Bahrain faces legal action after planting Pegasus spyware on UK blogger
A court has given the go-ahead to UK-based blogger Yusuf Al-Jamri to seek damages from the Kingdom of Bahrain after it deployed spyware from Israel’s NSO Group to hack his phone
The High Court in London has ordered that a blogger who was tortured over his political views can take legal action against the Kingdom of Bahrain because his mobile phone was hacked by Pegasus spyware after he fled to the UK.
The court has given Yusuf Al-Jamri permission to serve a claim for damages against the Kingdom, which has a track record of human rights abuses against political opponents, over allegations that the administration hacked his mobile phone.
The case is the first to be filed from the UK against Bahrain over the Kingdom’s use of Pegasus software, supplied by Israeli company NSO Group. By granting the application, the UK High Court has agreed there is an arguable case against the Kingdom of Bahrain.
According to analysis by the University of Toronto’s Citizen Lab, Al-Jamri’s mobile phone – an iPhone 8 – was hacked with Pegasus spyware in August 2019 after he had been granted asylum status in the UK.
The spyware is believed to have allowed Bahraini authorities to access Al-Jamri’s personal data, including text messages, calls, location details, photos, and medical and banking records.
It also gave Bahraini authorities the ability to intercept voice calls, use microphones in the phone as a bugging device to record ambient sounds, take photos and track his movements.
Al-Jamri is claiming damages for misuse of private information, personal injury, harassment and trespass to goods. The case raises questions about the sale of spyware by western companies and Israel’s NSO Group to countries with poor human rights records.
According to Amnesty International, Bahrain’s National Security Agency has tortured, threatened and sexually assaulted human rights activists in an attempt to silence criticism of the regime.
The country’s government censors the internet using blocking software supplied by Canadian company Netsweeper and uses targeted internet disruptions to impede political protests, according to research by The Citizen Lab.
The regime has blocked websites and social media accounts of political opponents, human rights organisations and online newspapers. A 2018 investigation by Haaretz revealed that Verint Systems provided Bahrain with technology for social media monitoring.
Bahrain’s use of spyware
The Kingdom of Bahrain is known to have used spyware to monitor political opponents since at least 2010 when the administration bought licences to use FinSpy and other spyware software sold by the Gamma Group.
In 2013, the Kingdom bought spyware from Italian spyware company Hacking Team.
Bahrain has been using Pegasus spyware since at least 2017. Researchers at The Citizen Lab found a cluster of servers used to deploy Pegasus servers with domain names ostensibly linked to Bahraini political organisations.
Its victims include political activists living in exile in London, a Bahraini lawyer and human rights defender, a psychologist who fled Bahrain to seek asylum in the UK, and seven unnamed Bahraini activists and journalists.
How Bahrain victimised Yusuf Al-Jamri
28 September 1981: Al-Jamri is born in Bahrain.
1990s: As a teenager, Al-Jamri’s older brothers are imprisoned in retaliation for their involvement in political activities in Bahrain.
August 1997: Al-Jamri, age 16, is arrested, tortured and detained for several months without explanation. His passport is confiscated, leading him to lose his place at school. He is able to continue his education for two years in Kuwait following the return of his passport.
September 2000: Al-Jamri returns to Bahrain and works in sales and civil service roles.
2011: Al-Jamri becomes politically motivated following the anti-government uprising in 2011. Horrified by human rights abuses carried out by the Bahraini authorities against protestors, he becomes more involved in Al Wefaq, the largest opposition party in Bahrain, and attends and helps in organising anti-government protests.
2011: Al-Jamri starts taking photographs of the anti-government protests and shares them with Al Wefaq. He goes on to join an Al Wefaq committee dedicated to documenting human rights abuses.
Al-Jamri renames his Facebook account “Days of the Roundabout”, a reference to the Pearl Roundabout at the centre of anti-government protests in Bahrain’s capital Manama, and begins posting political comments.
May 2011: Al-Jamri’s Facebook page attracts 1,500 followers, including prominent figures in Bahrain. He sets up a Twitter account which gathers a similar following. Al-Jamri is now regularly summoned for questioning and harassed by Bahraini police.
Feb 2012: Al-Jamri is detained after marching to the Pearl Roundabout.
2012 to 2017: The Kingdom of Bahrain restricts political rights and curbs political opposition.
2017: Bahrain’s National Security Agency detains Al-Jamri on multiple occasions at the Muharraq Security complex and subjects him to acts of torture.
5 October 2017: Al-Jamri flees to Bahrain with his wife and children.
6 October 2017: Al-Jamri flees to the UK.
22 March 2018: Al-Jamri is granted refugee status in the UK.
3 to 5 August 2019: Al-Jamri’s iPhone is successfully hacked using Pegasus software supplied by Israeli company NSO Group Technologies.
22 July 2021: A journalist contacts Al-Jamri to inform him that his phone number is on a “leaked list” obtained by Amnesty International, which shows more than 50,000 phone numbers of people identified as “persons of interest” and potential targets of Pegasus spyware.
