Emirati princess phone number appears on list that included targets of powerful spyware
The princess had been careful, so she left her phone in the cafe’s bathroom. She’d seen what her father could do to women who tried to escape.
She hid in the trunk of a black Audi Q7, then jumped into a Jeep Wrangler as her getaway crew raced that morning from the glittering skyscrapers of Dubai to the rough waves of the Arabian Sea. They launched a dinghy from a beach in neighboring Oman, then, 16 miles out, switched to water scooters. By sunset they’d reached their idling yacht, the Nostromo, and began sailing toward the Sri Lankan coast.
Princess Latifa bint Mohammed al-Maktoum, the 32-year-old daughter of Dubai's fearsome ruler, believed she was closer than ever to political asylum — and, for the first time, real freedom in the United States, members of her escape team said in interviews.
But there was one threat she hadn't planned for: The spyware tool Pegasus, which her father’s government was known to have used to secretly hack and track people’s phones. Leaked data shows that by the time armed commandos stormed the yacht, eight days into her escape, operatives had entered the numbers of her closest friends and allies into a system that had also been used for selecting Pegasus surveillance targets.
“Shoot me here. Don’t take me back,” she’d screamed as soldiers dragged her off the boat, roughly 30 miles from the shore, according to a fact-finding judgment by the United Kingdom's High Court of Justice. Then she disappeared.
Latifa’s failed 2018 escape from her father — Sheikh Mohammed bin Rashid al-Maktoum, the United Arab Emirates’ prime minister, vice president and minister of defense — sparked outrage and gave life to a troubling mystery: How, given all her precautions, had the princess been found?
An investigation by the Washington Post and an international consortium of news organizations may offer critical new insight: Their numbers appear on a list that includes phones targeted for surveillance with Pegasus, the hacking tool from the Israeli spyware giant NSO Group, amid the sprint to track her down.
Associates added to list
Numbers for Latifa and her friends were added to the list in the hours and days after she went missing in February 2018, the investigation shows. The UAE was believed to have been an NSO client at the time, according to evidence discovered by the research group Citizen Lab.
It is unknown what role, if any, the phone-hacking software ultimately played in the princess’s capture. Their phones were not available for forensic examination, and the list does not identify who put the numbers on it or how many were targeted or compromised. In multiple statements, NSO has denied that the list was purely for surveillance purposes.
“It is not a list of targets or potential targets of NSO’s customers, and your repeated reliance on this list and association of the people on this list as potential surveillance targets is false and misleading,” NSO said in a letter Tuesday.
But when Amnesty International’s Security Lab examined data from 67 phones whose numbers were on the list to search for forensic evidence of Pegasus spyware, 37 phones showed traces, including 23 phones that had been successfully infected and 14 others that showed signs of attempted targeting.
The forensic analyses of the 37 smartphones also showed that many displayed a tight correlation between time stamps on the list and the beginning of surveillance — sometimes as little as a few seconds.
In the year after Latifa’s chase, operatives appear to have entered numbers onto the list for another Dubai princess: one of the sheikh’s six wives, Haya bint Hussein, who had voiced concerns about Latifa’s confinement before fleeing with her two young children to London.
Princess Haya, her half sister, her assistants, her horse trainer, and members of her legal and security teams all had their phones entered onto the list in early 2019, both in the days before and in the weeks after she, too, fled Dubai, the investigation shows. Around that time, Haya later told a British court, she’d faced threats of exile to a desert prison and twice discovered a gun in her bed.
An NSO attorney said the company “does not have insight into the specific intelligence activities of its customers” and that the list of numbers could have been used for “many legitimate and entirely proper” purposes “having nothing to do with surveillance.”
But a person familiar with the operations of NSO who spoke to the Washington Post on the condition of anonymity to discuss internal operations says the company terminated its contract with Dubai within the last year after it learned of the princesses’ surveillance and other human-rights concerns.