1730 1741 1010 1619 1044 1838 1400 1572 1429 1791 1641 1407 1864 1891 1817 1756 1743 1281 1676 1250 1580 1146 1277 1119 1834 1177 1804 1774 1948 1476 1334 1309 1730 1831 1491 1126 1168 1051 1992 1151 1080 1300 1914 1552 1738 1625 1261 1149 1525 1396 1060 1086 1795 1675 1308 1612 1154 1273 1986 1930 1855 1796 1489 1105 1926 1029 1023 1215 1254 1605 1716 1952 1128 1939 1050 1838 1422 1020 1579 1925 1628 1492 1069 1470 1598 1886 1291 1183 1061 1533 1991 1017 1004 1324 1164 1088 1202 1443 1287 Parasite that Smiles: Pegasus Spyware Targeting Dissidents in Thailand | Freedom of Expression Documentation Center | ศูนย์ข้อมูลกฎหมายและคดีเสรีภาพ

Parasite that Smiles: Pegasus Spyware Targeting Dissidents in Thailand

 

 

PARASITE THAT SMILES: PEGASUS SPYWARE TARGETING DISSIDENTS IN THAILAND

 

KEY FINDINGS

•          The Pegasus spyware, dubbed the most sophisticated cyber-espionage weapon in the world, was found to have been used against Thai dissidents, many of whom were alerted by Apple in November 2021 that their devices may have been infected by state-sponsored attackers.

•          In an ongoing investigation, 30 individuals have so far been found to have been infected with Pegasus in 2020-2021.

•          The majority of the targeted individuals have roles in the 2020-2021 pro-democracy protests that demanded political and monarchy reform.

•          The use of Pegasus against dissidents is believed to have been motivated by three main aims: to monitor the online activities of dissidents; to monitor the protests; and to seek information about the funding sources for the protests.

 

2447 A protestor displayed the three-finger salute while participating the protest on Aug 8, 2020

 

EXECUTIVE SUMMARY

 

Pegasus is a highly sophisticated spyware produced by the Israel-based cybersecurity company NSO Group, and is licensed only to government agencies with the approval of the Israeli government. Once a device is infected, Pegasus can turn the infected phone into a remote surveillance device. Attackers are granted complete control over the phone. It can access all data – photos, videos, text messages and call records – and can also turn on, without the owner's knowledge, the phone’s camera and microphone to observe the surroundings in real time.

 

Pegasus is known for its advanced technology, some versions of which use zero-click exploits. The infection is done remotely and requires no action from the victim, who is therefore unaware that their device has been infected. Unfortunately, Pegasus has often been used for political reasons, where authoritarian regimes have deployed it against dissidents such as human rights defenders, political activists, journalists, and lawyers.

 

In November 2021, a number of Thai dissidents who are iPhone users were alerted by Apple that their devices may have been infected by state-sponsored attackers. The ongoing investigation by Internet Law Reform Dialogue (iLaw), DigitalReach, and the Citizen Lab at the Munk School of Global Affairs & Public Policy, University of Toronto, later found that the phones of at least 30 individuals have been infected by the spyware from 2020-2021, peaking during the period of nationwide pro-democracy protests centered on Bangkok. 

 

Although forensic evidence collected thus far of Pegasus do not allow a strong attribution to a particular Pegasus operator, it can be circumstantially concluded that the use of Pegasus against dissidents would be of significant benefit to the Thai government. This is because the protests were an expression of opposition to the government, and the authorities have tried to control the situation in different ways including prosecuting protestors, visiting their homes, and putting them on a watchlist. According to the report by the Citizen Lab, it does not conclude the Pegasus hacking operation in Thailand to a specific government operator. However, the report states that the use of Pegasus spyware indicates the presence of a government operator.  The use of Pegasus also indicates that the digital surveillance capabilities of the state may be beyond what one can imagine.

 

This report first details the political situation in Thailand since the 2014 coup d’état, which ignited the nationwide pro-democracy protests and the government’s attempts at digital surveillance. The second part presents the findings, including a list of those who have been infected by the spyware. It also provides a correlation between protest dates and infection dates. The investigation leads to the conclusion that the dissidents may have been targeted or infected for three reasons: to monitor their online activities; to monitor the protests; and to seek information regarding the protests’ funding sources. The report ends with a summary of the situation of Pegasus attacks in Thailand.

 

METHODOLOGY

 

A number of Thai dissidents contacted DigitalReach in November 2021 after they received a threat notification from Apple with a subject line that their iPhone may have been targeted by state-sponsored attackers. Some of the victims did not receive a threat notification from Apple, but the results show that they have been infected by Pegasus. Several additional cases were forwarded to Citizen Lab and other digital security organizations. DigitalReach and The Citizen Lab identified the facts of each infection on the victim’s devices. The cases were then forwarded to iLaw who then conducted a field survey from March to June 2022 in order to identify more victims. Apart from those that were contacted by Apple in November, potential victims were then identified based on their activism. Many of them are already closely associated with the victims identified earlier. When Apple sent a new round of threat notifications in April 2022, more victims also reached out to be part of the investigation. The list of victims comprises political activists, human rights defenders, and academics. 

 

TECHNICAL ANALYSIS

 

DigitalReach assisted iLaw to collect cases of possible Pegasus spyware or other spyware infection that Citizen Lab checks for. The process involved collecting forensic artifacts with consent from individuals with potentially infected devices. Citizen Lab researchers examined the artifacts and made a conclusive determination whether the device had been infected with Pegasus, using a methodology that has been independently verified in a number of previous investigations.

 

Citizen Lab’s technical methodology is described in greater detail here

 

INDEPENDENT VERIFICATION

 

In addition, a selection of forensic artifacts from Pegasus victims were consensually provided to Amnesty International’s Security Lab which independently examined them for evidence of Pegasus infection.  Their analysis validates the identification techniques used by Citizen Lab, as Amnesty International’s Security Lab uses different techniques and tools for analysis.

