WhatsApp blocks Israeli spyware attack on users

WhatsApp says it has shut down a sophisticated spyware campaign that targeted users on its platform, attributing the attack to NSO Group, the Israeli firm behind the controversial Pegasus surveillance software.

The Meta-owned platform said it disrupted the hacking campaign by NSO, whose Pegasus spyware has been linked to the targeting of journalists, activists, government officials and humanitarian workers across dozens of countries.

WhatsApp said the disruption followed an internal investigation triggered by user reports.

It is now asking a US court to hold NSO in contempt of a permanent injunction secured last year that explicitly forbids the company from targeting WhatsApp and its users ever again.

The move marks a sharp escalation in a legal fight that began in 2019 and has become one of the most consequential cases in the global battle against commercial spyware.

What WhatsApp is saying 

WhatsApp said NSO operatives attempted to manipulate users into clicking malicious links designed to redirect them outside the platform, following a pattern consistent with previously documented Pegasus infection methods.

  • “They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp,” the company said, adding that it also caught NSO creating test accounts and groups on the platform, all of which were taken down.
  • The campaign closely resembled one-click phishing attacks linked to NSO that were documented in Jordan in 2024, where targets were infected with Pegasus after clicking on malicious links sent through messaging platforms.
  • WhatsApp is publishing threat indicators from the disrupted campaign so users can independently verify whether they were targeted across any platform, including email, SMS or other messaging services.
  • The company also warned that NSO’s own chief executive confirmed in court that the firm actively searches for new ways into target devices beyond WhatsApp, including through browsers, operating systems and other applications.

More insights

WhatsApp said the case has broader implications beyond its own platform, arguing that NSO’s continued defiance of a US court order poses a direct threat to national security and secure communications worldwide.

  • Twelve civil rights organisations, including security researchers, privacy advocates and digital rights groups, filed amicus briefs last month backing WhatsApp’s effort to defend the permanent injunction against NSO’s appeal.
  • WhatsApp announced it is making a significant contribution to the Spyware Accountability Initiative, a fund backing dozens of organisations focused on forensic research, user support and advocacy against commercial spyware.

WhatsApp first took NSO to court in 2019 after the firm exploited a platform vulnerability to deploy Pegasus against roughly 1,400 users, a list that included journalists, human rights defenders and senior government officials across multiple countries.

  • Last year’s verdict handed WhatsApp a permanent injunction barring NSO from ever targeting the platform again, with the court ruling that NSO had broken both federal and state laws prohibiting hacking.
  • NSO has long maintained that it sells Pegasus exclusively to vetted government clients for legitimate law enforcement and national security purposes, and that it bears no responsibility for how those clients use the technology.
  • WhatsApp urged all users to update their apps and devices regularly and to report any suspicious activity. It specifically recommended that users who believe they may be targets of sophisticated attacks enable strict account protection settings within the app to further secure their accounts.

What you should know

In April 2023, Nairametrics reported that technology expert Mr. Jide Awe raised concerns over WhatsApp’s multi-device feature, warning that it could expose users to increased cybersecurity risks, including hacking and phishing attacks.

Speaking with journalists, Awe said that while the feature enhances user experience, it also expands the potential attack surface for cybercriminals seeking unauthorized access to accounts and personal information.

According to him, linking multiple devices to a single account could provide hackers with more opportunities to compromise user accounts, particularly if adequate security measures are not followed.
