML/OFAC enforcement against banks and fintech — 418 penalties documented 418 AML/OFAC penalties documented across 177 countries and 379 regula… Corporate bankruptcy and insolvency (Chapter 11) — 4 major corporate bankrup… Corporate bankruptcies hit decade highs: over 717 in the year per S&P… High-impact litigation risk index — 4 high-impact litigations… The risk index (0-100) aggregates five objective factors —procedural … Merger control: multi-jurisdiction competition … — 9 decisions and jurisdict… Merger control diverges by jurisdiction in 2026: the Trump administra… PEPs and sanctions networks · Ibero-American graph — 40 PEP/company nodes with … Ibero-American PEP→company→sanction graph (core: Mapa del Poder, 424 … Sovereign debt distress and restructurings — 5 distress/restructuring … The IMF's 6th Global Sovereign Debt Roundtable report (April 15, 2026… Forced labor in supply chains: entity lists — 4 forced-labor exposure i… Upstream exposure intelligence densifies: the UFLPA Entity List reach… EU AI Act — designation of national authorities — 3/10/14 / 27 Member States Tracker's first event: 3 states with both authorities / 10 partial / … AI Act · Notified bodies for conformity assessment — 1 body with AI-specific a… Ecosystem 'not ready' as of Mar-2026 (standards unpublished, insuffic… Scandal → conviction gap — — milestones logged +1 mirror case: Uribe — 7 years to convict, 8 weeks to reverse, open-… Technology ↔ regulation gap — 26 regulatory milestones +1: Peru closes the generative-AI gap in ~3 years (DS 115-2025-PCM), … CNMC Spain · the Digital Services Coordinator g… — 6 documented milestones The gap becomes chronic: Congress struck down the CNMC's legal empowe… Corporate data breaches: from incident to response — 11 breaches documented +1: Canvas/Instructure, the largest known education breach (≈275M rec… Migration friction in corporate and event mobility — 3 incidents and policies … The 2026 World Cup works as a live stress test: 39 countries under fu… Power and corruption in the courts in Ibero-Ame… — 29 documented cases Jun-2026 review: Uribe updated — first-instance conviction overturned… Crypto · Licenses and authorizations by jurisdi… — 40+ CASPs with full MiCA au… July 1, 2026 cliff: the transitional regime expires (ESMA, Apr 17) wi… Data breaches · Class-action settlements — 5 settlements and mass ca… 271 million dollars across four settlements approved or with deadline… Digital regulatory risk index by country — 16 countries profiled Jun-2026 review: Brazil updated on two layers (EU adequacy Jan 26, 20… Digital services taxes (DST) by country — 3 tax-map milestones docu… About half of European OECD countries have a DST announced, proposed … Global election risk 2026: democracy and digita… — 32 elections profiled 32 electoral processes of 2026 profiled by political regime and digit… ESG · Greenwashing enforcement — 3 enforcement milestones … The legal floor arrives Sep 27, 2026 (ECGT across the 27; transpositi… EU · Digital & sustainability regulatory deadli… — 6 calendar milestones doc… Next critical deadlines: Jun 23, 2026 closes the high-risk classifica… Export controls · Entity List and advanced chips — 6 regime milestones docum… The 2026 shift: licensing for H200/MI325X and equivalents to China mo… GDPR · International transfers and adequacy dec… — 6 framework milestones do… The EU-US DPF remains in force after surviving its first judicial cha… LATAM · AI bills in legislative process — 150+ bills identified 150+ count re-verified; milestones: Peru only country with a regulate… LATAM · Judicial and regulatory sanctions on pl… — $5,2M USD · fine on X Corp. i… Paradigm shift: the STF declared Art. 19 of the Marco Civil partially… Digital political ad spending 2026 — 6 country-platform observ… AdImpact's revised projection (Jun 11): $11.6bn for the 2026 cycle — … Shadow fleet · Sanctioned vessels and enablers — 632 vessels designated by t… +46 vessels in the 20th package (Reg. 2026/506/509/511) to 632; Art. … Whistleblower awards · SEC, CFTC and equivalent… — 3 program milestones docu… The SEC awarded over $60M to 48 whistleblowers in fiscal year 2025 (2… AI Act · Sanctions regime and its actual enforc… — 0 documented AI Act fines… 0 AI Act penalties issued to date: enforcement of high-risk obligatio… Beneficial ownership transparency (UBO / CTA / … — 4 transparency milestones 4 beneficial-ownership transparency milestones documented; the EU req… Crypto industry: collapses, sanctions and convi… — 13 documented cases 13 cases of collapses, sanctions and convictions in the crypto sector… AI harms in court — litigation, rulings and set… — 103 documented cases 103 AI-related harm and rights lawsuits documented; 2026 milestones: … DMA · designated gatekeepers and real compliance — 9 documented DMA acts 9 DMA compliance actions documented against gatekeepers; 2026 develop… Documented electoral disinformation 2026 — 7 documented campaigns 7 electoral disinformation campaigns or patterns documented with open… GDPR · which national authority really sanctions — 11 authorities profiled 11 GDPR enforcement country profiles and milestones documented; 2026 … LATAM · Internet shutdowns and platform blocks — 8 documented events · 202… 8 internet shutdown and blocking episodes documented in Latin America… Operational resilience & cyber (DORA / NIS2 / SEC) — 4 regulatory milestones 4 operational-resilience milestones documented; 2026 is the first rea… Digital fines actually imposed — 61 sanctions recorded 61 high-value penalties across 18 jurisdictions and 6 continents; cov… Commercial spyware: documented cases worldwide — 23 documented cases 23 spyware and surveillance cases documented across the Ibero-America… Trade compliance & forced labor (UFLPA) — 4 actions documented 4 trade-compliance actions on forced labor documented; under UFLPA ar… US · the state AI regulation patchwork — 10 laws and milestones 10 state AI laws or milestones documented in the U.S.; 2026 developme… Electoral digital integrity 2026 — 13 elections profiled 13 elections profiled by digital integrity; 5 with transparent politi… Climate: the gap between pledge and action — 12 countries assessed 12 countries assessed by the Climate Action Tracker: 10 with insuffic… Content moderation: appeals and reversals — 19 documented decisions 19 appealed and reviewed moderation decisions, with their policy, ori… Public AI spending — global government contracts — 50 documented contracts 50 public AI contracts across 15 jurisdictions on 5 continents (45 wi… Campaign promises → fulfillment — 29 term evaluations 29 terms evaluated across 25 countries on five continents EU · Consolidated DSA enforcement decisions — €120M first DSA fine · X · 5 … 5 Member States referred to CJEU for insufficient DSC implementation LATAM · Digital spending in 2026 electoral camp… — $14.794M COP · highest declared … Only 8 of 13 campaigns had reported in Cuentas Claras by mid-May Ibero-America · documented public contracts wit… — 3 contracts verified with… DC registry kickoff · ongoing monthly manual sweep RSF · Press freedom in Latin America — 144 Peru's rank (the region… AR -11 · PE -14 · SV -8 · EC -31 · USA -7
/ trackers / spyware-iberoamerica
Surveillance and digital rights