 

CONTEXTUAL ANALYSIS

iLaw and DigitalReach worked with the infected individuals, and results of the analysis conducted by Citizen Lab, which in many cases included specific confirmed infection dates, to determine whether these dates had relevance to the activities of the victims, and their activities.

 

The dates of infections were then compared to the political events in Thailand during 2020-2021. Interviews were also conducted by iLaw to understand more about the role of each victim during those events, their activities around the dates of infections, and how they used their phones during the period of infections. The information from the interviews was used to conduct an analysis to uncover the pattern of infections.

 

The results show that only iPhones were infected, and there was no sign of infection in other iOS devices. Only iOS devices feature as part of this report owing to technological limitations in analyzing Android devices for retrospective evidence of device compromise. 

 

The entire investigation process was conducted with the victims’ consent. However, each victim also has different preferences in terms of their privacy while being part of the investigation. Some of the victims preferred to be anonymous to maintain privacy in their political activities and involvement. Some of the victims also preferred their cases to contribute to certain parts of the investigations only and not to be mentioned individually.

 

The number of infected individuals shows only one part of the spyware operation in Thailand, as some highly at-risk individuals who were contacted did not consent to be part of the investigation. There are also cases where they had lost or changed their phones by the time they were contacted. Some of them also conducted a factory reset of their devices after receiving a threat notification from Apple which resulted in no trace of infection being found. There may also be infectedindividuals that the study did not identify. 

 

1. THAILAND’S POLITICAL CONTEXT

 

Since a revolution led by a group of middle-ranking military officers and civilian bureaucrats peacefully brought the absolute monarchy to an end in 1932, Thailand’s uneasy relationship with democracy has been plagued with instability and turmoil. Military rule has become the norm alternating with short-lived, elected, civilian governments. In the span of less than 90 years, the country has had 13 successful coups, 20 constitutions, more than half a dozen failed putsches, and countless street protests.

 

The last two decades have been one of the most tumultuous periods in Thai political history. The 1997 reforms gave birth to a highly popular government led by Thaksin Shinawatra, a business tycoon whose policies led him to gain popularity among the rural and urban poor. Despite unprecedented popularity, anti-Thaksin movements broke out in 2005 over allegations of corruption and authoritarianism. After a series of protracted protests spearheaded by conservative royalist factions, the Thai military stepped in to topple the elected government in 2006 in the name of restoring order and protecting the monarchy.

 

The 2006 coup sowed the seeds of yet more turmoil. Following the coup in 2006, Thailand was divided into two main factions: the right-wing conservative “yellow shirts” and pro-Thaksin supporters, known as the “red shirts.” Meanwhile, Thaksin continued to exercise political influence behind the scenes despite being in self-exile. Pro-Thaksin parties continued their dominance of Thai politics by comfortably winning two general elections in 2007 and 2011, the latter sending Thaksin’s sister Yingluck Shinawatra to the premiership. In 2014, large protests were led by the People’s Democratic Reform Committee, a right-wing conservative group that aimed to eradicate all influence of Thaksin from the country. After six months of turmoil in which the democratic process was upended, army chief Gen Prayut Chan-o-cha at the head of the National Council for Peace and Order (NCPO) staged a coup on May 22, 2014, returning Thailand to military rule after eight years.

 

Following the coup, human rights in Thailand have drastically deteriorated. Democratic space has been shrinking as dissidents face arbitrary arrests, enforced disappearances, and unfair trials. After five years of military government, Prayut became an elected Prime Minister in 2019 by an alleged unfair election under the influence of the coup leaders. The military still dominate the country’s administration as key military officials from the coup still hold important seats in the cabinet.

 

The Prayut administration faces allegations of corruption as well as incompetence. Public debt reached an all-time high as has government spending on military equipment and resources. The NCPO drafted a new constitution in 2016 to maintain their power, while opportunities for corruption increased. Human rights were also undermined in many ways or even eliminated in the new Constitution. Since the time of the NCPO, the Prayut government has consistently cracked down on political dissent and is accused of adopting several tactics to get rid of opposition politicians to maintain its power. This includes the dissolution in 2020 of the Future Forward Party (FFP), a political party with a progressive image.

 

Two years after the NCPO seized power, King Vajiralongkorn (Rama X) ascended to the throne. The administration of the royal services has changed significantly since then. The military-backed 2017 Constitution prescribes in Section 15 that the organization and personnel administration of the Royal Household shall be at the King’s pleasure. The NCPO subsequently adopted the Royal Service Administration Act and the Royal Decree Organizing Governmental Affairs and Personnel Administration in the same year. These laws allow the royal agencies that are funded by the government budget to be independent from any scrutiny of their administration or finances. The situation prompted the issue to be raised in parliament as well as generating criticism from political activists and critics. However, discussion of the monarchy remains largely taboo in Thailand due to the lèse majesté law or Section 112 of the Criminal Code, making it hard to see how change can come about.

 

1.1 THE 2020-2021 PROTESTS

 

The allegations of government corruption and incompetence, the dissolution of the FFP, and the situation related to the monarchy led to protests in 2020. It started with student activists’ reaction to the dissolution of the FFP, perceived asunfair by many, with protests on academic campuses at the beginning of 2020 which then escalated. The FreeYOUTH movement, founded mostly by students, organized a protest at the Democracy Monument in Bangkok on July 18, 2020. The protest was joined by thousands of people and is considered to be the biggest protest since 2014. It soon escalated with different groups of activists organizing protests nationwide. Thai Lawyers for Human Rights (TLHR) records that there were at least 75 protests and activities in 44 provinces from July 18th to August 1, 2020. 

 

On August 3, 2020, the Mahanakorn for Democracy Group (MDG) and KU Daily, both youth groups, organized a Harry Potter-themed protest at the Democracy Monument with the implication of “dark power” to be banished. Arnon Nampa, a prominent human rights activist and human rights lawyer, openly criticized the monarchy in public. This is considered the first public speech in Thailand that was uncompromising towards the monarchy.

