It started with a tub of protein powder. Omar Abdulaziz ordered one on Amazon in late June and was waiting for it to arrive at his Sherbrooke, Que., apartment. Abdulaziz didn't think much of it when he received a text message later that day from DHL with a link to a tracking number, stating his package was on its way.

In what has become a scarily effective hacking technique, the text message — and the link it contained — was not what it claimed to be. Abdulaziz believes he clicked the link, which would have let spyware burrow its way into his iPhone. There, it could copy his contacts and messages and even eavesdrop on calls. Its operators would have total control.

But unlike the phishing attacks that ultimately helped Russian operatives disrupt the 2016 U.S. presidential election, the attack on Abdulaziz's phone was deeply personal.

In a new report, researchers at the University of Toronto's Citizen Lab say that it was very likely conducted by the government of Abdulaziz's home country, Saudi Arabia.

Abdulaziz arrived in Canada from Saudi Arabia in 2009 to study English at McGill University. But as he grew increasingly critical of his government's repressive tactics and human rights record — and drew a sizeable following for his activism on YouTube and Twitter — his scholarship was revoked in 2013.

He was granted political asylum, became a Canadian permanent resident the following year and now attends Bishop's University in Sherbrooke, Que., where he lives with four other Saudi expats, whom he has warned not to return home.

Abdulaziz has built a large following on social media. Given his global audience, he believes the Saudis wanted to find a way to intimidate him into silence. (Anand Ramakrishnan/CBC News)

There's good reason for his concern. Abdulaziz said his two brothers, along with several of his friends, were recently imprisoned by the Saudi Arabian government. He has been unable to speak to his mother in months. Like the spyware that infected his phone, he sees the arrests as an attempt to intimidate him — to silence his continued protests against the Saudi Arabian government and his recent criticism of the regime's handling of a Canadian diplomatic feud.

In spite of all this, Abdulaziz not only wants to speak about his experience — a rarity among those infected with spyware — but believes it's the best thing he can do to force his country to change.

"So many people are scared. They're scared to talk about what's happened to them. Maybe they experienced something even worse than me. But someone has to say no," said a sombre Abdulaziz, standing on the balcony of his modest student apartment, which overlooks train tracks and trees and the Saint-François River.

"Someone has to [stand] against this. And I do believe that things are going to be changed soon."

Reckless and illegal

The diplomatic relationship between the governments of Canada and Saudi Arabia has been fraught since early August, when Canada's foreign affairs ministry called for the release of all "peaceful human rights activists" who had been jailed. The tweets prompted a swift rebuke from Saudi Arabia's foreign ministry, which suggested that Canada not meddle in the country's affairs.

Abdulaziz couldn't help but speak out. But by then, his phone had already been infected with spyware, and he believes the government of Saudi Arabia used its view into the minutiae of his life to retaliate against him.

"I had no secrets. I'm not hiding anything," he said. "Because I'm [in Canada], I know that I'm protected. I'm not scared. So I would just keep doing what I'm doing."

The fake text message that Abdulaziz received was crafted to look like a legitimate DHL delivery message. (Anand Ramakrishnan/CBC News)

Abdulaziz has built a large following on social media. His YouTube videos and livestreams routinely garner tens of thousands of viewers, and hundreds of thousands follow him on Twitter. Every few minutes, a new Snapchat message comes in. Given his global audience, he believes the Saudis wanted to find a way to intimidate him into silence.

"They think, 'No, let's try it this time to harm him. Let's try to stop him from doing that. Let's go to his family, to his friends,'" Abdulaziz said.

He is worried about what will happen to his roommates and to his friends — both in Canada and abroad — and to people who contacted him on his phone for reasons that had nothing to do with politics. All of them may now be implicated by the spyware that was present on his phone. And he wonders, if the government is willing to reach across borders to spy on him, how might they escalate their attacks?

"It's about how far they can go. What are they capable of doing?" he said. "So now, maybe they're using just hacking stuff to get to my phone. Tomorrow maybe they're going to harm me physically."

Researchers from the University of Toronto's Citizen Lab discovered and analyzed the infection over the summer months, and detailed their findings in a report released Monday. They cannot say with certainty it was Saudi Arabia that installed the spyware, short of being in the room with the operators when they launched their attack. Nor can they draw a definitive link between Abdulaziz's surveillance and the detention of his friends and family back home.

Ron Deibert, Citizen Lab's longtime director, said 'there's a reckless nature' to the type of digital targeting that Abdulaziz experienced. (Riley Stewart/Citizen Lab)

But based on similarities to past attacks on Saudi-linked individuals by the same operator that infected Abdulaziz's phone, they have a high degree of confidence that the Saudi Arabian government or its security agencies were likely behind the attack.

Ron Deibert, Citizen Lab's longtime director, said "there's a reckless nature to this type of targeting." He said it's unlikely the Canadian government gave permission for a foreign state to conduct a spying operation of this kind against one of its own, which would likely be illegal.

