From September to December 2021 The Citizen Lab, an interdisciplinary laboratory focused on cybersecurity at the University of Toronto, ran a technical analysis on all the iPhones in El Faro, in collaboration with the digital rights organization Access Now. Their report, certified by Amnesty International, found conclusive evidence that the cell phones of 22 team members were infected with Pegasus, the software of Israeli spyware firm NSO Group. From the editorial board to reporters, board of directors, and administrative staff, El Faro remained under constant surveillance from at least Jun. 29, 2020 to Nov. 23, 2021. A total of 226 infections were detected, as well as evidence of the existence of a Pegasus operator in Salvadoran territory.
The detected infections affected two-thirds of El Faro’s staff and coincided with the timeline of the newsroom’s most sensitive investigative work during the last two years, major events in El Salvador’s national politics, and peak moments of government attacks against the organization. In the cases of 11 employees, the report found conclusive evidence not only of surveillance, but also of extractions of information. While it wasn’t possible to determine what information was stolen, the experts say Pegasus allows for the extraction of anything stored in the phone: photos, conversations, audio files, and contacts. The report doesn’t rule out the theft of information in the other phones.
In December 2020, The Citizen Lab published a report on 25 countries in which it concluded that the Salvadoran government had acquired a surveillance system from the company Circles, an NSO affiliate. They also concluded that the system had been used in El Salvador since 2017, during the FMLN administration. According to John Scott-Railton, senior investigator at The Citizen Lab, the infections found on El Faro’s phones are different from the findings of the 2020 report. This time, the devices tested positive specifically for Pegasus, not other spyware.
Pegasus, according to The Citizen Lab, is a more powerful spyware than that offered by Circles. “Pegasus installs a program on the phone, whereas Circles does not,” said Scott-Railton. “With Circles, there’s only monitoring and interception; with Pegasus, the phones are hacked. [In the case of Circles,] when the government listens to your calls, they’re not hacking the phone, they’re only listening.”
“Learning of the spying against us hasn’t come as a surprise, but the quantity, frequency, and duration of the infections have. Almost all of El Faro has been infected,” said El Faro’s founding director Carlos Dada. “According to the expert reports we’ve reviewed, everything points to the fact that it’s the Salvadoran government who is responsible for these infections, that it’s using the software to spy and to illegally obtain information kept on journalists’ phones,” he continued. “It’s completely unacceptable.”
“After the revelations of the Pegasus Project, we hoped the owners of the software would keep their word and verify that it wasn’t being used to persecute journalists. Obviously, they didn’t,” added Dada, in reference to The Citizen Lab’s finding in 2016 of the mass use of Pegasus against journalists and human rights activists in Mexico, Morocco, Saudi Arabia, Hungary, India, and Azerbaijan. Leading papers like The Washington Post published the revelation.
NSO Group has publicly stated that it only sells Pegasus spyware to governments, and only with the authorization of Israel’s Ministry of Defense. When the international organizations who produced the report on El Faro led similar processes for journalists, activists, and opposition figures in countries such as Poland, Hungary, Egypt, and Mexico, they found that the respective governments were behind the infections. According to John Scott-Railton, senior researcher at The Citizen Lab, “If you find Pegasus, you know that a person has been targeted by a government.”
The expert report on El Faro concluded that the Pegasus infections reached every area of the organization: the newsroom (including the departments of photography and digital strategy), administration, and the executive board. The report concluded that Pegasus not only surveilled El Faro phones in El Salvador, but also in Mexico. “This is one of the most shocking and obsessive cases of targeting that we have investigated,” said Scott-Railton.
On Nov. 23, 2021, the U.S. tech firm Apple sent emails to journalists, politicians, and activists in El Salvador — among them 14 members of El Faro — warning that “state-sponsored attackers may be targeting your iPhone.” The company sent the alerts on the same day it sued NSO Group in federal court in California for allegedly hacking its operating system to conduct espionage.
When El Faro team members received those notifications, this news outlet had already been alerted by other sources that its devices were being surveilled with Pegasus. The external analysis of the phones conducted by Access Now and The Citizen Lab had been underway for two months. Apple’s message was entirely unrelated to the analysis that El Faro had already begun.