Commercial spyware: documented cases worldwide

Forensically or judicially documented cases of commercial spyware —NSO Group's Pegasus, Intellexa's Predator, Paragon's Graphite, Candiru— used against journalists, activists, opponents and public figures worldwide. The tracker only gathers cases with technical verification (device analysis by Citizen Lab, Amnesty International or equivalent organisations) or judicial verification, not mere suspicions. Each record documents the tool, the vendor, the number of confirmed victims, the affected sector and the confidence level with which it is attributed to an operator. The focus is on the verifiable trace: a country's absence from the map does not mean the absence of surveillance, but the absence of public investigation.

Snapshot · June 8, 2026
23
documented cases
↑ 23 spyware and surveillance cases documented across the Ibero-American and Lusophone space; 2026 development: Amnesty International forensically confirms the first use of Predator (Intellexa) in Angola against a journalist, within the 'Intellexa Leaks' published in December 2025

Evolution

Data analysis

Statistical readings derived from the attributes of each recorded case. All figures come from the documented events; amounts are computed only over cases with a sum expressed in the indicated currency, without converting between currencies.

Cases by country

Distribution of forensically or judicially documented cases by country. Mexico concentrates most of the region's confirmed cases.

Cases by spyware tool

Which spyware tools appear in the documented cases. NSO Group's Pegasus clearly dominates.

Cases by vendor

The companies that develop and sell the spyware behind each case.

Confidence in operator attribution

With what degree of certainty each case is attributed to a specific operator. Spying attribution is rarely conclusive.

Documented cases by year

Temporal evolution of the verified cases, from Panama's 2012 purchase to the most recent.

Global incidence map

Choropleth by number of forensically or judicially documented cases. Countries with no verifiable public cases remain in the base colour — the absence of events does not equal the absence of surveillance. Hover or click a coloured country to see the cases.

Natural Earth 50m · Diálogo Ciudadano

Reading the data

Twenty-two verified commercial-spyware cases in twelve countries on four continents share a pattern: the software is almost always Israeli —NSO Group's Pegasus dominates— and the victims are journalists, activists and opponents. From the hacking of a Polish senator mid-campaign to Khashoggi's circle before his murder, the trace is global.

CT
Celinda S. Tórrez · Correspondent — Colombia · Bogotá
May 25, 2026 · 7 min read

Surveillance with commercial software leaves, unlike almost any other abuse of power, a technical trace. An infected phone retains marks that labs like the University of Toronto's Citizen Lab, or Amnesty International's Security Lab, can analyse and peer-review. This tracker gathers only cases with that kind of verification —forensic or judicial—, not mere suspicions: twenty-two documented cases in twelve countries on four continents, from Mexico to Thailand, from Poland to the United Arab Emirates.

The pattern that emerges is of an almost monotonous uniformity. The software is, overwhelmingly, Israeli: NSO Group's Pegasus appears in the vast majority of cases, occasionally complemented by Candiru, the Intellexa consortium's Predator and Paragon's Graphite. And the victims are almost always the same categories: journalists, activists, lawyers, political opponents and human rights defenders. The tool is sold to pursue 'terrorism and serious crime'; the infected phones belong, again and again, to those who inconvenience power.

NSO Group's Pegasus is present in fourteen of the sixteen cases. Mexico concentrates six; Spain, four. But the novelty of this update lies at the extremes: Panama, which bought the system as early as 2012 —one of the world's first state uses—, and the Dominican Republic, where a journalist's phone was infected three times.

Panama: the purchase the courts documented

The Panamanian case is singular because it does not rest on a forensic analysis of a phone, but on something even more solid: a court file. Ricardo Martinelli's government acquired Pegasus in 2012, for around eight million dollars, and operated it from the Oceanía building through the National Security Council to surveil at least 150 people between 2012 and 2014. All of it was documented in the 'wiretapping' trial, where prosecutors detailed the negotiation with NSO —installation and training included. It makes Panama one of the world's first states to use Pegasus, years before the global scandal erupted in 2021.

That precedent matters because it illuminates the rest of the tracker. Most cases are known from the victim's side —a phone a lab analyses after an Apple alert—, but it is rarely proven who bought and operated the software. Panama is the exception that shows the full chain: a state, a contract, a building, a target list. And yet the former president was acquitted in 2019 in one of the proceedings, a reminder of how hard it is to translate technical evidence into judicial consequence.

Who pulls the trigger

Attribution is the weak point of almost the entire tracker, which is why one of the charts measures precisely the level of confidence with which each case is linked to an operator. The technical trace proves a phone was infected; it rarely proves, on its own, who ordered the infection. NSO insists it only sells to states, which narrows the circle of suspects, but governments tend to deny being clients —as El Salvador did despite the surveillance of 22 El Faro staff, or as happens with the current control of the Pegasus bought in Colombia, whose whereabouts remain unclear.

