Killing the journalist won’t kill the story.

Pegasus Project

Morocco Denied Using Pegasus. Documents and Insider Accounts Tell a Different Story

Trailing targets, monitoring internet cafes, deploying spyware: Morocco has mobilized a massive arsenal of surveillance tools against journalists and dissidents in recent years. At the forefront is Pegasus, a spyware that has been used to target foreign heads of state and government, among others. For the first time, Forbidden Stories and its partners — drawing on previously unpublished documents and testimonies about Pegasus — reveal the inner workings of this crackdown orchestrated by Morocco’s domestic intelligence agency.

Credit: Mélody da Fonseca

Key findings
  • A former agent of the DGST, Morocco’s domestic intelligence agency, provides unprecedented insight into mass surveillance targeting journalists and opponents of the regime.
  • Forbidden Stories and its partners have gained access to previously unpublished internal documents, describing pre-hacked phones, closely monitored journalists and infiltrated internet cafes.
  • The investigation reveals details of the use of the Pegasus software, along with screenshots of its interface.
  • The consortium is publishing the names of several DGST officials involved in these operations.

By José Bautista, Eloïse Layan, Hicham Mansouri and Guillaume Vénétitay

July 16th, 2026

The cop reminded Omar Radi of James Bond. “He thought he was a big shot. He’d ask two questions, leave for four hours, then come back with two more questions,” the journalist recounted.

Before his interrogation, the police had confiscated his belongings upon taking him into custody on Sunday, July 5, 2020, in Casablanca. One item in particular captured their attention. “I still had my phone in my hand. They snatched it from me and said, ‘We’ll turn it off ourselves,’” Radi recalled.

That smartphone had become a veritable obsession for Moroccan security services, which had been monitoring Radi since at least 2017. Long before this arrest, his home had been bugged with microphones and small cameras; his mother, his friends and even his cigarette vendor were also followed or spied on, and his black Dacia Sandero was regularly tailed.

Radi had learned to navigate his life under surveillance. He’d turn off his phone when meeting with sources and didn’t hesitate to hang up on callers as soon as he felt he was being eavesdropped on. “We couldn’t find anything on Omar Radi. Nothing. He was almost ‘too’ cautious; that forced us to go further,” said Safir*, a former agent tasked with tracking Radi down for the General Directorate for Territorial Surveillance, Morocco’s domestic intelligence agency, also known as the DGST.

Journalist Omar Radi being interviewed by the consortium (Credit: Amnesty International’s Security Lab)

On that summer evening, they seized Radi as he was leaving the Vertigo, a bar he frequented in Casablanca. His iPhone was locked and unusable without his fingerprint. “I felt like I was in a movie — but one of Hollywood’s worst,” Radi recalled.

The phone was then sent to the security services’ offices. To unlock the device, the police used Cellebrite, software that extracts all data from a smartphone and organizes it in a dedicated interface. The process takes one hour and 45 minutes, and the device restarts without leaving any visible trace of the intrusion. Radi got his phone back and was released after just 24 hours, instead of the 48 hours typical for police custody in Morocco.

Since then, the journalist has endured a legal ordeal, receiving a six-year prison sentence in 2022 for two entirely separate charges — “espionage” and “rape” — while he was investigating land expropriations and the enrichment of associates of Moroccan King Mohammed VI.

Pardoned in 2024, Radi embodies the security apparatus’s relentless crackdown on dissenting voices. As revealed by Amnesty International and the Forbidden Stories consortium in June 2020, the reporter was also a victim of one of the most well-known tools of cyber-surveillance: Pegasus, a spyware that pulls the entirety of a phone’s data without needing to interact with its owner. This revelation only intensified the suppression Radi faced from Morocco.

“In Omar’s case, we turned to Pegasus after exhausting all other surveillance methods, both at his home and in his car. It’s an almost scientific process. Pegasus is the final tool — one of the most powerful,” Safir said. Following his involvement in operations against Radi and other journalists and human rights defenders, he eventually fled his country.