El Faro undertook the external analysis in parallel with Salvadoran digital news outlet GatoEncerrado, whose iPhones’ data reveals that three of its journalists — the editor-in-chief, politics editor, and a reporter — were infected with Pegasus 17 times from Sep. 10, 2020 to Nov. 4, 2021.
In El Faro, The Citizen Lab and Access Now determined a range of dates in which a person may have been infected, but in some cases were unable to conclude whether that range contained one event, multiple events, or continuous spying. The organization doesn’t rule out that other members of El Faro were also victims of cyber espionage, but was unable to conduct the same analysis for those with the Android operating system or who had performed certain recent updates on their devices.
“Instead of being used to fight crime, the licenses were used hundreds of times to surveil journalists,” Scott-Railton said.
“Legitimate Intelligence Agencies”
According to the analysis conducted by The Citizen Lab and Access Now, thirteen staff members of El Faro were infected with Pegasus at least five times each from June 2020 to November 2021. Such is the case of the entire editorial board: editor-in-chief Óscar Martínez (co-author of this article) suffered 42 attacks; deputy editor-in-chief Sergio Arauz, 14 attacks; and José Luis Sanz, editor of El Faro English, 13 attacks in only six months, all during his tenure as director of El Faro before Jan. 1, 2021.
Mexican editor Daniel Lizárraga suffered eight attacks, including once while he was in Mexico after the administration of President Nayib Bukele expelled him from El Salvador on Jul. 7, 2021. At the time, Lizárraga was communicating on his work phone about a publication on the third wave of Covid-19 in El Salvador.
Among the El Faro reporters with 10 or more attacks are: Gabriel Labrador, with 20; Julia Gavarrete (co-author of this article) with 18, including 15 targeting her personal phone; Gabriela Cáceres, with 13; Roxana Lazo, with 12; and Efren Lemus, with 10. When the hacks occurred, the journalists were working on investigations, for example, into the Bukele administration’s negotiation with gangs, the theft of pandemic-related food relief by the director of prisons and his mother, the Bukele brothers’ secret negotiations related to the implementation of Bitcoin, the financial holdings of officials in the current government, the government pandemic response, or a profile of President Nayib Bukele.
The Citizen Lab and Access Now highlighted two cases as unprecedented: the director and president of El Faro’s board of directors, Carlos Dada, and reporter Carlos Martínez each suffered infections for uninterrupted periods of time often surpassing a month. Thus, even though Dada suffered 12 instances, the infections remained active approximately 167 days between July 8, 2020 and June 9, 2021.
In the case of Martínez, who has bylined all of El Faro’s investigations into the pacts between politicians and gangs since 2012, The Citizen Lab detected an active intervention at the time of their analysis on Nov. 15, 2021 — a situation they had never seen before. “It’s rare to catch an infection when it’s live,” said Scott-Railton.
The beginning of the interventions of Martínez’s phone coincides with the first days of June 2020, when the state-controlled media outlet Diario La Página published an anonymous text, promoted on social media by the president himself, falsely accusing him of sexual aggression. The defamation was included in the February 2021 report by the Inter-American Commission on Human Rights, which listed a long series of government attacks against El Faro and its journalists to decree precautionary measures for all of the outlet’s employees. 19 of the 22 staff members of El Faro surveilled using Pegasus are currently listed in the precautionary measures.
At the time, Martínez was already investigating the Salvadoran government’s secret negotiations with MS-13, culminating in a story revealing the talks in September of 2020 that echoed around the world. In the following months, he continued investigating the process until he co-published a follow-up in August of 2021 showing that the negotiations included not just MS-13, but the country’s three gangs. Last December, the U.S. Treasury blacklisted two Salvadoran officials leading the talks.
Martínez, with 28 hacks detected, is the member of El Faro who experienced the most days of spying on his phone using Pegasus: an estimated 269 days between Jun. 29, 2020 and Nov. 15, 2021. “What’s remarkable about this case is the intensity of monitoring. What it really highlights is just how much some government wants to get deep into his life,” underscored Scott-Railton. “It’s an intense pressure against a single person, which also tells me that whatever he’s doing is very important.”
In other cases analyzed, the interventions enter the phones and remain for hours, leading The Citizen Lab to conclude that the reason for the intrusion was to extract information from the device. This form of surveillance wielded against Dada, Martínez, and other members of El Faro is, in the experts’ opinion, uncommon and reveals an obsessive use of the tool.
