The Rise of Cyber Espionage in Spain: A Deep Dive into the Pegasus Affair
Shortly after taking office in 2018, a significant group of high-ranking officials from La Moncloa, appointed by President Pedro Sánchez, were invited for a visit to the National Intelligence Center (CNI). During this visit, held in the crisis room under the watchful eye of the director of the secret service, Félix Sanz Roldán, the attendees were shown a demonstration highlighting the vulnerability of mobile phones to cyberattacks. One of the participants recalls, "We were left astonished." As part of the session, they received several recommendations on how to protect themselves, which included keeping their device's operating system updated, reviewing permissions granted to applications, regularly powering down their devices, and avoiding connections to open WiFi networks. However, judging by subsequent events, it appears these warnings were not heeded.
The first major security breach became evident on April 22, 2021, when Moroccan authorities revealed through a pseudo-media outlet—established only a few months prior, as demonstrated by WebArchive and currently inactive—and two affiliated platforms, _Jeune Afrique_ in Paris and _Le360.fr_ in Casablanca, that the leader of the Polisario Front, Brahim Ghali, had been hospitalized in Logroño for COVID-19 treatment. He had flown from Algiers to Zaragoza using a false identity.
Nearly three years had passed since the Moroccan Directorate General for Territorial Surveillance (DGST) had infected its first Spanish mobile phone, that of Aminetou Haidar, according to an investigation published on July 16, 2026, by El Confidencial and an international media consortium led by _Forbidden Stories_. Subsequently, they attempted to hack at least 250 other phones. It is highly likely that this massive hacking operation enabled Moroccan agents to discover Ghali's presence in Spain.
Security Lapses and the Aftermath of Cyber Attacks
A month later, in late May 2021, another glaring flaw was exposed when the National Cryptological Center (CCN), under the CNI, inspected the mobile phone of Foreign Minister Arancha González Laya. They confirmed it had been compromised but did not specify the malicious software involved. The Spanish government never officially acknowledged this infection but also did not deny it. González Laya publicly referred to the incident a year later in an interview with _El Periódico_, hinting that Morocco may have orchestrated this cyberattack. It was she who negotiated with her Algerian counterpart, Sabri Boukadoum, the clandestine transfer of Ghali to Spain.
The discovery of the infection in the Foreign Minister's phone should have prompted immediate security measures, starting with the review of the mobile devices of all high-ranking officials who had been involved in the prolonged crisis between Spain and Morocco, which peaked in May 2021. However, no such actions were taken. During that May, Moroccan authorities encouraged over 10,000 immigrants to enter Ceuta within 48 hours, with "instructions given from Rabat to relax security surveillance along the coastal stretch from Larache to Saidia," as stated in a confidential CNI report dated May 19, 2021.
This delay in reviewing the official Spanish mobile phones extended to 11 months, until April 2022. Forensic analysis by the CCN subsequently revealed that the devices of Pedro Sánchez and Defense Minister Margarita Robles were infected. In Sánchez's case, the infection dated back to October 2020, long before tensions escalated with Morocco. The most significant data breaches occurred in May 2021, coinciding with the height of the bilateral crisis.
Upon learning of these findings, Sánchez reportedly erupted in anger at La Moncloa, leading to a decision that stunned the Spanish intelligence community and allied nations: he filed a complaint in the National Court regarding the cyberattacks. This public acknowledgment revealed the vulnerabilities in communication among government members. Ironically, rather than penalizing the individual responsible for this massive security breach, Sánchez opted to promote them instead.
In the recent history of espionage, only one country has openly acknowledged that its leaders' communications were intercepted. In October 2013, German Chancellor Angela Merkel called President Barack Obama to protest the National Security Agency's surveillance of her phone. No such public complaint has been made by La Moncloa against any entity.
The judicial process concerning the Pegasus attacks was announced on May 2, 2022, by Félix Bolaños, then Secretary-General of the Presidency, responsible for communication security. Just two months later, on July 10, he was appointed Minister of the Presidency and Relations with Parliament. The lack of accountability from Bolaños raised concerns for Margarita Robles that the CCN and the CNI, both under her authority, would be blamed for this colossal failure. "Take a minute to consider who is responsible for the security of the Prime Minister's mobile phone," she remarked to the press, hoping to deflect any culpability from herself.
At that time, governmental communication was in disarray. Only a few high-ranking officials used the ComSec application, a highly encrypted messaging app, for internal communication. They neglected to update their antivirus patches, disregarding the CCN's recommendations, and failed to undergo regular phone inspections. A retired La Moncloa official remarked, "They were quite lazy." An ex-agent of the DGST who fled Morocco commented, "They need to understand that Spain has become an infiltrated state." Both the CCN and the National Security Department pressured in 2022 for mobile security to be transferred to the latter body, which integrates military personnel and is also part of the Presidency. However, Óscar López, then chief of staff to Pedro Sánchez, resisted this change, fearing it would acknowledge that the existing system was not functioning correctly. A transition did not occur until 2024.
The consortium behind this journalistic investigation, coordinated by _Forbidden Stories_, inquired whether there had been any negligence in the security of phone communications and what measures had been implemented since 2022 to ensure their inviolability. **No response was received**. In the same year (2024), the CCN published a report reviewing "the cyber powers that pose a risk to Spain," identifying threats from China, Russia, Iran, and even North Korea, but omitting Morocco altogether. Notably, it failed to mention Pegasus, despite the fact that its cybersecurity experts had established that this was the program used to hack Sánchez and his ministers.
As reported by elconfidencial.com.