Pegasus spyware surveillance of Hungarian journalists

On 18 July 2021, the Hungarian investigative outlet Direkt36, working within the international Pegasus Project consortium, revealed that journalists, lawyers, and critics of Prime Minister Viktor Orban's government had been targeted with Pegasus, the military-grade spyware sold by Israel's NSO Group. More than 300 Hungarian phone numbers appeared on a leaked list of potential surveillance targets.

What happened

Pegasus is a zero-click mobile implant that can silently compromise an iPhone or Android device, exfiltrate messages, photos, location, and contacts, and covertly activate the camera and microphone. Hungary acquired the tool around 2017 — a parliamentary committee exempted the purchase from public procurement on 11 October 2017, and the deal was routed through a Luxembourg-registered NSO subsidiary and a Hungarian intermediary, Communication Technologies Ltd., for roughly €6 million.

The spyware was operated by the Special Service for National Security (NBSZ) on behalf of Hungarian intelligence and law-enforcement agencies. Forensic analysis by Amnesty International's Security Lab and the University of Toronto's Citizen Lab confirmed successful infections — many exploiting Apple iMessage vulnerabilities — primarily during 2018-2019.

Who was targeted

Szabolcs Panyi and Andras Szabo, investigative reporters at Direkt36, and David Dercsenyi, formerly of hvg.hu.
Zoltan Varga, owner of the Central Media Group, and several people who attended a dinner at his home.
Lawyers, opposition figures, the economist and former minister Attila Chikan, and the son of a former Orban ally.

Inclusion on the list does not by itself prove a phone was hacked, but Amnesty's lab confirmed compromise on multiple devices it examined.

The official response

Hungary's government initially said it was "not aware of any alleged data collection." In November 2021, Fidesz MP Lajos Kosa publicly acknowledged that the state had bought Pegasus. The data protection authority NAIH, which opened an ex officio inquiry on 5 August 2021, concluded on 31 January 2022 that the surveillance had been lawful, carried out by the National Security Service with ministerial or judicial authorization on national-security grounds. The detailed findings were classified, and journalists subsequently sued the state.

Why it matters

Hungary was the only EU member state confirmed in the Pegasus Project to have deployed the spyware against journalists, making it a defining case of state surveillance inside the European Union. It triggered a dedicated European Parliament inquiry committee (PEGA), sharpened debate over the export and abuse of commercial spyware, and became a touchstone for press-freedom and rule-of-law concerns about the Orban government.

Timeline

October 11, 2017

Hungary's parliamentary national security committee exempts the Pegasus acquisition from public procurement rules; the deal is routed through a Hungarian intermediary, Communication Technologies Ltd.

2018-2019

Pegasus becomes operational and is deployed against journalists, lawyers and businesspeople, with infections forensically confirmed during this period.

July 18, 2021

Direkt36 and the international Pegasus Project consortium reveal that Hungarian journalists were targeted with NSO Group spyware.

August 5, 2021

Hungary's data protection authority (NAIH) opens an ex officio investigation into the use of Pegasus.

November 1, 2021

Fidesz MP Lajos Kosa publicly acknowledges that the Hungarian state purchased Pegasus.

January 31, 2022

NAIH concludes the surveillance was lawful under national-security grounds; the detailed findings are classified.

Sources

direkt36.huhttps://www.direkt36.hu/en/leleplezodott-egy-durva-izraeli-kemfegyver-az-orban-kormany-kritikusait-es-magyar-ujsagirokat-is-celba-vettek-vele/

direkt36.huhttps://www.direkt36.hu/en/feltarulnak-a-pegasus-kemszoftver-beszerzesenek-rejtelyei/

cpj.orghttps://cpj.org/2021/12/hungarys-szabolcs-panyi-on-how-pegasus-surveillance-has-hindered-his-reporting/

naih.huhttps://www.naih.hu/data-protection/data-protection-reports/file/492-findings-of-the-investigation-of-the-nemzeti-adatvedelmi-es-informacioszabadsag-hatosag-hungarian-national-authority-for-data-protection-and-freedom-of-information-launched-ex-officio-concerning-the-application-of-the-pegasus-spyware-in-hungary

hungarytoday.huhttps://hungarytoday.hu/pegasus-hungary-spyware-data-authority-naih-peterfalvi/

Related incidents

EspionageResolvedMay 24, 2017

Qatar News Agency hack

Attackers planted malware on Qatar's state news agency in April 2017 and exploited it on 24 May to publish fabricated quotes attributed to the Emir, providing the pretext used by Saudi Arabia, the UAE, Bahrain, and Egypt to launch a blockade of Qatar.

Victim: Qatar News Agency (QNA)

EspionageResolvedJune 14, 2016

Democratic National Committee hack

Russian GRU Units 26165 (APT28) and 31165 (APT29) compromised the Democratic National Committee, Hillary Clinton campaign, and DCCC. Stolen emails were selectively released via 'DCLeaks', 'Guccifer 2.0', and WikiLeaks to influence the 2016 U.S. presidential election.

Victim: Democratic National Committee + Clinton campaign + DCCC
Loss: $50.0M
Records: 50.0K

EspionageContainedMarch 16, 2026

LA Metro (LACMTA) Iran-linked breach (2026)

Iran-linked hackers breached Los Angeles' transit agency LA Metro in March 2026, stealing at least 700 GB of internal data and disrupting passenger-information and TAP fare systems.

Victim: Los Angeles County Metropolitan Transportation Authority

EspionageResolvedMay 28, 2025

Czech Ministry of Foreign Affairs APT31 cyber-espionage

The Czech government publicly attributed a years-long cyber-espionage campaign against an unclassified network of its Ministry of Foreign Affairs to APT31, a group linked to China's Ministry of State Security. The intrusion, active since at least 2022, targeted designated critical national infrastructure.

Victim: Czech Ministry of Foreign Affairs