24 August 2021: The Citizen Lab, based at the University of Toronto, publishes a report about the use of Pegasus software against Bahraini activists. The report identifies Al-Jamri as one of nine Bahraini activists to have their phones hacked with Pegasus.
September 2024: Al-Jamri is granted British citizenship.
14 November 2024: The High Court in London grants permission for Al-Jamri to serve a claim for damages against the Kingdom of Bahrain.
Automated hacking tool
Israeli company NSO describes Pegasus in marketing material as a “world-leading cyber intelligence solution that enables law enforcement and intelligence agencies to remotely and covertly extract intelligence from any device”.
Users of the software only need to insert a target phone number to initiate a phone hack. “The rest is done automatically by the system, resulting in most cases with an agent installed on the target device,” the company says.
Clients of Pegasus can set “rules”, for example to send an alert when a target leaves or enters a specific location, when one target meets another target, when a target makes a phone call to a specific number, receives a message from a specific number, or when a keyword or phrase is used in a message.
The spyware can be remotely uninstalled without leaving any direct trace of its presence on the targeted device and is fitted with a self-destruct mechanism that allows it to uninstall when there is a risk of exposure.
Bahrain claims sovereign immunity
The Kingdom of Bahrain is attempting to claim sovereign immunity in a similar case brought by two pro-democracy campaigners whose computers were hacked after they sought refuge in the UK.
Saeed Shehabi, a journalist and founder of Bahraini opposition party Al Wefaq, and Moos Mohammed, a pro-democracy activist, had their computers hacked in 2011.
They allege that agents working on behalf of Bahrain remotely infected their computers with FinSpy spyware, enabling Bahraini authorities to collect information from their laptops, including messages, emails, calendar records, contact lists, browsing history, photos, databases, documents and video.
The attack also enabled Bahrain to track the location of their laptops and eavesdrop on conversations by covertly using the laptop’s microphones and cameras.
The activists learned that their computers had been hacked in 2014 when WikiLeaks published documents about Bahrain’s use of FinSpy and a research and advocacy organisation, Bahrain Watch, identified them as victims of hacking.
A UK court found on the balance of probabilities that their computers were infected by agents of Bahrain, though Bahrain has denied the claims. Its attempt to argue the case for sovereign immunity failed in the Court of Appeal in October 2024, but it is expected to pursue the case to the Supreme Court.
Speaking after the court’s decision to allow him to serve a claim for damages, Al-Jamri described the case as a “turning point, opening the door for me to seek justice”.
“This legal battle against a powerful and oppressive state sends a resounding message: no matter how wealthy or abusive, no regime is beyond accountability. It affirms that there is a legal path to exposing the truth and standing up to tyranny,” he added.
Sayed Ahmed Alwadaei, advocacy director at the Bahrain Institute for Rights and Democracy, praised Al-Jamri for his courage in bringing the action against Bahrain, knowing that he was likely to face reprisals.
“Bahrain cannot invade our privacy, trample our rights, or destroy lives on British soil without accountability. While justice takes its course in the courts, the British government must act decisively to confront and deter malicious hacking by foreign states,” he said.
Al-Jamri’s solicitor, Monika Sobiecki, a partner at Bindmans, said the case was the first brought in the UK against Bahrain over its use of the notorious Pegasus spyware.
How Pegasus infects mobile phones
Pegasus covertly installs a spyware “agent” on the targeted device, which extracts data and transmits it to command and control servers used by Pegasus customers. It can penetrate iOS devices, iPhones and Android phones anywhere in the world.
Pegasus spyware can be remotely installed by sending the target an “enhanced social engineering message” by text or email inviting the recipient to click on a link.
Once the link is activated, the target device connects with a website that forwards the request through a series of anonymising nodes to a Pegasus server that exploits security vulnerabilities on the device to covertly download the spyware.
Pegasus also uses “zero-click exploits”, which exploit vulnerabilities in mobile devices to install spyware without requiring the user to click on a link.
Pegasus code takes control of the user’s browser and breaks into the lowest levels of the device, known as the kernel, to disable security features and install the Pegasus agent in the device’s flash memory, in a way that allows it to continue operating after the phone has been rebooted.
The spyware can activate the camera, microphone and GPS receiver. It is able to extract text messages, emails, messages sent by apps such as WhatsApp, calendar records, call history and browsing data.
Pegasus is also able to intercept calls or secretly record from a phone’s built-in microphone. It can extract photographs stored on the phone, access the device’s camera and capture screenshots.
Other capabilities include retrieving files from the targeted device, such as databases, documents and video, and location data of the phone by monitoring GPS and identifying cell sites.
The collection is carried out in three phases:
- Initial data extraction: Following infection, all data stored on the targeted device can be extracted and sent to the Pegasus user.
- Passive monitoring: the spyware agent continues to monitor the device and retrieve new data in real time.
- Active collection: the Pegasus user sends requests to the agent to extract data in real time, which can include location tracking, interception and recording of voice calls, retrieval of files from internal storage or the SD card of the device, using the phone’s microphone to listen in and make recordings, and taking photographs or screenshots.
Originally published at ECT News