 

On August 10, 2020, a protest was held at Thammasat University. Panusaya Sithijirawattanakul, an activist from the United Front of Thammasat and Demonstration (UFTD), read the first ten-point demands for monarchy reform based on the earlier speech by Arnon. The demands are for the government to prohibit the monarchy's role in politics by amending and repealing all the related laws, the abolition the lèse-majesté law, and an investigation into the enforced disappearances of political exiles. The challenges to the government and the monarchy continued. Another large protest organized between September 19-20, 2020, installed a ‘democracy plaque’ symbolizing people’s power at the ‘Royal Field (Sanam Luang)’. This followed the mysterious removal of the democracy plaque that was installed to commemorate the 1932 Siamese Revolution when the absolute monarchy came to an end following a bloodless revolution by the People's Party or Khana Ratsadorn.

 

Throughout 2020-2021, several pro-democracy groups led by young activists were born. All the groups have one thing in common, which is for Thailand to be a truly democratic country. Apart from those already mentioned, there are also We Volunteer (WEVO), Thalufah, ThaluWang, and Bad Student. WEVO, led by Piyarat Chongthep, usually acts as security guards at protests and is usually in charge of setting the route of protest marches and removing all barricades set up by the authorities. Bad Student is formed of high school students who joined the protests to discuss the failures of the Thai education system including its deep-rooted authoritarianism. Thalufah, led by Jatupat “Pai Dao Din” Boonpattararaksa, organized a Thalufah Rally of over 200 km from Nakhon Ratchasima Province to the Democracy Monument in Bangkok in February 2021 to demand the release of jailed activists, the drafting of a new constitution, and repeal of the lèse majesté law. ThaluWang members organized several public opinion polls on issues related to the monarchy including repeal of the lèse majesté law. In October 2020, more than 30 pro-democracy groups joined hands and formed the Ratsadorn group after the Khana Ratsadorn of the 1932 Revolution.

 

2449 Student protest on September 2020

2446

 

As the protests proceeded, Bangkok was placed under a Severe State of Emergency, and the authorities responded to the protests with high-pressure water cannons with chemical-laced water, tear gas and rubber bullets. Key activists were charged with violation of the repressive Emergency Decree which had been announced earlier to control the COVID-19 pandemicsedition, lèse majesté and numerous other offenses. The government has also tried to discover the protests’ funding sources with several individuals being targeted. Among them is Inthira “Sai” Charoenpura, a well-known Thai actress who is publicly known for her material and financial support to the protestors.

 

1.2 THE GOVERNMENT DIGITAL SURVEILLANCE EFFORTS

 

Important changes were made to the country’s administration after the NCPO came to power. The government adopted a new National Security Council Act in 2016 replacing the 1959 law. The new law gives a definition of “National Security,” which was not found in the previous version, as “the situation that the country is free from any threat to its independence, sovereignty, territorial integrity, religious institution, [sic] monarchical institution, public safety, and peaceful livelihood that may affect the national interests or its democratic regime of the [sic] government with the King as Head of State.” It also added two more members to the National Security Council (NSC): the ministers of Justice and of Information and Communication Technology.

 

Also in 2016, the Ministry of the Information and Communication Technology (MICT) was renamed the Ministry of Digital Economy and Society (MDES). The junta then amended the 2010 Act on the Organization to Assign Radio Frequency and to Regulate the Broadcasting and Telecommunication Services which prescribes the National Broadcasting and Telecommunication Commission (NBTC). The amendment greatly limits the NBTC’s power to regulate all broadcasting and telecommunication services in the country as an independent body under the Constitution by having the Office of the National Digital Economy and Society Commission (ONDE), an agency subsequently established under the MDES, oversee its operating plan. Following the changes, the NBTC collaborated with the government in efforts to crackdown on dissent on several occasions including shutting down VOICE TV, a channel known for its pro-opposition stance, for 15 days in 2019. In 2021, the NBTC also requested the media in the country not to broadcast content about monarchy reform and the repeal of the lèse majesté law.

 

Surveillance efforts were also supported by a number of repressive laws. The Computer Crime Act (CCA), adopted in 2007 and revised in 2017, allows state authorities to notify or summon any person to give statements, summon traffic data from service providers, order service providers to submit information on their users, duplicate any data from a computer system, decrypt the computer data of any person, and seize or attach any computer system for investigation. It also grants the authorities the power to order service providers to keep data of any particular individual for between ninety days and one year. Internet Service Providers (ISPs) that operate in the country have allegedly supported state surveillance efforts in order to maintain their business in the country. When Thantawut Thaweewarodomkul, a former webmaster of Red Shirt USA, was sentenced for a lèse majesté offense in 2011, it was reported that Triple T Broadband, an ISP in Thailand, disclosed his IP address to the authorities.

 

In 2019, the government adopted two more laws, the Cybersecurity Act and the National Intelligence Act, which makes state surveillance even easier. The Cybersecurity Act allows state authorities to call individuals in for questioning and enter private property without court orders in a situation considered as a ‘severe cyber threat.’ It also grants them power to access computer data and networks, duplicate data, and seize electronic devices without a court warrant in ‘crisis situations.’ Section 6 of the new National Intelligence Act, which replaced the 1985 version, states “When necessary to obtain information or documents regarding [an] intelligence operation, counter-intelligence operation, communications intelligence operation, or civilian security, the National Intelligence Agency may proceed by any means, including using electronic, scientific, telecommunication devices or other technologies, to obtain those [sic] information or documents.” Although the Personal Data Protection Act was also adopted in the same year, the ‘security sector’ is listed as exempt.

 

Even though the government has always denied its involvement, it is believed that there is a link between state surveillance efforts and harassment against dissidents. While at least 100 dissidents have fled the country for their own safety, at least 9 dissidents have disappeared since the NCPO came into power. The most recent case, which was also mentioned during the pro-democracy protests, is that of Wanchalerm Satsaksit, an activist who fled to Phnom Penh after the 2014 coup and disappeared in June 2020 in broad daylight. Other prominent activists included Wuttipong “Ko Tee” Kottham-makhun, Surachai Danwattananusorn, and Siam Theerawut. All of them were known for their anti-establishment political stance. Their whereabouts remain unknown until today.

