Pegasus has been linked to the death of the Saudi journalist Jamal Khashoggi, and it was reportedly used to track a student in Canada who was critical of Saudi Arabia's government.
"His name is Omar Abdulaziz," Scott-Railton said. "He's a Saudi critic going to college in Montreal. We found that his infected phone was bouncing back and forth between his home network and his university gym over last summer."
A similar story played out in Mexico in 2017, according to Scott-Railton:
"We had this crazy case that I found in Mexico back in 2017 where three people — a nutrition activist, a public-health researcher, and a consumer advocate — were all targeted with Pegasus in Mexico.
"The only thing that holds them in common is that they were all advocating to slightly increase the tax on soda beverages. So the most reasonable implication is that somebody from a private interest directed somebody from the government in order to target these people because they were pushing against the soda lobby in Mexico. State-grade malware — it'd be like targeting somebody with Stuxnet because they had suggested there be a 10-cent bottling fee on Coca-Cola."
In the case of Jeff Bezos, the UN report links his ownership of the Washington Post to being targeted by the Saudi Crown Prince. "This was part of a massive, clandestine online campaign against Mr. Bezos and Amazon, apparently targeting him principally as the owner of The Washington Post," it says.
For its part, NSO Group flatly denies that Pegasus software was used to hack Jeff Bezos. "We can say unequivocally that our technology was not used in this instance," a statement on the group's website says.