New details emerge in Pegasus spyware scandal in Latvia

The Pegasus spyware program – available only to selected government agencies by its Israeli developer, NSO Group – infected or attempted to infect the phones of at least seven journalists and politicians in Latvia, Lithuania and Poland, an examination by Canada's Citizen Lab (at the Munk School of Global Affairs & Public Policy at the University of Toronto) and the NGO Access Now confirmed May 30.

Those who had their cellphone compromised are mostly Russians and Belarusians, but also include a citizen of the Republic of Latvia and the available evidence tends to indicate that the phones might possibly have been targeted by a Latvian or Estonian security services – though this is not 100% proven by the new research.

Following up on a joint investigation into the use of NSO Group’s Pegasus spyware against Galina Timchenko, co-founder, CEO, and publisher of the Meduza independent Russian news portal – which is based in Rīga – Access Now, the Citizen Lab and independent digital security expert Nikolai Kvantiliani have uncovered how at least seven more Russian, Belarusian, Latvian and Israeli journalists and activists have been targeted with NSO Group’s Pegasus spyware while on EU territory.

Three of the cases occurred in Latvia, two in Lithuania, and two in Poland. 

One victim, who has chosen to remain anonymous, is a member of Belarusian civil society currently based in Vilnius, Lithuania. After receiving an Apple threat notification on June 22, 2023, that their device had been targeted with a state-sponsored attack, they contacted the Citizen Lab for digital security support, who analyzed the device and confirmed that it was infected with Pegasus spyware on or around March 25, 2021.

Another Russian journalist living in exile in Vilnius since Russia’s invasion of Ukraine, and who has also chosen to remain anonymous, received two Apple threat notifications on October 31, 2023, and on April 10, 2024. Access Now’s Digital Security Helpline, with the technical confirmation of the Citizen Lab, identified an attempt to infect the journalist’s device on or around June 15, 2023.

On June 16, the journalist attended an event in Rīga, Latvia, for Russian journalists in exile, which was organized by the Baltic Center for Media Excellence (BCME), DW Academy, and Sustainability Foundation. Ironically, this event highlighted the ongoing vulnerabilities faced by media professionals in the region, underscoring the critical need for robust digital security measures.

Three named targets of Pegasus spyware are all based in Rīga. Evgeny Erlikh, an Israeli-Russian journalist and the author and producer of Baltic Weekly, on Current Time, RFE RL's 24/7 Russian-language TV network (which is also based in Rīga) had his iPhone infected with Pegasus spyware between November 28 and 29, 2022. At the time, Erlikh was vacationing in Austria.

Jevgeņijs Pavlovs, a Latvian journalist, former correspondent for Novaya Gazeta Baltija, an independent news media covering the Baltic countries, and freelance journalist for Current Time’s Baltija program was targeted with Pegasus on or around November 28, 2022, and on or around April 24, 2024 – however researchers were unable to confirm if the attempts were successful.

Maria Epifanova, general director of Novaya Gazeta Europe and director of Novaya Gazeta Baltija had her iPhone infected on or around August 18, 2020 — the earliest known case. Epifanova was chief editor of Novaya Gazeta Baltija at the time, and the attack occurred shortly after she received accreditation to attend exiled Belarusian democratic opposition leader Svetlana Tikhanovskaya’s first press conference in Vilnius.

Two more Belarusian civil society members currently living in Warsaw, Poland also received Apple notifications. The first was prominent opposition politician and former Presidential candidate Andrei Sannikov. According to the Citizen Lab, Sannikov’s iPhone was infected with Pegasus on or around September 7, 2021.

Natallia Radzina is editor-in-chief of independent Belarusian media website and a recipient of the Committee to Protect Journalists (CPJ) International Press Freedom Award. Access Now’s Digital Security Helpline, as confirmed by the Citizen Lab, also identified that Radzina’s device was infected with Pegasus spyware on or around December 2, 2022, December 7, 2022, and January 16, 2023. The first infection took place the day after Radzina’s participation in the Third Anti-War Conference in Vilnius, organized by the Free Russia Forum.

Who is responsible?

While Access Now and the Citizen Lab were able to confirm the attempts to hack the phones of journalists and civil society activists using Pegasus, it remains unclear exactly who is responsible – and even if there is one source of the attempts or more than one.

"Given that Poland has not been documented as targeting victims outside the country with Pegasus spyware, and considering reports that Poland’s government stopped using Pegasus spyware in 2021, it is unlikely that Poland is behind the attacks mentioned in this investigation," reason the researchers.

According to the Citizen Lab, there is also no evidence suggesting that Russia, Belarus, or Lithuania are Pegasus customers.

"Latvia appears to use Pegasus, but the country is also not known for targeting victims outside of its borders. Estonia is another Baltic state that cooperates closely with Latvia and Lithuania on security matters, including regarding Russia and Belarus. According to the Citizen Lab, Estonia does appear to use Pegasus extensively outside their borders, including within multiple European countries," suggested the Citizen Lab, which promised to continue its investigations into the matter.

As previously reported by LSM, Latvia has neither confirmed nor denied that it is on NSO Group's client list.

In the meantime, Access Now is urging governments to establish "an immediate moratorium on the export, sale, transfer, servicing, and use of targeted digital surveillance technologies until rigorous human rights safeguards are put in place to regulate such practices, and to ban the use of spyware technologies such as Pegasus that have a history of enabling human rights abuses."

Some of the journalists who had their phones targeted were contacted by LSM's Russian-language service for comment. They measured in their responses, suggesting that there was no overwhelming evidence pointing to the perpetrator and that some cases might even be attributed to mistaken digital identity.

"It is very logical to come to the conclusion that it could be European or specifically Latvian special services, but I do not draw such conclusions. There are still not enough facts,” Maria Epifanova told

She also does not discount that Russia may bear responsibility –  in which case Latvia's security services should certainly be interested if someone from outside the country is trying to extract information from the phones of Latvian residents – after all, Pegasus is not available to ordinary hackers.

You can read the full report into the case here:

This story is also available in Russian and Latvian.

Seen a mistake?

Select text and press Ctrl+Enter to send a suggested correction to the editor

Select text and press Report a mistake to send a suggested correction to the editor

Related articles


Most important