UK Court Rules Saudi Arabia Can Be Sued for Pegasus Spyware Attacks

A British appeals court just delivered a ruling that could reshape how victims of state sponsored surveillance seek justice. On January 26, 2026, the UK Court of Appeal ruled that Saudi Arabia cannot hide behind sovereign immunity to dismiss a lawsuit alleging it deployed Pegasus spyware to hack the phones of a prominent critic living in London.

The Victim and the Attack

Ghanem Almasarir is a Saudi satirist who built a substantial following through YouTube videos criticizing the Saudi government. While living in London, his iPhones were infected with Pegasus spyware. Forensic analysis by Citizen Lab, the University of Toronto research group that has tracked NSO Group operations for years, confirmed the compromise.

The surveillance was allegedly accompanied by a physical assault near Harrods in August 2018, when two men attacked Almasarir. His legal team connected the attack to the digital monitoring, arguing it demonstrated a coordinated campaign of harassment enabled by the spyware.

How Pegasus Works

Pegasus is perhaps the most sophisticated commercial spyware ever created. Developed by Israeli company NSO Group, it can be installed through "zero click" exploits that require no action from the target. The victim does not need to click a link or open a file. Once installed, it transforms a phone into a continuous surveillance device.

The spyware grants attackers complete access to messages, calls, camera, microphone, and location data. It can intercept encrypted communications from apps like Signal and WhatsApp before the encryption is applied. For journalists and activists who depend on secure communications, this level of access is devastating.

The Legal Breakthrough

Saudi Arabia attempted to have the case dismissed under the State Immunity Act of 1978, which generally protects foreign governments from lawsuits in UK courts. The Court of Appeal rejected this argument, finding that the alleged digital intrusion fell under a specific exception: actions causing "personal injury" within UK borders.

The judges accepted that severe psychological distress from constant surveillance constitutes personal injury. This is new legal territory. The ruling establishes that a digital attack originating abroad but causing psychiatric harm to someone in the UK can overcome sovereign immunity claims.

Why This Matters for Surveillance Victims

The Pegasus Project investigation identified over 50,000 phone numbers targeted for potential surveillance. Victims include journalists, human rights activists, opposition politicians, and associates of murdered Saudi journalist Jamal Khashoggi. The United States blacklisted NSO Group in 2021, citing evidence of systematic human rights abuses.

Until now, most victims had no realistic path to legal accountability. Governments deploying spyware could claim sovereign immunity and avoid any consequences. This ruling opens a potential new front. Other victims of state sponsored hacking may now be able to seek justice in British courts if they can demonstrate the attacks caused harm while they were on UK soil.

The Bigger Picture

The commercial spyware industry continues to operate despite international condemnation. NSO Group claims it sells only to vetted government clients for legitimate law enforcement purposes. The evidence tells a different story. Pegasus has been found on the phones of journalists investigating corruption, activists organizing protests, and family members of dissidents.

Recent research from iVerify found Pegasus infections at a rate of 2.5 compromised devices per 1,000 scans, significantly higher than any previously published estimates. The spyware remains active and widespread despite being classified as a weapon by Israel and requiring government approval for export.

This UK ruling does not solve the surveillance problem. But it demonstrates that courts are beginning to recognize digital intrusions as serious harms deserving legal remedy. For the thousands of people targeted by state sponsored spyware, that recognition is a meaningful step toward accountability.