On the afternoon of May 1, 2018, Jeff Bezos received a message on WhatsApp from an account belonging to Saudi Arabia’s crown prince, Mohammed bin Salman.
The two men had previously communicated using the messaging platform, but Mr. Bezos, Amazon’s chief executive, had not expected a message that day, let alone one with a video of Saudi and Swedish flags with Arabic text.
The video, a file of more than 4.4 megabytes, was more than it appeared, according to a forensic analysis that Mr. Bezos commissioned and paid for to discover who had hacked his iPhone X. Hidden in that file was a separate bit of code that most likely implanted malware that gave attackers access to Mr. Bezos’ entire phone, including his photos and private communications.
Mr. Bezos has been on a singular quest to find out who penetrated the device since early 2019, when he said The National Enquirer’s parent company had threatened to release private photographs and texts, and the forensic study was part of that effort. Those pictures and messages showed Mr. Bezos, who was married at the time, with another woman, Lauren Sanchez. The analysis did not connect the hack to The Enquirer.
The forensic report on Mr. Bezos’ phone was at the heart of a United Nations statement on Wednesday raising concerns about Prince Mohammed. The analysis essentially accused the Saudi prince of using malware created by a private cybersecurity company to spy on and to intimidate Mr. Bezos, who also owns The Washington Post. At the time of the hack, Jamal Khashoggi, a dissident Saudi writer, was employed at The Post, which has published coverage critical of the Saudi government. Mr. Khashoggi was killed in the Saudi consulate in Istanbul in late 2018.
Many technical mysteries remain about the infiltration of Mr. Bezos’ phone, including what type of malware was used. The forensic report did not detail whether Mr. Bezos had opened the file that was sent to him via Crown Prince Mohammed’s WhatsApp account. Cybersecurity experts said some malware did not require anyone to click on the file for it to install on a phone.
The details of the hack could not be independently verified by The New York Times. Mr. Bezos has been pushing a theory of Saudi involvement with the threats from The Enquirer, without providing proof, since early 2019. The Enquirer’s parent company has said Ms. Sanchez’s brother, Michael, was the sole source of the texts and intimate photos it acquired.
The Saudi Embassy in Washington has said that accusations that the kingdom was involved in hacking Mr. Bezos’ phone were “absurd.”
The report’s conclusions renew questions about the shadowy world of private hackers for hire. For the right client, or the right sum, such hackers apparently infiltrated the phone of one of the world’s wealthiest and most powerful men. The report did not say which private cybersecurity company was used, but suggested that the Tel Aviv-based NSO Group and Milan-based Hacking Team had the capabilities for such an attack.
The hack also exposed how popular messaging platforms like WhatsApp have vulnerabilities that attackers can exploit. In October, WhatsApp sued the NSO Group in federal court, claiming that NSO’s spy technology was used on its service to target journalists and human rights activists. WhatsApp, which is owned by Facebook, has patched the flaw that the malware used.
“This case really highlights the threats that are posed by a lawless and unaccountable private surveillance industry,” said David Kaye, the United Nations special rapporteur who was a co-author of Wednesday’s statement. “The companies who are creating these tools are extremely crafty and aggressive, and it’s a cat-and-mouse game at this point.”
NSO said it was not involved in any hack of Mr. Bezos’ phone. Hacking Team did not respond to a request for comment. WhatsApp declined to comment, as did FTI Consulting, the company that Mr. Bezos’ security team hired to examine his phone and that wrote the forensic analysis. Amazon declined to comment on behalf of Mr. Bezos.
Malware that was created for the explicit purpose of prying into private online communications, also known as spyware, has become a $1 billion industry. While companies like the NSO Group and Hacking Team have been accused of deploying their spyware with governments to monitor dissidents and others, smaller companies also sell simpler versions of the software for as little as $10, allowing people to snoop on their spouses or children.
Ron Deibert, the director of Citizen Lab at the University of Toronto, which was not involved in the Bezos investigation, said the Amazon chief’s situation was “a reminder that the proliferation of commercial spyware is a global security problem for all sectors, from government and businesses to civil society.”