Inside the secrets of mass surveillance

Today, for the first time, Safir lifts the curtain on the Moroccan government’s secret mass surveillance techniques, including its use of the Pegasus spyware — something the Kingdom has always denied. His previously unpublished account has been confirmed by other sources within the security apparatus and by internal materials from the regime. The documentation of his story was initiated by Hicham Mansouri, a Moroccan investigative journalist in exile and co-founder of the platform Hawamich.info.

Journalist Hicham Mansouri, interviewed by our consortium. (Credit: Amnesty International’s Security Lab)

A victim of the Pegasus spyware himself, Mansouri spent several years investigating the Moroccan secret services’ operations before joining forces with Forbidden Stories — whose mission is to continue the work of journalists who have been killed, imprisoned or threatened — Amnesty International’s Security Lab and 13 international media outlets. Various sources also allowed the consortium to access confidential documents from Moroccan intelligence, as well as data related to NSO, the Israeli company that manufactures Pegasus. Now, Forbidden Stories and its partners are publishing never-before-seen images of the spyware’s interface.

Five years after the publication of Project Pegasus, this investigation reveals new details about the world’s most notorious spyware, as well as its use by Morocco to monitor and crack down on those within and outside its borders.

“As if someone had invaded my privacy”

The dossier is labeled “Op S6_Edge” in the DGST’s internal records. In a file dated 2017, a man wearing a black sweater sets up a cell phone. He is sometimes seen at times lying on his bed, at other times with family members. Another photo shows a box containing a brand-new smartphone, freshly unboxed: a Samsung Galaxy S6 Edge. “Back then, that phone was all the rage. We bought about 50 and infected them,” Safir explained, referring to the DGST’s installation of non-Pegasus spyware.

Photo from internal DGST files showing an infected Samsung Galaxy S6Edge.

Intelligence agents then supplied the devices to cell phone shops in the Rif region, where anti-corruption demonstrations for greater social justice have been ongoing since late 2016. The shop owners sold these pre-infected smartphones to activists in the protest movement, often at low prices. The only downside: the spyware, which was supposed to be invisible, drained the battery on some devices.

“I had to replace the battery twice,” said Sofiane*, the man in the sweater from the DGST photos, who requested anonymity after Forbidden Stories and its partners tracked him down. He was politically active when he was spied on nine years ago, helping to run the committees organizing demonstrations in his city.

Sofiane was also arrested several times before deciding to change his life. He only recently resumed his activist work, this time as a labor union organizer. “The photos of me that you’re showing me — this is the first time I’ve seen them. So yes, it’s as if someone had invaded my privacy,” he said. He confirmed that his phone was brand-new, a gift he had just received.

Photo from internal DGST files taken without the owner’s knowledge, showing the box of a new, pre-infected phone.

According to Safir, the DGST also worked with a service provider to arrange for certain targets to have unlimited internet access: The data extraction couldn’t exceed the limits of their data plans and arouse suspicions.

In tandem, Moroccan domestic intelligence targeted internet cafes. Among the internal documents the consortium obtained is a photo of a small shop with a green facade, along with dozens of web pages viewed by customers. “We infected so many internet cafes. Our field agents would tell us which one the target frequented, and that way we could monitor all their activities,” Safir said.

Photo of an infected cybercafé obtained by the consortium.

The spyware used at the time was the Remote Control System, or RCS, sold by the Milan-based Italian company Hacking Team. Internally, at least within the research and development team, tensions arose regarding the Moroccan client. “We started voicing our concerns. For me, the line was crossed when people were thrown in jail and some were tortured,” recalled a former employee, speaking on condition of anonymity.

