NSO Group, which builds tools for breaking into some of the world’s most popular electronic devices, is one of many cybersecurity contractors that insist that their weapons be used only to enforce laws, to stop criminals and terrorists. But on Tuesday, the human rights nonprofit Amnesty International announced that one of its staff members’ phones had nearly been hacked by the company’s spyware in Saudi Arabia alongside that of another activist—two more in a string of NSO-enabled attacks that have targeted an estimated 174 activists, journalists, lawyers, and others in abusive ways.

NSO, founded in 2010 by former Israeli intelligence officials, still sells only one product, Pegasus, a spyware package thought to be capable of penetrating most smartphones. Infiltration typically begins with a link sent to the target’s phone. It can be sent as a tweet, a taunting text message, or an innocuous email—any electronic message likely to convince the user to open the link. Once they do, the phone’s web browser connects to one of NSO Group’s many anonymous servers across the globe. From there, Pegasus determines the type of device, then installs the exploit remotely and surreptitiously.

In June, an unnamed Amnesty International staff member received a suspicious message in Arabic on WhatsApp. “The text contained details about an alleged protest outside the Saudi embassy in Washington, D.C., followed by a link to a website,” Amnesty International reported. Instead of clicking the link, the employee sent the message to investigators. “Investigations by Amnesty International’s technology team revealed that clicking the link would have, according to prior knowledge, installed ‘Pegasus’.”

In a separate attack, an unnamed target received an SMS text message about a mysterious court order, along with a URL, which investigators later linked to NSO. The nonprofit did not say if that attack was successful.

Toronto internet watchdog Citizen Lab issued a report last year about how the clandestine company helps governments hack the phones of activists and others. As John Scott-Railton, a senior researcher at Citizen Lab, told Fast Company at the time, “Anything you can do on the phone, Pegasus can do on your phone.” The software can turn on a target’s smartphone camera and watch anybody within the frame, or use the built-in microphone to listen in on conversations. Scott-Railton also explained that Pegasus can add and delete files and manipulate other types of phone data. (Since the report, Apple and Google have issued updates to defend against the spyware, but that doesn’t guarantee that every phone is protected.)

When contacted last fall by phone, an NSO Group employee at its office in Maryland refused to comment, saying, “We don’t talk to journalists.” While the firm apparently still isn’t talking to journalists, they did send a statement to Amnesty International with a familiar refrain, stating that their product “is intended to be used exclusively for the investigation and prevention of crime and terrorism,” adding that “any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company.”

Despite such assurances, NSO Group’s spyware suite, Pegasus, is regularly used by governments to surveil the mobile devices of journalists, human-rights activists, lawyers, investigators, and even scientists and public health campaigners, according to Citizen Lab. It’s been used in Mexico, Panama, and the United Arab Emirates for the purpose of spying on civilians. And the company has registered web domains in several countries with questionable civil rights records, including Uzbekistan, Bahrain, Kenya, Saudi Arabia, Nigeria, and others. Citizen Lab estimates 174 people have been “abusively targeted” with the software.