"Do you have information that he is next? I heard something completely different...", read a message sent from an unknown number with an attached link, which a BIRN journalist received via Viber on February 14 of this year.
It all looked like a message from a potential source who wanted to report some information, but an unusual link and an unknown sender raised suspicions that it was phishing – and not just any kind. An hour earlier, another BIRN journalist received a message on Viber from the same unknown number, writes BIRN.
After the messages were suspected of being an attempt to install spyware on the journalists' phones, BIRN turned to Amnesty International's security lab for assistance. Their forensic analysis confirmed that the attacks were carried out using the Pegasus spyware.
"We discovered that the text messages contained links to a Serbian-language internet domain, which we can say with a high degree of certainty is linked to the NSO Group's Pegasus spyware," says Donna O'Carroll, head of Amnesty International's security lab.
The attack, fortunately, was not successful because the journalists did not click on the link. If they had, one of the most sophisticated and invasive digital surveillance programs in the world – Pegasus – would have been installed on their phones and would have allowed them to access their messages, emails, camera, microphone and files – without their knowledge.
"When I received the message, I was in my home, which I consider to be a violation of home privacy. The constitution guarantees me that wiretapping and surveillance are prohibited when I am in my home. As soon as I saw the message, I saw that the person was not listed in my phone book, that they were communicating so directly, that they did not sign who they were and who gave them my number. It seemed so immediate and so topical. I then replied: 'I do not have this number in my phone book, can I start by asking who is writing?' The message did not go through. Then I called the number and it was unavailable," says the BIRN journalist, who wished to remain anonymous, because as she says: "Today it is me, tomorrow it is someone else. The important thing is the story, not me."
Jelena Veljković, a multi-award-winning BIRN journalist with over 30 years of experience, also received a message on Viber from the same number, at the same time of day.
"The message was obfuscated by the application itself, as a security mechanism of Viber. I didn't dare do anything that would have enabled the installation. I don't know what it said, but you could see that it was written in two lines in white letters, and then in two lines in blue letters – some kind of link," says Jelena Veljković.
She immediately blocked the number from which the message came. “I wouldn’t have paid much attention to that message if, when I got home, I hadn’t entered the correspondence in our editorial group, where I saw that another colleague had received a message from the same number at about the same time,” says Veljković.
This discovery is disturbing, she says, because it is a private phone that she also uses for work.
"The awareness that someone had the motive and money to place such software on devices, knowing what Pegasus can do... This can also be seen as a warning message, pressure, like 'be careful, we're watching you, what are you doing', because the attacker could have counted on BIRN journalists not clicking on the link so easily. We don't know who is behind the attack. I have my own assumptions that I wouldn't like to speculate about. I don't even know why they chose me and my colleague - maybe it's a warning to the entire BIRN," says Veljković.
One issue, two journalists, same method of attack
Both journalists received a message on February 14, 2025, from a Viber account registered to the phone number +381659940263. The number is registered with Telekom Srbija and has been unavailable since February 14.
Jelena Veljković received the message at 12:55 on her Android phone and did not open it. Another colleague received it less than an hour later, at 13:46 on her iPhone. The message received on her phone contained text in Serbian and a link to an internet domain, also in Serbian.
Amnesty International's forensic team has determined with a high degree of certainty that the domain contained in this link is associated with the Pegasus spyware. This assessment is based on evidence collected by Amnesty International during a multi-year investigation into the misuse of this spyware.
The BIRN journalist did not click on the link, which is why the Pegasus spyware was not successfully installed on her phone. When Amnesty International researchers opened the link in a secure environment, it redirected to a fake N1 website, at https://n1info.com. Amnesty experts note that a previous attempt at a Pegasus “single-click” attack, which targeted a protest leader in Serbia in July 2023, also redirected to the same media site.
Amnesty International concluded that both cases of BIRN journalists involved an attempt to infect them with Pegasus software using the "1-click" method. Both messages and links were sent within an hour of each other, from the same Viber number, to two journalists working in the same newsroom.
A BIRN journalist, who wished to remain anonymous and who is also a multiple award-winning journalist with decades of experience, believes that espionage attempts will continue.