 

2455

 

In 2020-2021, the government also allegedly tracked and monitored activists by GPS devices. At least four dissidents found a GPS device attached to their vehicles between that period. These include Sriprai Nonsee from the Rangsit and Area Labor Union GroupPiyarat ChongthepPannika Wanich, a former politician from FFP; and one member of the Thalufah group. In August 2021, a leaked official document revealed that 183 individuals are on a government watchlist with personal information such as full name, birthdate, ID numbers or passport numbers, criminal records, and photos. The list has the names of activists, opposition politicians, and civil society members including Arnon, Panusaya, and Piyarat. Almost a year later in June 2022, a leaked document confirmed that the government, through the NSC, had conducted surveillance on a political dissident, believed to be Russ Jalichandra, a former ambassador who is critical of the government, who was targeted by the Council which was tasked with monitoring him and gathering his personal information.

 

2. PEGASUS IN THAILAND

 

Dissidents were alerted that their phones might be infected in November 2021 when Apple sent a threat notification to their iPhones stating that the devices might be targeted by state-sponsored attackers. Some of them posted about receiving the notification on social media. They became aware of Pegasus spyware later. At the same time, Apple was filing a lawsuit against the NSO Group, the Israeli-based company that manufactures the spyware.

 

Following media coverage about the notification as well as questions from opposition parties, the government denied involvement. Deputy Prime Minister Prawit Wongsuwan responded by saying that the government is conducting an investigation on it, while MDES Minister Chaiwut Thanakamanusorn said he had not known about it before but would check. Government spokesperson Thanakorn Wangboonkongchana stated “We insist this is untrue, the government respects individual liberties.”

 

The pro-democracy protests that talk about political and monarchy reform are apparently considered by the government as threats to national security as defined by the 2016 National Security Council Act. There is therefore reason to believe that Pegasus has been deployed against the activists for this reason. 

 

2.1 FINDINGS

 

The investigation found that 30 individuals have been infected with Pegasus to date. All the infections were in 2020 and 2021, and the majority of those who have been infected are activists who have had a role in the pro-democracy protests in those years. The list of infected individuals comprises 24 activists, 3 academics, and 3 NGO workers. The first infection occurred on October 21, 2020, and the last infection that can be found was on November 19, 2021. Activists including Arnon Nampa, Panusaya Sithijirawattanakul, Jatupat Boonpattararaksa and Piyarat Chongthep, have all been infectedwith Pegasus. Apart from the frontliners, those who have had a backstage role have also been infected. As the government has been trying to find the protests’ sources of funding, individuals who donated financially to the protests have also been infected. Among them is Inthira Charoenpura. There are a few cases where it is difficult to conclude why they were infected because the individuals involved had only weak links to the protests during the time their phones were infected.

 

Apart from that, the pattern of infections targeting only selected individuals can lead to the conclusion that the spyware is not used for an organization-level attack. Individuals from Amnesty International Thailand and Thai Lawyers for Human Rights (TLHR) have had their phones checked, and the results show that they have not been targeted. Amnesty International Thailand, in fact, was working with Panusaya in October 2021 on a #FreeRatsadon campaign which aimed to gather signatures through Change.org demanding that the government release and stop prosecuting political dissidents. In November 2021, Amnesty International Thailand was also the target of protests demanding that the organization leave Thailand. TLHR is well-known for its role in providing legal assistance to the activists when they have been arrested, detained, or prosecuted by the authorities. It can be concluded that the attackers targeted selected individuals with Pegasus in order to gather particular information rather than using it for mass surveillance against dissidents in general. This matches with what Apple states about a state-sponsored attack which is unlikely to be used against the majority of people.The findings also show that the information sought is strongly related to the pro-democracy movements of 2020-2021.

 

Table I: List of Infected Activists and Dates of Infections

 

No.

Name

Affiliations

Approximate Dates of Infection 

(year-month-date)

1

Poramin Rassameesawas

FreeYOUTH

- On or around 2021-09-12

2

Katekanok Wongsapakdee

FreeYOUTH

- On or around 2021-09-05

3

Jutatip Sirikhan

FreeYOUTH

- On or around 2020-10-21

- On or around 2020-10-26 

- On or around 2021-02-15 

- On or around 2021-02-20 

- On or around 2021-03-18 

- On or around 2021-09-06

 

4

Jatupat Boonpattararaksa

Thalufah

- On or around 2021-06-23

- On or around 2021-06-28

- On or around 2021-07-09 

 

5

Arnon Nampa

Independent Activist/Human Rights Lawyer at TLHR

- On or around 2020-12-03

- On or around 2020-12-15

- On or around 2021-07-10

- On or around 2021-07-14

- On or around 2021-08-31  

 

 

6

Pansiree Jirathakoone

Salaya for Democracy

- On or around 2021-08-17

7

Chatrapee Artsomboon

Salaya for Democracy

- On or around 2021-08-30

- On or around 2021-09-09

8

Panusaya Sithijirawattanakul

United Front of Thammasat and Demonstration

- On or around 2021-06-15

- On or around 2021-06-20

- On or around 2021-06-23

- On or around 2021-09-24

9

Niraphorn Onnkhaow

United Front of Thammasat and Demonstration

- On or around 2021-02-16

- On or around 2021-03-16

- On or around 2021-04-26

- On or around 2021-04-30

- On or around 2021-05-11

- On or around 2021-05-14

- On or around 2021-05-20

- On or around 2021-05-31

- On or around 2021-06-08

- On or around 2021-06-15

- On or around 2021-06-20

- On or around 2021-06-23

- On or around 2021-07-01

- On or around 2021-07-07

10

Nutchanon Pairoj

United Front of Thammasat and Demonstration

- On or around 2021-11-18

11

Chonlatit Chottsawas

United Front of Thammasat and Demonstration

- On or around 2021-09-23

12

Benja Apan

Independent Activist/United Front of Thammasat and Demonstration (Former)

- On or around 2021-11-17

 

13

Individual #1

Independent Activist

- On or around 2021-11-19

14

Rattapoom Lertpaijit

WEVO

- On or around 2021-08-21

- On or around 2021-11-04

15

Wichapat Srigasipun

WEVO

- On or around 2021-08-30

- On or around 2021-09-13

16

Piyarat Chongthep

WEVO

Infection confirmed, but no dates known. 

