[notkurt]

Has anyone put forward some theories as to how they are pulling this off? Are they tapping into iMessage Metadata, scanning crash logs, or something along those lines? While I totally understand the need for them to keep how they are doing this private, I do find it slightly concerning. Unless they are just flagging suspicious iCloud login attempts. If it’s relating to crash logs, it would be nice to know as I’m sure a bunch of privacy focused users have that disabled.

[marcan_42]

I assume they have iMessage metadata on what accounts the NSO accounts talked to. The contents are E2E encrypted, but unless they have explicitly promised not to keep logs, they probably have the metadata logged.

[gjsman-1000]

Apple claims in their lawsuit that they have over 100 false iCloud accounts that were created, and is confident in their identities to the degree they are going to use them for standing to prove that NSO signed a legal agreement in the lawsuit.

In which case, NSO f!@#ed up and left iCloud Messages Backup enabled, which stores unencrypted copies of the End-to-End messages and makes it trivial for Apple to alert any person that these accounts messaged to. That's one possibility.

[smoldesu]

Because the NSO group definitely used iMessage to communicate with one another...

[HatchedLake721]

Not with one another. With targets

[TheGeminon]

This is more likely targeting phishing messages coming from NSO Group to victims, rather than communication between NSO members.

[kristofferR]

Not even phishing, NSO had a zero-click iMessage exploit (so they could just send a message to their victims and then hack their iPhones remotely).

[randyrand]

It’s likely much more manual that.

They admit themselves that these attacks are not easy to detect.

[diebeforei485]

> If it’s relating to crash logs, it would be nice to know as I’m sure a bunch of privacy focused users have that disabled.

It is not possible to disable all telemetry entirely.