"I believe we are not the last in the editorial office to experience this. I had sensitive contacts during that period – perhaps it was precisely because of those sources that we drew attention to us. In our work, we all have such sources and stories, so it won't end with the two of us. They don't have to insert spyware into us – we publish the texts publicly, so that anyone in the service can read them completely free of charge. Investigative journalism is patriotism. We don't get badges and weapons, we don't carry repressive force with us, and we uncover what is important for Serbia to be better, because we uncover what is bad."
Amnesty International: The Serbian state is the most likely employer
NSO Group states that its products are used exclusively by “government intelligence and law enforcement agencies in the fight against crime and terrorism.” In a letter to Amnesty International, NSO Group stated that all of its systems are “sold exclusively to verified government users.” NSO responded to BIRN that it complies with international human rights and export regulations, and that it cannot accept Amnesty International’s findings until it has conducted an internal evaluation.
As part of this research, Amnesty International has not identified any government other than Serbia that would have an interest in targeting the two BIRN journalists. Amnesty International concludes that it is highly likely that one or more actors within the Serbian state apparatus, or agents acting on their behalf, were involved in this latest use of the Pegasus spyware to target two BIRN investigative journalists. Of particular concern is the fact that NSO Group apparently continues to enable the use of the Pegasus software in Serbia, despite two previous Amnesty International reports documenting its misuse in the country. A license to use Pegasus costs between $20.000 and $30.000 per person.
Amnesty International contacted the Security Information Agency (BIA) in November 2024 and again in March 2025 in an attempt to obtain a response to these findings, but had not received any response by the time of publication of the report.
The cases of the two BIRN journalists represent the fourth and fifth cases in the last two years in which Amnesty International’s security lab has uncovered the use of Pegasus spyware against media and civil society representatives in Serbia. In November 2023, Amnesty International and its partners Access Now, SHARE Foundation and Citizen Lab documented that two members of Serbian civil society were targeted by a zero-click spyware attack. The research also uncovered a third, previously unreported case, in which a Serbian activist was targeted by an attempted Pegasus infection via a one-click link, back in July 2023.
In addition to previous revelations that Serbian security structures use Cellebrite digital forensics equipment for mobile phones and NoviSpy tracking software, which require physical access to the phone, the use of Pegasus spyware adds a new dimension, as it can be installed on the victim's phone remotely and without visible traces.
Legally dangerous, professionally unacceptable, personally distressing
Rodoljub Šabić, the former Commissioner for Personal Data Protection, points out that the use of Pegasus and similar programs outside of criminal proceedings or the protection of state security is punishable. "The illegal use of all these 'tools', if practiced by the government, is incompatible with the idea of a state governed by the rule of law and threatens several constitutionally guaranteed rights of citizens. And from the aspect of the freedom of action of the media and journalists, it is additionally, especially dangerous, because it calls into question one of the fundamental standards of journalism - the confidentiality of journalistic sources," Šabić told BIRN.
Milorad Ivanović, editor-in-chief of BIRN Serbia, says that the attack on our two colleagues is not just an attack on them – it is an attack on the entire BIRN.
“Although the espionage attempt was sophisticated, the message it sends is primitive – that we should be silent, that we should retreat, that we should be afraid. This will not stop us. On the contrary – we will be even more determined to do what we do best: uncover the truth, protect sources and serve the public interest. Because you cannot silence the truth with spyware. You can only make it more necessary.”
BIRN journalists say this will not disrupt their daily work on investigative stories. "I find all this a little uncomfortable, but I don't see why I should back down from the pressure, because everyone within their profession can make a small contribution to the fact that one day we live in a more normal, if not completely settled, society," says Jelena Veljković.
Another BIRN journalist says that "it is ugly that someone allowed themselves to intrude too much on intimacy. I consider this an attempt to hinder me from doing my job, which I usually do in tense circumstances. It made me feel angry and insecure for a moment, and also made me be even more cautious - which is obviously never out of place in the 21st century. I will be even more cautious and I will tell everyone else to be more cautious. By the way, I have never made it a practice to exchange the most important information over the phone."
Bonus video:
