0:02

Hey, it's Al, and today is the last

0:04

episode of our rebroadcast of Mississippi

0:07

Goddamn. We got a whole slate

0:09

of original shows coming your way this

0:11

fall, and we need your support now

0:14

more than ever. See, Reveal

0:16

is a non-profit. That means we

0:19

can prioritize investigating what

0:21

the public needs to know. It also

0:23

means that we depend on listeners like

0:26

you. To show your support

0:28

for non-profit investigative journalism

0:30

that holds the powerful

0:32

accountable,

0:33

please donate today. Visit

0:36

revealnews.org slash donate.

0:38

Again, that's revealnews.org

0:40

slash donate. Thank

0:43

you.

0:51

This episode is brought to you by Progressive Insurance.

0:54

Whether you love true crime or comedy, celebrity

0:56

interviews or news, you call the shots

0:59

on what's in your podcast queue. And guess what?

1:01

Now you can call them on your auto insurance, too, with the

1:03

Name Your Price tool from Progressive. It

1:05

works just the way it sounds. You tell Progressive

1:08

how much you want to pay for car insurance, and they'll

1:10

show you coverage options that fit your budget. Get

1:12

your quote today at Progressive.com

1:15

to join the over 28 million drivers

1:17

who trust Progressive. Progressive Casualty

1:19

Insurance Company and Affiliates. Price

1:21

and coverage match limited by state law.

1:28

From the Center for Investigative Reporting and PRX,

1:31

this is Reveal. I'm Al Edson.

1:34

This past decade has been brutal for

1:37

journalists. Around the globe, more

1:39

than 500 reporters and media

1:41

workers have been killed in the line of

1:43

duty according to the Committee to

1:46

Protect Journalists. One of the most

1:48

notorious cases was Jamal Khashoggi.

1:50

An explosive new report this morning. The

1:53

Washington Post. Turkish officials have

1:56

audio and video recordings

1:57

of the gruesome murder of Jamal Khashoggi.

2:00

Jamal Khashoggi inside the

2:02

Saudi Arabian consulate in Istanbul. After

2:05

Khashoggi's murder came another disturbing

2:08

revelation. A joint investigation

2:10

has revealed evidence suggesting

2:12

spyware was used to monitor those

2:14

in his inner circle before

2:16

and even after his death. Researchers

2:19

believe the cell phones of Khashoggi's

2:22

wife and friends were infected with

2:24

Pegasus, a military-grade

2:26

surveillance software. It can copy

2:28

your messages, harvest your photos, and

2:31

even record you by controlling your phone's

2:33

own camera and microphone. Pegasus is

2:35

probably the most advanced piece of spyware

2:37

ever developed. It is effectively the most

2:40

invasive form of surveillance imaginable. This

2:43

summer, Khashoggi's widow filed

2:45

a lawsuit against the Israeli company that

2:47

makes Pegasus, the NSO group.

2:50

NSO has denied its software

2:52

was used to target Khashoggi, and

2:54

they say Pegasus is only

2:57

sold to governments for tracking and capturing

2:59

criminals and terrorists. But over

3:01

the years, many confirmed targets

3:03

of Pegasus have not been criminals

3:06

or terrorists. They're human rights activists,

3:08

scholars, journalists. Today

3:12

we're partnering with the podcast series Shoot

3:14

the Messenger, produced by Exile Content

3:17

Studio. Scientists Rose Reed

3:19

and Nando Villa investigate

3:21

how Pegasus was weaponized to

3:24

go after an entire newsroom. Reporters,

3:27

editors, photographers, accountants, all

3:30

working in one of the most dangerous countries

3:32

in the Western Hemisphere, El Salvador.

3:37

Carlos Dada is an award-winning

3:39

journalist who for more than two decades

3:42

has run the newsroom of Alfaro,

3:44

based in the capital San Salvador.

3:46

It's an online media that

3:48

turns 25 years old this year,

3:50

which means we were born

3:53

before Google,

3:54

we were born in a country

3:56

where

3:57

not many people had access

3:59

to the internet. internet in 1998

4:02

and we started it just as an experiment.

4:06

Here we are. El Faro is a special

4:08

newsroom because it was the first exclusively

4:11

digital newspaper in Latin America. In

4:13

English, El Faro means the lighthouse.

4:16

Known for its investigative reporting,

4:19

El Faro has been referred to as,

4:21

quote, a breakthrough digital newspaper

4:24

blazing an independent and ethical

4:26

trail in Central America.

4:28

I think that we were able to attract

4:31

a very talented

4:33

generation of Salvadoran journalists,

4:36

all children of the post-war.

4:40

When Carlos references the war, he's talking

4:42

about El Salvador's civil war in the 1980s and

4:45

early 90s. The

4:49

12-year conflict pitted a leftist guerrilla coalition

4:52

backed by Cuba against the government and

4:54

far-right paramilitary groups, which

4:56

received more than a billion dollars in

4:58

military support from the U.S. The

5:00

Reagan administration in Washington is backing

5:03

the government drive with arms, money and

5:05

advisers.

5:06

It's estimated that more than 75,000 civilians

5:10

were killed.

5:11

Nearly a quarter of the Salvadoran population

5:14

moved to the U.S. The devastating

5:16

effects of the conflict lasted

5:19

for decades, and El Faro

5:21

has reported on all of that, including

5:24

government corruption and gang violence.

5:26

We do long-featured

5:28

stories that deal with

5:30

violence, with organized crime,

5:32

with corruption, with human

5:35

rights violations and with politics.

5:39

Carlos and his colleagues are no stranger

5:42

to threats. Over the years,

5:44

police have made unofficial visits to the newsroom,

5:47

unidentified people in unmarked cars

5:49

showing up unannounced to the El Faro offices

5:52

to intimidate its journalists. We've

5:54

received messages from organized

5:57

crime. We've received real

5:59

threats from public officers. Gangs

6:02

publicly said that if it was up

6:04

to them we should not exist. We

6:07

have been harassed in the form of

6:09

physical harassment of having strange

6:12

people standing out

6:15

of our homes. We have

6:17

received drones standing

6:19

by our windows.