Spain illustrates the other side: there, the spying cut in two directions. On one hand, the so-called 'CatalanGate' documented by Citizen Lab, with dozens of Catalan pro-independence figures surveilled; on the other, the phones of the prime minister and several ministers themselves, infected in what the government called an 'external and illicit' attack. That both the watched and the watchers end up on the same victim list says a great deal about how unchecked this market is.

A trace that respects no borders

If the first version of this tracker focused on Ibero-America, its expansion to the rest of the world confirms the phenomenon knows no geography. In Poland, opposition senator Krzysztof Brejza was infected 33 times during the 2019 campaign, and a Senate commission later concluded those elections were unfair: spyware used not in an autocracy, but inside the European Union. In Thailand, the GeckoSpy operation infected at least 30 pro-democracy activists. In the United Arab Emirates, activist Ahmed Mansoor was one of the world's first documented targets, in 2016.

The darkest case is Saudi Arabia's: Citizen Lab found Pegasus in journalist Jamal Khashoggi's circle —on the phone of his confidant Omar Abdulaziz and, later, on his wife's— in the months before his murder in the Saudi consulate in Istanbul. It is the starkest proof that mercenary surveillance is not an abstract privacy matter: it can be the prelude to violence. And the confirmation of infections of exiled Russians and Belarusians inside the EU shows that not even refuge in a democracy protects from these tools' reach.

Methodology note

Only cases with forensic verification (technical analysis of devices by Citizen Lab, Amnesty International's Security Lab or equivalent organisations) or judicial verification (public files and trials) are recorded. A country's absence from the map does not mean the absence of surveillance: it means that, as of this version, there is no verifiable public investigation. Operator attributions are recorded with their confidence level and, when a government denies being a client, it is noted. The outlet does not assert who ordered each infection beyond what the verifiable source maintains.

The charts above —country, tool, vendor, attribution confidence and annual trend— and the regional incidence map are computed from each case's attributes. Main sources: Citizen Lab, Amnesty International, Access Now, Forbidden Stories and each country's press.

Documented events (23)

July 18, 2022 TH confirmed

Thailand · At least 30 pro-democracy activists infected with Pegasus (GeckoSpy operation)

Citizen Lab forensically confirmed that at least 30 activists, pro-democracy protesters and people calling for reforms to the Thai monarchy were infected with Pegasus between October 2020 and November 2021, in an operation dubbed GeckoSpy. Many victims had been prosecuted under the country's strict lèse-majesté laws. Citizen Lab could not definitively attribute the operation to the Thai government, though NSO says it only sells to states.

January 13, 2022 SV confirmed

Project Torogoz: Pegasus against El Faro and Salvadoran press (35 confirmed victims)

Citizen Lab and Access Now confirmed 35 cases of journalists and civil society members whose phones were infected with Pegasus between July 2020 and November 2021. Targets included journalists from El Faro (22 members), GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy, and two independent journalists. Civil society affected: Fundación DTJ, Cristosal, and another NGO. Hacking occurred while these outlets reported on the government's MS-13 pact and the Bukele administration. Amnesty International Security Lab independently confirmed findings.

January 13, 2022 SV confirmed

El Salvador · 22 El Faro staff surveilled; the editor infected 42 times with Pegasus

Citizen Lab documented that the phones of 22 reporters, editors and staff of El Faro —more than two-thirds of the newsroom— were infected with Pegasus, with data extracted from several devices. The outlet was under constant surveillance for at least 17 months, between June 2020 and November 2021; the editor-in-chief, Óscar Martínez, had his phone infiltrated at least 42 times. The surveillance coincided with El Faro's coverage of the Bukele government's negotiations with gangs. The government denied being an NSO client.

October 1, 2018 SA confirmed

Saudi Arabia · Pegasus in Jamal Khashoggi's circle before his murder

Citizen Lab revealed in October 2018, with high confidence, that Pegasus had infected the iPhone of Saudi dissident Omar Abdulaziz, a confidant of journalist Jamal Khashoggi, months before Khashoggi's murder in the Saudi consulate in Istanbul. A later forensic analysis also found Pegasus traces on the phone of Khashoggi's wife, Hanan Elatr, manually installed while she was detained by UAE authorities. It is the case that most linked the spyware to lethal consequences.