17

Individual #2

WEVO

- On or around 2021-08-18

18

Elia Fofi

Free Arts

- On or around 2021-08-17

19

Dechathorn “Hockey” Bamrungmuang

Rap Against Dictatorship

- On or around 2021-08-18

20

Inthira Charoenpura

Independent Activist

- On or around 2021-04-09

- On or around 2021-04-26

- On or around 2021-06-04

21

Nuttaa Mahattana

Independent Activist

- On or around 2021-09-23

22

Individual #3

The Mad Hatter*

- On or around 2021-05-15

- On or around 2021-05-31

- On or around 2021-06-07

- On or around 2021-06-16

- On or around 2021-06-19

- On or around 2021-06-23

- On or around 2021-06-27

- On or around 2021-07-02

- On or around 2021-07-05

23

Individual #4

The Mad Hatter*

- On or around 2021-05-14

24

Individual #5

The Mad Hatter*

- On or around 2021-05-14

- On or around 2021-05-19

- On or around 2021-06-05

25

Yingcheep Atchanont

iLaw

- On or around 2020-11-28

- On or around 2020-12-01

- On or around 2020-12-08

- On or around 2021-02-10

- On or around 2021-02-16

- On or around 2021-03-04

- On or around 2021-03-16

- On or around 2021-04-23

- On or around 2021-06-20

- On or around 2021-11-12

26

Bussarin Paenaeh

iLaw

- On or around 2021-02-17

27

Pornpen Khongkachonkiet

Cross Cultural Foundation

- On or around 2021-11-16

28

Puangthong Pawakapan

Academic

- On or around 2021-05-31 

- On or around 2021-06-10

- On or around 2021-06-25 

- On or around 2021-06-30 

- On or around 2021-07-02

29

Sarinee Achavanuntakul

Academic

- On or around 2021-09-15

30

Prajak Kongkirati

Academic

- On or around 2021-06-14

- On or around 2021-07-02

*A pseudonym

 

 

2.2 PEGASUS AGAINST THE DISSIDENTS

 

Using the findings of the targeting of dissidents by Pegasus, a timeline of major political rallies and infection dates were compared. The results show that activists were infected both on the days of protests and during the lead-up periods when they were likely to be holding preparation meetings. This allows the conclusion that Pegasus was used for three main reasons: (2.2.1) to monitor activists’ online activities; (2.2.2) to monitor protests; and (2.2.3) to seek information on protest funding.

 

2453 The protest on August 16, 2020

 

Table II: Comparison between Dates of Protest and Infection Dates

 

Dates of Protests

Protest Details

Protest Locations

Infection Dates and Targets

October 17-31, 2020

Leaderless, in response to the protest crackdown from October 13-16, 2020

Many provinces

October 21 and 26, 2020: Jutatip Sirikhan 

December 2, 2020

By Ratsadorn, in response to the constitutional court’s verdict on Gen Prayut’s residence

Lat Prao Intersection, Bangkok

December 1, 2020: Yingcheep Atchanon; 

December 3, 2020: Arnon Nampa

February 10, 2021

By Ratsadorn, calling for abolish article 112 and release the jailed activists

Pathumwan intersection, later marched to Pathumwan Police station, Bangkok

February 10, 2021: Yingcheep Atchanont 

February 20, 2021

By the United Front of Thammasat and Demonstration, in parallel with the motion of no confidence

Parliament, Bangkok

February 16, 2021: Niraphorn Onnkhaow and Yingcheep Atchanont

February 17, 2021: Bussarin Paenaeh

 

February 28, 2021

By REDEM, calling for reform of the monarchy

Victory Monument, later marching to 1st Battalion, 1st Infantry Regiment Base, Bangkok

February 15 and 20, 2021: Jutatip Sirikhan

 

March 20, 2021

By REDEM, calling for reform of the monarchy

Sanam Luang, Bangkok

March 18, 2021: Jutatip Sirikhan

April 29, 2021

By the United Front of Thammasat and Demonstration, in parallel with their members’ bail hearing.

Criminal Court, Bangkok

April 26, 2021: Niraphorn Onnkhaow,Inthira Charoenpura

April 30, 2021

By the United Front of Thammasat and Demonstration, in parallel with their members’ bail hearing.

Criminal Court, Bangkok

April 30, 2021: Niraphorn Onnkhaow

May 11, 2021

By the United Front of Thammasat and Demonstration, in parallel with their members’ bail hearing.

Paholyothin Police Station, Bangkok

May 11, 2021: Niraphorn Onnkhaow

June 24, 2021

By Ratsadorn, commemorating the 89th anniversary of the Siamese Revolution

Democracy Monument, later marching to the Parliament, Bangkok

June 15, 2021: Panusaya Sithijirawattanakul and Niraphorn Onnkhaow

June 16, 2021:  Individual #3

June 19, 2021: Individual #3

June 20, 2021: Niraphorn Onnkhaow, Panusaya Sithijirawattanakul and Yingcheep Atchanont

June 23, 2021: Niraphorn Onnkhaow, Panusaya Sithijirawattanakul, Jatupat Boonpattararaksa, Individual #3

July 1, 2021

An anti-government rally

Democracy Monument, Khon Kaen

June 28, 2021: Jatupat Boonpattararaksa

 

July 2, 2021

An anti-dictatorship rally with an open market

Government House, Bangkok

July 1, 2021:  Niraphorn Onnkhaow 

July 2, 2021: Individual #3

July 18, 2021

A rally commemorating the Free YOUTH’s anniversary

Democracy Monument, Bangkok

July 9, 2021: Jatupat Boonpattararaksa

July 10, 14, 2021: Arnon Nampa

 

September 4, 2021

By REDEM, calling for reform of the monarchy, etc.

