The scandal over massive espionage of journalists and activists explodes in El Salvador and the Bukele government distances itself: who gave the order?

The revelation that a group of activists and journalists from El Salvador were spied on with the Pegasus malware, developed by the Israeli company NSO Group, was confirmed by a study by Access Now, Front Line Defenders, The Citizen Lab, Amnesty International, Fundación Acceso and SocialTIC.

The first warning signs were raised by journalists from the local media El Faro and Gato Encerrado, who warned that a large part of the infections to their devices occurred in the middle of last year, after it was publicly revealed how the company’s software operated . The question that hangs over this complaint is: who was responsible for ordering the illegal monitoring tasks?

“The use of Pegasus to monitor communications in El Salvador reveals a new threat to human rights in the country. The authorities must stop any efforts to restrict freedom of expression, and carry out an impartial and thorough investigation to identify the possible perpetrators,” declared Érika Guevara Rosas, director of Amnesty International for the region.

Spyware is capable of stealing all the information on a smartphone, as well as turning on the device’s camera and microphone to collect location data and call logs. Although it generally works through booby-trapped links, it is known that on many occasions Pegasus has been installed without user intervention, that is, with a ‘zero-click’ strategy.

How was the espionage discovered?

In September of last year, several journalists contacted Access Now, after putting their devices through a tool to determine if the spyware was present. The cases were referred to Front Line Defenders and, after a analysis forensics conducted by The Citizen Lab, the infection was confirmed.

“The hack occurred while the organizations were reporting on sensitive issues involving the administration of the president [Nayib] Bukele, like a scandal related to the government’s negotiation of a ‘pact’ with the MS-13 gang for the reduction of violence and electoral support”, details The Citizen Lab.

This study was subsequently corroborated by cybersecurity specialists from Amnesty International. At the moment, there are 37 devices belonging to a group of 35 affected: 23 journalists from El Faro, four from Gato Encerrado and the rest to devices used by workers from local media such as La Prensa Gráfica, Revista Digital Disruptiva, El Diario de Hoy. and El Diario El Mundo, as well as two independent reporters.

The common factor among most of those affected is that belong to media that have been critical of the Bukele government, and that they would have been harassed by the president himself or officials of his administration.

In November last year, a group of journalists from El Faro revealed that the Apple company had sent them an email to warn them that their phones may have been victims of “possible espionage”, allegedly perpetrated by “attackers sponsored by the State.”

The Torogoz tab

According to the analysis carried out by The Citizen Lab, the internet scan and the DNS cache (that is, the registry of visited websites) allowed the identification of a Pegasus operator –called Torogoz–, which apparently operates exclusively in El Salvador .

In the investigation, the presence of Torogoz was detected in 2020, but it was already a registered domain from the previous year. For those in charge of the study, although it cannot be concluded with certainty that this operator belongs to the Salvadoran Government, the fact that they concentrate their activities almost exclusively in a single country makes them presume so.

“Furthermore, in the only hacking case in this investigation where we recovered the domain names of the Pegasus servers used, operator Torogoz was implicated“, adds the report.

Other organizations, such as the Fundación Democracia, Transparencia, Justicia (DTJ), consider that “although the information is not definitive yet, everything leads to the conclusion that spying with the Pegasus software against these 35 people can only come from a source close to or from the Salvadoran government itself, “says a statement.

What does the Government of Bukele say?

Although there is no conclusive indication of who would be the main actor who ordered the espionage, the fact that the software used belongs to NSO Gruop is key, since that company has repeatedly said that it only sells its technology to governments.

However, from Bukele’s environment they have already flatly denied that the Executive is involved. The Secretary of Communications, Sofía Medina, sent a statement, cited by local media, in which he states that “the Government of El Salvador is in no way related to Pegasus and he is not a customer of NSO Group either. “

According to Medina, the Salvadoran government “does not have the resources or the licenses to use this type of software.” However, the official did confirm that she is investigating the possible use of Pegasus and other systems, which serve “to tap telephones in the country,” due to the alleged indications that there are members of the Executive who have been “victims of attacks.”

One of those presumed affected by this surveillance would have been the Minister of Justice and Security, Gustavo Villatoro, according to the official text signed by the Secretary of Communications. Apparently, the same email that El Faro journalists received from Apple was sent to Villatoro.

“Why would the current government investigate officials from its own government? It seems totally incoherent to me,” Medina said, hinting that the attacks could come from other entities. In addition, he asserted that Pegasus had operated in El Salvador since 2017, when the country was governed by Salvador Sánchez Cerén, of the Farabundo Martí National Liberation Front (FMLN).

For this reason, he questioned: “So, the question is: what powerful group with interests in this country had access to this system since 2017 and who continues to maintain it now?”


The publication of the reports and the complaints by the journalists provoked an immediate reaction from the US, which in recent months has fueled the rhetoric and sanctions against officials of the Bukele government.

On his Twitter account, the assistant secretary of the Bureau of Western Hemisphere Affairs of the Department of State, Brian Nichols, assured that the reports were “very worrying” and stated his “opposition to efforts to silence critical voices.”

From the arena of the Salvadoran government, the pro-government deputy Guillermo Gallegos tried to dismiss the complaints and considered that the accusations are part of a “strategy to attract attention.”

“I don’t think there is this on the part of the government to be spying on journalists and political activists. It seems to me a strategy to draw international attention and provide them with economic resources, many people live in this type of situation so that they send them resources used for their own activities, “said Gallegos, according to local media.

Bukele, accustomed to media controversy, has not commented on the case so far, not even on social networks, his favorite forum to deal with the constant criticism of his government by the press.