Global Affairs spokesperson Adam Austen said the ministry is reviewing the report but takes "any such allegations very seriously" and is "firmly committed to freedom of expression, including online." Public Safety has yet to respond to a request for comment.

"It goes to show how much money the [Saudi Arabian] government is willing to expend on somebody who is effectively a nuisance, because of what they're expressing freely over social media," said Deibert. "This is likely going to amplify the dispute between Canada and Saudi Arabia, no doubt."

Following breadcrumbs

Citizen Lab stumbled upon Abdulaziz's case while conducting a larger investigation into government spyware campaigns worldwide. They had set out to identify countries where spyware known as Pegasus, sold by an Israeli vendor called NSO Group, had been used. The company says it only sells its spyware to governments, for use in serious criminal and national security investigations.

But Citizen Lab has found numerous cases of abuse over the past six years where Pegasus and software like it is used against human rights activists, dissidents, journalists and political opponents.

Citizen Lab first identified NSO Group's Pegasus spyware in 2016, when a prominent human rights activist was targeted by an operator thought to be the United Arab Emirates government. (Anand Ramakrishnan/CBC News)

"The difference between Pegasus and the average piece of malicious software that a criminal would use in terms of features and functionality is nothing," said Mike Murray, vice-president of security intelligence for San Francisco-based Lookout Security, a cybersecurity company that has also examined NSO's Pegasus spyware in the past.

Where Pegasus differs is how it infects its targets, and how much that privilege costs. What makes Pegasus so hard to detect is that it exploits software flaws unknown to Google or Apple, meaning that even the latest security updates can't stop it. That advantage allows NSO Group to command tens of thousands of dollars from government clients for each person they intend to target, Murray said.

In practice, it means that governments reserve the use of Pegasus for only their most serious threats — but there has been little in the way of oversight or regulation to prevent abuse.

"In my opinion, this market is out of control, and I think it's in Canada's interests and other governments' interest to do something about this market right now," Deibert said. "We should be devoting more resources to promoting norms of mutual restraint."

In a report released last month, Citizen Lab researchers used internet scanning techniques to identify 45 countries where NSO's spyware was active — including, curiously, an infected device in Quebec. In a feat of digital detective work, researchers at the Citizen Lab attempted to identify the target — later revealed to be Abdulaziz — based on the distinctive pattern of digital breadcrumbs the infected device left behind when contacting the spyware operators abroad.

The researchers noticed the infected device spent most of the day connected to one of Quebec's consumer internet service providers, Vidéotron. But there was often a period of about three hours on evenings in which the device switched to a network they traced to Bishop's University in Sherbrooke.

The device only took about 20 minutes to switch between the networks, leading the researchers to believe it belonged to someone — a student, perhaps — who lived nearby. And it was communicating with servers that this particular Pegasus spyware operator had used to infect other Saudi-linked targets in the past.

It was this tub of protein powder, which Abdulaziz ordered on Amazon, that led to the revelation that he had been hacked. (Anand Ramakrishnan/CBC News)

They guessed their target fit a similar profile — someone of interest to the Saudi Arabian government — and after reaching out to members of the Saudi-Canadian community in Quebec, it quickly became apparent that there was only one person in Sherbrooke who fit the bill: Omar Abdulaziz.

'I recognize how weak they are'

When Citizen Lab first contacted Abdulaziz with its findings, he wasn't surprised he had been targeted — though he was skeptical at first that the researchers could be trusted. "Suddenly someone is contacting you and telling you that your phone might be infected or might be hacked. 'OK, sorry, [I] just to have to ask some questions,'" he recalled with a laugh.

His incredulity is understandable. Bill Marczak, a Citizen Lab researcher based in San Francisco, asked Abdulaziz what he did from 5 p.m. to 8 p.m. every day. That was typically when Abdulaziz went to the gym on campus to work out — and why he bought the protein powder in the first place. On two days, Citizen Lab found a perfect match between Abdulaziz's movements between the gym and home, and the distinctive pings of the Pegasus infection it spotted in Quebec.

To be sure, Marczak flew to Sherbrooke and examined Abdulaziz's phone. There, Marczak found the fake package notification from DHL. There was little likelihood Abdulaziz was not the target. Who else would have a high-enough profile to justify the cost of Pegasus?

"As soon as we reached out to them, the check-ins stopped," Deibert said. "Which suggests to me that the operators knew that we had gotten in touch with them and the operation had been exposed."

Abdulaziz remains cut off from his family and friends, and is sorry that his political activism has adversely affected those he loves. But the attack on his phone has only driven him to devote even more energy to these activities than before, and exploring the possibility of legal action.

"Because when you stop, they're going to do more and more. So you have no choice," Abdulaziz said. "Because now I recognize how weak they are."