Swiss Embassy, later marching to Lumpini Park, Bangkok

August 30, 2021: Chatrapee Artsomboon

September 5, 2021: Katekanok Wongsapakdee

September 6, 2021: Jutatip Sirikhan

November 14, 2021

By the Democracy Restoration Group, calling for reform of the monarchy

Pathumwan intersection, later marching to the German Embassy, Bangkok

November 12, 2021: Yingcheep Atchanont

 

 

2.2.1 THE USE OF PEGASUS TO MONITOR ACTIVISTS’ ONLINE ACTIVITIES

 

The use of Pegasus to monitor activists’ online activities means that the attackers are looking for behind-the-scenes information from the activists’ online activities. Infections for this purpose are found in the cases of Arnon Nampa and Benja Apan. Both activists have been infected while they were in detention for their activism conducted during the protests. Their Facebook accounts were active while they were in detention, so it is believed that the reason the devices were infected was due to the attackers wanting to know how the accounts were run or who was behind the accounts.

 

2.2.1.1 ARNON NAMPA

 

Arnon Nampa has been infected five times by Pegasus: December 3 and 15, 2020; July 10, 2021; July 14, 2021; and August 31, 2021. While the first four infections are believed to be because the attackers would like to monitor the protests. The last infection stands out as it happened while he was temporarily detained in prison. 

 

The first two infections came after the demonstrators adopted an "open wound" strategy, which is to rally at places that have symbolic importance to the monarchy. This includes the Siam Commercial Bank Headquarters where the King Rama X is a major shareholder and the 1st and 11th Infantry Regiments that were transferred from the Royal Thai Army to be under Rama X’s personal control in 2019. The third and fourth infection, which occured on July 10 and 14, 2021, was executed before a large-scale protest commemorating the anniversary of the pro-democracy movement. On July 7,2021 he posted on Facebook he was going to join the July 18th protest. Three days later, Arnon was infected by Pegasus. The fourth infection occurred on July 14, 2021.On that date, he was posting on Facebook regarding how to protest in the time of COVID-19.

 

2450

 

The last infection that happened while he was in jail may indicate that the attackers wanted to know who was behind his Facebook account as it was still active. Messages were regularly posted under the title “a letter from the court.” The messages were also about updates on the money donated to jailed political prisoners. Notably, on March 16, 2021, a photo of a handwritten letter claimed to be written by Arnon detailing prison guards’ attempt to separate him and political prisoners from others late at night was uploaded to Arnon’s Facebook account. The letter received widespread public attention as he detailed that the incident was suspicious, and he and other prisoners feared for their lives from what happened. In an official statement issued by the Department of Correction, the authorities claimed that the separation was part of the COVID-19 detection procedure. The Department later filed a complaint against the administrator of Arnon’s Facebook account requesting them to investigate where the account was accessed. The Department also added that there is no communication device in prison and would investigate where the letter came from.

 

2451

 

The content that appeared on Facebook prompted the authorities to target the person behind it. When the account was posting about the spread of COVID-19 behind bars and the mismanagement of the Department of Corrections, a representative of the Ministry of Justice stated that the person behind Arnon’s account should be careful when talking about the situation in prison otherwise a prosecution against that person would be authorized for causing damage.

 

12 mobile devices of his colleagues at the Thai Lawyers for Human Rights (TLHR) were also checked, but no trace of infection was found. None of them also received any email notification from Apple. As a result, it can be concluded that Arnon fell victim to Pegasus for his activism and not as a human rights lawyer.

 

2.2.1.2 BENJA APAN

 

2458 Benja Apan gave a speech after learning the Court rejected a bail request of the jailed activists on April 29, 2021

 

Benja Apan is another prominent activist who was formerly with the United Front of Thammasat and Demonstration (UFTD). Her phone was infected on November 17, 2021, while she was in detention for alleged offenses including lèse-majesté. The infection which occured while she was in detention is similar to Arnon’s case as her Facebook was still active while she was detained. 

 

Initially taking a backstage role at the protests, when other key members of the UFTD were arrested and detained, she had to step forward as a frontliner and lead the UFTD along with other fellow activists. Benja is the person who read the second statement of the UFTD in August 2021, one year exactly after the first one that contained the 10-point demands read by Panusaya in August 2020. She also joined Panusaya and Parit Chiwarak in wearing a crop top at a shopping mall in Bangkok and was later charged with lèse majesté for mocking the king.

 

2456 Protestors gathered in front of the Criminal Court calling for release the jailed activists on April 29, 2021

 

Benja was arrested on October 7, 2021, for her activism and spent a total of 99 days in prison after being repeatedly denied bail. She was eventually released on January 14, 2021. During that time, her Facebook account continued to publish messages from her in prison which detailed what happened inside. On November 17, 2021, the date that she was infected by Pegasus, her Facebook account posted a message criticizing those who are in power. 

 

2.2.2 THE USE OF PEGASUS TO MONITOR PROTESTS

 

Pegasus was also used to monitor protests by infecting devices in order to find more information about the protests, including how and where they were organized, and who else was involved. The cases involve UFTD members, Jutatip Sirikhan and the FreeYOUTH movement, and Jatupat and Thalufah.

 

2.2.2.1 UFTD MEMBERS

 

Leading figures of the United Front of Thammasat and Demonstration (UFTD) who organized and participated in various protests have been charged on multiple occasions in relation to the demonstrations and statements on online platforms. Four members were infected by Pegasus: Panusaya Sithijirawattanakul, Nutchanon Pairoj, Chonlatit Chottsawas, and Niraphorn Onnkhaow. Niraphorn was infected the most on 14 occasions between February 16 - July 7, 2021, followed by Panusaya, who was infected four times on June 15, 20, 23, and September 24, 2021.

