Field Notes · Regional · 2 May 2026

A Phone Number on a List

Rob Pinna Morocco / Global Surveillance · Mobile Security · MENA

In July 2021 a list of fifty thousand phone numbers became public. The Pegasus Project consortium described the numbers as having been selected as persons of interest by clients of NSO Group; inclusion on the list did not itself prove device infection. Among the names traced to those numbers were a Moroccan historian, a journalist who had reported on corruption, a French president, several French ministers, and relatives or close contacts of political figures.

The technical analysis focused on the spyware, which was sophisticated, and on the device infections, which were forensically demonstrable. The spyware itself has been analysed in depth by Citizen Lab and Amnesty Tech. Their reports are public.

The operationally interesting part received less attention: specifically, what the presence of relatives and close contacts on such lists can reveal about the architecture of collection.

The operational reading is not that every associated person was independently significant. It is that mobile surveillance against a primary target can produce, as a byproduct, a map of that target's social and familial graph, and contacts who appear with sufficient frequency may become candidates for collateral selection. The cost of adding another number to a list is low, and the intelligence value of the second-degree contact can be higher than the first, particularly when the primary target has taken precautions that the people around them have not.

For any individual operating in a region where targeted surveillance is a known capability, the threat model that focuses on the journalist, the activist, the lawyer, the diplomat, misses what happens around them. The driver, the cousin, the editor's assistant, the source who has only ever met them twice, can all become the surface where the collection actually occurs. They do not know they are part of it. The primary target may not know either.

Operational security as an individual practice is incomplete because the surface is not individual; it extends through the network of people reachable through proximity to the target. Hardening one device leaves that network unchanged.

Surveillance against a person is rarely a single arrow. It is a pattern of light cast on everyone standing close enough to be illuminated by accident.

Sources
  1. The Pegasus Project, coordinated by Forbidden Stories and published in July 2021.
  2. Technical analysis by Amnesty International Security Lab and the University of Toronto's Citizen Lab.
  3. The Moroccan-side targets identified in the investigation include Omar Radi and Maati Monjib, both publicly documented.
  4. The French-side disclosure regarding senior officials was reported across Le Monde, The Guardian, and the wider consortium.
  5. The structural observation about graph-based collateral selection draws on the broader literature on lawful intercept and contact chaining methodology.