The cost of one short visit proved fatal for the entire security system.

The story of the hacking of Spanish Prime Minister Pedro Sánchez's phone using Pegasus has taken a new turn. For nearly five years, investigators have been unable to determine who exactly accessed the device and how, but data cited by intelligence sources points to Moroccan intelligence services and a specific episode during a trip to Ceuta and Melilla in the spring of 2021.
According to this version, the operation took place on May 18, 2021, when Sánchez, along with Interior Minister Fernando Grande-Marlaska, arrived in Ceuta amid the migrant crisis. The following day, May 19, specialists from Spain's National Intelligence Center detected the largest data leak ever recorded from the Prime Minister's phone. At the same time, Ceuta remained at the epicenter of events following a massive border breach, which Spain linked to Rabat's reaction to the treatment in Spain of Brahim Ghali, the leader of the Polisario Front and an opponent of King Mohammed VI.
Sources identify an IMSI-catcher, also known as a StingRay, as the key element of the attack. This portable device simulates a base station and tricks smartphones into connecting to it, revealing their technical identifiers and allowing traffic to be intercepted. On the day of the visit, the devices of Sánchez and his entourage allegedly entered these "windows" at several points: at the El Tarajal border crossing, during a helicopter overflight of the area, and then in Melilla. The coincidence of geolocations, route, and the small circle of people accompanying them simplified the identification of the targeted devices, including the two phones that Sánchez, according to sources, was carrying.
Next, according to the publication's sources, the attackers used a stealthier zero-click method, in which infection occurs without the victim clicking a link or opening a file. Preliminary work through an IMSI-catcher could have helped to target the attack more precisely, intercept the connection, and create conditions for exploit delivery. A similar pattern was previously linked to the infections of the devices of Moroccan journalists Omar Radi and Maati Monjib, where Pegasus traces, according to sources, were similar to those found on the phones of Spanish officials, including Grande-Marlaska and Defense Minister Margarita Robles.
It is specifically mentioned that Morocco may have had similar systems purchased from Germany's Rohde & Schwarz, as well as more powerful military-grade solutions linked to Israel's Elbit Systems. After the incident was discovered, Spain, according to the publication, engaged representatives from NSO Group, the developer of Pegasus, to investigate the situation, and they were dispatched to the country immediately. However, the investigation was hampered by technical limitations and a lack of international cooperation. Spain's National Intelligence Center declined to comment publicly on the details, citing confidentiality.