 

2452 Panusaya was giving a speech on September 19, 2020

 

2464 Panusaya was greeted by her sister after she was released from prison on May 6, 2021

 

Panusaya, the key member of the UFTD who read the UFTD’s first declaration that contained the 10-point demand for monarchy reform, was infected with Pegasus four times. Panusaya faces at least 10 lèse majesté charges and has been jailed at least three times for her activism. The three infections that happened in June 2021 indicate that the attackers might have been looking for information about a planned protest to commemorate the 89th anniversary of the 1932 Siamese Revolution. On September 18, 2021, Panusaya revealed that there was an arrest warrant against her and she did not know when she would be detained by the police On September 22, two days before the infection, police arrested her for allegedly being an administrator of the UFTD Facebook page While she was being arrested, the police tried to seek another page admin and tried to confiscate Chonlatit’s phone. Although Chonlatit's lawyer prevented a warrantless seizure of the mobile device, it was infected by Pegasus the next day on September 23. Panusaya was subsequently granted bail on the day of her arrest, but was infected by Pegasus on September 24. While the first three infections against Panusaya may indicate that the attackers were looking for information about the protest, the infections against her and Chonlatit may indicate that they were infected to monitor their online activities in order to know who is behind the group’s Facebook page. 

 

This also matches with the case of Niraphorn who was infected 14 times which are February 16; March 16; April 26; April 30, May 11, 14, 20, 31; June 8, 15, 20, 23; July 1 and 7. All infections were in 2021. A first-generation UFTD member, she founded the movement along with other activists including Panusaya and Parit Chiwarak. On September 17, 2021, she was also arrested by the authorities for allegedly being the person behind the UFTD page. Her case stands out among other activists as 14 times is the highest number of infections found to date among the Pegasus targets in Thailand. The infections against Niraphorn, whose role is mainly backstage, raise questions over the attackers’ motives, but may indicate that the attackers think her online activities might reveal more about UFTD’s protest plans as well as its operations as she is also a co-signatory of the UFTD bank account that accepts public donations. 

 

Niraphorn was first infected on February 16, 2021, when a demonstration calling for the release of detained activists awaiting trial was underway just days before Parliament’s scheduled no-confidence debate. Further information reveals that four other times when Niraphorn was infected were on the same days when the UFTD advertised scheduled rallies via an online platform: April 26, 2021 for a demonstration on the same day; a pressure demonstration on the bail hearing of a group’s member on April 30 advertised on the same day; a protest against the arrest of group members on May 11 promoted on the same day; and the advertisement on June 20 for a demonstration on June 24, 2021. From April 25 to May 6, 2021, around the time of Niraphorn’s infections, the UFTD was organizing a campaign demanding the government to free the jailed activists.

 

2466 Nutchanon sat in front of the police during the protest on April 30, 2021

 

The reason that Nutchanon was infected is difficult to conclude, but he also stepped forward to lead the UFTD when key activists of the UFTD were jailed. Nutchanon was infected on November 18, 2021, before he was sentenced to 2 months’ imprisonment on December 2, 2021, for contempt of court for a political action in front of the court that was organized to demand the release of Parit Chiwarak. Prior to the date of infection, he was also sentenced to 4-months imprisonment for contempt of court on November 1, 2021, but was released on the same date.

 

2.2.2.2 JUTATIP SIRIKHAN AND THE FREEYOUTH MOVEMENT

 

Jutatip Sirikhan is a key activist in the FreeYOUTH student movement which ignited a wildfire of anti-government protests nationwide and played an important role in the pro-democracy protests in 2020-2021. Its Facebook page, which is usually used to mobilize the public to join the protests, grew to a million followers in a few months from when it was founded. FreeYOUTH used Facebook as the primary medium of publicity and Telegram to communicate to participants in real time. The group often changed the venue and format of each demonstration shortly before the advertised time to avoid obstruction by state officials. 

 

2454 Jutatip Sirikhan was arrested by the polices on September 1, 2020

 

Jutatip’s device was infected six times: October 21 and 26, 2020; February 15 and 20, 2021; March 18, 2021; and September 6, 2021.  The first infection on October 21, 2020, happened on the day that tens of thousands of protestors marched from the Victory Monument to Government House to demand the resignation of PM Gen Prayut Chan-o-cha. After the protest ended, the police apprehended the organizers. Rumors spread that the police were in pursuit of Jutatip due to earlier arrest warrants against her. This led her to avoid returning home between October 21-22, 2020, once she was aware of her impending arrest. Based on the dates of infections, it may be concluded that they may have occurred because the attackers would like to know her whereabouts or they were harvesting more information about the protests. 

 

2461 Protestors gathered peacefully just minutes before the police began using water canon to disperse them on October 16, 2020

 

A total of 205 protests were held in the leaderless period between October 17-31, 2020, when the momentum was arguably the highest. The government declared a Severe State of Emergency on October 15, 2020. On that date, Jutatip, along with other key activists under Ratsadorn, led tens of thousands of protestors to protest at the Ratchaprasong Intersection before calling on people to return on a daily basis. The Severe State of Emergency ended on October 22, 2020. Her phone was infected again on October 26, 2020, on the same day that thousands of protestors marched from Samyan Mitrtown to the German embassy.

2467 Protestors hold a "REDEM" flag while they was marching to 1st Infantry Regiment on February 28, 2021

On February 24, 2021, FreeYOUTH’s Facebook page launched the Restart Democracy (REDEM) movement rebranded from the Restart Thailand (RT) campaign whose original logo featured the anti-monarchy communist hammer and sickle. Before the launch, Jutatip held various meetings with fellow activists, one of which was held on February 15, 2021, the same day her phone was infected after a 3-month hiatus. On March 17, 2021, REDEM announced a demonstration on March 20, 2021, at the Royal Field inviting protesters to fold letters demanding limits to the royal prerogative and throw them over the wall of the Grand Palace. Interestingly, Pegasus infected Jutatip’s phone again on March 18, 2021. 