January 1, 2019 PL confirmed

Poland · Opposition senator Krzysztof Brejza hacked 33 times during the 2019 election campaign

Citizen Lab determined, and Amnesty International independently confirmed, that the phone of Polish opposition senator Krzysztof Brejza was infected with Pegasus 33 times in 2019, while he ran the opposition's election campaign. Messages stolen from his phone were doctored and aired by state TV. A Senate commission later concluded the 2019 elections were unfair due to the software's use, in one of the gravest cases for occurring within the EU.

January 1, 2012 PA confirmed

Panama · Martinelli's government bought Pegasus in 2012 and spied on around 150 people

Ricardo Martinelli's government (2009-2014) acquired NSO Group's Pegasus in 2012 for around 8 million dollars, operating it from the Oceanía building through the National Security Council to surveil at least 150 people —opponents, journalists and public figures— between 2012 and 2014. The purchase and use were documented in the criminal 'wiretapping' trial, in which prosecutors presented the negotiation with NSO (installation and training included); Panama also acquired a system from the Israeli firm MLM Protection. Martinelli was acquitted in 2019 in one of the proceedings. It is one of the world's earliest documented state uses of Pegasus.

July 9, 2025 MX reported

Mexico investigation: Attorney General opens case on USD 25M bribery in Peña Nieto's Pegasus purchase

Mexican Attorney General Alejandro Gertz Manero announced in July 2025 an investigation into an alleged USD 25 million bribe paid to Enrique Peña Nieto by businessmen Avishai Neriah and Uri Emmanuel Ansbacher to facilitate the Mexican government's Pegasus purchase. The investigation stems from a report by Israeli outlet The Marker (5 July 2025) based on confidential arbitration between Neriah and Ansbacher finalized in late 2024 in a Jerusalem court. Neriah was Mexico's honorary consul in Haifa since 2014. Ansbacher is a close associate of NSO founder Shalev Hulio.

June 1, 2022 MX confirmed

Pegasus against Alejandro Encinas, AMLO's human rights deputy minister

Alejandro Encinas, Mexico's under-secretary for human rights and a close ally of President López Obrador, was targeted with Pegasus while investigating Army abuses, including the case of the 43 disappeared Ayotzinapa students. The New York Times reported the case in May 2023. It is the first confirmed case of such a senior administration member being targeted with Pegasus in Mexico in over a decade of the tool's use.

October 2, 2022 MX confirmed

Pegasus against journalist Ricardo Raphael (Mexico)

Journalist and political analyst Ricardo Raphael was targeted at least three times with Pegasus in October-November 2019 and again in December 2020. Forensic analysis also revealed a 2016 infection via the HOMAGE exploit. He was targeted while on a media tour promoting his book on the military origins of the Los Zetas cartel. R3D investigation with Citizen Lab technical support.

June 19, 2017 MX confirmed

Pegasus against journalists, lawyers and activists in Mexico — first wave of revelations

Citizen Lab, ARTICLE 19, R3D and SocialTIC published a series of eight reports in 2017 documenting mass surveillance with Pegasus against investigative journalists, lawyers for cartel victims' families, anti-corruption groups, prominent legislators, international Ayotzinapa case investigators, and family members of murdered journalists. The Guardian later described Mexico as a Pegasus 'laboratory'.

March 5, 2024 ES confirmed

US sanctions Intellexa consortium (Predator) — regional impact

The US Department of the Treasury sanctioned in March 2024 Tal Dilian (Intellexa founder, former Israeli military intelligence officer) and commercial entities of the Intellexa consortium for Predator proliferation. While the sanction is US-based, it affects a consortium with documented commercial presence in Europe and operations identified by Insikt Group in over a dozen countries. Ibero-America does not appear in the public list of active Predator operators as of May 2026.

