Plus: Alleged Snowflake hacker will be extradited to US, internet restrictions create an information vacuum in Myanmar, and London gets its first permanent face recognition cameras.
On Thursday, Amnesty International published a new report detailing attempted hacks against two Serbian journalists, allegedly carried out with NSO Group’s spyware Pegasus.
The two journalists, who work for the Serbia-based Balkan Investigative Reporting Network (BIRN), received suspicious text messages including a link — basically a phishing attack, according to the nonprofit. In one case, Amnesty said its researchers were able to click on the link in a safe environment and see that it led to a domain that they had previously identified as belonging to NSO Group’s infrastructure.
“Amnesty International has spent years tracking NSO Group Pegasus spyware and how it has been used to target activists and journalists,” Donncha Ó Cearbhaill, the head of Amnesty’s Security Lab, told TechCrunch. “This technical research has allowed Amnesty to identify malicious websites used to deliver the Pegasus spyware, including the specific Pegasus domain used in this campaign.”
To his point, security researchers like Ó Cearbhaill who have been keeping tabs on NSO’s activities for years are now so good at spotting signs of the company’s spyware that sometimes all researchers have to do is quickly look at a domain involved in an attack.
In other words, NSO Group and its customers are losing their battle to stay in the shadows.
“NSO has a basic problem: They are not as good at hiding as their customers think,” John Scott-Railton, a senior researcher at The Citizen Lab, a human rights organization that has investigated spyware abuses since 2012, told TechCrunch.
There is hard evidence proving what Ó Cearbhaill and Scott-Railton believe.
In 2016, Citizen Lab published the first technical report ever documenting an attack carried out with Pegasus, which was against a United Arab Emirates dissident. Since then, in less than 10 years, researchers have identified at least 130 people all over the world targeted or hacked with NSO Group’s spyware, according to a running tally by security researcher Runa Sandvik.
The sheer number of victims and targets can in part be explained by the Pegasus Project, a collective journalistic initiative to investigate abuse of NSO Group’s spyware that was based on a leaked list of more than 50,000 phone numbers that was allegedly entered in an NSO Group targeting system.
But there have also been dozens of victims identified by Amnesty, Citizen Lab, and Access Now, another nonprofit that helps protect civil society from spyware attacks, which did not rely on that leaked list of phone numbers.
Do you have more information about NSO Grop, or other spyware companies? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
An NSO Group spokesperson did not respond to a request for comment, which included questions about Pegasus invisibility, or lack thereof, and whether NSO Group’s customers are concerned about it.
Apart from nonprofits, NSO Group’s spyware keeps getting caught by Apple, which has been sending notifications to victims of spyware all over the world, often prompting the people who received those notifications to get help from Access Now, Amnesty, and Citizen Lab. These discoveries led to more technical reports documenting spyware attacks carried out with Pegasus, as well as spyware made by other companies.
Perhaps NSO Group’s problem rests in the fact that it sells to countries that use its spyware indiscriminately, including reporters and other members of civil society.
“The OPSEC mistake that NSO Group is making here is continuing to sell to countries that are going to keep targeting journalists and end up exposing themselves,” Ó Cearbhaill said, using the technical term for operational security.
Keep reading the article on Tech Crunch
Mozilla has fixed a security bug in its Firefox for Windows browser that was “being exploited in the wild.”
In a brief update, Mozilla said it updated the browser to Firefox version 136.0.4 after identifying and fixing the new bug, tracked as CVE-2025-2857, which presents a “similar pattern” to a bug that Google patched in its Chrome browser earlier this week.
Anyone exploiting the bug could escape Firefox’s sandbox, which limits the browser’s access to other apps and data on the user’s computer.
The bug also affects other browsers with the same codebase as Firefox for Windows, such as the Tor Browser, which also received a patch updating the browser to 14.0.7.
Kaspersky researcher Boris Larin, who first discovered the Chrome zero-day, confirmed in a post that the root cause of the Chrome bug also affects Firefox. Kaspersky previously linked the use of the exploits to attacks on journalists, employees of educational institutions, and government organizations in Russia.
Keep reading the article on Tech Crunch
WIRED has found four new Venmo accounts that appear to be associated with Trump officials who were in an infamous Signal chat. One made a payment with a note consisting solely of an eggplant emoji.
Scandal surrounding the Trump administration’s Signal group chat has led to a landmark week for the encrypted messaging app’s adoption—its “largest US growth moment by a massive margin.”
The encrypted messaging app Signal is getting some unexpected attention this week.
High-ranking officials in the Trump administration, including Vice President J. D. Vance and Secretary of Defense Peter Hegseth, communicated the plans for an attack on the Yemeni Houthis via a potentially unauthorized group chat on Signal. However, Atlantic editor-in-chief Jeffrey Goldberg was mistakenly added to the group chat, giving him access to these highly sensitive discussions, which he later published.
The Signal app itself did not malfunction or operate in an unintended way. Rather, it is user error to accidentally add a journalist to a chat about U.S. military plans — an error that government security protocols should be able to prevent if they’re actually followed.
When the Atlantic’s story broke on Monday, worldwide Signal downloads on iOS and Google Play were up 28% from the daily average over the last 30 days, per app intelligence firm Appfigures. In the U.S., downloads were up 45% on Monday, and in Yemen, they were up by 42%. Before the scandal, Signal was ranked No. 50 among social media apps in Yemen, but it climbed to No. 9 on Monday.
Signal did not respond to TechCrunch’s request for comment.
All communications on Signal are encrypted, meaning that only the people in a chat can see the texts — not even people who work at Signal can know what users are talking about. But Signal is intended to be a consumer product for secure messaging, not an iron-clad depository for government military plans.
Although Hegseth said that there were “no war plans” discussed in the Signal chat, the Atlantic published messages that show Hegseth providing details about the timing of attacks, as well as the weapons and aircrafts that would be used.
As of Thursday, the government continues to investigate this monumental security failure.
Keep reading the article on Tech Crunch