A further problem emerged as Morocco pushed the system to its limits. “They were trying to extract absolutely everything that was happening on the computers of the people they were spying on: every file opened. Literally everything,” explained the former Hacking Team employee. “But if the software is deployed on hundreds of devices, an anomaly will inevitably be flagged at some point, and the antivirus will eventually detect it.” Memento Labs, founded after IntheCyber Group acquired Hacking Team, stated that the entire team has changed internally since that acquisition. The company claims to no longer have any ties to the DGST or to Hacking Team’s former clients.

The Pegasus revolution

The DGST shifted its focus to another piece of software starting in late 2017. In August and September, engineers and intelligence officers attended a demonstration of Pegasus. A revolutionary product, it appeared to be the ultimate weapon for intelligence agencies. “The selling point was silent infection, without any physical intervention,” Safir said.

After years of invading devices via RCS and conducting field operations, domestic intelligence agents no longer needed to leave their offices. NSO provided a console accessible online and hosted on a local server, allowing its clients to manage the system and ensuring a high degree of confidentiality for each infiltration.

Pegasus’s interface, which is surprisingly easy to use, is captured in screenshots that Forbidden Stories and its partners are publishing for the first time. Originating from Panama, which purchased the software in 2014, these images were gathered by journalist Luis Esquivel of Codigo Morse, a participant in the investigation with several years of experience working on this topic. After being threatened and fearing for his safety, Esquivel, a member of Forbidden Stories’ Safebox Network, was forced to leave Panama. The screenshots he obtained corroborate information from Safir, who drew sketches of the interface from memory and recalled a logo featuring the winged horse from Greek mythology, which appears as the icon for the software’s installation file. 

A 2013 NSO brochure, leaked from Hacking Team emails, provides similar photos of the dashboard. More recent imagery is included in the court case WhatsApp Inc. v. NSO Group Technologies Limited, which contains internal documentation from the NSO Group and some of its clients.

Credit: Luis Esquivel / Codigo Morse

At the top of the screen are about 10 tabs: “Calls,” “Messages,” “Location,” “Contacts,” “Apps” and “Photos.” Clicking on “Calls” brings up the victim’s entire call log. The “Commands” page allows users to activate the microphone and record the target at any given moment — perhaps during a meeting with a source, in the case of a journalist — or to send a screenshot of the device. “As soon as they found out about Pegasus, they chose it because it’s easy. And the DGST has always preferred the easy way out,” Safir said.

The ease of NSO’s software, capable of infecting a phone through a “zero-click” attack, quickly hooked Morocco. A target no longer needed to click on a link; instead, they could be infected by a simple missed call. According to data obtained during the Pegasus Project, the Kingdom alone has targeted close to 13,000 phone numbers — though the consortium is unable to say how many targets were actually infiltrated, as some targets may have been added to the database to test for vulnerabilities. Shalev Hulio, co-founder of NSO, told the consortium that “several key claims made by the Pegasus Project” were “factually incorrect and simply false.”

The software meets the intelligence services’ overwhelming demand. Within the DGST, a department is in charge of spyware operations. Its head is Abdeljalil Taki, a man with dark glasses and a thin mustache, who can be seen once a year in Strasbourg at meetings of the Council of Europe’s Cybercrime Convention Committee.

Introduced as a “police commissioner,” Taki was part of the Kingdom’s delegation at roundtable discussions aimed at upholding the convention’s affirmation of “the right not to be harassed for one’s opinions, the right to freedom of expression.” When asked about Taki’s attendance, the Council of Europe replied that “the selection of participants” in these meetings is “the sole responsibility of the Moroccan authorities.”

As early as Sept. 10, 2017, Taki and Amine Labbardi — the DGEI’s chief IT specialist, according to Safir — tested the spyware on their own phones. In fact, their Moroccan numbers were identified in the list of phones targeted by Pegasus, obtained by Amnesty International and Forbidden Stories in 2021. They repeated this process several times: Labbardi’s phone was tested on 26 occasions between 2017 and 2019, likely during further demonstrations or to try out the software’s various features.

