In September 2023, Citizen Lab published a joint investigation with Access Now into the hacking of exiled Russian journalist Galina Timchenko with Pegasus mercenary spyware. Timchenko is the CEO and publisher of Meduza, a widely-respected Russian independent media group operating in exile. After this publication, in collaboration with Access Now and independent digital security expert Nikolai Kvantiliani, we expanded the investigation into the possible targeting of Russian and Belarusian-speaking independent media and political opposition.
Seven New Cases
The latest investigation identifies seven additional Russian and Belarusian-speaking members of civil society and journalists living outside of Belarus and Russia who were targeted and/or infected with Pegasus spyware. Many of the targets publicly criticized the Russian government, including Russia’s invasion of Ukraine. These individuals, most of whom are currently living in exile, have faced intense threats from Russian and/or Belarusian state security services.
Threats at Home
Critics of the Russian and Belarusian governments typically face retaliation in the form of surveillance, detention, threats, violence, death, travel bans, financial surveillance, hacking, censorship, and political repression. After Russia’s 2022 invasion of Ukraine, the repression escalated, including the growing use of “Foreign Agent,” “Undesirable Organization,” “Fake News,” “Extremist,” and “Terrorist” designation laws that severely curtail the ability of designated media and civil society organizations to safely operate, communicate, collaborate, and fundraise. For transparency, we note that in March 2024 the Russian government designated the Munk School of Global Affairs & Public Policy at the University of Toronto (where the Citizen Lab is based) as an Undesirable Organization.
Threats in Exile
Recently, in light of growing repression, many individuals and groups that are perceived as enemies by the Russian and Belarusian governments have left to continue their work from abroad. Today, for example, many Russian and Belarusian independent media organizations operate from outside the country.
While geographic distance and borders provide a degree of protection from daily repression in Russia and Belarus, both regimes have a well-documented history of engaging in transnational repression against diaspora communities. This repression has included violent attacks, threats, suspected poisonings, and surveillance.
Organizing in exile may in fact increase certain digital risks, as groups are forced to rely almost exclusively on third-party platforms and tools to communicate and disseminate information, creating complex challenges for maintaining privacy and security. The shifting practices also introduce new opportunities for malicious actors to probe for and exploit vulnerabilities. There is already evidence of this kind of targeting. For example, Russian independent media organization Meduza reported an intense Distributed Denial of Service (DDoS) attack against their website during Russia’s 2024 presidential elections. Pegasus Confirmations
We conclude with high confidence that the following individuals were targeted and/or infected with Pegasus spyware. We are publishing their names with their consent. More details about these individuals are available in Access Now’s report.
Concerns Around This Pattern of Targeting
There are now eight documented cases of Pegasus mercenary spyware attacks against Russian and Belarusian-speaking opposition voices and independent media who live in exile or in the diaspora. The targets are already under intense threat from Russia and/or Belarus. Many have experienced other forms of surveillance and transnational repression. Several of the targets are renowned, respected members of independent media and opposition groups, raising an obvious concern regarding the legality, necessity, and proportionality of the pattern of hacking described in this report under international human rights law.
As the targeting is happening in Europe, where these individuals have sought safety, it raises important questions regarding whether host states are meeting their obligations under international human rights law to prevent and respond to these human rights violations, and more generally, to address, and not compound, the practice of digital transnational repression.