Asked for comment from El Faro on the use of Pegasus against journalists from this outlet, NSO Group offered a response via email to be attributed to a spokesperson:
“NSO provides its software only to vetted and legitimate intelligence agencies as well as to law enforcement agencies, who use these systems under warrants by the local judicial system to fight criminals, terrorists and corruption. These systems are sold following a vetting and licensing process by the Israeli MOD [Ministry of Defense].
“NSO is a software provider. The company does not operate the technology [n]or is [it] privy to the collected data. The company does not and cannot know who the targets of its customers are, yet implements measures to ensure that these systems are used solely for the authorized uses. While we have not seen the report mentioned in your inquiry, and without confirming or denying specific customers, NSO’s firm stance on these issues is that the use of cyber tools in order to monitor dissidents, activists and journalists is a severe misuse of any technology and goes against the desired use of such critical tools. The international community should have [a] zero tolerance policy toward such acts, therefore a global regulation is needed. NSO has proven in the past it has zero-tolerance for these types of misuse, by terminating multiple contracts.”
NSO added a second part to its answer and asked to be cited only “on background, attributed to sources familiar with the company.” El Faro never reached such an agreement with NSO Group and thus decided to publish the Israeli company’s full reply:
“There is no active system in El Salvador. When the company will receive [sic] the numbers related to the allegations, it will perform an investigation to determine if a misuse of its system occurred in the past in the country. If the numbers will be received [sic], and the investigation will show [sic] that the system was misused in the past by any of its customers, the company will act with all measure[s] at its disposal based on the contractual agreements.”
El Faro also requested an interview via email with a representative of Apple about the message that the company sent to members of El Faro in November. By the time of publication, the company had not responded.
On Jan. 12, El Faro wrote an email to both the Press Secretariat and the Communications Secretariat of the Salvadoran President’s Office explaining that the outlet had irrefutable proof of Pegasus surveillance against 22 staff members and requesting an interview with a government representative on the subject. By the time of publication there was no reply.
After ten years of studying surveillance of this kind, Scott-Railton says he has seen a pattern in government responses about the use of Pegasus: “In my experience, it’s the norm for them to deny it.”
At the end of September 2021, The Citizen Lab and Access Now detected the first case of a Pegasus attack against the iPhone of a member of El Faro: the personal cell phone of Julia Gavarrete. Gavarrete and GatoEncerrado reporter Xenia Oliva, who was also warned of espionage by the organizations, both submitted their phones to a deeper analysis that entailed submitting a copy of the files stored in them.
Once the use of Pegasus on her phone was verified beyond any doubt, Gavarrete alerted El Faro, who then ordered the analysis of the devices of 11 more of its journalists. The analysis found that all of them had been infected. By December, El Faro had submitted 30 iPhones of its staff to the technical analysis.
The Citizen Lab soon commented that the use of Pegasus against the organization was unprecedented. Scott-Railton has led investigations of this type for ten years, but says he was shocked to find that almost all of the phones in El Faro were testing positive for Pegasus. “I remember calling my colleagues and expressing shock. We all expressed shock and surprise at how dramatic this targeting was, how much it was happening and how many people were targeted at the organization,” said the University of Toronto researcher. He added: “It was like opening a door.”
To reach their “high-confidence” conclusions, in the words of Citizen Lab, they began by analyzing forensic indicators from devices. This included close examination of backups from devices to identify forensic traces uniquely identified with a Pegasus spyware infection. These indicators have been validated and developed since Citizen Lab first began investigating Pegasus in 2016. Researchers at Amnesty International’s Security Lab independently peer reviewed a selection of the cases and confirmed the infections using their own analysis techniques and tools.
Paolo Nigro Herrero, digital security helpline shift manager at Access Now, said that in the case of El Faro “the investigations show that there’s an intensive and sustained use of Pegasus.”
“How do you know if a phone is infected with Pegasus?” El Faro asked the Access Now expert.
“Pegasus has different points or vectors of infection,” Nigro Herrero replied. “They exploit vulnerabilities in the operating system or the apps installed in the phone.”
“Are there people behind the scenes directly operating Pegasus?”
