- Reading time: 10 min.
Codename “Morgan”: how Morocco accessed Pegasus, involving Israel and the United Arab Emirates
From product demonstrations at a secret villa in Rabat to training sessions at NSO’s Herzliya headquarters, Forbidden Stories and its partners retrace the early stages of Morocco’s use of Pegasus. The consortium has documented a seemingly unlikely partnership between the Israeli company NSO, Morocco and an Emirati intermediary, whose parent company is now directly funded by the UAE. This relationship extends to the highest levels of all three governments.
Credit: Mélody da Fonseca
-
NSO representatives held demonstrations of the Pegasus spyware in Rabat in 2017.
-
NSO uses the codename “Morgan” to refer to the Moroccan client.
-
An Emirati intermediary, which Morocco had previously used for other espionage solutions, reportedly facilitated Morocco’s use of the Pegasus software.
-
Shalev Hulio, one of NSO’s co-founders, traveled on an Israeli diplomatic passport, confirming his company’s close ties with Israel.
By José Bautista, Eloïse Layan, Hicham Mansouri and Guillaume Vénétitay
July 16th, 2026
There are places in Morocco almost as secret as the royal palace in Rabat. Just a stone’s throw from Mehdi Ben Barka Avenue and the Canadian Embassy, the Moroccan capital is home to the “Villa FSSYS,” as it’s nicknamed by agents of the country’s domestic intelligence service, the DGST. In late 2017, it was here that the king’s spies discovered a new software with astonishing capabilities: Pegasus.
For 10 days, employees of NSO, the Israeli company behind the revolutionary spyware, demonstrated their technology for DGST agents at the villa. In front of the highest-ranking officials of the Moroccan secret service, the NSO team infiltrated a set of sample cell phones. They remotely activated the cameras. Then, the microphones. With a single click, they extracted all the data, including text messages. Seated around a large table on the ground floor, the Moroccans were impressed.
“We’d never seen anything like it before. NSO’s attacks were remarkable. They exploited vulnerabilities in Android … and iOS systems. In 2017, the target had to click on a link. Later, in 2019, a simple anonymous call sufficed: Within five seconds, the phone was infected,” said Safir*, a former DGST agent. In his opinion, Pegasus is “the monster’s weapon.”
Throughout his time at the DGST, Safir went to the villa on several occasions. During previous visits, he had often run into a “handsome guy” who acted as the host, introducing people to one another without actually attending the highly confidential meetings. “I met Wassim several times there,” Safir said — encounters that Forbidden Stories has not been able to independently verify. A Moroccan national, Wassim F. is a cybersecurity and telecommunications specialist with no ties to the DGST. At the time, he was working for FSSYS Morocco — hence the villa’s nickname — the Moroccan branch of Al Fahad, a company based in the United Arab Emirates.
Israeli software, an Emirati company and Moroccan domestic intelligence: an unexpected trio. Safir’s previously unpublished testimony, corroborated by security sources from Morocco, Europe and across the cyber-surveillance world, tells a story that the protagonists have long sought to hide or deny. According to Safir, Morocco has indeed made extensive use of the Pegasus software — owned by a company closely linked to the highest levels of the Israeli government — with access reportedly gained through the UAE and FSSYS Maroc. However, the consortium could not verify this information.
“An intermediary leaves no trace,” Safir said. “And certain transactions cannot be carried out directly by intelligence services.”
In 2017, the pact between the three countries was by no means a foregone conclusion. Morocco and the UAE only normalized their relations with Israel at the end of 2020, with the signing of the Abraham Accords. Five years after the initial revelations of the Pegasus Project, Forbidden Stories and its partners are uncovering the inner workings of their opaque, spyware-centric relationship, backed by exclusive documents demonstrating the close ties between NSO and the State of Israel.
A long-standing relationship
Understanding the alleged arrangement between the three parties means navigating a cast of characters, some of whom are faceless or identified only by an email address or commercial registry document. Safir and another security source named Wassim as a key component of the system enabling Morocco to use Pegasus. However, he does not appear in Moroccan FSSYS documents, and his online presence is minimal beyond several publications as a cybersecurity researcher for the National Institute of Posts and Telecommunications in Rabat.
