In the summer of 2021, the world was introduced to Pegasus, the infamous zero-click spyware. Amnesty International, Forbidden Stories, and over 80 journalists from 17 media organizations in 10 countries released the ground-breaking investigative report about the spyware in the Pegasus Project. The investigation revealed that NSO Group, an Israeli-based cyberweapons firm, trademark spyware product Pegasus was used by some governments to facilitate human rights violations on a massive scale, illicitly spying on human rights activists, academic figures, journalists, business executives, lawyers, doctors, politicians, and heads of state.
One of those targeted by the advanced spyware included British human rights lawyer, LGBTQ activist, and Detained International founder David Haigh. After he learned about the infiltration, David launched an extensive media campaign to raise awareness about Pegasus, going as far as personally asking NSO Group employees to remove the spyware from his phone. To illustrate the real-world threats of this invasive spyware, we spoke with David Haigh to share what it means to be the first confirmed British citizen targeted by Pegasus.
(Edited for brevity and clarity)
DPN: Tell us about yourself.
DH: My name is David Haigh. I’m a human rights lawyer and campaigner who focuses on cases of injustice in the Middle East, mostly in Dubai. I made headlines a few years ago because I was helping the daughter of the ruler of Dubai, HRH Princess Latifa Al Maktoum, escape the country, as well as several other senior women in the Dubai Royal family.
What happened with Princess Latifa?
Five years ago, Princess Latifa and her friend Tiina Jauhiainen attempted to escape Dubai. Latifa wanted to flee from her father, Sheikh Mohammed bin Rashid al-Maktoum, Dubai’s autocratic ruler, and the Vice President of the UAE. So, Latifa and her friend went by boat to international waters. However, her boat was hijacked in the Indian Ocean, and the Princess was taken back to the UAE. That’s where my #FreeLatifa campaign began. The movement to free Princess Latifa started in 2018 and continued until she was released in 2021. The campaign gained a lot of attention, even receiving mentions from public figures like Secretary Antony Blinken and a very recent landmark piece in The New Yorker.
Walk us through the day of the cyberattack.
Which cyberattack? Many know I was targeted by Pegasus, the news made front page of the Washington Post and a PBS documentary. However, I was, I’m told, also targeted by a BellTroX / Cyber Route spear phishing campaign beforehand. The BellTroX campaign was technically the first time I was targeted by a cyberattack, or rather told there was clear evidence of such an attack. I have always suspect earlier hacking, but I haven’t mentioned this publicly before.
Let’s start with the BellTroX phishing campaign.
In 2016, I started assisting victims of injustice in the UAE. I had previously run a leading English football club, so I was in the media and able to get media attention to campaigns. In 2020, I helped a lot of people in the UAE who suffered from injustice, this included Princess Latifa and aiding two of her stepmothers. Sheikha Randa Al Banna, the first wife of her father and HRH Princess Haya Bint Hussein, the last wife of Latifa’s father and also the daughter of the former king of Jordan. I was really busy. I didn’t know about the spear phishing hack until Reuters journalist Rafael Satter contacted me over social media and asked if we could chat about a security issue. He told me I was likely targeted by a spear phishing campaign. Some of my emails had appeared on a list of people targeted by hackers working for Ras Al Khaimah, one of the seven emirates in the UAE (Dubai and Abu Dhabi are two of the others). A Ras Al Khaimah government’s investment company had hired a US law firm called Dechert to take legal action against various people of interest. According to various lawsuits in the US and the UK, the firm allegedly utilized the mercenary hacking service BellTroX / Cyber Route to uncover information. He gave me some key terms and email addresses, then told me to search for them in my social media accounts, email inboxes, and so on.
When I started searching, what I found was chilling. Some of these terms and emails brought up very convincing LinkedIn messages in my inbox from people I personally knew. However, these were spoof messages. It was obvious the hackers, or those instructing them perhaps, did a deep dive on me because some of the identities used were friends from my hometown. They must have researched my social media accounts to uncover some of my relationships. One message came from a senior prosecutor and lawyer in the UAE. Another one was from one of my ex-flatmates, a graphic designer. Looking back, I remember thinking my flatmate’s LinkedIn message was a little strange. After reviewing these key terms and emails, I realized I did perhaps click on a link in one of the spoof messages. Luckily, I don’t think the phishing campaign was very effective. I don’t believe they got the information they were looking for, but maybe I am wrong. I always worry that they perhaps did – how would I know?
What about the Pegasus hack?
I was hacked in August 2020, and, oddly enough, I was in a hospital receiving treatment for post-traumatic stress disorder because of UAE-related issues. I was in contact with HRH Princess Haya and her eminent legal team. Princess Haya had escaped to the UK with her children in fear for her life following her visit to a hostage in 2018. She was the stepmother of Latifa, and we in touch with her and her legal team discussing Latifa’s disappearance. Princess Haya was awarded one of the largest settlements in English legal history in her divorce from the ruler of the UAE. The English court even ordered a no-fly zone over her home to protect her from the Dubai ruler. Latifa had instructed us to contact Princess Haya in case she went missing.
So, I was due to meet Princess Haya and her legal team to show her some secret videos and evidence we had obtained, per Latifa’s wishes. I then met with the BBC to work on a BBC Panorama Documentary about these videos. The content was effectively dynamite in terms of exposing the UAE rulers and their lifestyles. Most importantly, the videos exposed their lies to the world related to Latifa. Looking back, these videos, and countless other private information, was accessed by hackers before the BBC was able to air them.
Later, a Guardian journalist contacted me. Normally, we are quite chatty with the Guardian as they have supported our campaign for many years, but this call was different. He said he couldn’t talk over the phone but wanted me to come to London to discuss something important. I live in the countryside by the sea, far from London, so this raised suspicions.
I went to meet with him, and he told me that he’d been made aware of individuals being targeted by military-grade spyware, and he believed that Tiina Jauhiainen and I were compromised. He wanted me to hand over my phone, but I have these secret videos and other documents on there. Of course, I’m not going to hand it over to a journalist. I decided I’d let Amnesty International check my phone because I believed I could trust them. So, they remotely accessed my phone. Within a few hours, I got an email from Amnesty stating they had good evidence I had been targeted by Pegasus.
How did you respond once you discovered you were targeted by these cyberattacks?
After I found out about the BellTroX / Cyber Route campaign, I wasn’t sure what to do. Myself, and my team were more focused on helping others, especially finding Latifa, who was still missing, feared dead at this point. There was no support from anyone, just the journalist who told me about it. There was no big media push then. No one really cared. It was much easier to find support for the Pegasus hack because it became a high-profile case extensively covered in the press. I know quite a bit about Pegasus now, but BellTrox / Cyber Route is still largely a mystery. Did they actually get into my computer? If so, what did they take? Is it because of them that Latifa’s secret phone was found? I still ask myself this question.
For Pegasus, I had NGOs like Amnesty and Human Rights Watch and journalists to turn to, but where do you go afterward? You can look online, but there’s no “I’ve been hacked by an evil dictator dot com.” So where do you start? No one from the British government or police contact me. I spoke with the Guardian journalist, and I decided that the first step was to contact my phone’s network provider O2 because they’re responsible for network security. However, they didn’t have a clue.
Then I contacted my local police, but they didn’t know what to do either. Where I live is very rural, and the police are probably more accustomed to dealing with livestock theft. They suggested I report the incident in London since they would be better equipped to handle it. However, even after I reported the hack, little was accomplished. The police did provide me with a home security system, which included a government-issued GPS tracker / panic alarm connected directly to the police to carry around in case of an emergency. They even sent workmen to add additional security to my home, including building a safe room in my house. I’m not sure how much it would help if an evil dictator, one of the world’s richest and most powerful men, was after me.
No progress has been made in the investigation, and no one has been held accountable. There was no clear organization to turn to, either internationally or locally, then or now.
Can you explain how Pegasus disrupted your professional life?
It had a huge impact. If someone is already paranoid and aware I was hacked, they’ll think twice before asking me for help. I’m trying to help people in very vulnerable situations, some of these individuals are dealing with evil people that would think nothing of hurting them or their loved ones. It was always worrying because, in some cases, there was no other way to contact them except through mobile devices. Was I putting their lives at risk?
Moreover, I feel like I have to defend myself because some people view me with suspicion. I remind people that I fight for human rights — I’m not a terrorist. Even if people don’t say anything to me, they quietly wonder why I was targeted by a government cyber operation, especially from a west-friendly government. They believe there’s no smoke without fire. It didn’t help that the UAE’s news media churned out fake stories about me online to damage my reputation. It’s difficult to deal with.
How about your personal life?
My friends were obviously worried, because they were concerned about how it could impact them. They wondered if someone would try to come after them. Sure, we joke about the hack at times, but I know there’s some seriousness behind the jokes. Those who are likely involved with the hacking have done some very bad things. It’s not just gossip. They have been found guilty in English courts of kidnapping, harassing, and intimidating people.
My relationship with my partner at the time fell apart. We were in a small community in the middle of nowhere in England, and my partner lived a normal life. He couldn’t deal with it, which is understandable. He didn’t know what to do, and he worried. It had a devastating effect, but you can’t let bad guys win, ever. So, you keep pushing forward. But that fear is always there, you know? And I’m sure, even years from now, people will still say things about this whole ordeal.
Why did you decide to come forward about Pegasus?
My involvement running a top English football club has given me a platform to bring attention to important issues, which is why I help people in the UAE. I’m in a fortunate situation to have such a platform, so it’s almost like a duty for me to use my ability to get media attention to stop bad people. Often to my own detriment, I put those that I help first. If you don’t stand up to evil dictators, our world, our democracy, and everything we stand for are at risk.
I always have in my mind Winston Churchill when facing an evil dictator. He said “Never give in. Never give in. Never, never, never, never—in nothing, great or small, large or petty—never give in, except to convictions of honour and good sense. Never yield to force. Never yield to the apparently overwhelming might of the enemy.”
A lot of my friends think I’m crazy for putting my life and career on hold and putting myself in danger to save Latifa and others. They think I am too brave because I speak out. They tell me, “David, you’ll end up dead.” They know about the people responsible for the hack and what they have done to those who go against them. When I get on the subway in London, I keep my back against the wall because I have heard of too many “accidents” that involve people getting pushed in front of trains. However, the only way to stop them is to speak up, go to the media, and make it public.
How do you feel about being targeted by not just one, but two different malware variants?
When I reflect on the hacking incidents, it sends chills down my spine. Let’s take BellTrox / Cyber Route, for example. The fact that someone has obviously conducted very detailed surveillance on you is chilling. How did they manage to get information about a hometown friend that isn’t public? This made me even more worried about having been followed. It makes me wonder what the hackers had seen and how long they had been watching, and what they may do to me or my loved ones next.
At the time, nothing really sank in for me. However, as I delved deeper into the details of Pegasus, I started realizing the extent of control someone can exert over your life, as well as the lives of your loved ones, friends, and colleagues, once they gain access to your phone. Today, for most of us, our phones are our lives. It was alarming to think someone can hijack your home, health, happiness, and everything you are. This realization was truly disturbing. Although my friends and family were supportive, they also expressed concerns about their own safety since their numbers were on my hacked phone. It made me worry not only about myself but also about my parents, my loved ones, friends, those I’m helping, even journalist reporting on the campaigns. I wondered if the hackers had hacked them too.
How much did you know about cyberattacks or cyberwarfare before this occurred?
I knew absolutely nothing. I mean, not in great detail. From my days in football, I was aware that people had ways of using spying devices to monitor teams. So, I had this in the back of my mind, and as I said I felt I had been targeting earlier as well, but of course didn’t have evidence. However, not even in my wildest nightmares could I imagine something like Pegasus existed. You cannot prevent it because it’s no-click technology. Once they have your phone number, they have control. What’s worse is new technology will replace Pegasus, and that new tech will be even more sinister.
Have your online habits changed because of this experience?
Yes, absolutely. However, you don’t know if changing your online habits truly makes a difference. Of course, it is important to follow basic safety measures, such as not keeping all your information on one device and using multiple devices for different purposes. I’ve got more phones than I can cope with at the moment. Not only is that beyond impractical, but it’s also very expensive. iPhones are not exactly cheap. I cover the cameras on my computer, and I am hesitant about using smart devices like Alexa and Google Home.
Everything you know is Wi-Fi enabled. The thought of someone hacking into my home system and controlling everything, from my kettle to my cat litter box, is daunting. I was considering buying a Tesla and having Elon Musk’s Starlink mobile Wi-Fi, but the idea of someone remotely controlling the car concerned me. Could a hacker make it crash? What if a hacker got into my Wi-Fi? You start to get paranoid, and I wonder how many people feel this way.
What would you tell people unaware of the threat of cyberattacks or cyberwarfare?
No one seems to take hacking seriously, and that worries me. Now, you hear about people who are paranoid about AI. You know, like Terminator Skynet. This fear is in the news every day. However, what about the fact that people are, as I say this, hacking into our computers, controlling our politicians and our democracy? Why isn’t that receiving the same level of attention? It’s quite concerning that those in power already have the means to control our lives. We’re all worried about AI taking over the world. Yet, people with keyboards already are, and we’re saying nothing about it.
Is there any message you would like to provide for those impacted by cyberattacks?
A friend told me, “Don’t think of this as a bad thing. You have made a difference. You know you’ve done something good because you impacted the lives of bad people.” You should wear this experience as a badge of honour and wear it proudly. Don’t keep quiet. Stand up and help others. Educate people on the dangers of cyberattacks. Even if you protect one person from being hacked, stop one person from becoming a hacker, or make someone think twice before engaging in corporate hacking, it is worth it. Show these hackers that they will, eventually, face justice. Don’t give up and take the fight to them.
Hmm… I want to say hi to the hackers listening to our conversation or reading this interview. I hope you enjoyed the pictures of cute monkeys and Cornish beaches on my phone.
Thank you for your time.
Have you been personally affected by a cyberattack? If so, we want to hear from you. Let us know by DMing our Twitter account @DigitalPeaceNow.