A former officer of Morocco’s domestic intelligence agency, the Direction Générale de la Surveillance du Territoire (DGST), has told a consortium of international news organizations that the agency deployed Pegasus spyware against journalists, human rights defenders, French politicians, and Spanish cabinet officials beginning in 2017. This directly contradicts Morocco’s longstanding public denials.
The disclosures were published July 16, 2026, the same day French Prime Minister Sébastien Lecornu arrived in Rabat with a 12-minister delegation for a bilateral summit.
Forbidden Stories and its partners, including Le Monde and OCCRP, reported that Lecornu’s own phone was targeted by Moroccan intelligence from July 2019, when he served as environment minister. He was one of seven French cabinet members whose devices were reportedly infected, according to the consortium.
The whistleblower said the DGST deployed Pegasus widely from 2017 and extended surveillance to foreign government targets. Forbidden Stories reported that NSO Group, the Israeli firm that develops and licenses Pegasus, used the internal codename “Morgan” for its Moroccan client account. An Emirati intermediary brokered the acquisition to obscure its origin.
The surveillance program extended beyond digital tools. Forbidden Stories reported that the DGST also physically trailed targets and monitored internet cafes as part of its broader monitoring operation.
Documents reviewed by Forbidden Stories show that French intelligence services separately considered purchasing Pegasus from 2019 to 2020, with NSO’s French reseller citing a price range of 60 to 80 million euros in official hearings. The Élysée Palace ultimately blocked the deal over reputational and sovereignty concerns.
Morocco has consistently denied using Pegasus. NSO Group maintains it sells exclusively to vetted government clients and does not operate the software itself. Neither party responded to requests for comment from the reporting consortium, according to OCCRP. SOFX has not independently verified the whistleblower’s account.







