Two BIRN Journalists in Serbia Targeted with Pegasus Spyware

Posted on

Two journalists from BIRN in Serbia were the targets of a failed attempt to install the powerful Israeli spyware Pegasus on their phones, a forensic analysis conducted by Amnesty International has confirmed.

Photo: BIRN Serbia

By Aleksa Tosic

On February 14, within an hour of each other, two BIRN journalists in Serbia each received a Viber message written in Serbian and sent from the same unknown number.

“Do you have any info that he is next? I heard something completely different…” read one, written as if it could be from a journalistic source. Each message contained a link, which set alarm bells ringing. Neither journalist clicked on it, and BIRN enlisted the digital forensic support of Amnesty International’s Security Lab.

Six weeks later, BIRN can confirm that both messages were part of an attempt to install Pegasus spyware on the journalists’ devices.

“We discovered that the text messages contained hyperlinks to a Serbian language domain name which we have determined with high confidence to be associated with NSO Group’s Pegasus spyware,” said Donncha Ó Cearbhaill, head of the Amnesty Security Lab.

Developed by the Israeli cyber-intelligence firm NSO Group, Pegasus is one of the world’s most sophisticated and invasive digital surveillance tools, providing access to an infected phone’s messages, emails, camera, microphone, and files, all without the owner’s knowledge. Journalists have been frequent targets.

“When I received the message, I was at home, which I consider a violation of my privacy; the constitution guarantees that surveillance and eavesdropping are prohibited in my home,” said one of the targeted BIRN journalists, who asked not to be named.

“As soon as I saw the message, I noticed the sender wasn’t in my contacts, they were communicating directly without introducing themselves, and I wondered who had given them my number.”

Without clicking on the link, the journalist replied to the message, asking for the sender to identify themselves. The message failed to send. When the journalist called the number, it was unavailable.

Amnesty International concluded there was a high probability that one or more actors within Serbia’s state apparatus, or agents acting on their behalf, were behind the ‘one-click’ Pegasus attack.

“Today, it’s me,” the journalist said. “Tomorrow it could be someone else. It’s the story that matters, not me.”

A warning?

Both journalists received the messages on February 14 from a Viber account registered to the Serbian phone number +381 65 994 0263. The number was registered with Serbian state-owned telecommunications operator Telekom Srbija and has been unreachable since that date.

Jelena Veljkovic, an award-winning BIRN journalist, received the message at 12:55 PM on her Android phone and did not open it. The second journalist, who requested anonymity, received their message from the same number less than an hour later, at 1:46 PM on an iPhone. The message contained Serbian text and a link leading to a Serbian-language domain.

Amnesty International’s digital forensic team determined with high confidence that the domain in the link was connected to Pegasus spyware. It is a conclusion based on years of research into the abuse of such spyware, which NSO Group says it sells only to “vetted state clients” to for the purpose of fighting “crime and terrorism”.

Amnesty opened the link in a secure environment; it redirected to a fake version of the N1 news website at https://n1info.com. The experts noted that a previous Pegasus attack in July 2023, which targeted a Serbian anti-government protest leader, used the same fake news site for redirection.

“The message was blurred by Viber as a security measure,” said Veljkovic. “I didn’t dare do anything that might allow installation. I don’t know what was written, but I could see that it had two lines of text in white letters and two lines in blue letters – a link to something.”

Veljkovic immediately blocked the number.

“I wouldn’t have paid much attention to the message, but when I got home and checked our newsroom chat, I saw that another colleague had received a message from the same number at nearly the same time,” Veljkovic said, adding that it felt deeply unsettling, particularly because she used her phone both for work and in her personal life.

Veljkovic said she took it as a warning.

“Knowing that someone had both the motive and the money to deploy such a tool, knowing all that Pegasus can do… it can be interpreted as a warning, as pressure: ‘Watch out, we’re watching you’, because the attacker could count on the fact that BIRN journalists wouldn’t click on the link so easily.”

“We don’t know who is behind this attack. I have my suspicions, but I don’t want to speculate. I don’t even know why they chose me and my colleague specifically – maybe it was a warning to the entire BIRN newsroom.”

Not the first, unlikely to be the last

NSO Group says its products are used exclusively by “state intelligence and law enforcement agencies in the fight against crime and terrorism”.

In a letter to Amnesty International, the Israeli firm said that all its systems are “sold exclusively to vetted state clients”.

In a response to BIRN, NSO Group said it adheres to international human rights regulations and export laws and could not accept Amnesty International’s findings without conducting an internal evaluation.

Amnesty has documented the misuse of Pegasus in Serbia before.

In November 2023, Amnesty International, alongside Access Now, the SHARE Foundation, and Citizen Lab, documented two cases of Serbian civil society members being targeted by ‘zero-click’ Pegasus attacks, requiring no user interaction. The investigation also uncovered a third, previously unreported case in which a Serbian activist was targeted with a ‘one-click’ Pegasus attack in July 2023.

Amnesty contacted Serbia’s Security Intelligence Agency, BIA, for a response in November 2024 and again in March 2025, but received no reply.

Rodoljub Sabic, a lawyer and Serbia’s former Commissioner for Information of Public Importance and Personal Data Protection, told BIRN:

“The illegal use of all these ‘tools’ – when practiced by the authorities – is incompatible with the idea of the rule of law and violates multiple constitutionally guaranteed rights of citizens. From the perspective of media freedom and journalists’ rights, it is especially dangerous because it threatens one of the fundamental standards of journalism – the confidentiality of journalistic sources.”

Milorad Ivanovic, editor-in-chief of BIRN Serbia, said the organisation would not be intimidated.

“Although the espionage attempt was sophisticated, the message it sends is primitive: that we should be silenced, retreat, and be afraid. This will not stop us,” he said.

“On the contrary, we will be even more determined to do what we do best: uncover the truth, protect our sources, and serve the public interest. Because you cannot silence the truth with spyware. You only make the truth more necessary.”

The targeted journalist who requested anonymity said the spying on journalists was unlikely to stop.

“I don’t believe we’ll be the last in the newsroom to experience this; I had sensitive contacts during that period – maybe that’s exactly why we attracted attention,” the investigative journalist said.

“In our job, we all have such sources and stories, so it won’t stop with just the two of us. They don’t need to install spyware on my phone. We publish our texts publicly, so anyone from the intelligence services can read them for free. Investigative journalism is patriotism. We don’t get badges and weapons, we don’t carry repressive power, but we expose what needs to be exposed for Serbia to be better, by uncovering what is wrong.”