Former NSO employee steals, flogs Pegasus mobile hacking tool for $50 million

The staff member stole Pegasus spyware code and attempted to sell it in the Dark Web.
Written by Charlie Osborne, Contributing Writer

A former employee of Israeli cybersecurity contractor and software developer NSO Group stole software used for mobile surveillance and attempted to sell it for $50 million.

As reported by local publication Globes, the senior programmer -- hired in November 2017 -- stole the software, worth hundreds of millions of dollars, and attempted to sell the code on after being dismissed from his position for an unrelated reason.

NSO Group, like many cybersecurity firms, had protections in place to prevent the external transfer of its intellectual property and software. The employee's role gave him access to the firm's servers, tools, and source code, but he was still bound by those same restrictions.

Globes reports that it was "made clear" to the defendant that he was "forbidden to remove the information belonging to the company from work, was forbidden to transfer it to another, and it is forbidden to connect external storage devices to the company's computers without obtaining prior approval."

However, a quick Google search performed in February by the 38-year-old employee allowed him to circumvent these barriers, connect an external hard drive to his workstation, and swipe a copy of the Pegasus software right from under the firm's nose.

NSO, commonly linked to the sale of surveillance solutions to government entities, is the creator of Pegasus, one of the most sophisticated forms of mobile spyware known to exist publicly.

Pegasus has been used in the past to monitor activists in the Middle East, and while originally confined to Apple iPhones, an Android version called Chrysaor has been detected spying on individuals in Israel, Georgia, Mexico, Turkey, the UAE, and other areas.

The malware is able to extract keylogs, texts, emails, images, live audio and data stored through apps including WhatsApp, Skype, Facebook, and Twitter. If user behavior suggests it has been detected, Pegasus may self-destruct.

The report suggests that the transfer raised an alert at the cybersecurity firm, but no action was taken at the time.

The employee kept the software on an external drive under a mattress in his apartment for three weeks, before once again turning to Google to find out how to sell his stolen prize.

This search led him to the Dark Web, the Internet's underbelly, which can only be accessed through the Tor network, where he set himself up as a vendor and offered to sell the software to a "foreign party," according to the publication.

However, he only attempted to sell Pegasus after a hearing and dismissal from NSO.

An indictment filed by the State Attorney's Cyber Department, published on Thursday, alleges that the asking price was $50 million in cryptocurrency. This may sound steep, but for software with the potential to devastate both personal and state security worldwide, some parties may see it as a bargain investment.

Fortunately for NSO, the employee's dreams of cashing in did not go as planned. A potential buyer instead tipped off NSO, leading to the arrest of the vendor in June.

The defendant has been charged with attempting to damage property in a manner which would harm state security, employee theft, carrying out a "marketing operation" without a license, and disruption of computer material.

NSO said in a statement that no use was made of the stolen material and no third parties have compromised the software due to the theft.

"We will continue to support the prosecution of the perpetrator to the full extent of the law and pursue all available legal actions," the company told Reuters.

A lawyer acting on behalf of the defendant claims that the former employee never intended to place national security at risk.
