Stop Crying About Pegasus Spyware Because Your Government Wanted It Too

Stop Crying About Pegasus Spyware Because Your Government Wanted It Too

The international press is running its favorite playbook again. French Prime Minister Sébastien Lecornu lands in Morocco for a high-profile diplomatic reset, and right on cue, a consortium of investigative journalists drops a fresh batch of Pegasus spyware revelations. We are treated to the usual performative horror: sovereign states compromised, democratic institutions under siege, and innocent Western politicians violated by foreign cyber-mercenaries.

It is a beautiful, clean narrative of victims and villains. It is also a complete lie.

The real story of the Pegasus project leaks is not that Morocco was spying on French officials. The real story is that while Moroccan operators were allegedly using NSO Group’s code to siphon data from the phones of French ministers, French intelligence agencies were sitting in the exact same showroom, kicking the tires on the exact same software, trying to buy it for themselves.

The moral outrage surrounding commercial spyware is a massive cope. It is a smokescreen designed to hide the uncomfortable truth of modern statecraft: offensive cyber-surveillance is not an aberration. It is the baseline.


The Double-Agent Showroom

Let us look at the facts that the moralizers prefer to gloss over.

In mid-2019, the French state was supposedly the target of a massive, aggressive Moroccan cyber-espionage campaign. Among those targeted was Sébastien Lecornu himself, then serving as the minister for local authorities. Yet, during that exact same period, France’s domestic intelligence service was actively negotiating with NSO Group. French agents met with NSO representatives at least five times. The asking price for the keys to the kingdom? Somewhere between 60 and 80 million euros.

Imagine a scenario where a homeowner discovers a burglar is using a highly specialized, silent lockpick to rob their house. Instead of calling the police, changing the locks, or reinforcing the doors, the homeowner secretly tracks down the lockpick manufacturer and asks: “How much for a set of those? We’d like to use them on our neighbors.”

That is the reality of Western cyber security. The Elysée Palace only walked away from the NSO deal in late 2020, not out of ethical concerns for human rights or global privacy, but because Emmanuel Macron personally ruled that depending on foreign, Israeli-controlled technology was a geopolitical risk. They did not reject the weapon; they rejected the supplier.

This exposes the fundamental hypocrisy of the "defenders of democracy" rhetoric. Western governments do not want to ban spyware. They want a monopoly on it. When a foreign state uses it against them, it is a "grave threat to democratic values". When they use it themselves, or when their close allies do, it is "lawful intercept" and "national security."


Espionage is the Lubricant of Diplomacy

The timing of Lecornu’s visit to Rabat is highly inconvenient for those who believe international relations are governed by moral principles. Here is a French prime minister, whose own phone was targeted by Moroccan operators, traveling to Morocco with a dozen ministers to build "trust" and cement a "strategic partnership".

Why? Because in the real world, an compromised iPhone is a minor cost of doing business.

┌────────────────────────────────────────────────────────┐
│              THE REALPOLITIK HIERARCHY                 │
├────────────────────────────────────────────────────────┤
│ 1. Territorial Sovereignty & Borders (Western Sahara)  │
│ 2. Energy, Trade, and Economic Investment Contracts   │
│ 3. Bilateral Intelligence Sharing & Counter-Terrorism  │
│ 4. ...                                                 │
│ 99. The Privacy of a Minister's Telegram Chat         │
└────────────────────────────────────────────────────────┘

France recently recognized Moroccan sovereignty over the disputed Western Sahara territory. This was a massive diplomatic pivot that ended years of strategic ambiguity. Why did Paris do it? Because Morocco controls critical trade corridors, acts as a vital buffer for migration into southern Europe, and serves as a premier partner in counter-terrorism intelligence.

Do you honestly believe a French prime minister is going to blow up a multi-billion-dollar geopolitical realignment because some Moroccan DGST operator read his WhatsApp messages from seven years ago?

Of course not. Espionage is the oldest tradecraft on earth. The only difference between 1926 and 2026 is that we have replaced wiretaps and honeytraps with zero-click exploit chains. Every state spies on every other state. France spies on its allies; the United States famously tapped Angela Merkel’s phone; Morocco spies on France.

To pretend that this spying is an obstacle to diplomacy is to misunderstand diplomacy entirely. Often, knowing exactly what your counterpart wants—because you hacked their phone the night before—makes negotiations smoother, not harder.


The Myth of the "Clean" Cyber Market

The consensus view, championed by organizations like Amnesty International and Citizen Lab, is that the commercial spyware market can and should be regulated out of existence. They call for a global moratorium on the sale, export, and transfer of surveillance equipment.

This is a naive fantasy.

Offensive cyber capabilities are a sovereign necessity. If you ban NSO Group, you do not stop the trade. You simply drive it deeper underground, shifting the market from semi-regulated corporate entities to black-market actors and state-sponsored military intelligence units.

The Mechanics of the Market

Let us break down how the zero-day market actually functions. A zero-day exploit is a software vulnerability that is unknown to the vendor (like Apple or Google). Because there is no patch, an attacker can use it to silently compromise a device.

  • The White Market: Security researchers find bugs and report them directly to Apple or Google for a "bug bounty" reward (typically $10,000 to $250,000).
  • The Gray Market: Firms like NSO Group, Intellexa, or Variston buy these vulnerabilities from researchers for millions of dollars, package them into user-friendly platforms (like Pegasus), and sell them exclusively to government clients.
  • The Black Market: Anonymous brokers sell these vulnerabilities to cybercriminals, rogue states, or military intelligence agencies with zero restrictions, often for cryptocurrency.

If the West successfully destroys the gray market through sanctions and blacklists, the supply of vulnerabilities does not vanish. The top-tier exploit developers—the brilliant minds who find these flaws—will simply sell their work to the highest bidder on the black market.

Instead of a company like NSO Group, which at least maintains a nominal (if heavily flawed) compliance framework and can be dragged into court, governments will buy their tools from completely untraceable, shell-company brokers operating out of jurisdictions that laugh at Western sanctions.


The Security Poverty Line

We must also confront a painful truth about our consumer technology. The Pegasus scandal is not a failure of international law; it is a failure of system architecture.

We have built a global communications infrastructure where the most sensitive communications of world leaders run on the exact same commercial operating systems used by teenagers to post videos on TikTok. A standard iPhone or Android device, no matter how updated, is fundamentally insecure against a well-funded nation-state adversary.

       +-------------------------------------------------+
       |         THE STATE-SPONSORED ATTACK VECTOR       |
       +-------------------------------------------------+
                               |
                               v
                     [ Zero-Click Exploit ]
                               |
         +---------------------+---------------------+
         |                                           |
         v                                           v
[ iMessage / WhatsApp Parsing ]              [ Baseband Processor ]
         |                                           |
         +---------------------+---------------------+
                               |
                               v
               [ Kernel Privilege Escalation ]
                               |
                               v
              [ Complete Device Compromise ]
         (Emails, Photos, Microphone, Camera, GPS)

For years, the tech industry pushed the narrative that end-to-end encryption (E2EE) was the silver bullet for privacy. Signal, WhatsApp, and iMessage would protect us from the panopticon.

But Pegasus bypasses encryption entirely. It does not try to intercept data as it travels across the network. It infects the endpoint. It sits on the device itself, reading the messages before they are encrypted and after they are decrypted. It turns the phone's own hardware—its microphone, its camera, its GPS—against the user.

If a state actor is willing to spend $5 million to target your specific phone, and they are using a zero-click exploit delivered via a silent iMessage that requires no action on your part, you are going to get hacked. There is no antivirus, no settings configuration, and no "best practice" that can save you.

The only real defense is absolute physical isolation. If you want a device to be secure, it cannot be connected to the internet, it cannot have a cellular baseband, and it cannot be brought into a room where sensitive conversations are happening.

Yet, Western politicians continue to walk into high-level cabinet meetings with their personal smartphones in their pockets, and then express shock and outrage when they discover their strategic plans have leaked. This is not a cyber-attack problem; it is a basic operational security failure.


The Inevitable Rapprochement

When the dust settles on the latest round of leaks, nothing will change. Sébastien Lecornu will sign defence contracts in Rabat. France and Morocco will continue to share counter-terrorism data. French domestic intelligence will keep looking for a way to acquire high-end mobile surveillance capabilities, whether from Israel, India, or their own domestic defense contractors.

The media will continue to scream about the "death of privacy," but the adult world of geopolitics has already moved on. Spyware is not going away because spyware is too useful to the very people who claim to despise it.

It is time to drop the performative outrage. The Pegasus saga is not a morality play about evil corporations and innocent victims. It is a mirror reflecting the ruthless, hypocritical, and compromised reality of 21st-century power. And in that game, everyone is trying to hack everyone else. The only real sin is getting caught.

MJ

Miguel Johnson

Drawing on years of industry experience, Miguel Johnson provides thoughtful commentary and well-sourced reporting on the issues that shape our world.