“Yes, there are people,” Nigro Herrero said. “But they’re not usually watching your data in real time or reading your messages one by one. What they look to do with Pegasus is take out all the information they can, in a short period of time, to use it.”
“What do they have access to?” El Faro asked.
“Everything, everything. It’s as if they were using an unlocked phone. Basically, it’s a program that permits remote access to practically all of the information on your device.”
Nigro Herrero explains that a Pegasus attack offers unfettered access to the phone, including extraction of messages, images or any other stored file, activation of the camera and microphone, and access to the attachments of text messages, messaging apps, emails, geolocation, call logs, and internet browser history.
He adds that a new feature of Pegasus is the theft of credentials or “tokens” saved in the device, allowing the attacker to continue accessing accounts even when the device is no longer infected.
According to the expert, entry methods vary: it can occur when the user clicks on an infected link, but also through a “zero-click” attack — for example, “FORCEDENTRY,” a form of intrusion that The Citizen Lab began detecting in February of 2021, allows the attacker to remotely take control of the phone without needing its owner to click on a link.
“FORCEDENTRY has been used against you extensively,” underscored Scott-Railton. He doesn’t rule out, though, that some of the infections in El Faro may have occurred by clicking on fraudulent links.
Obsession with El Faro
The Pegasus attacks against members of El Faro were not only constant for more than a year, but also coincided with the publication of important investigations, transcendent government actions, and moments in the personal lives of the targeted staff members.
The first of the registered infections, according to the technical report received by El Faro, happened to journalist Carlos Martínez on Jun. 29, 2020, three days before an anonymous publication in the government-controlled website La Página accusing him of sexual aggression. The last known Pegasus attack happened to photojournalist Victor Peña on Nov. 23, 2021, the same day Apple sent the emails about the possible espionage “on behalf of the State” to 14 members of El Faro and others in El Salvador.
July 2020 was the first of 17 months of generalized and systematic espionage against El Faro journalists. That month, El Faro devices were compromised for a cumulative total of 85 days. July 4 marked the first Pegasus attack against José Luis Sanz, director of El Faro at the time and now Washington correspondent. It happened just two days after La Página published its anonymous and defamatory article against Martínez. On the day the article was published, two individuals broke into the home of Julia Gavarrete and stole her computer while she was covering a presidential press conference. Gavarrete reported the theft to the Attorney General’s Office, but to date has received no updates about the investigation. At the time, Gavarrete was working for GatoEncerrado. She joined El Faro in January of 2021, and has since suffered 18 Pegasus attacks lasting a total of 25 days.
In the case of Sanz, a Spanish national, The Citizen Lab found an important incident: on July 4, 2020, the day that first intrusion against him was detected, he received three text messages of unknown origin, which simulated news alerts from sites that ended up being fake. They had deceiving headlines, such as: “Prosecutor going after journalists from El Faro,” or “President comes out in defense of his political godson.” It’s unclear whether these messages were the source of infection, but The Citizen Lab notes that the series of infections of his device began right after these messages, lasting approximately 22 days on different dates and stopping when he moved to the United States in January 2021. Sanz did not open the messages, but with Pegasus it’s not necessary to open them for an infection to occur.
Two months later, September 2020 was the month when the phones of El Faro staff were most compromised, with approximately 149 cumulative days infected. There was not a single day that month without at least one El Faro employee surveilled using Pegasus. Five employees were surveilled for at least 20 days that month.
September 3 marked the publication of the investigation titled, “Bukele has been Negotiating with MS-13 for a Reduction in Homicides and Electoral Support.” Following the revelation, as documented in a second investigation published in 2021, Prisons Bureau officials tried to cover up the talks by removing critical logbooks and hard drives from public offices, right when the Special Antimafia Group in the Attorney General’s Office began investigating the matter. Three of the four authors of the investigation were infected throughout the month, according to The Citizen Lab. The fourth author didn’t have an iPhone at the time, making it impossible to know if he was also targeted.
The month of attacks against El Faro by President Bukele ended with an escalation. On Sept. 24, during a national television broadcast the president baselessly announced — while displaying a photo of director Carlos Dada on a giant screen — that the media outlet was under investigation for money laundering: “Now they face an investigation for serious money laundering,” Bukele said.