6:23

And it wasn't just outside

6:25

his windows. Carlos says one

6:27

time a drone actually flew

6:30

into his apartment. It hovered

6:32

for about a minute in his living room

6:34

and then darted away. Because

6:38

they've been operating in such a dangerous

6:41

environment for so long, Carlos's

6:44

team takes extra precautions when

6:46

they're working with their

6:46

sources.

6:48

They're careful with how they communicate

6:50

with each other. And they pay attention when

6:52

something seems a little off.

6:54

In 2021, reporter

6:57

Julia Gavirate noticed something

6:59

was off with her brand-new iPhone.

7:02

I started having a lot of problems. For

7:04

example, the battery was

7:05

very, very loved in

7:08

a short time. And an app

7:10

that she relied on to make encrypted

7:12

calls with her sources wouldn't

7:15

open. The

7:16

phone was overheating and

7:18

the screen started turning off or

7:20

opening apps that she was not opening.

7:22

We were just having this sensation

7:25

of that someone was

7:26

reading or someone was in our phones

7:29

but we never thought about

7:31

Pegasus.

7:33

Julia's phone was

7:35

eventually sent to Citizen Lab. It's

7:38

a digital watchdog group that essentially

7:40

tracks human rights violations on

7:43

the internet.

7:44

The lab had been aware that

7:46

something was up in El Salvador.

7:49

There was something going on with Pegasus there.

7:51

John Scott Raleton is a senior researcher

7:53

with Citizen Lab, which is based at

7:55

the University of Toronto's Munk School.

7:58

A lot of their work focuses on the

7:59

on tracking mercenary spyware

8:02

like Pegasus.

8:04

It's not uncommon for us as researchers

8:06

to know that Pegasus spyware might be being

8:08

used in the country, but to have really no

8:11

idea of who those victims are. And the problem is if you just

8:13

go hunting for those people, you're looking

8:15

for needles in a stack of needles.

8:18

John texted Julia. They

8:20

had found Pegasus on her iPhone. He

8:22

was, you know, overwhelming.

8:25

It starts thinking about, okay, I'm not target

8:28

right now. But the thing was, it's

8:30

obvious that it's not only

8:32

me. There are more people here that

8:34

are targeted as well. They

8:37

then started to put the pieces together

8:39

of what was happening, not just

8:41

with Julia, but with her colleagues too.

8:44

There is a pattern to Pegasus

8:46

cases, which is if you find one in

8:48

a given country, you're probably gonna find

8:50

a lot more.

8:51

Well, since they kept asking for more phones,

8:54

we sent all the phones.

8:56

And when researchers took a closer

8:58

look, John says there

9:00

was something different about how Pegasus

9:03

was being used on El Faro.

9:05

It was just like, can that be right?

9:07

I've never seen anything like that.

9:09

It was that they were really targeted

9:12

just in a radical

9:14

manner.

9:15

It's not something that we'd seen before. In anything like

9:17

this volume or this number of cases.

9:20

Cities and lab were so impressed

9:22

by our case. We thought, well, maybe this

9:25

is really big. This is something extraordinary. And

9:28

that's what it was.

9:31

Since the initial discovery

9:34

of Pegasus, we've been on this journey

9:36

to try to understand where it

9:39

is, how it's evolving, who

9:41

the

9:42

customers are, where the targets

9:44

may be. John

9:46

has worked with Citizen Lab for the past decade

9:49

and has been tracking Pegasus since 2016. That's

9:53

when they made their first discovery of a Pegasus

9:55

infection on the phone of a human

9:57

rights activist from the United Arab Emirates.

10:00

named Ahmed Mansour. He's been

10:02

in prison since 2017.

10:04

That journey has kind of continued unbroken

10:07

since those first findings around Ahmed

10:10

Mansour. And that approach gave

10:12

us a trail of digital breadcrumbs that

10:14

we continue to follow to this day.

10:18

Pegasus is the most sophisticated

10:20

spyware made to date. It

10:23

can bypass any encryption because

10:25

it uses a loophole in a phone's software

10:27

to be a hidden but active parasite.

10:31

The NSO group, the company behind Pegasus,

10:34

has said Mexican authorities use their product

10:36

to help capture the drug lord Joaquin Guzman,

10:39

better known as El Chapo, by tapping

10:41

the phones of people in his inner circle. But

10:44

Citizen Lab has confirmed journalists

10:46

have also been targeted. One

10:49

of the components of our work, of course,

10:51

is this constant effort to

10:53

try to understand where Pegasus

10:56

is located in cyberspace,

10:58

whereas the data that's being taken from phones

11:01

going.

11:02

In some cases, our research

11:04

has been able to determine clusters

11:07

of servers that belong to, we

11:09

could say, a single deployment, and then try

11:11

to understand where in the world the infections

11:14

are that are talking to that

11:16

cluster.

11:18

Pegasus allows an operator in one country

11:20

to steal information from phones in

11:22

multiple countries. In Alfaro's

11:25

case, the hackers seem to be close

11:27

to their target.

11:29

Back in 2020, we

11:31

observed an operator that appeared to

11:33

be involved in El Salvador. So

11:36

this means there's a Pegasus operation

11:38

going on in El Salvador. By the

11:40

next year, we were investigating these cases.

11:46

When the Alfaro journalists learned that

11:48

Julia Gavarrete's iPhone was inspected

11:51

with Pegasus, they suspected

11:53

the Salvadoran government was behind

11:55

the attack. The government

11:58

has denied the use of Pegasus But

12:00

as we've heard, harassment of the media

12:02

by the government is hardly new. Carlos

12:05

has covered the terms of six different

12:07

Salvadoran presidents. And some

12:10

of those administrations have tried to

12:12

intimidate or silence independent

12:14

press in El Salvador or

12:16

just make their business difficult.

12:18

In the form of legal

12:20

harassment,

12:21

we are the subject of

12:24

four different

12:26

tax audits.

12:28

Harassment has intensified

12:30

during this administration

12:32

of President Nayib Bukele. Bukele

12:37

was elected president in 2019 at the age of 37. He

12:41

has a beard, wears skinny jeans, leather jackets,

12:43

and backwards baseball caps. He

12:46

once described himself on Twitter as the

12:48

world's coolest dictator. Fluent

12:51

and prolific on social media, he has said

12:53

that Instagram posts can be more important

12:55

than assembly floor speeches. Bukele

12:58

has led a brutal campaign to crack down

13:00

on gangs, which, since El Salvador's

13:02

civil war, have been a powerful force.

