Decoding the world of cybersecurity

WhatsApp asks court to sanction NSO

Meta says WhatsApp disrupted NSO-linked spear-phishing attempts and is asking a US court to hold the spyware vendor in contempt of a permanent injunction.

WhatsApp asks court to sanction NSO
Summary
  • Meta says WhatsApp disrupted spear-phishing attempts linked to NSO Group and took down test accounts and groups.
  • WhatsApp is asking a court to hold NSO in contempt for allegedly violating a permanent injunction barring it from targeting WhatsApp users.
  • The case sits within wider European concerns over spyware accountability, platform security, mobile compromise risk, and protection of journalists, officials, and civil society.

Meta says WhatsApp has disrupted spear-phishing attempts linked to NSO Group and is asking a court to hold the spyware vendor in contempt for allegedly violating a permanent injunction that barred it from targeting WhatsApp and its users.

The company said on 8 June that WhatsApp caught and disrupted NSO-linked social engineering attempts after investigating user reports. According to Meta, the attackers tried to trick people into clicking malicious links that would send them to external websites outside WhatsApp, in a pattern similar to previously reported one-click phishing campaigns linked to NSO. Meta said it also caught NSO creating test accounts and groups on WhatsApp, which were taken down.

Meta has published threat indicators for the activity, including three malicious domains, so that potential targets can check whether they were approached across WhatsApp, text message, email, or other platforms. The company did not disclose how many users were targeted, whether any devices were successfully compromised, or where the targets were located.

The court action follows Meta and WhatsApp’s long-running case against NSO over spyware targeting of WhatsApp users. Meta says it previously secured a verdict and permanent injunction barring NSO from targeting WhatsApp and its users. It now claims the new activity violated that order.

The facts need careful separation. Meta’s disruption of accounts, publication of indicators, and court filing are confirmed by the company’s statement. The attribution to NSO and the alleged breach of the injunction are Meta’s claims and will be tested through the legal process. NSO’s response was not included in Meta’s statement.

Mercenary spyware has persisted despite litigation, sanctions, platform hardening, and public exposure. WhatsApp is not a niche communications service; it is part of personal, political, diplomatic, legal, journalistic, and business communications across Europe and the UK. A successful mobile spyware compromise can bypass encrypted messaging by compromising the endpoint itself, turning the device into the collection point rather than trying to break the encryption protocol.

Europe has already confronted the political consequences of spyware through Pegasus-related cases affecting journalists, opposition figures, civil society, and public officials. The Greek spyware case cited by Meta, along with broader European scrutiny of surveillance-for-hire firms, places mobile compromise inside accountability debates involving courts, regulators, procurement authorities, and governments.

Professional exposure can also begin outside enterprise controls. Legal teams, policy advisers, campaigners, board members, diplomats, security researchers, and journalists may hold sensitive communications or access to wider networks on personal devices and messaging channels. Spyware attacks often exploit that gap, starting with private contact before creating institutional risk.

Platform providers can harden products, notify targets, publish indicators, and pursue legal remedies, but they cannot independently regulate the global market for offensive surveillance tools. Meta’s position is that court orders and entity-list restrictions need to remain enforceable when spyware vendors continue to target major communications platforms.

Practical controls remain conservative: keep devices and apps updated, treat suspicious links as potential targeted lures, and enable stricter account settings where appropriate. Beyond individual hardening, the case points back to export controls, procurement scrutiny, sanctions, civil society support, and technical detection capacity. A permanent injunction can restrain conduct only if violations can be detected, evidenced, and sanctioned.

×