Similarly, every day the following October, at least one El Faro reporter was surveilled using Pegasus. Carlos Martínez’s phone was hacked for each of the 31 days of the month, according to the expert report. Another three employees were hacked for at least 20 days.
A new spike in hacks took place in April and May of 2021, when El Faro’s phones were infected a total of 52 times. On May 1, the Bukele-controlled Legislative Assembly took office and illegally removed and replaced the attorney general and Constitutional Court magistrates with Bukele loyalists. On May 17, the United States cited the legislative coup in naming Bukele’s chief of cabinet Carolina Recinos, and others involved in the affair, in a list of corrupt officials.
The espionage wasn’t limited to the editorial team. The administrative staff was also infected at key moments. The general manager of El Faro, Carlos Salamanca, was hacked in September and October 2020, just as the Treasury Ministry audits were in their most intense phase and government inspectors were working in person at El Faro’s offices. The administrative manager, Mauricio Sandoval, was also infected several times. One of them was on July 2, 2021, as he was returning from international meetings to ensure El Faro’s stability in the face of government attacks. He was also infected July 6, the same day he received the letter from immigration authorities ordering editor Daniel Lizárraga to leave the country within 24 hours. Marketing manager Ana Bea Lazo was also infected once in October 2021.
El Faro’s Chief Technology Officer Daniel Reyes (one of the authors of this article) was hacked twice for a total of 11 days. One of the interventions happened in October 2020 while he was preparing the graphics for the investigation titled: “Company of Nuevas Ideas candidate won a million dollars in contracts for the Pandemic.” The other hack happened that same year, on a day that Reyes discussed over the phone and by email with the editorial board how to handle threats on social media that proposed attacking El Faro with a car bomb.
In the case of editor-in-chief Óscar Martínez, his phone was breached 42 times over 49 days. The phone of Sergio Arauz, deputy editor-in-chief, suffered 14 interventions lasting approximately 28 days. The attacks against Martínez and Arauz occurred near the publication dates of a number of complex investigations such as the government negotiations with gangs, various corruption cases, or political decisions about the implementation of Bitcoin. It also matches with numerous days in which they held sensitive editorial meetings and calls.
As for El Faro’s reporters, Gabriela Cáceres, who revealed Operation Cathedral — one of the most significant corruption cases published by El Faro last year — received 13 Pegasus attacks on 13 different days, starting on June 6, 2021, just as she began working on the investigation. Nelson Rauda was the victim of six attacks, one of them in April 2021, on the last day of his coverage in San Francisco Gotera of expert testimony for the El Mozote trial. Roxana Lazo’s phone received 12 attacks and Efren Lemus’ received 10 attacks, as they collaborated on an investigation showing that the former Minister of Security and Justice was fired in 2021 for secretly mounting his own presidential candidacy without Bukele’s support. Lazo was infected on April 19, 2021, one day after publishing; five days later, on the first day he received an iPhone from El Faro for his work, Lemus was infected. After publication, one of Lemus’ sources wrote to him hinting that their conversations had been discovered by the government.
Journalist Gabriel Labrador, with 20 attacks totaling about 101 days, was infected six times in April 2021, while contacting sources, including relatives of Nayib Bukele, his former high school and university classmates, and former government officials, for a profile of the president for the Colombian magazine Malpensante. Labrador’s phone was infected again on Jun. 1, 2021, when he arrived — accompanied by U.S. journalist Jon Lee Anderson, from the magazine The New Yorker — at the Legislative Assembly to cover the session in which Bukele gave his second annual state-of-the-nation address.
French-American journalist Roman Gressier, of El Faro English, was targeted four times with Pegasus, in attacks lasting four days. Two of the infections happened in June 2021: on the 21, the day he traveled to National Civil Police headquarters to submit to a background check; and on the 23, the day after he presented himself before immigration authorities to file for a work permit. Shortly after, he left El Salvador, and, despite the issuance of a temporary permit allowing him to enter and exit the country while his paperwork was under review, the government denied the permit under the argument that he left Salvadoran territory.
Opinion coordinator María Luz Nóchez was the victim of three hacks on three different days in 2021; reporter Valeria Guzmán had eight infections of Pegasus lasting 18 days; digital strategy coordinator Rebeca Monge, in charge of El Faro’s social media, was infected one day in 2021.