 

Apart from Jutatip, members from FreeYOUTH and its close affiliates who have been infected with Pegasus include Katekanok Wongsapakdee, Poramin Rassameesawas, Pansiree Jirathakoone, and Chatrapee Artsomboon. Pansiree and Chatrapee are from Salaya for Democracy who usually joined FreeYOUTH activities. Ratchasak Komgris is another member of the Salaya for Democracy who received a notification from Apple. However, Citizen Lab notes that evidence of infection was not found at the time of analysis. 

 

Jutatip, Katenok, and Poramin were infected with Pegasus at around the same time in September 2021, on the 6th, 5th, and 12th. Two people from Salaya for Democracy, Pansiree and Chatrapee, were also infected in August. Pansiree was infected on August 17, 2021, before Chatrapee’s device was infected on August 30, 2021, and at around the same dates as the three members of FreeYOUTH, which are September 9, 2021. 

 

The attackers may have been looking for information in relation to the protests that happened at that time. The more frequent infections of the REDEM-affiliated activists may also be due to the group’s adoption of a “leaderless” approach and the sudden announcements of protest venues. When Chatrapee was infected with Pegasus on August 30 , the REDEM group was discussing the organization of a protest before a rally was called at the Swiss Embassy on September 4, 2021. On September 5, 2021, when Katekanok’s device was found to be infected with Pegasus, FreeYouth was having an internal meeting, although she was not present at the meeting. Jutatip’s device was then infected the next day on the 6th. 

 

Regarding Poramin, as a less publicly-known member of the group, there is a question about why his device was infected with Pegasus on September 12, 2021. However, he is a co-signatory of the bank account of FreeYOUTH that is used for public donations, which might have served to make him a target. He also assisted with livestreaming protests before his residence was raided by the authorities on September 17, 2021. The search warrant stated that the authorities were looking for a specific person in a photo which featured a man who looked like him being handcuffed, in the middle of a protest.

 

2.2.2.3 JATUPAT BOONPATARARAKSA AND THALUFAH

 

Jatupat Boonpatararaksa, also known as “Pai Dao Din,” was infected by Pegasus three times on June 23 and 28, and July 9, 2021. Jatupat first became known when he and other activists displayed the three-finger salute, an anti-authoritarian gesture originally from the movie Hunger Games, in front of Prayut in 2014.

 

2468 Jatupat hold the mock of the 1932 Revolutionary Plaque on June 24, 2021

 

The infection on June 23, 2021, happened before the planned protest on June 24, 2021, to commemorate the 89th anniversary of the 1932 Siamese Revolution. Infected on the same date were Panusaya and Niraphorn from the UFTD as well as Individual #3. As this date saw the highest number of individuals infected in one day, this may indicate that the attackers were looking for information as a large protest approached. It was also the first large protest following a long hiatus induced by the COVID-19 pandemic and waves of political detentions.

 

On June 28, 2021, when the second infection occurred, Jatupat went to Khon Kaen Province and prepared a protest at the Democracy Monument in Khon Kaen Province on July 1, 2021, which also preceded the protest at Government House on July 2, 2021. Jatupat said that he attended countless meetings related to the protests during the period he was infected. The third infection against him on July 9, 2021, occurred just a week before the protest on July 18, 2021. The protest was to commemorate the anniversary of the pro-democracy movement. However, on the date of the protest, he did not participate in the event either.   

 

2.2.3 THE USE OF PEGASUS TO SEEK INFORMATION ON PROTEST FUNDING SOURCES

 

The findings allow the conclusion that Pegasus has been used against certain individuals who financially support the protests. Inthira Charoenpura is known publicly for donating money to the protests. A well-known actress, she used social media to post messages inviting people to join the protests and prepared facilities including meals, ice cream, and bathrooms.

 

She was infected with Pegasus three times: April 9 and 26 and June 4, 2021.  At that time, she was targeted for possible tax investigations by the revenue officer. As the person dubbed the “Godmother” of the protestors, her role in the protests was always backstage. The dates of the Pegasus infections on her match those of a group of private donors, The Mad Hatter, who never took part in organizing protests and who were infected with Pegasus from May to July 2021.

 

Activists whose infections might belong in this category are Niraphorn Onnkhaow from the UFTD and Poramin Rassameesawas from FreeYOUTH who were co-signatories of their groups’ bank accounts receiving public donations.

 

3. CONCLUSION

 

The ongoing investigation reveals that the 30 individuals who have been infected by Pegasus are linked to the pro-democracy protests in 2020-2021, and that the infections are a form of repression against pro-democracy dissidents.

 

Although official information to show the persons behind this operation is not accessible, it is clear that it is the Thai government that benefits most from the infections as the infections are a form of suppression. They make activists feel unsafe in taking action against the Thai government as their right to privacy has been significantly violated by the use of the most sophisticated cyber espionage tool in the world. The infections send a message that if one does not want to be infected and have all one’s personal information exposed to the authorities, they had better not challenge the government or the monarch.

 

If the state is behind the Pegasus infections, the spyware would contribute to the government’s efforts at digital surveillance against critics and dissidents, and this, or a similar kind of digital weapon, can be used against dissidents in the future when the opportunity arises. No cases of blackmail against activists calling for reform of the monarchy have been identified before. However, the police possess the capability to identify the names of individuals operating online in relation to the movement and can locate individuals almost in real time. According to the rules of evidence, information obtained through Pegasus spyware may not be legally admissible in court. However, this problem is circumvented in many cases when state officials testify in court that they have obtained such information from “secret investigations” without an exact explanation.

 

In a truly democratic country, dissent is allowed because the rights to freedom of expression and freedom of assembly are an important foundation of democracy. The right to privacy is also protected under the country’s constitution. However, if these rights have not been respected in Thailand, where activists are threatened for their peaceful political views, it sends a strong message about what kind of country Thailand is under the current government of Prayut Chan-o-cha.

Report type: