An Israeli firm accused of supplying spyware to governments has been linked to a list of tens of thousands of smartphone numbers, including those of activists, journalists, business executives and politicians around the world, according to reports.
The NSO Group and its Pegasus malware -- capable of switching on a phone's camera or microphone, and harvesting its data -- have been in the headlines since 2016, when researchers accused it of helping spy on a dissident in the United Arab Emirates.
Sunday's revelations -- part of a collaborative investigation by The Washington Post, The Guardian, Le Monde and other media outlets -- raise privacy concerns and reveal the far-reaching extent to which the private firm's software could be misused.
The leak consists of more than 50,000 smartphone numbers believed to have been identified as connected to people of interest by NSO clients since 2016, the news organizations said, although it was unclear how many devices were actually targeted or surveilled.
NSO has denied any wrongdoing, labelling the allegations "false."
On the list were 15,000 numbers in Mexico -- among them reportedly a number linked to a murdered reporter -- and 300 in India, including politicians and prominent journalists.
Last week, the Indian government -- which in 2019 denied using the malware to spy on its citizens, following a lawsuit -- reiterated that "allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever."
The Post said a forensic analysis of 37 of the smartphones on the list showed there had been "attempted and successful" hacks of the devices, including those of two women close to Saudi journalist Jamal Khashoggi, who was murdered in 2018 by a Saudi hit squad.
Among the numbers on the list are those of journalists for Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, El Pais, the Associated Press, Le Monde, Bloomberg, The Economist, and Reuters, The Guardian said.
The use of the Pegasus software to hack the phones of Al Jazeera reporters and a Moroccan journalist has been reported previously by Citizen Lab, a research center at the University of Toronto, and Amnesty International.
Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty originally shared the leak with the newspapers.
The Post said the numbers on the list were unattributed, but other media outlets participating in the project were able to identify more than 1,000 people in more than 50 countries.
They included several members of Arab royal families, at least 65 business executives, 85 human rights activists, 189 journalists and more than 600 politicians and government officials -- including heads of state, prime ministers and cabinet ministers.
Many numbers on the list were clustered in 10 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.
Pegasus is a highly invasive tool that can switch on a target's phone camera and microphone, as well as access data on the device, effectively turning a phone into a pocket spy. In some cases, it can be installed without the need to trick a user into initiating a download.
NSO issued a denial on Sunday that focused on the report by Forbidden Stories, calling it "full of wrong assumptions and uncorroborated theories," and threatening a defamation lawsuit.
"We firmly deny the false allegations made in their report," NSO said.
It said it was "not associated in any way" with the Khashoggi murder, adding that it sells "solely to law enforcement and intelligence agencies of vetted governments".
Roughly three dozen journalists at Qatar's Al-Jazeera network had their phones targeted by Pegasus malware, Citizen Lab reported in December, while Amnesty said in June the software was used by Moroccan authorities on the cellphone of Omar Radi, a journalist convicted over a social media post.
Founded in 2010 by Israelis Shalev Hulio and Omri Lavie, NSO Group is based in the Israeli hi-tech hub of Herzliya, near Tel Aviv.