NEW DELHI: When 'Anna', an investigative journalist covering government corruption, noticed her phone battery draining rapidly and her calls dropping mid-sentence, she assumed a technical fault. Weeks later, forensic analysis confirmed she had been infected with Pegasus spyware - the same tool used by intelligence agencies worldwide to silently penetrate the phones of journalists, activists and dissidents. She asked to remain anonymous, fearing she would be targeted again.
Her story mirrors that of hundreds of journalists across the world, surveilled not for crimes, but for doing their jobs.
A landmark new study ‘Global Surveillance of Journalists: A Technical Mapping of Tools, Tactics, and Threats’ commissioned by the International Federation of Journalists (IFJ) has mapped, in unprecedented technical detail, the global infrastructure through which journalists are monitored, tracked, and intimidated using digital tools.
The findings are damning. Surveillance of the press has become industrial in scale, commercially available, and largely unaccountable, spanning democracies and authoritarian states alike, with South Asia emerging as one of the most heavily targeted and most forensically under-served regions on earth.
The report, prepared by digital security and digital rights expert Samar Al Halal and revised by cybersecurity researcher Lukasz Olejnik, draws on interviews with cybersecurity experts, forensic analysts and journalists from across the world, alongside technical documentation and verified investigations conducted between 2021 and 2025.
Its central finding is that surveillance against journalists is now industrial in scale. Sophisticated spyware, once confined to state intelligence agencies, has been repackaged as "lawful intercept" technology and sold to governments around the world, with few meaningful controls on how it is used, against whom, or why.
Three platforms dominate what the report calls the commercial spyware market: Pegasus, developed by Israel's NSO Group; Predator, produced by the European Intellexa alliance; and Graphite, built by Paragon Solutions.
Together, what the report dubs "the 3 Ps" offer capabilities that would, a decade ago, have been the preserve of the most advanced intelligence agencies. They can penetrate iPhones and Android phones without any action by the target. With no click, no link, no warning, they can silently extract messages, call audio and photographs, and activate microphones and cameras in real time.
In 2021, Pegasus was found on the devices of at least 180 journalists in more than 20 countries. In 2022 alone, Pegasus operators deployed at least three distinct iOS exploit chains in quick succession. Graphite, Paragon's newer platform, was confirmed by Citizen Lab in 2025 to have infected the phones of journalists in Italy.
Predator, marketed by a European corporate alliance, has been deployed via network injection attacks, meaning targets did not even need to click a link for their phones to be compromised. The spyware was simply injected into their web traffic by a device inside their internet service provider.
These tools, the report emphasises, have been deployed in democracies as readily as in authoritarian states. The reasons given for targeting journalists are, in the report's words, "often vague, insufficiently substantiated, or not made public."
The report maps four interlocking layers of surveillance infrastructure, each capable of operating independently or in combination.
At the top sit the commercial spyware platforms. Below them, low-cost methods have proliferated alongside state-grade tools: phishing emails crafted to look like legitimate communications, social media honeypots using fake personas to build trust before delivering malware, commercial stalker ware apps available for a few hundred dollars, and insider access at telecom companies, where engineers are bribed or coerced into handing over call logs, location data, and internet traffic records, leaving no trace on the journalist's device.
The third layer is telecommunications infrastructure itself. Weaknesses in the SS7 signalling protocol - a system dating from the 1970s that connects telephone networks globally - allow attackers to intercept calls, redirect SMS messages, and geolocate phones without any device infection at all. IMSI catchers, portable devices that impersonate cell towers, can sweep the unique identifiers of every phone in a protest zone or press centre, forcing connections through them and enabling eavesdropping.
During Belarus's 2020 presidential election protests, authorities deployed IMSI catchers across demonstration zones, intercepted journalists' private calls, and broadcast them on state television to discredit reporters.
The fourth and most alarming layer is data fusion. Surveillance agencies are increasingly combining spyware output, telecom metadata, social media scraping, facial recognition, travel records, and AI-driven analytics platforms to build continuous, multilayered profiles, not just of individual journalists, but of entire newsrooms and journalistic networks.
The threat is no longer only a targeted spyware attack, the report warns, but a shift toward what one expert described as "mass profiling on dashboards." A journalist might evade one form of surveillance only to be caught by another, with all the data ultimately pooled together. In conflict zones, this convergence becomes lethal.
Independent investigations confirmed that Reuters cameraman Issam Abdallah, killed by an Israeli tank strike in Lebanon in October 2023, had been in the continuous view of multiple Israeli surveillance assets - drones, an Apache helicopter, and five ground surveillance towers - for more than 75 minutes before the strike, all while he and his colleagues wore clearly marked press vests.
India: Repeated Infections, Official Silence
Against this global backdrop, the situation in South Asia is particularly acute.
The 2021 Pegasus Project - a joint investigation by Forbidden Stories, Amnesty International and media partners worldwide - identified numerous Indian journalists as potential targets of NSO Group's spyware. Then, in December 2023, Amnesty International's Security Lab published forensic evidence of repeated Pegasus infections specifically targeting high-profile Indian journalists, with technical traces indicating zero-click iMessage exploits deployed between August and October 2023.
The pattern is not new. Indian journalists received WhatsApp threat notifications as early as 2019, when a voice-over-IP vulnerability exploited by NSO Group was patched by the company. Researchers have observed that surveillance targeting in India tends to spike around elections and sensitive investigations, suggesting systematic, politically timed deployment.
