A forensic analysis shows that a sophisticated attack on Jeff Bezos’ iPhone X gave full access to both his photos and messages.

The attack, and the alleged attempted blackmail that followed, led to the famous “No thank you, Mr Pecker” blog post in which the Amazon founder decided to go public about the existence of embarrassing texts and photos…

While iOS is far better protected against malware than Android, iPhones are not immune, especially to sophisticated, targeted attacks.

Background

The National Enquirer ran a series of posts in which it said it had evidence of an affair between Bezos and former Fox anchor Lauren Sanchez. The tabloid published what it says were text messages between the two of them, and said in a now-deleted post that it also had lewd selfies.

Enquirer owner American Media, Inc, was the subject of a Washington Post investigation into its role in helping Trump silence a former Playboy model who wanted to tell her story of an affair with Trump. AMI subsequently admitted to buying the exclusive rights to her story and then not running it, thus keeping it out of the media during Trump’s presidential election campaign.

Bezos, who owns the Washington Post, said AMI tried to pressure him into ending the Post's investigation and making a false statement that there was nothing to it. He decided to go public ahead of the Enquirer coverage.

Several days ago, an AMI leader advised us that Mr. Pecker is ‘apoplectic’ about our investigation. For reasons still to be better understood, the Saudi angle seems to hit a particularly sensitive nerve.

A few days after hearing about Mr. Pecker’s apoplexy, we were approached, verbally at first, with an offer. They said they had more of my text messages and photos that they would publish if we didn’t stop our investigation […]

In the AMI letters I’m making public, you will see the precise details of their extortionate proposal: They will publish the personal photos unless Gavin de Becker and I make the specific false public statement to the press that we ‘have no knowledge or basis for suggesting that AMI’s coverage was politically motivated or influenced by political forces.’

Saudi Arabia's crown prince, Mohammed bin Salman, was said to be behind the attack and to have subsequently shared information with AMI, in order to apply pressure to end Washington Post investigations into possible involvement in the 2018 murder of journalist Jamal Khashoggi.

Jeff Bezos iPhone X hack

Analysis by cybersecurity company FTI Consulting found that malware was embedded into a video file sent to Bezos from a WhatsApp account belonging to the Saudi crown prince, reports the New York Times.

On the afternoon of May 1, 2018, Jeff Bezos received a message on WhatsApp from an account belonging to Saudi Arabia’s crown prince, Mohammed bin Salman.

The two men had previously communicated using the messaging platform, but Mr. Bezos, Amazon’s chief executive, had not expected a message that day — let alone one with a video of Saudi and Swedish flags with Arabic text.

The video, a file of more than 4.4 megabytes, was more than it appeared, according to a forensic analysis that Mr. Bezos commissioned and paid for to discover who had hacked his iPhone X. Hidden in that file was a separate bit of code that most likely implanted malware that gave attackers access to Mr. Bezos’ entire phone, including his photos and private communications.

It’s not known whether Bezos opened the file; some malware can run without any user interaction.

The United Nations yesterday said the malware used points to Saudi Arabia.

The forensic analysis assessed that the intrusion likely was undertaken through the use of a prominent spyware product identified in other Saudi surveillance cases, such as the NSO Group’s Pegasus-3 malware, a product widely reported to have been purchased and deployed by Saudi officials. This would be consistent with other information. For instance, the use of WhatsApp as a platform to enable installation of Pegasus onto devices has been well-documented and is the subject of a lawsuit by Facebook/WhatsApp against NSO Group.

That lawsuit alleged that NSO facilitated spying on more than 1,000 WhatsApp users.

The Saudi government denies any involvement, but the UN says there is sufficient evidence to begin a criminal investigation.

The information we have received suggests the possible involvement of the crown prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, the Washington Post’s reporting on Saudi Arabia. The allegations reinforce other reporting pointing to a pattern of targeted surveillance of perceived opponents and those of broader strategic importance to the Saudi authorities, including nationals and non-nationals. These allegations are relevant as well to ongoing evaluation of claims about the Crown Prince’s involvement in the 2018 murder of Saudi and Washington Post journalist Jamal Khashoggi.

The alleged hacking of Mr. Bezos’s phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct, and personal involvement of the Crown Prince in efforts to target perceived opponents.


About the Author

Ben Lovejoy's favorite gear