“If there’s a software update, for example, the DGST has to call Wassim,” Safir said. “With hacking, on the other hand, I’m not going to ask Wassim for permission. But we’ll let him know afterward, because he has to report to the Emiratis.” Another former intelligence official confirmed Wassim’s role as an accountant, tasked with reporting infiltration figures for invoicing purposes. The intermediary is also said to be the primary point of contact for the office of Fouad el Himma, King Mohammed VI’s powerful advisor, regarding high-level targets, such as heads of foreign governments.
When reached by phone, Wassim claimed he had been a “mere employee” of FSSYS Maroc and knew nothing about the company’s ties to the DGST or Pegasus software.
The relationship between FSSYS Morocco and the DGST dates back several years before the use of Pegasus. Materials leaked in 2015 from the Italian company Hacking Team, developer of the RCS spyware, make it clear: The DGST was already using FSSYS to acquire RCS. Documents refer to the intelligence service as the “end user in Morocco.” For several years, the DGST thus abused the RCS system to target political opponents and journalists.
In Hacking Team emails, the role of FSSYS Morocco — i.e., Al Fahad — as an intermediary is also evident in the services it provided. For example, FSSYS arranged for Abdeljalil Taki and Amine Labbardi — two DGST agents central to the deployment of Pegasus in Morocco — to be invited to Prague for the 2013 ISS, a major cybersecurity gathering teeming with spies from around the world.
A former Hacking Team employee contacted by Forbidden Stories shed light on the key role of intermediaries in the world of cyber-surveillance. “An intermediary is more than just a broker. They manage the entire process and guarantee that the end user is an authorized entity — that is, a government entity,” he said. Al Fahad Smart Systems also pays the invoices, sent to the headquarters in Abu Dhabi: approximately 160,000 euros in maintenance costs in 2012, 2013 and 2014, according to the Hacking Team data leak.
Who paid?
The states involved in the relationship between the DGST, FSSYS and NSO are sometimes plainly divulged and other times implied. The Al Fahad group, the parent company of FSSYS Maroc — founded in 2005 by Khalid Obaid al-Ali — is part of Etimad. This conglomerate was itself acquired three years ago by Edge, the country’s largest defense and aerospace group, owned by the Emirati government.
The question remains as to the exact role the Emiratis play: Are they merely intermediaries? Or do they contribute financially, paying for Morocco to use Pegasus? It is this second hypothesis that is circulating in the corridors of the DGST: “Millions are nothing to the Emiratis. They bought it and redistributed it to friendly agencies. You could say it’s like Netflix: One friend pays for the subscription, and the others use his account,” Safir said. Two other security and diplomatic sources, close to Morocco and the Emirates, also leaned toward this explanation. However, a former NSO employee and a second source within the industry told the consortium that they were unaware of any payments the UAE had made to Morocco.
One thing is certain: Access to Pegasus comes at a very high cost, which varies by client and the volume of phone numbers being compromised. To demonstrate NSO’s pricing, the consortium is publishing a never-before-seen letter that the company sent to the government of Panama, which includes a cost estimate. The document was obtained by Luis Esquivel, a Panamanian journalist with the media outlet Codigo Morse, who has been threatened for his investigative reporting and is a member of the Safebox Network. Signed by “Shalev Holy” — Shalev Hulio, co-founder and CEO of NSO — it states that order 2012.30, placed on July 3, 2012, was followed by “the installation of the Pegasus system in Panama City after receipt of a wire transfer of 8 million dollars.”
Letter from the Israeli company NSO to the Panamanian government (Credit: Luis Esquivel / Codigo Morse).
This sum corresponds to 300 simultaneous targets: 150 on Android, 150 on BlackBerry. Other records of payments transferred to NSO appear on bank statements from the intermediary company. The arrangement can be put into perspective by the number of potential targets — just over 12,000 — attributed to the Moroccan client, according to a list obtained five years ago by Forbidden Stories and Amnesty International. However, it’s possible that not all 13,000 or so numbers were ultimately hacked. Some could have been entered into the database as “tests” to identify vulnerabilities, and numbers under simultaneous surveillance may have been alternated over the months, potentially lowering the cost.