Other Cases of Espionage in El Salvador
After Apple sent out its warning messages on Nov. 23, 2021, about possible “state-sponsored attackers,” El Faro interviewed eight people who received the alert in El Salvador. Two of them claim they underwent technical analyses similar to that of this outlet, allowing them to conclude that their devices had been compromised by Pegasus.
Ricardo Avelar, politics editor at El Diario de Hoy, claims to have confirmed his Pegasus infection in December 2021 thanks to the same international organizations that ran the technical analysis for El Faro. Avelar wasn’t surprised to find ten infections, as the notification from Apple had only increased his preexisting suspicions. “I wanted to live in denial, though I already suspected it and tried to take precautions,” he told El Faro. “If they already broke into journalists’ phones, then you understand that they have no inhibitions. You start to feel a sort of anxiety about what will happen with your information, and why they want it,” he said.
El Faro asked Avelar what state he thought of when Apple alerted him that he was potentially a target of state sponsored espionage. “I thought of this government. I don’t know who else would want to,” he responded. “I don’t know for certain, but I don’t see why another state would want to know about me.”
Like Avelar, independent journalist Mariana Belloso received expert confirmation that she had been targeted using Pegasus. She wrote on Twitter on Nov. 26, three days after Apple sent out the alert, that international organization Frontline Defenders had analyzed her device and confirmed the breach. The Citizen Lab later verified the result: her phone was infected with Pegasus once, on Sep. 5, 2021.
“As a journalist, I feel indignant. It tells me that today more than ever we need to fortify our work,” Belloso told El Faro. “As a person, I feel violated and intimidated.”
On the evening of Apple’s announcement, messages from individuals claiming to have received the alert trickled onto social media in El Salvador. Those who spoke out include Spanish national Arnau Baulenas, legal coordinator for the Central American University’s Human Rights Institute (Idhuca) who also works as one of El Faro’s lawyers; U.S. citizen Noah Bullock, director of the Lutheran human rights organization Cristosal; José Marinero, president of the Foundation for Democracy, Transparency, and Justice (DTJ); Arena party legislator Marcela Villatoro; and San Salvador city councilman Héctor Silva, a member of minority party Nuestro Tiempo.
At least four ruling party legislators also wrote on social media that they had received the same notification from Apple, claiming that the attacks reported by El Faro, civil society members, and opposition politicians hadn’t come from the Salvadoran government.
Nobody else argued that the attacks denounced by Apple were launched by a state other than El Salvador. “[Apple’s message] confirmed to me something that we already knew,” said Baulenas. “I’ve never doubted that this is President Bukele. I’ve never doubted the threats. I never doubted that this was a matter of espionage with funds from the Salvadoran people — funds used illegally,” he underscored.
“It’s no accident,” said Marinero, of DTJ. “It’s a deliberate effort to spy, to intercept the communications of civil society,” he continued. Xenia Hernández, the executive director of DTJ, also received Apple’s alert.
According to Marinero, they both implemented security measures after he received information about the use of Pegasus in El Salvador. “In September someone confirmed to me that the government had Pegasus or that they possibly had another way [to conduct espionage],” he said.
Silva does not believe, either, that any attack against him could come from outside of El Salvador: “There was a clear pattern, because Apple specifies that it is sponsored by a state, and I can’t think of anyone in the world that would be interested in this spying other than the government of El Salvador.”
Cristosal’s Bullock was the only one in his organization to receive the alert, he says, because he’s the only one with an iPhone. He doesn’t believe another government could be behind this. “It’s not like the government of Uganda took an interest in me,” he quipped, adding that it’s concerning that there is concerted investment in “constructing, through the [public] communications apparatus, a collective belief that criminalizes human rights.”
Other members of Salvadoran society received Apple’s alert, including at least six executives of the Salvadoran Association of Private Enterprise (ANEP), according to executive director Leonor Silva.
The Citizen Lab’s researcher John Scott-Railton, who led the investigation into the use of Pegasus in El Salvador, says urgent steps must be taken: “We really need to understand who’s doing this, what was done with all of the information that was taken, and it’s so important that there be an independent investigation once this becomes public knowledge.”