India's government has neither confirmed nor denied procuring Pegasus. The matter has been raised before the Supreme Court and in parliamentary forums without resolution. Meanwhile, researchers and civil society litigants have also documented controversies around older tools, including FinFisher.
In the absence of official accountability, journalists are left to rely on a handful of international forensic organisations whose resources are already stretched thin across dozens of countries simultaneously.
Pakistan: Telecom Access and Assumed Surveillance
Pakistan presents what the report calls a hybrid model - blending deep telecom-layer access with commercial spyware and pervasive low-cost techniques.
Civil society litigation in Lahore's High Court challenged the government's alleged use of FinFisher spyware as far back as 2015, following technical findings that FinFisher infrastructure had operated in the country. Citizen Lab's 2018 global mapping identified Pegasus operators active across 45 countries, with Pakistan listed among locations of likely operational interest.
But unlike Mexico or El Salvador, where spyware infections have been forensically confirmed in multiple documented individual cases, Pakistan-specific device forensics remain sparse in public records - a gap the report attributes not to the absence of surveillance but to the near-total absence of forensic support infrastructure for journalists in the region.
In practice, Pakistani journalists operate under the routine assumption that their calls and messages are monitored. The report notes that, given Pakistan's powerful security establishment, reporters describe widespread phishing and social engineering as standard hazards of the beat, used alongside whatever high-end tools remain out of public view.
Across South Asia, the report identifies a deepening and dangerous asymmetry. The sophistication of surveillance tools is advancing rapidly. The resources available to journalists are not.
Most newsrooms in the Global South, including across India, Pakistan and in Africa, have no forensic capability to detect spyware infections. Journalists who suspect compromise must wait, sometimes for months, to send devices to specialist organisations abroad: Citizen Lab at the University of Toronto, Amnesty International's Security Lab, or Access Now's Digital Security Helpline.
By the time analysis is completed, volatile forensic evidence may have decayed entirely. Sources are already exposed. Investigations already compromised.
The report is pointed in its assessment of this imbalance. Only a handful of organisations worldwide have the expertise to perform forensic analyses of this kind, and their resources are stretched across a global caseload. "This scarcity of technical support leaves journalists in the Global South particularly vulnerable," it concludes. "Many learn about digital security only after an incident, when their sources are already compromised."
The damage is not only technical. The report documents with particular care the human consequences of pervasive surveillance: the fear, the isolation, the erosion of journalism itself.
When journalists suspect their devices are compromised, they begin to withdraw from sensitive investigations, drop sources, and choose self-censorship over exposure. Sources, meanwhile, grow reluctant to speak to journalists at all if they believe their communications may be intercepted. The chilling effect cascades, undermining not just individual reporters but the broader public interest in accountability journalism.
Hungarian investigative journalist Szabolcs Panyi, targeted by Pegasus, captured this effect simply: "Who the hell wants to talk to me after this? I feel ashamed to not be able to possibly protect some of them." His words, quoted in the report, speak to a reality shared by journalists from Mexico City to Mumbai.
In the most extreme cases, surveillance becomes an instrument of propaganda. Private conversations intercepted by authorities in Belarus were edited and broadcast on state television to publicly discredit reporters. In India and Pakistan, while no equivalent case is documented with equivalent forensic detail, the structure of vulnerability is identical.
Underpinning all of this, the report finds, is a near-total absence of meaningful oversight. Spyware exports are often unregulated. Judicial authorisation for surveillance is absent or nominal. Independent bodies with the power to investigate abuses and hold governments accountable barely exist in most of the countries documented. Even where legal frameworks nominally apply, the report notes, "oversight is frequently uneven, incomplete or inconsistently enforced across jurisdictions."
The spyware industry itself compounds this opacity. Commercial vendors sell identical tools to multiple governments, then deny responsibility for how they are used. Governments under scrutiny deny involvement or blame unknown actors. Private contractors carry out hacking operations that state agencies can then disavow. Attribution becomes almost impossible, and without attribution, legal and diplomatic accountability becomes equally so.
What the Report Demands
The IFJ report concludes with a call to action directed at journalists, newsrooms, digital security organisations, and policymakers worldwide.
For journalists individually, it recommends using iPhones with lockdown mode enabled or Google Pixel phones running GrapheneOS, storing sensitive material in encrypted containers, communicating exclusively via Signal for sensitive exchanges, using loaner devices on high-risk assignments, and establishing relationships with forensic support organisations before an incident occurs, not after.
For newsrooms, it calls for mandatory digital security protocols, dedicated cybersecurity budgets, incident response plans, and a culture in which suspected compromises can be reported without fear of blame or professional consequence.
For policymakers, it demands an immediate moratorium on the export, sale, and use of invasive spyware until enforceable human rights safeguards are in place; shield laws protecting journalistic sources in the digital domain; independent oversight bodies with real investigative powers; judicial authorisation requirements for any spyware use; and the rejection of any legislation mandating encryption backdoors.
On the international stage, it calls for a dedicated UN Special Rapporteur on surveillance technology and human rights, transparency reports from governments detailing the scope of surveillance authorisations, and legal remedies for journalists who have been unlawfully targeted.
(Global Surveillance of Journalists: A Technical Mapping of Tools, Tactics, and Threats was prepared by Samar Al Halal, commissioned by the International Federation of Journalists, and co-funded by the European Union as part of the Brave Media project. March 2026.)
Have you liked the news article?