July 18, 2021 HU confirmed

Hungary · Journalists and opposition figures infected with Pegasus, confirmed by the Pegasus Project

The Pegasus Project, the 17-outlet consortium coordinated by Forbidden Stories and Amnesty International, revealed in 2021 that Hungary —an EU member state— was among NSO's confirmed clients. Forensic analysis confirmed infections on the phones of investigative journalists and figures critical of Viktor Orbán's government, sparking mass protests. Hungary was one of the first EU governments flagged for abusive Pegasus use.

July 10, 2024 LT confirmed

EU (Lithuania) · Exiled Russian and Belarusian journalists and activists infected with Pegasus inside the EU

Access Now and Citizen Lab confirmed in 2024 that at least seven exiled Russian, Belarusian, Latvian and Israeli journalists and activists were infected with Pegasus inside the EU, expanding the previous year's case of Galina Timchenko (Meduza). Victims include Belarusian opposition figure Andrei Sannikov, infected in 2021, and editor Natallia Radzina. The cases show that exile in the EU does not protect from mercenary surveillance.

January 31, 2025 ES alleged

WhatsApp notifies possible Spanish victims of Paragon Graphite (2025)

WhatsApp notified approximately 90 users worldwide in January 2025 of being targeted by Graphite, Paragon Solutions' spyware. Targets include journalists and civil society members across two dozen countries. Citizen Lab forensically confirmed at least three European cases (two Italian Fanpage.it journalists and a third anonymous journalist). The exact number affected in Spain has not been published, but Spain appears among countries with notifications per subsequent reports.

May 2, 2022 ES confirmed

Pegasus against PM Pedro Sánchez and ministers (Spain)

The Spanish government confirmed in May 2022 that the phones of PM Pedro Sánchez, Defense Minister Margarita Robles, and Interior Minister Fernando Grande-Marlaska were targeted with Pegasus. Sánchez was the first head of government confirmed worldwide as a Pegasus target. CNI Director Paz Esteban was dismissed in the scandal's context. Attribution for the attack against Sánchez was not made public but excludes the Spanish government itself as operator.

April 18, 2022 ES confirmed

CatalanGate: Pegasus and Candiru against 65 Catalans (Spain)

Citizen Lab identified at least 65 individuals linked to the Catalan independence movement targeted or infected with spyware. 63 with Pegasus, 4 with Candiru, 2 with both. Victims include MEPs, all four Catalan presidents since 2010 (Mas, Puigdemont, Torra, Aragonès), two Parliament presidents, legislators, jurists, and civil society organization members. Most incidents occurred between 2017 (independence referendum) and 2020. Amnesty International Security Lab validated forensic methodology. Spanish government confirmed CNI had prior judicial approval to use spyware against Catalan separatists.

May 2, 2023 DO confirmed

Dominican Republic · Journalist Nuria Piera infected with Pegasus three times

Amnesty International's Security Lab confirmed that the phone of Dominican investigative journalist Nuria Piera was infected with Pegasus at least three times between July 2020 and October 2021. Citizen Lab peer-reviewed and ratified the findings with its independent methodology. Piera was investigating corruption cases involving senior officials and relatives of a former president. It was the first forensically confirmed case in the country and the third in the Americas, after Mexico and El Salvador.

September 4, 2024 CO reported

Colombia: President Petro denounces Pegasus purchase by Duque government (USD 11M, 2021)

Colombian President Gustavo Petro called in September 2024 for an investigation into alleged Pegasus use by the previous government of Iván Duque. According to information shared by the Financial Information and Analysis Unit (UIAF), between July and August 2021 an Israeli bank reported unusual activity after receiving a cash deposit of USD 5.5 million directed to NSO Group Technologies Limited. The payment related to a USD 11 million agreement between NSO Group and the Police Intelligence Directorate (DIPOL). Petro alleged the spyware was brought to spy on youth movements and opposition communications for six months. The accusation is pending judicial investigation; there is no public forensic confirmation of individual victims in Colombia as of May 2026.

