
Management of five firms linked to Pegasus maker NSO is moved to London

Change could stoke controversy for spyware company amid calls for UK sanctions

NSO has said its spyware is sold to governments, law enforcement agencies and intelligence agencies to fight serious crime. Photograph: Amir Cohen/Reuters

The management of several companies linked to NSO Group, the spyware company blacklisted by the Biden administration, has moved to London.

NSO, which sells Pegasus, one of the world’s most sophisticated hacking tools, is based in Israel, but several of the companies that manage some of the group’s operations – including one that NSO has said manages invoices and payments from NSO’s customers – are based in Luxembourg, inside the European Union.

The Guardian has learned that five NSO-linked companies will now be managed in London by two recently appointed UK-based officers. A spokesperson for the groups said the entities would remain “Luxembourg companies” but did not dispute they would be managed from London.

The UK-based directors of the five companies recently asked an NSO Group employee based in Luxembourg to place a notice on the companies’ premises announcing that the companies’ management and activities had moved to London. They have also asked for the companies’ server and electronic files to be moved to the UK as soon as possible.

The move could create political controversy. Privacy and security experts have documented a string of cases in which NSO’s government clients have previously used Pegasus spyware against lawyers, campaigners and other individuals in the UK. The software allows clients to hack into any phone without detection and can turn a mobile phone into a remote listening device.

Last year, after the publication of the Pegasus Project, an investigation into NSO by a media consortium led by Forbidden Stories and including the Guardian, a group of 10 MPs and peers, including the Labour MP Andy Slaughter, called on the then prime minister, Boris Johnson, to impose sanctions on NSO.

In their letter, the MPs said documented cyber-attacks against UK-based human rights activists and others in the UK represented “egregious breaches of domestic and international human rights law”.

Researchers at the Citizen Lab at the University of Toronto disclosed in 2022 that they believed Downing Street had been targeted by “multiple” suspected infections using Pegasus. The researchers said the United Arab Emirates was suspected of orchestrating the attacks on No 10 in 2020 and 2021. At the time, NSO said it was being targeted by “politically motivated advocacy organisations” that produced allegedly “inaccurate and unsubstantiated reports”.

NSO was placed on a US blacklist by the Biden administration in 2021, after the commerce department said the company had been used to develop and supply spyware to governments to maliciously target government officials, as well as academics and embassy officials. The US government also said it had evidence that NSO’s tool had enabled governments to conduct transnational repression.

The move to add NSO to the US blacklist, formally known as an entity list, prohibits the export from the US to NSO of any hardware or software that could be used by the company.

News of the relocation of the management of the NSO-linked companies comes as the alleged use of Pegasus by multiple European authorities – in Spain, Hungary and Poland – is facing scrutiny in the European parliament. The parliament is conducting an inquiry into use of the surveillance tool, including whether use of Pegasus or other surveillance spyware by EU states contributed to illegal spying on journalists, politicians, diplomats, lawyers, businesspeople or civil society members.

One person familiar with the matter downplayed the significance of the shift to London and said the companies would remain under the jurisdiction of Luxembourg laws. They argued the changes had been made for administrative purposes.

A US consultancy group, Berkeley Research Group (BRG), took over management of the fund that owns a majority stake in NSO in 2021. The fund has been managed by a subsidiary of BRG, Berkeley Asset Management. The New Yorker recently reported that cooperation between the consultancy and the Israeli company was “virtually nonexistent”.

The Guardian reported in October 2021 that the US consultancy had not at that time been given clearance by the state of Israel to receive any sensitive information about the company, which is regulated by Israel’s ministry of defence. It is not clear whether the managers have subsequently received clearance.

The Luxembourg companies do, however, appear to play a role in the Israeli company’s operations, according to a recent draft report by the European parliament’s inquiry committee into NSO, which was made public. The draft report said more than half of NSO’s sales over the previous two years were booked in Luxembourg.

NSO stated in an October 2021 public letter to Amnesty International that Q Cyber Technologies Sarl, an NSO-linked company based in Luxembourg, acted as a “commercial distributor for the products of the group companies, [and] as such it signs contracts, issues invoices and receives payments from group customers”.

According to a Luxembourg filing, four UK-based officers were appointed to Q Cyber Technologies Sarl on 20 December 2022.

The five companies whose operations are now being managed in London are NorthPole Holdco Sarl, Square 2, NorthPole Bidco Sarl, Emerald LIE and Diamond LIE. Recent filings to the UK’s Companies House show that all but one of the companies – the exception is Square 2 – are now registered in the UK, in offices that overlook St Paul’s Cathedral. They are listed as being “overseas” companies.

NSO did not respond to a request for comment.

Do you have information about this story? Email stephanie.kirchgaessner@theguardian.com, or (using a non-work phone) use Signal or WhatsApp to message +1 646 886 8761.

The moves to London are not the only recent changes. In a notice to investors, BRG said that as of 31 October 2022, it had divested itself of Berkeley Asset Management, which managed the fund that owns a majority stake in NSO. The group’s interests were divested to a company called TREO Capital Advisors LLC, an entity that was formed, the notice said, by Finbarr O’Connor, who previously served as managing director of BRG in New York.

A spokesperson for TREO, which holds several investments, said: “The entities are and will remain Luxembourg companies. Where they are managed from has no bearing on whether they are Luxembourg companies or not.”

NSO has said its spyware is sold to governments, law enforcement agencies and intelligence agencies to fight serious crime, such as terrorism. It has said it investigates credible allegations of abuse and that it has no information about how its government clients use the spyware.