13:11

This is Bukele describing his war on gangs

13:13

and corruption in a speech to the nation in June.

13:18

He boasted about opening a mega prison,

13:20

possibly the world's largest. During

13:22

his tenure, more than 65,000 people

13:25

have been arrested for being suspected gang

13:27

members. Before becoming

13:29

president, he was a city mayor, and

13:31

El Fado was one of the few Salvadoran outlets

13:33

to cover his unconventional race for president,

13:36

as Bukele ran outside the two main political

13:39

parties. Mainstream media in El

13:41

Salvador will not cover his

13:44

political messages or his political

13:46

conferences. We did. By

13:49

that time, he was only talking to us

13:51

because we were the only ones willing to talk

13:53

to him. As soon as he became

13:55

president, we started reporting

13:58

on his government.

13:59

In Vucalli's first year in office, he

14:02

began to work on consolidating his

14:04

power. In February of 2020, he

14:07

was trying to push through a loan of $109 million for military equipment

14:12

and was meeting resistance from Parliament.

14:14

After speaking for half an hour, the President

14:17

went into the Legislative Assembly. He

14:19

said he would give the members of the Parliament another week

14:21

to approve this loan. And he said if

14:23

they didn't do that, he would return to

14:25

the Assembly.

14:27

A few weeks later, lawmakers were

14:29

in session.

14:30

Heavily armed police and soldiers

14:33

arrived to occupy El Salvador's

14:35

Parliament building. Soldiers entered

14:37

El Salvador's Parliament as the President

14:40

demanded lawmakers approve a $109

14:43

million loan to equip the military

14:45

and police to fight against violent

14:47

gangs.

14:48

He entered Congress followed

14:50

by soldiers armed like

14:53

four conflict to threaten

14:55

the congressmen that he was

14:58

going to sack them that day. He

15:01

didn't in the end.

15:02

He prayed to God sitting in the chair

15:05

of the President of Congress and

15:07

he left the place and he talked

15:09

to the crowd outside Congress and he

15:11

told the crowd,

15:12

God asked me for patience. I

15:18

said, God, I'm not going to pay for patience, but

15:21

I'm going to work for the president. The

15:24

President was

15:24

pushing Congress, which he didn't get

15:26

control, to approve the loan.

15:29

And Congress was asking for more information

15:31

about it. And

15:33

then what he did was to threaten Congress

15:35

that he was going to stage a coup d'etat

15:37

against Congress.

15:39

Not long after Bucalli threatened a

15:41

coup, El Salvador held parliamentary

15:44

elections.

15:44

He won the majority.

15:54

And on the first session of the new Congress

15:56

that he controlled,

15:57

Congress dismissed.

15:59

from Supreme Court justices

16:02

or judges, which is, of course, unconstitutional.

16:05

And that's how Bukele got in

16:07

control of all the institutions

16:09

of the state.

16:11

El Faro pressed on with their coverage

16:14

of Bukele's power grab and the

16:16

harassment intensified. In

16:19

November of 2020, the president criticized

16:22

El Faro on Twitter saying,

16:24

quote, they say they do independent

16:27

and truthful journalism. At least

16:29

the pamphlets are good for ripening avocados

16:32

or cleaning up after pets. And

16:35

this tweet, quote, El Faro

16:37

and friends have become a website with

16:39

opposition content. If there was any

16:42

journalism left there, it's gone.

16:45

Bukele is not only the president, he's the most

16:47

popular president

16:49

in the whole Western hemisphere.

16:51

He has around 85%

16:52

of popular support.

16:55

When a president

16:58

with that traction,

17:00

with that huge percentage of followers,

17:03

which that divisive speech

17:06

declares you a public enemy, that

17:09

means that a lot of that 85% of the people

17:13

will believe him,

17:15

will believe that we are not publishing

17:21

the truth because the truth is what the government

17:24

says.

17:25

All of this raises some questions.

17:28

If Bukele's propaganda machine is so

17:31

powerful and if he enjoys genuine

17:33

popular support, why

17:35

bother spying on journalists? And

17:38

is there any way to figure out if

17:40

Bukele's government really was

17:43

behind the Pegasus attack?

17:49

One of the reasons Pegasus is so

17:51

powerful is because it's very

17:53

hard to trace an attack back to

17:55

the source. But in this case,

17:58

the hacker left behind some important clues. That's

18:01

up next on Revealed.

18:18

I may sound biased

18:19

here, but I think our stories

18:21

are pretty great. And if you're

18:23

listening to this, I have a feeling that, well, you

18:26

might agree. Have you ever

18:28

been left wanting even more? Revealed's

18:31

newsletter goes behind the scenes. Reporters

18:34

describe how they first found out about

18:36

these stories and the challenges they face

18:38

reporting them. Plus, recommended

18:41

reads and more. Subscribe now

18:43

at RevealedNews.org slash newsletter.

18:53

From the Center for Investigative Reporting in PRX,

18:56

this is Reveal. I'm Al Letzen.

18:59

We're following the spread of a virus,

19:01

a human-made information virus.

19:04

Pegasus is spyware, develops

19:07

to help governments crack into smartphones to

19:09

target drug traffickers and terrorists. But

19:12

Pegasus has also been used against

19:15

journalists, activists, and scholars. And

19:17

in the case of the Alfaro newspaper in El Salvador,

19:20

an entire newsroom. Rose

19:23

Reed and Nando Villa from the podcast

19:25

series Shoot the Messenger are tracking

19:27

the efforts to figure out who was behind

19:29

the attack. In

19:32

the months after Citizen Lab found Pegasus

19:35

on the phone of Alfaro reporter Julia Raborrete,

19:37

the newspaper was facing direct and public

19:40

attacks from President Naive Bukele.

19:43

In trying to connect Bukele's government to the

19:45

phone hack, there was some unique

19:48

evidence. Once again, this is Citizen

19:50

Lab's senior researcher, John Scott

19:52

Railton.