In total, the consortium identified eight Moroccan phone numbers belonging to five DGST agents on the list. Notably, two belonged to another director, Abdelaziz Brachmi. “It costs millions of euros. So, naturally, they had to check using their personal phones … because then they report back to Raji,” Safir said.

High-level targets

Mohammed Raji is one of the most prominent figures in the DGST. The architect of Morocco’s phone-tapping program, a 2025 article in the newspaper Le Monde dubbed him “the king’s ‘Mr. Eavesdrop.’” In a group photo of Moroccan intelligence officials taken in 2018, he appears in the foreground, directly to the king’s left. A senior official at the DGST, he has been seen traveling with Abdellatif Hammouchi, the powerful head of domestic intelligence, as he did last April to Sweden as part of a security partnership between the two countries. Hammouchi was also awarded the Legion of Honor, presented in June 2025 by the French ambassador in Rabat.

The DGST team, dedicated to domestic intelligence, is tasked with targeting internal opponents. However, the list of individuals in Morocco’s crosshairs extends beyond the country’s borders. Among the potential victims are heads of state or government, such as French President Emmanuel Macron and Belgian Prime Minister Charles Michel; foreign journalists, such as Edwy Plenel and Lénaïg Bredoux of Mediapart; and figures from neighboring rival Algeria, such as Saïd Chengriha, chief of staff. “But only the DGST has access to Pegasus,” Safir pointed out. Another former Moroccan intelligence agent confirmed.

When it comes to these high-level foreign targets, Safir says the DGST merely executes requests passed down from Fouad Ali el Himma, Mohammed VI’s most influential advisor — a claim Forbidden Stories has been unable to verify. A childhood friend of the king, Himma founded “Office 21” — not far from the Egyptian embassy, according to three different sources — where the Kingdom’s best-kept secrets are locked away.

The facility also plays a key role in requests to spy on foreign phone numbers, according to Safir and another former member of the Moroccan secret service. The information gathered on the most sensitive targets is forwarded to Himma or to the king himself.

Since the revelations of Project Pegasus in 2021, the Kingdom has consistently and vehemently denied using spyware. In addition to the findings of this initial investigation, a new technical analysis conducted by Amnesty Security Lab confirms that the same set of Apple accounts used to infiltrate the lives of Moroccan journalists and activists also targeted French journalists and French and Spanish politicians. In France, technical investigations by the National Cybersecurity Agency, which Forbidden Stories was able to review, also identified the same accounts and email addresses. This further undermines Morocco’s defense and proves that the Kingdom is behind the attacks on foreign targets, particularly high-ranking ones.

Diplomatic relations between France and Morocco, however, are once again on solid ground. The rift lasted three years, ending when Macron recognized “Moroccan sovereignty” over Western Sahara, which is claimed by the Algeria-backed Polisario Front separatists. This move swept aside harsh words — the French president reportedly called the king a “thug” in private — a reduction in the number of visas Paris granted to Moroccans, and a resolution critical of the Kingdom passed in the European Parliament at the instigation of Macron-aligned lawmakers.

For Radi and the victims of Moroccan surveillance and repression, what remains are the reflexes — the furtive glances over the shoulder on the street, the phone numbers changed every year — the loathing of prison and a sense of wasted potential.

“Why do they follow someone on their bar crawl on a Saturday? Why do they pour incredible resources into such nonsense?” asked the journalist, whose recent request to become a civil party in French legal proceedings — initiated following a complaint by several Pegasus victims — was denied. “Following people, rummaging through their trash … What meaning does that give an officer in his own life? Even though I’m sure he loves the country just as much as I do. And I think they end up hating what’s being asked of them. And maybe even, in the end, their own country.” 

 

Implicitly, Safir painted an even darker picture of what the DGST does to its men: “The people I’ve worked with have no humanity. They have unimaginable freedom to spy. They become cold-blooded monsters.”



The Kingdom of Morocco, the DGST and its agents, NSO, and the Israeli authorities did not respond to the consortium’s questions.

 

*Name changed to protect anonymity.

Read also