January 1, 2021 CO confirmed

Colombia · 11-million-dollar Pegasus purchase under Duque's government, under investigation

President Gustavo Petro revealed in 2024 that during Iván Duque's government around 11 million dollars in cash were flown out of the country, on one or two planes, to buy Pegasus from NSO in Israel, and asked the Attorney General's Office to investigate. According to Petro, the software was allegedly used to spy on the opposition, journalists and human rights defenders during the 2021 National Strike. Later investigations linked Colombian operators to the Pegasus structure in Panama. The software's whereabouts and current control remain unclear.

February 19, 2026 AO confirmed

Angola · First forensic confirmation of Predator spyware against a Lusophone journalist

An Amnesty International investigation established that Predator spyware was used in 2024 against Teixeira Cândido, a prominent Angolan journalist, jurist and press-freedom activist, former Secretary General of the Syndicate of Angolan Journalists. It is the first forensic confirmation of Predator's use in Angola. The attack occurred amid a tightening authoritarian environment under João Lourenço's administration. Predator is a highly invasive mobile spyware developed and sold by Intellexa for government surveillance operations. Amnesty sent a letter to Intellexa on January 27, 2026 with no response; the case fits within the 'Intellexa Leaks' published in December 2025 alongside Inside Story, Haaretz and the WAV Research Collective.

August 1, 2016 AE confirmed

United Arab Emirates · Activist Ahmed Mansoor targeted by Pegasus in one of the first documented cases

In August 2016, Citizen Lab and Lookout documented that the iPhone of Emirati human rights activist Ahmed Mansoor was attacked with Pegasus via a message asking him to click a link about prisoners tortured in the UAE. It was one of the world's first publicly documented Pegasus cases and revealed NSO's 'zero-click' exploits. Mansoor was later sentenced to 10 years in prison for his social media posts.

Methodology

Type
event-log
Construction
Multi-source verified
Cadence
monthly

Sources consulted

  1. Citizen Lab · Munk School · University of Toronto ↗ academic

    World-leading forensic research center on commercial spyware. Its reports are the primary source for most documented cases. Technical methodology with open publication, regular peer review by Amnesty Tech Lab.

  2. Amnistía Internacional · Security Lab ↗ civil-society

    Amnesty's technical lab. Independently confirms Citizen Lab forensic investigations. Develops and maintains the Mobile Verification Toolkit (MVT) used for device self-scans.

  3. Access Now · Digital Security Helpline ↗ civil-society

    Helpline and technical triage for threatened activists and journalists. Collaborates with Citizen Lab on investigations of cases identified via its helpline.

  4. R3D — Red en Defensa de los Derechos Digitales · México ↗ civil-society

    Mexican digital-rights organization. Forensic investigation in collaboration with Citizen Lab for the Mexican cases. Covers Pegasus, Predator and Paragon in LATAM.

  5. ARTICLE 19 · México y Centroamérica ↗ civil-society

    Co-author of investigations on Pegasus in Mexico alongside R3D, SocialTIC and Citizen Lab.

  6. SocialTIC · México ↗ civil-society

    Mexican social-technology organization. Co-author of investigations on Pegasus in Mexico.

  7. Apple · notificaciones de ataque state-sponsored ↗ official

    Apple has notified users targeted by state-sponsored attacks since November 2021. These notifications have been the entry point for subsequent forensic investigation of many cases.

  8. WhatsApp · notificaciones de ataque (Meta) ↗ official

    WhatsApp notifies users targeted by spyware attacks. In January 2025 it notified roughly 90 users worldwide attacked with Paragon's Graphite.

  9. U.S. Department of the Treasury · sanciones a Intellexa Consortium ↗ official

    The US Treasury sanctioned Tal Dilian (founder of Intellexa) and associated entities of the Intellexa consortium in March 2024 for the proliferation of Predator. Formal sanction with official publication.

  10. Carnegie Endowment for International Peace · Global Inventory of Commercial Spyware ↗ academic

    Global academic inventory of commercial spyware. Documents that between 2011 and 2023 at least 74 governments signed contracts with commercial spyware or digital-forensics firms.

Related pieces