19:59

this infection to a cluster

20:02

of servers that we were monitoring. What's

20:04

interesting about the El Salvador case is we did have

20:07

one case

20:09

where we were able to connect

20:12

one of the infections

20:13

to an operator.

20:15

That case involved an El Faro

20:18

reporter named Carlos Martinez.

20:21

Researchers caught a spyware attack on Carlos's

20:24

phone. The technical term is intermission,

20:27

and they caught it as it was happening,

20:29

in real time.

20:31

We were able to discover that

20:34

there was a failed exploit attempt

20:36

on his device, and we connected that

20:38

failed exploit attempt to the operator that we

20:41

called Torogoz, which had been pretty

20:43

much exclusively targeting within El Salvador.

20:46

They saw the operator live

20:49

in Carlos Martinez's phone. That

20:51

allowed them to geolocate

20:54

the operator. And to no surprise,

20:56

it's based in El Salvador. That's

20:59

who was operating Pegasus in our

21:01

phone.

21:02

Which further adds to the

21:04

suggestive evidence pointing at the likelihood that

21:07

the El Salvadorian government may be the operator

21:09

in this case. With each infection,

21:12

you can kind of hear like a ching in

21:14

the background. As you imagine, the process

21:16

of analyzing the data, the process of targeting

21:18

the person, all of these other pieces it

21:21

would have had to go into it. I imagine just reams

21:23

and reams and reams of paper and documents authorizing

21:26

and requesting infections again and again and again

21:28

and again. And then reports generated

21:30

based on that material.

21:32

The NSO Group, the Israeli company

21:34

behind Pegasus, insists it

21:36

only sells to government agencies like

21:38

security and intelligence services.

21:41

Since Pegasus is classified by Israel as

21:43

a cyber weapon, the NSO Group is

21:45

required to get government approval for

21:47

every sale. It works like a subscription

21:50

service. Countries use a portal and depending

21:53

on the package are allotted a specific number

21:55

of targets. The idea is

21:57

the more you pay, the more targets you get.

22:00

But NSO is very protective about the

22:02

intricacies of their deals. Carlos

22:04

Dada says that makes it all the more difficult

22:06

to figure out who was spying on his

22:09

newspaper. Since

22:12

NSO keeps such a secrecy over

22:15

who they sell Pegasus to, the

22:18

government of El Salvador has

22:20

been able to say it's not ours. Most

22:24

of the time, hacks with Pegasus are

22:26

a single hit, largely because

22:28

of how expensive it is to use. The

22:31

person operating it will break into a phone,

22:33

take a copy of everything and get out. But

22:36

that was not the case with the El Fado hack.

22:39

I'm pretty accustomed to looking

22:42

at the readouts and the number

22:44

of infections that we show when we do an

22:46

analysis. And again

22:48

and again, the results

22:51

from the El Fado would literally fill my

22:53

screen with cases with numbers

22:55

of infections. It was that they were really

22:58

targeted 10, 20, 30, 40 times the same individual. This

23:02

was obsessive every day, constantly

23:05

hacking and rehacking every time this person would restart

23:07

its phone.

23:08

That's really intense.

23:12

In my case, out of a year and a half,

23:14

Citizen Lab says the information

23:16

might have lasted 167 days. That's

23:21

not only getting into your phone, sucking the

23:23

information, that's living with you. Basically,

23:26

I had someone living in my phone next to me, turning

23:28

on the microphone, turning on the camera, knowing

23:31

where I was going and who

23:33

I was meeting with. It

23:36

was more surprising that even people from the

23:39

accounting department, from the managing

23:41

part of the El

23:43

Fado, was also

23:46

contaminated with

23:48

Pegasus,

23:49

which lets you know the

23:51

scope of these intromisions and

23:54

the amount of money they spent

23:57

to find out everything about

23:59

it. our operation and about every

24:02

single one of us.

24:03

It wasn't just one or two people at

24:05

this news organization. It was like somebody

24:07

had done a core sample through the entire organization,

24:10

monitoring people left and right. Journalists,

24:12

editors, publishers, the work.

24:15

Citizen Lab uncovered a total

24:17

of 226 infections detected on 22 members of Alfaro

24:24

over the course of a year.

24:26

We try to get people informed very

24:28

quickly. There

24:29

are times when I will go to sleep knowing

24:31

that the next day I'll have to talk to some people and give them

24:33

some tricky news.

24:35

People often want to know. People

24:38

are relieved to learn that they

24:40

have been hacked. I

24:42

think for a lot of people, it is also

24:45

clarity and truth in

24:47

a scenario where those things are hard

24:50

to come by.

24:54

After the hack was discovered, Carlos

24:57

met with his newsroom to talk about what

24:59

this meant for them personally and

25:01

for their sources.

25:03

Our lifestyle was already different. Everybody

25:06

knew what was going on inside Alfaro. We

25:08

have a very solid team in that sense. I

25:12

felt that my first obligation was

25:15

letting everybody know that

25:18

the healthiest decision would be to leave

25:20

to quit Alfaro and that

25:23

I didn't want anyone to stay

25:26

because they felt some kind of obligation.

25:28

I have been very insistent

25:31

about that. Some people left

25:34

and we all let them

25:36

know they were entitled to that

25:38

and that that was a normal thing.

25:42

But if you wanted to stay, you

25:44

should know that silence is

25:46

not an option. So we

25:48

are not going to let these things

25:51

silence us while we are working

25:53

here.

25:54

You had said that

25:56

people who work at Alfaro that our lives

25:58

are already different. What does

26:00

that mean? How are your lives different working

26:02

at Alfaro?

26:03

I think our public life, meaning

26:06

going out to

26:08

parties, to public places,

26:11

has already diminished a lot.

26:13

Let me give you a good example.

26:15

One day after a tough

26:18

night in HealthWife, I,

26:21

in the morning of Saturday,

26:24

I went to the pharmacy. I think it

26:26

was 8 a.m. to get medicine.

26:28

And I buy a couple

26:31

of Gatorades.

26:32

Fifteen minutes later, the press secretary

26:35

was tweeting a photo of the

26:37

drugstore where I went, saying, Carlos Dada

26:39

was just here,

26:40

buying five Gatorades.

26:43

That's the size of his hangover.