Over the years that he has run Amazon, Mr. Bezos has largely kept private. That changed when The National Enquirer published photos and messages last year between him and Ms. Sanchez, a TV anchor. Mr. Bezos and his wife, MacKenzie Bezos, later got a divorce.
On Feb. 7, 2019, Mr. Bezos went public with his claims. In a post on Medium, he accused The Enquirer of trying to blackmail him with his own text messages and photos and said he had asked Gavin de Becker, a private investigator, to determine how his phone had been hacked.
Ten days later, Mr. de Becker was advised by a “leading intelligence expert” to conduct a forensic analysis of Mr. Bezos’ iPhone and to look for Saudi fingerprints in the hack, according to notes in the report. The report did not identify the intelligence expert who reached out to Mr. de Becker.
Mr. de Becker, who declined to comment, hired FTI Consulting on Feb. 24, 2019, to examine Mr. Bezos’ phone. FTI was initially asked to look into several text messages that Mr. Bezos had received from the WhatsApp account of the Saudi prince. In mid-May 2019, Mr. Bezos handed over his iPhone X and asked FTI to run a full analysis on it, according to the report.
FTI zeroed in on an April 2018 dinner in which Prince Mohammed and Mr. Bezos had exchanged phone numbers in Los Angeles. After that, FTI found, the WhatsApp account of the prince initiated contact with Mr. Bezos repeatedly and without prompting.
The May 2018 message that contained the innocuous-seeming video file, with a tiny 14-byte chunk of malicious code, came out of the blue, according to the report and additional notes obtained by The New York Times. In the 24 hours after it was sent, Mr. Bezos’ iPhone began sending large amounts of data, which increased approximately 29,000 percent over his normal data usage.
In the additional notes to the report, investigators said several phone apps were being used during the time that data was leaving the phone. Those included the Safari web browser and the Apple Mail program, neither of which Mr. Bezos appeared to be using heavily himself. The notes added that Mr. Bezos did not have iCloud backup enabled on the phone; an enabled backup would also have explained large amounts of data leaving the phone.
Messages sent by Prince Mohammed’s WhatsApp account starting in late 2018 soon began to suggest that the sender had intimate knowledge of Mr. Bezos’ private life. On Nov. 8, 2018, the report said, Mr. Bezos received a message from the account that included a photo of a woman resembling Ms. Sanchez.
The photo was captioned, “Arguing with a woman is like reading the software license agreement. In the end you have to ignore everything and click I agree.”
At the time, Mr. Bezos and his wife were discussing divorce, which would have been apparent to anyone reading his text messages.
In mid-February 2019, Mr. Bezos held a series of phone calls with his security team about the Saudis’ alleged online campaign against him, the report said. Two days later, Mr. Bezos received a message from Prince Mohammed’s WhatsApp account that read, in part, “there is nothing against you or Amazon from me or Saudi Arabia.”
The report listed spyware known as Pegasus, developed by the NSO Group, and spyware called Galileo, developed by Hacking Team, as the two most likely tools used to carry out the attack. The report added that Saud al-Qahtani, a close adviser of Prince Mohammed, owned a 20 percent stake in Hacking Team.
The FTI report was not definitive about the hack, but said it had “medium to high confidence” that the message from the prince’s WhatsApp account was the culprit. In notes to the report, FTI said it was still attempting a more thorough analysis of the iPhone, including by jailbreaking it, or bypassing Apple’s control system on the phone.
Some cybersecurity experts said more information about the hack was needed to verify the report’s conclusions. Bill Marczak, a cyber expert at Citizen Lab, said in a blog post on Wednesday that technology existed for decrypting the WhatsApp messages to see more detail about the video file that was sent.
Agnes Callamard, the United Nations special rapporteur who also co-wrote Wednesday’s statement, said the episode was “a wake-up call to the international community as a whole that we are facing a technology that is very difficult to track, extremely powerful and effective, and that is completely unregulated.”
She said Mr. Bezos’ experience should sound alarms because even with his wealth and resources, it took months of investigation by specialists to figure out what had happened, a luxury few others have.
“It basically means that we are all extremely vulnerable,” she said.
Ben Hubbard contributed reporting from Beirut, and Karen Weise from Seattle.