The flow of money underpinning Morocco’s dealings remains a mystery — as does the identity of whoever footed the bill.
Codename “Morgan”
Hulio’s name appears again in another document Esquivel obtained, which illuminates the close ties between NSO and the State of Israel. When he arrived in Panama on Dec. 3, 2013, the company co-founder presented an Israeli diplomatic passport, as attested by his information form filled out by the country’s immigration services. He stated that he was staying at the Israeli Embassy in Panama City during his visit.
This special treatment raises questions about the privileges Hulio enjoyed, especially since his name does not appear on the list of diplomatic passport holders published that year by the Israeli Ministry of Foreign Affairs, following a request from the Movement for Freedom of Information. According to Tel Aviv, these diplomatic passports are normally reserved for senior officials, state emissaries on missions abroad, members of the Knesset — the Israeli parliament — and individuals carrying out assignments deemed necessary for national security. Although he did not respond to the numerous questions the consortium sent him, Hulio has categorically denied ever having held a diplomatic passport.
This is not the only time the Israeli government has shown itself to be particularly accommodating toward NSO. A data leak from the Ministry of Justice, shared with Forbidden Stories by DDoSecrets in 2024, had already revealed the measures implemented to protect the cyber-surveillance company. In the summer of 2020, as part of a lawsuit between Meta subsidiary WhatsApp and NSO, the Israeli government ordered a preventive seizure of documents from the company’s offices, claiming that they might contain state secrets.
NSO officials are equally secretive when confronted by foreign judges. Appearing before a French investigative judge on Jan. 29, 2026, as part of the investigation launched following complaints from several Pegasus victims, Hulio told the judge 11 times that he was not authorized to answer “under Israeli law,” according to a document reviewed by the consortium. He was particularly tight-lipped when asked about the list of countries that had purchased Pegasus. When pressed further on the specific case of Morocco, Hulio once again cited his country’s laws before adding, “I know that Morocco has denied purchasing it.”
NSO Founder and Director Shalev Hulio, with Eyal Blum and Ramon Eshkar, in the Arava District, Israel (Credit: Ministry for the Development of the Periphery, the Negev and the Galilee)
But the evidence is mounting. For example, several sources within the cyber-surveillance industry have confirmed that Morocco’s codename at NSO is “Morgan.” It follows a classic structure: Pegasus aliases regularly reuse the first letters of a country’s name and tend to be inspired by car brands. The codename “Morgan” also appears in a document from the NSO Group made public as part of a lawsuit in the United States.
“Bullshit!”
The Moroccan government’s denials over its use of Pegasus make a former NSO employee chuckle. Over the phone, he dismissed them with a simple “Bullshit!” An acquaintance of NSO president Shiri Dolev also claimed that management was in contact with the Moroccan client even after the publication of the Pegasus Project and reports of the country’s misuse of the software.
In France, a memo dated Dec. 26, 2022, from the Directorate-General for External Security, included in the French court file, confirms that French foreign intelligence “is aware of 38 countries that have purchased the Pegasus solution.” Most importantly, this document — revealed by Mediapart and reviewed by the consortium — specifies that “the United Arab Emirates and Morocco have been using NSO products since at least 2017.” Unlike the other countries, these two are surprisingly mentioned in the same sentence, which seems to further reinforce the hypothesis of a partnership. The same note “considers it highly likely that NSO, and possibly Israel, know which phones its tools target, and even what data is extracted from them.” In other words, there appear to be no secrets too well-kept between Israel, Morocco and the UAE.
Following the revelations of the Pegasus Project, the trio revised its modus operandi. In Morocco, the most recent traces of Pegasus hacks date back to November 2021, according to Amnesty International’s Security Lab. Israel has seemingly updated its export regulations, limiting the countries to which spyware can be exported. For Safir, it feels like the end of an era. “In 2022, companies came to present their products to the DGST because rumors were circulating that NSO was out of the picture. It was a situation similar to that of 2017 with Hacking Team,” he said. According to Safir, FSSYS Maroc referred several companies to Moroccan intelligence agencies, including a firm founded by two other former NSO employees. New rules, same players.
*Name changed to protect anonymity.
Credit: Google Maps / Forbidden Stories screenshot