26:45

Let's hope he didn't rape any

26:47

women yesterday night. That's

26:50

the kind of things that were happening.

26:53

The most important thing to the reporters

26:55

at Alfaro was what this would mean

26:57

for their

26:57

sources,

26:58

the people who risked their jobs,

27:01

their careers, and even their

27:03

safety to share with them critical

27:05

pieces of information and evidence about

27:08

Bukele's administration and possible

27:11

corruption.

27:12

We talk to a lot of sources

27:15

every week, so it's impossible

27:17

to talk back to all the sources

27:20

that we have dealt with during

27:23

all the time that turned out that we were being

27:25

tagged with Pegasus. We

27:28

asked cities in lab for the date

27:30

of the information into everybody's

27:33

phones, and we crossed this

27:35

information with our news cycles.

27:38

When they looked at the points in time when their phones were

27:41

being targeted, they noticed something

27:43

startling, that the hacks often

27:45

coincided with their stories on corruption

27:47

and Bukele's deals with gangs.

27:50

There was this nexus of timing

27:53

between reporting on corruption

27:55

and reporting on negotiations with

27:58

murderous gangs like MS-13.

27:59

and some of that targeting.

28:26

He

28:30

was also negotiating with the 18th Street

28:33

Gang, which is the other big

28:35

gangs. Those

28:37

were two big red dots when

28:39

we crossed the data.

28:42

What we have were videos, photography,

28:45

and official paperwork from

28:47

the prisons where the leaders were taking out

28:50

or where government officers would visit

28:52

to talk to them. That proved

28:55

that Bo Kelly had been negotiating with them, and

28:57

that's what explained the

28:59

reduction of the homicide rate in the country.

29:04

El Faro published their article about

29:06

President Bo Kelly's negotiations

29:09

with MS-13 on September 3, 2020.

29:13

The article outlined how Bo Kelly was making

29:15

an alliance and brokering deals

29:18

with the leaders of MS-13 to

29:20

reduce silence in exchange for favors,

29:23

better prison conditions, and the

29:25

release of high-ranking gang leaders from

29:27

prison.

29:29

A few weeks later, Bo Kelly struck

29:31

back. He announced El Faro was

29:33

being investigated for money laundering.

29:40

During the month the article was published,

29:43

at least one El Faro employee

29:45

was surveilled with Pegasus every

29:47

single day. The data indicated

29:49

a strong link between Pegasus infections

29:53

and the newspapers

29:53

corruption investigations.

29:56

Carlos says many of El Faro's findings

29:58

were substantiated earlier this year

30:01

in U.S. court as part

30:03

of an investigation into MS-13's

30:05

transnational operations.

30:07

The United States Justice

30:09

Department presented an indictment

30:13

in New York in a federal court against 13

30:17

members of the MS-13

30:19

gang where they detailed the negotiations

30:23

between the gang and President

30:25

Bukele's administration.

30:28

According to this indictment, they

30:30

were negotiating in exchange for

30:33

economic benefits, for

30:35

territorial control, and

30:37

for the refusal of the Bukele administration

30:40

to extradition

30:43

requests from the United States. We

30:46

in the end also knew and published

30:48

that some Bukele administration

30:51

officers personally took

30:53

out of prison MS-13

30:56

leaders and drove them to

30:58

the border with Guatemala. So

31:01

these are the kind of stories we were publishing

31:03

during this cycle.

31:05

What do you think that the people behind

31:07

the attack were looking for?

31:09

My first impression is that they want to

31:11

know who we're talking to.

31:13

They want to know who our sources are, who

31:15

we meet with,

31:16

because

31:17

we've been publishing inside information

31:19

in

31:20

the last years and that's how we found out

31:22

about Bukele's deals with the gangs,

31:25

that's how we found out about some corruption scandals.

31:27

You can imagine the risk for those people.

31:30

So that's my first impression that they wanted to go

31:32

after that. But as we've seen that

31:34

happened to journalists in other orthocratic

31:37

ruled countries, they are looking

31:40

for

31:41

intimate images that

31:43

they can blackmail the reporters with or

31:45

discredit them by handing

31:48

them to the public.

31:51

We knew that in El Salvador it's hard

31:53

to be a journalist, but now you

31:56

have to be stronger

31:58

if you want to make the right decision.

31:59

the type of work that we are doing.

32:02

When it comes to the Pegasus infections at El Faro,

32:05

reporter Julia Raborite was patient

32:07

zero. And she says it got

32:09

under her skin. It affected her mental

32:11

health. She felt paranoid. She

32:14

had to change the way she lived and worked.

32:17

You have to take care of your sources,

32:20

or you have

32:20

to take care of the information that someone

32:22

shared with you. You have to take care of your

32:24

own family. We keep

32:27

analyzing our devices

32:30

just to check if we are

32:32

still victims of Pegasus. But there

32:34

are more. I mean, Pegasus

32:36

is not

32:37

the only program that they can

32:39

use.

32:40

For John Scott Reilton from Citizen Lab, he's

32:43

seen Pegasus used in all sorts of ways

32:45

by governments trying to stop the press or

32:47

to attack human rights defenders. Maybe

32:50

it's used purely strategically, right? They don't

32:52

want to

32:53

do anything that would show that they have it. And

32:55

so instead, they try to use it to frustrate

32:58

the designs or plans or activities of an

33:00

organization. Maybe in other

33:02

cases, it's going to be used to blackmail people. Or

33:04

maybe it'll be used to try to discredit people. Think

33:06

about all the things that you do on your phone. And

33:09

then imagine what would happen if all

33:11

of those things were dumped out on the table. Think

33:14

about what they might do in your personal life

33:16

and your work life.

33:17

That kind of creativity, unfortunately,

33:19

is the stock and trade of security

33:21

services and authoritarian or repressive regimes.

33:26

We saw in the killing of Saudi journalist

33:29

Jamal Khashoggi that Pegasus has been

33:31

connected to murder investigations. Carlos

33:34

Dada knows this firsthand. In 2017,

33:38

his good friend, Mexican investigative

33:40

reporter Javier Valdez, was shot dead

33:43

in his hometown of Culiacal. Javier

33:46

Valdez investigated corruption and drug

33:48

cartels, the same kind of work

33:50

El Faro does. And police

33:52

investigations have revealed he was killed

33:55

for his reporting. Citizen

33:57

Lab discovered something more, that

33:59

his widow... was targeted with Pegasus

34:01

within weeks of his murder.

