About 35 journalists and activists in El Salvador were spied on via phone hacking, according to a new report published Wednesday by El Faro and The Citizen Lab in Toronto, Canada, and the digital rights organization Access Now.

About 22 of those affected are employees of El Faro. El Faro, founded in 1998, claims to be Latin America’s first digital-only news outlet and primarily covers El Salvador and Central America. Between June 29, 2020 and November 23, 2021, El Faro journalists, administrative staff, and executive board members were all surveilled. El Faro phones were also spied on in Mexico.

Journalists from Salvadoran publications GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, and El Diario de Hoy, as well as two independent journalists, were also hacked and spied on.

“This is one of the most shocking and obsessive cases of targeting that we have investigated,” Citizen Lab senior researcher John Scott-Railton told El Faro.

The journalists’ phones were hacked through Pegasus, a spyware software owned by Israeli tech company NSO Group that installs itself onto a device and is only sold to governments. The report states that it can’t conclusively say El Salvador’s government conducted the surveillance, but the evidence points to a connection with the country’s government.

It’s not known how much money was spent on surveilling El Faro and other journalists, but it is known that Pegasus costs millions of dollars to operate. According to El Faro, when a government starts using Pegasus, it purchases a fixed number of licenses per infection, and the report found a total of 226 infections.

In the case of 11 El Faro employees, The Citizen Lab found evidence that information was also extracted from their devices though it’s not possible to know what exactly was extracted. The hacking timeline aligns with the fact that “the organizations were reporting on sensitive issues involving the administration of President [Nayib] Bukele, such as a scandal involving the government’s negotiation of a “’pact’ with the MS-13 gang for a reduction in violence and electoral support,” according to the report.

“While evidence linking a particular infection to a particular Pegasus customer is often unavailable, in this case we identified a Pegasus customer operating almost exclusively in El Salvador since at least November 2019 that we call TOROGOZ, and have connected this operator to an infection attempt against El Faro,” the report noted.

From El Faro:

“Learning of the spying against us hasn’t come as a surprise, but the quantity, frequency, and duration of the infections have. Almost all of El Faro has been infected,” said El Faro’s founding director Carlos Dada. “According to the expert reports we’ve reviewed, everything points to the fact that it’s the Salvadoran government who is responsible for these infections, that it’s using the software to spy and to illegally obtain information kept on journalists’ phones,” he continued. “It’s completely unacceptable.”

Bukele — who once made his Twitter bio “the world’s coolest dictator” — has attacked press freedom since taking office in 2019. In September 2020, he accused El Faro and other independent Salvadoran news outlets of money laundering. El Faro complied with a tax audit in July 2020 but was never informed about investigations into money laundering, according to the Committee to Protect Journalists.

El Faro had already began its investigation with Citizen Lab and Access Now into Pegasus surveillance around September 2021. But on November 23, 14 employees received emails from Apple saying that state-sponsored attackers might be targeting their iPhones. That same day, Apple filed a lawsuit against NSO Group for allegedly hacking into its operating system for espionage.

Here’s a breakdown of the spying from El Faro (bold by me):

According to the analysis conducted by The Citizen Lab and Access Now, thirteen staff members of El Faro were infected with Pegasus at least five times each from June 2020 to November 2021. Such is the case of the entire editorial board: editor-in-chief Óscar Martínez (co-author of this article) suffered 42 attacks; deputy editor-in-chief Sergio Arauz, 14 attacks; and José Luis Sanz, editor of El Faro English, 13 attacks in only six months, all during his tenure as director of El Faro before Jan. 1, 2021.

Mexican editor Daniel Lizárraga suffered eight attacks, including once while he was in Mexico after the administration of President Nayib Bukele expelled him from El Salvador on Jul. 7, 2021. At the time, Lizárraga was communicating on his work phone about a publication on the third wave of Covid-19 in El Salvador.

Among the El Faro reporters with 10 or more attacks are: Gabriel Labrador, with 20; Julia Gavarrete (co-author of this article) with 18, including 15 targeting her personal phone; Gabriela Cáceres, with 13; Roxana Lazo, with 12; and Efren Lemus, with 10. When the hacks occurred, the journalists were working on investigations, for example, into the Bukele administration’s negotiation with gangs, the theft of pandemic-related food relief by the director of prisons and his mother, the Bukele brothers’ secret negotiations related to the implementation of Bitcoin, the financial holdings of officials in the current government, the government pandemic response, or a profile of President Nayib Bukele.

The Citizen Lab and Access Now highlighted two cases as unprecedented: the director and president of El Faro’s board of directors, Carlos Dada, and reporter Carlos Martínez each suffered infections for uninterrupted periods of time often surpassing a month. Thus, even though Dada suffered 12 instances, the infections remained active approximately 167 days between July 8, 2020 and June 9, 2021.

In the case of Martínez, who has bylined all of El Faro’s investigations into the pacts between politicians and gangs since 2012, The Citizen Lab detected an active intervention at the time of their analysis on Nov. 15, 2021 — a situation they had never seen before. “It’s rare to catch an infection when it’s live,” said Scott-Railton.

More and more journalists around the world are being spied on through Pegasus. In 2017, prominent Mexican journalists Carmen Aristegui and Carlos Loret de Mola and New York Times bureau chief for Mexico, Central America and the Caribbean Azam Ahmed all found Pegasus on their phones around and after the time they were investigating former president Enrique Peña Nieto, The New York Times reported. This past summer, the Pegasus Project brought together 80 journalists from 17 countries to investigate a massive leak of 50,000 phone numbers that NSO Group had selected as targets. The project concluded that more than 200 journalists from nearly two dozen countries had been spied on through Pegasus.

Read The Citizen Lab’s full report here and El Faro’s investigation in English and Spanish.

The software, developed by Israeli espionage contractor NSO Group, has been used by govts around the world to spy on journalists + human rights defenders.

The attacks on @_elfaro_ came as the outlet was exposing major govt corruption scandals. https://t.co/AtAENqW8JL

— Max Granger (@_maxgranger) January 13, 2022

Un espionaje sin precedentes contra @_elfaro_ :
-22 periodistas intervenidos en 226 ocasiones durante 17 meses
-Las intervenciones fueron durante investigaciones periodísticas
-Hay pinchazos en territorio mexicano contra mí y @CarlosDada https://t.co/I812Oal5Dx

— Daniel Lizárraga (@danliza) January 13, 2022

At @_elfaro_ it's been evident for some time that there are outside eyes on our communications. @citizenlab and @accessnow confirmed that we've been a hotbed for Pegasus spyware attacks since 2020. And we're not the only ones in El Salvador… https://t.co/PDqx5hJht9

— Roman Olivier Gressier (@romangressier) January 13, 2022

“I’ve seen a lot of Pegasus cases but what was especially disturbing in this case was its juxtaposition with the physical threats and violent language against the media in El Salvador.” https://t.co/1jFVet6sil

— Matt O'Brien (@mattoyeah) January 13, 2022

“The expert report on El Faro concluded that the Pegasus infections reached every area of the organization: the newsroom (including the departments of photography and digital strategy), administration, and the executive board.” https://t.co/SolvS4ac17

— Freddy Jesse (@freddyjesse) January 13, 2022

.@citizenlab and @amnesty report that journalists from @_elfaro_ in El Salvador have been targeted with Pegasus.

This is a very serious attack on free press.@HRW calls for sanctions against NSO and a global moratorium on this software.https://t.co/4RHwfPDHpI

— Juan Pappier (@JuanPappierHRW) January 13, 2022