Full Report
Citizen Lab senior researcher Bill Marczak served as a key witness in a UK ruling that ordered Saudi Arabia to pay £3m to a London dissident who was targeted with Pegasus spyware. In 2018, Citizen Lab researchers discovered that a Saudi operator called KINGDOM was targeting dissidents abroad with NSO Group’s Pegasus spyware. Saudi activist and […] The post Saudi Arabia Ordered to Pay £3m to London Dissident Over Pegasus Spying appeared first on The Citizen Lab.
Analysis Summary
# Incident Report: Saudi State-Sponsored Pegasus Spying on London Dissident
## Executive Summary
In 2018, Citizen Lab researchers identified a Saudi-linked operator, KINGDOM, targeting dissidents overseas using NSO Group’s Pegasus spyware. One victim, London-based Saudi activist Ghanem Al-Masarir, sued the Kingdom of Saudi Arabia for damages following the compromise of his phone. The case culminated in a January 2026 UK ruling that found Saudi Arabia liable and ordered it to pay £3 million in damages to the victim.
## Incident Details
- Discovery Date: 2018 (Initial discovery of KINGDOM operator activity)
- Incident Date: Targeting began around 2018; Legal resolution in January 2026.
- Affected Organization: N/A (Individual victim, Ghanem Al-Masarir)
- Sector: Political Activism/Dissident Community
- Geography: Victim located in London, UK; Attacker attribution to Saudi Arabia.
## Timeline of Events
### Initial Access
- Date/Time: Prior to or around 2018.
- Vector: Targeted link delivery (implied, common for Pegasus).
- Details: Ghanem Al-Masarir was sent messages containing links controlled by the "KINGDOM" operator, leading to the infection of his phone.
### Lateral Movement
- Details: Not explicitly detailed, but standard Pegasus compromise grants complete control over the mobile device, potentially allowing access to stored data and communications.
### Data Exfiltration/Impact
- Details: The impact included psychological harm and loss of earnings for the victim, leading to a civil suit claiming damages resulting from the unlawful spyware use and an associated physical assault by agents.
### Detection & Response
- Date/Time: 2018 (Citizen Lab discovered operator). January 2026 (Legal ruling).
- Response actions taken: Citizen Lab provided expert testimony, with Sr. Researcher Bill Marczak serving as a key witness in the subsequent UK legal proceedings.
## Attack Methodology
- Initial Access: **Targeted Spearphishing/Link Delivery.** (Implied via messages containing links used to infect the victim’s iPhone).
- Persistence: **Pegasus Spyware.** (Maintained full operational control of the victim's iPhone).
- Privilege Escalation: N/A (Pegasus typically achieves high-level access upon successful infection).
- Defense Evasion: N/A (Leveraged NSO Group’s established commercial spyware capabilities).
- Credential Access: N/A (Full device compromise achieved).
- Discovery: N/A (Focus was on exploitation, not network reconnaissance).
- Lateral Movement: N/A
- Collection: Full device access granted by Pegasus.
- Exfiltration: N/A (Specific exfiltration paths not detailed).
- Impact: **Psychological distress, financial loss, and enabling physical assault** stemming from the surveillance.
## Impact Assessment
- Financial: £3 million awarded in damages to the victim (injury, associated costs, and lost earnings).
- Data Breach: Details of exfiltrated data not specified, but complete compromise of a personal iPhone occurred.
- Operational: N/A (Impact focused on the individual dissident).
- Reputational: Significant reputational damage to Saudi Arabia, confirmed liable by a UK court for illegal spying operations against a dissident on UK soil.
## Indicators of Compromise
- Network indicators: N/A (Not provided in summary).
- File indicators: N/A (Not provided in summary).
- Behavioral indicators: **Use of Pegasus spyware** identified by Citizen Lab; **Targeting by the 'KINGDOM' operator.**
## Response Actions
- Containment measures: Not detailed; likely involved the victim isolating the compromised device.
- Eradication steps: N/A
- Recovery actions: The primary response action was the **successful civil litigation** against the responsible state actor.
## Lessons Learned
- Successful civil litigation over state-sponsored transnational digital espionage is possible within Western courts (UK).
- Expert testimony from digital security researchers (like Bill Marczak) is critical in establishing proof of compromise and attribution in complex cybercrime/espionage cases.
- Sophisticated commercial spyware (Pegasus) continues to be a primary tool for autocratic governments to target dissidents globally.
## Recommendations
- Individuals targeted by state-level actors using zero-click or targeted spyware should immediately seek legal counsel specializing in cyber-tort/human rights, alongside forensic analysis from reputable security organizations.
- Increased scrutiny and liability frameworks must be developed for vendors of offensive cyber tools, ensuring they mitigate misuse against protected individuals.