34:03

Javier Valdez was a character.

34:08

He was not a Mexican journalist. He was

34:10

Javier Valdez. There's no one like him. With

34:13

a marvelous pen to describe,

34:15

in a very literary way, the horrors

34:18

of drug trafficking and its

34:20

consequences in a place like Sinaloa,

34:23

in Mexico.

34:24

He was exceptional as a journalist,

34:27

but his ultimate fate

34:29

was not exceptional among

34:31

Mexican journalists.

34:33

But again,

34:35

also Mexico is not an exceptional place.

34:37

It may be the worst, if not

34:39

one of the worst places to do journalism, but

34:42

not the only one

34:43

where journalists are being killed.

34:46

The commonality in these countries

34:48

is a level of impunity,

34:50

which

34:51

allows criminals to think

34:53

we can kill a journalist

34:55

and we won't pay the consequences.

35:00

In January, 2022, Carlos,

35:03

Julia, and their colleagues prepared

35:06

to publish an article about how Alfaro's

35:08

newsroom was targeted by Pegasus.

35:11

They wanted to share with the world the scale and

35:14

intensity of the attack

35:17

and warn their sources.

35:19

I told my family, I told

35:22

my girlfriend, I told some of my friends.

35:26

This is what happened. You should know from me before you know

35:29

from her publication at Alfaro.

35:31

I was alone in my house,

35:35

just waiting for the moment that

35:38

everything was going to be released. And

35:40

yes, I was scared a little bit. We

35:43

were telling our own stories. It

35:47

was the first time that I

35:49

worked on something like that.

35:52

We don't use the talk and we don't like the talk

35:55

ourselves. It's

35:56

a horror. It's like we're telling ourselves that

35:58

we have to be able to do this.

35:59

and the Salvador, for a systematic

36:02

experience with software and Israeli Pegasus.

36:06

We became the story,

36:08

which is very uncomfortable for journalists.

36:11

We tell other people's stories. When

36:15

we published the story that we

36:17

had been infected with Pegasus, we felt

36:19

the obligation to run an editorial, which

36:22

was titled, To Our Sources.

36:25

Basically telling our sources we have done anything

36:28

in our hands to protect you.

36:30

So take your own measures, just know

36:32

what is happening. And of course what

36:34

happened the day after is that no one else wanted

36:36

to talk to us anymore. And it

36:39

has taken a long time to

36:41

construct systems

36:44

of communication with sources that

36:46

are safe.

36:49

Carlos says that it was only after

36:51

they published the article about the Pegasus

36:53

attack that he had the time to

36:55

think about all the personal consequences.

36:59

I felt like so invaded that

37:02

the only thing that I felt

37:04

that I needed to do was get into the

37:06

shower and open it. I needed to like clean

37:09

myself from something very dirty. They

37:12

have all my photos. They have all my

37:14

videos. They have the photos of my

37:17

dear ones.

37:18

They have been listening to

37:21

my conversations in my

37:24

apartment with my girlfriend,

37:26

with my friends, with my not so

37:28

friendly friends. They have been living

37:31

with me

37:32

for many, many days.

37:37

Today the staff at Alfaro remain

37:40

dedicated and they found new

37:42

ways to communicate safely. It

37:44

makes their work more difficult, more

37:47

tedious. They often have to travel

37:49

within El Salvador and outside

37:51

the country to work effectively

37:54

and be safe.

37:56

We are going back and

37:58

forth. going out and going

38:01

back in. Some of them have spent

38:03

months

38:04

out of the country and then they go back. We

38:08

are trying to measure

38:10

the risks

38:11

week by week. These

38:14

people are at such risk. And

38:17

clearly, even though they knew that they were at risk

38:19

at the time, there were risks that they didn't

38:21

fully understand, these digital risks. And

38:24

that made me angry. It made me angry because

38:27

I thought that the work that they were doing was critically

38:29

important. So the world would understand what was going

38:31

on in El Salvador. And yet there was

38:33

this digital subversion going

38:35

on on their devices, trying to make it really

38:38

dangerous for them to do trust healing and

38:40

to talk to sources.

38:43

Pegasus is just one

38:45

element of the harassment and

38:47

attacks against independent presidents in

38:49

El Salvador.

38:50

They passed a law

38:52

criminalizing publication

38:54

about gangs that can bring

38:57

a reporter or a publisher or an editor

39:00

up to 15 years in prison

39:02

for publishing a story about gangs

39:05

with the clear intention of silencing us

39:08

who were publishing book-alette secret negotiations

39:10

with gangs.

39:11

Since we decided that silence is not

39:13

an option,

39:14

when we publish a story about gangs,

39:17

we have faced the need to

39:19

take those reporters out of the country

39:22

for some time. Pegasus

39:24

is just another means that

39:27

this government has to attack

39:29

and harass independent press, but far

39:31

from the only one.

39:36

Coming up, what the Pegasus hack

39:38

of El Faro means for the free press around

39:41

the world. Think about what

39:43

happened to El Faro as a canary

39:45

in the coal mine. It is highlighting

39:48

what happens when an unaccountable

39:50

government gets its hand on a powerful

39:53

surveillance tool. It will

39:55

be abused. You're listening

39:57

to Reveal.

40:16

If you like what we do and you want to help, well

40:19

it's pretty simple. Just write us a review

40:21

on Apple Podcast. It's

40:23

easy and only takes a few seconds. Just

40:26

open the Apple Podcast app on your phone, search

40:28

for reveal, then scroll down to where

40:30

you see write a review. And

40:33

there, tell them how much you love

40:35

the host. Your

40:37

review makes it easier for listeners to

40:39

find us. And it really does make

40:41

a difference. And if you do it, you

40:43

will get a personal thank you from me. Like

40:45

right now. Like thank you. Not

40:48

him, not you. Yes, you.

40:51

Thank you so much. Thank you, thank you, thank you, thank you, thank you. Thank

40:54

you. Thank you, thank you, thank you, thank you. All right.

41:04

From the Center for Investigative Reporting in PRX,

41:07

this is Reveal. I'm Al Ledson.

41:10

When Pegasus was developed, it was marketed

41:13

secretly to intelligence agencies

41:15

as a tool for tracking terrorists and

41:17

drug traffickers. Its creators have

41:19

said that sometimes that necessitates

41:22

spying on innocent people. Pegasus

41:25

is the NSO Group's former CEO,

41:27

Shalef Julio, on 60 Minutes, talking

41:29

about how Pegasus helped authorities

41:32

in Mexico capture Joaquin Guzman,

41:34

aka El Chapo.

41:37

They had to intercept a journalist,

41:39

an actress, and a lawyer. Now

41:42

by themselves, they, you

41:44

know, they're not criminals, right? But

41:47

if they are in touch with a drug

41:49

lord, and in order to catch them, you

41:52

need to intercept them. Okay, so

41:54

let's assume that in the right hands, Pegasus

41:58

can help catch the bad guys.

41:59

But in the wrong hands, well, we've seen

42:02

what happened at El Faro and around the globe.

42:05

Traces of Pegasus have been discovered

42:07

on the phones of journalists, human rights activists,

42:10

and politicians. Some of the people spied

42:12

on were either killed or put in prison, but

42:15

to this day, no one knows the

42:17

full story of Pegasus. With

42:19

me to talk about all of this is Shoot

42:22

the Messenger co-host Rose Reed.

42:24

Hey Rose.

42:25

Hey Al, it's great to be here.

42:27

So I gather that one of the many

42:29

frustrations for El Faro and other

42:32

media outlets goes beyond the extensive

42:34

spying and the damage it's caused.

42:37

Yeah, it's really about the total

42:39

lack of accountability for all

42:41

of this. You know, as we mentioned, El Salvador

42:44

has denied using Pegasus. And

42:46

since NSO Group's contracts protect

42:49

the identity of its customers, we

42:51

can assume it's the government of Naibukkali,

42:54

but we don't have exact confirmation.

42:57

Although we did learn that Citizen

43:00

Lab saw in real time

43:02

an operator in El Salvador

43:05

targeting a journalist at El

43:07

Faro. So no one has been

43:09

held accountable in El Salvador for these

43:11

hacks. What else can a media

43:14

organization like El Faro do? Well,

43:16

there's one thing El Faro has done.

43:18

They've teamed up with the Knight First Amendment

43:20

Institute at Columbia University, and

43:23

they are actually suing the NSO

43:25

Group. Their case says

43:27

the attacks violated the Computer

43:30

Fraud and Abuse Act, which is an anti-hacking

43:33

statute that dates back to the 80s. And

43:36

the act itself does say that it

43:38

can extend beyond US soil.

43:41

And I think what's really interesting about this case

43:43

is that if Carlos Dada and

43:46

the 17

43:47

other folks in the newsroom who have sued

43:49

the NSO Group, if they win, the

43:52

client of the NSO Group who targeted

43:55

them will

43:55

be revealed.

43:57

With such intrusive spyware like

43:59

this,

43:59

They can't be the only ones suing the

44:02

NSO group. That's right.

44:03

The legal cases against the NSO group are

44:06

mounting. We mentioned at the top

44:08

of the show that the widow of Jamal Khashoggi

44:10

has filed legal action. There's

44:13

another lawsuit on behalf of META and

44:15

specifically WhatsApp. They alleged

44:18

that Pegasus was used to exploit

44:20

a bug in WhatsApp and target more than 1,400 people.

44:24

That also included activists and journalists. And

44:27

most importantly, Apple is

44:30

suing the NSO group. Apple is saying

44:32

that the NSO group violated

44:35

their infrastructure

44:36

to target these people. And

44:38

that's actually how Pegasus works.

44:41

The whole idea about Pegasus is that it

44:43

finds an exploit in either your iPhone

44:45

or your Android. NSO

44:47

has asked the courts to dismiss

44:50

these cases. The courts have

44:52

not ruled in their favor. So

44:55

it's possible that these cases will

44:57

proceed. And why is that important?

44:59

NSO's business model relies

45:02

on secrecy. And that means keeping

45:05

all of their clients, aka

45:07

governments, countries hidden.

45:10

If the case proceeds and

45:12

moves to court,

45:14

something called the discovery

45:15

phase begins. And

45:17

discovery could bring a lot of

45:20

problems for the NSO group because their

45:22

contracts, documents, emails,

45:25

phone calls, text messages

45:28

could all be subpoenaed. If

45:31

Carlos Dada and Alfaro win their

45:33

lawsuit against the NSO group and

45:35

the client is revealed, it

45:38

would create a strong deterrent for countries

45:40

around the world from using Pegasus and

45:42

spyware like it because they couldn't

45:45

assume protection and secrecy.

45:49

I hear all these stories and see all

45:51

the research has been compiled. It's

45:53

really hard for me to accept the NSO's

45:55

claims that Pegasus isn't involved

45:58

in these attacks.

45:59

One thing I wonder a lot about too, and I

46:02

think a lot of people have given this a lot of thought,

46:04

and you know, there's evidence that Citizen

46:07

Lab and other research groups have collected

46:09

that's really compelling, that Pegasus

46:12

is involved. Now, the executives

46:14

at the NSO group have declined to speak with

46:16

us, but in their defense they've

46:18

said that Pegasus is classified as a cyber

46:21

weapon. So every sale has

46:23

to be approved by the Israeli government.

46:26

Its contracts with other governments and intelligence

46:29

agencies have all kinds

46:31

of restrictions. And so NSO

46:33

also says if a government abuses

46:35

their software and targets

46:38

illegitimate targets, that they're cut off as

46:40

clients. This is Omri Lavi,

46:43

one of NSO's co-founders,

46:44

speaking in an interview that

46:46

was posted on YouTube. We do

46:48

everything within our power to

46:51

prevent and make sure that this

46:53

technology is not misused. We're

46:55

taking the regulation that

46:57

is put on our shoulders and

46:59

taking it even further by having

47:02

our own regulatory leaps and bounds and committees

47:05

and people involved that try and prevent

47:07

as much as possible misuse

47:09

of this technology. But I

47:12

just want to add that nothing

47:15

will ever be 100%.

47:17

He says nothing will ever be 100%, but

47:20

that's quite a caveat when you're talking

47:22

about spyware this powerful. And

47:25

it makes me wonder, how would the

47:27

NSO know if a government

47:29

is violating terms of their contract? Does

47:32

the NSO require its clients to

47:34

reveal the identity of a potential

47:36

target or are these

47:38

just rogue operations?

47:40

Yeah, I think this is where the NSO group

47:42

has really tripped up because

47:45

they basically have said conflicting

47:48

messages. On one hand, they say,

47:50

you know, we do a lot of due diligence

47:53

and we really investigate

47:55

our clients before we sign them onto a contract.

47:58

And they've also said, we...

47:59

We don't know exactly who our

48:02

clients are targeting. We give them

48:04

a portal and they're the ones who are

48:06

operating it. And they don't have control

48:09

over what their clients are doing.

48:12

So basically, you could sum up their

48:14

business model as, trust

48:16

us, we'll investigate. But

48:18

they don't want to give a definitive statement

48:21

on how involved they are with the

48:23

targeting and infections with

48:25

their customers. And I think

48:28

what's really important

48:28

for us to remember is that the

48:30

abuses are still proliferating.

48:35

The NSO group has become so

48:37

controversial, it's been blacklisted by

48:39

the Biden administration, but it's

48:41

also hugely profitable.

48:43

That's right. The co-founders, Shalav

48:45

Julio and Omri Lavi, when they started out

48:47

in the mid 2000s, cybersecurity

48:50

was a budding industry, you

48:53

know, measured in the millions. And

48:55

today, the cyber warfare industry and

48:57

the mercenary companies that support it

49:00

represent more than $43 billion. And

49:03

those are just the reported numbers. Bloomberg

49:06

projects that there are more than 200 companies

49:09

in this space. And the NSO

49:11

group is just one of the most famous

49:14

or infamous.

49:15

Okay, so let's say the lawsuits

49:18

are successful and Pegasus is eventually

49:20

shut down. Even how much money

49:22

is at stake? Could this kind of technology

49:25

just find a new life in some other form?

49:28

People who have thought deeply about this say that

49:30

Pegasus is just a first iteration,

49:34

like so much of how technology evolves,

49:37

so does something like Pegasus. I mean, we've even

49:39

seen it go from one click to

49:41

zero clicks. So I think

49:44

that we're already seeing this

49:46

kind of evolution happen.

49:48

I think a lot about what John Scott

49:51

Reilton from Citizen Lab had to

49:53

say about how the NSO group

49:55

was trying to market Pegasus.

49:58

Think about what happened.

49:59

to El Faro as a canary in

50:02

the coal mine. It is highlighting

50:04

what happens when an unaccountable

50:06

government or unaccountable security

50:08

service gets its hand on a powerful

50:11

surveillance tool. It will

50:13

be abused. We are seeing early

50:16

cases, high-risk places, places

50:18

with maybe, you know, security services

50:21

that are not as good at hiding their tracks. But

50:23

that's not where this ends. It ends in a

50:25

police department near you, and that should

50:27

concern

50:28

all of us.

50:32

So I think the key word

50:35

is vigilance for all of us.

50:38

We need to be vigilant about the nexus, the

50:40

close connections between private industry

50:43

and the government, especially in

50:45

the area of technology. We can't simply

50:47

trust what any government tells

50:49

us, because we've seen how

50:52

some of this advancing technology

50:53

can pose direct threats to democracy

50:56

in places where democracy is struggling or

50:59

where it's under threat to keep it

51:01

that way.

51:03

Rose, thanks so much for talking to me.

51:06

It's a pleasure, El. Thank you for having me.

51:09

Rose Reed is a co-host and executive

51:11

producer of Shoot the Messenger, a podcast

51:14

from Exile Content Studio and PRX.

51:20

So we just heard about how spyware like Pegasus

51:22

continues to evolve. And as

51:24

we're finishing this show, as if on cue,

51:27

there was some news. Citizen Lab

51:29

reported that Pegasus found a new way

51:31

to take over an iPhone through its messaging

51:34

app. No clicks. Pegasus just

51:36

took control. The reported

51:38

target of the hack was a person

51:40

working at an international NGO

51:43

based in Washington, D.C. Apple

51:46

quickly responded with an emergency software

51:48

update. We know the Alfaro

51:51

newspaper is just the tip of

51:53

the iceberg when it comes to Pegasus.

51:55

For deeper dive, you can binge the entire 10

51:58

episode series. murder,

52:01

and Pegasus spyware. That's on

52:03

Shoot the Messenger. Find it anywhere you

52:05

get your podcasts. This

52:13

week's show was produced by Michael Montgomery and Steven

52:15

Rascone. Michael also edited the

52:17

show. Special thanks to Nando Villa, Sabine

52:20

Jansen, Gail Reed, Carmen

52:22

Graderol, Isaac Lee, and the entire

52:24

team at Exile Content Studio. Thanks

52:27

also to the Committee to Protect Journalists.

52:30

Nikki Frick is our fact checker. Victoria Baranetsky

52:32

is our general counsel. Our production manager

52:35

is Zulema Cobb. Score and sound

52:37

designed this week by Pachi Quinones.

52:40

With help from Jay Breezy, Mr. Jim Briggs,

52:42

and Fernando Mamayo Arruda.

52:44

Our CEO is Robert Rosenthal. Our COO

52:47

is Maria Feldman. Our interim executive

52:49

producers are Taki Telenides and Brett Myers.

52:51

Our scene music is by Kamarato, Lightnin.

52:54

Support for reveals provided by the Reeve and David

52:56

Logan Foundation. The Ford Foundation,

52:58

the John Dee and Catherine T. MacArthur Foundation,

53:00

the Johnson-Logan Family Foundation, the Robert

53:03

Wood Johnson Foundation, the Park Foundation,

53:05

and the Hellman Foundation. Reveal is

53:07

a co-production of the Center for Investigative Reporting

53:09

and PRX. I'm Al Letzen,

53:12

and remember, there is always more to

53:14

the story. From

53:33

PRX.