A New Phishing Campaign, Caught in the Act
WhatsApp says it disrupted a fresh hacking campaign tied to NSO Group, the spyware maker with a long and controversial trail of documented abuse across the globe. And this time, it's not just raising the alarm — it's accusing NSO of defying a court order that explicitly bars the company from targeting WhatsApp and its users.
The Meta-owned messaging app announced it "caught and disrupted spear phishing attempts linked to NSO" after an investigation triggered by user reports. The mechanics were straightforward but calculated: attackers tried to trick people into clicking on malicious links that redirected them to external websites outside WhatsApp. On top of that, NSO-linked actors created fraudulent test accounts and groups within the app — all of which WhatsApp says it identified and shut down.
NSO Group did not respond to requests for comment.
How the Attack Worked — and Why It Looks Familiar
The campaign WhatsApp uncovered isn't without precedent. The attacks closely mirror a phishing operation that surfaced in Jordan in 2024, where users were lured into clicking malicious links that ultimately delivered NSO's Pegasus spyware directly onto their devices.
Pegasus isn't your average piece of malware. It's the kind of tool that can silently compromise a phone, giving operators access to messages, calls, location data — essentially everything. And it's been deployed, according to a decade's worth of documentation from security researchers and journalists, against some of the most vulnerable people imaginable: journalists, dissidents, human rights workers, political opponents.
The Court Order NSO Is Accused of Violating
What makes this latest campaign particularly significant is the legal context it sits inside.
Last year, as part of a long-running lawsuit WhatsApp launched against NSO, a court issued a permanent injunction ordering NSO to stop targeting WhatsApp and its users. WhatsApp says this new phishing campaign is a direct violation of that injunction. As a result, it has filed for a contempt order against NSO — a serious escalation that signals WhatsApp isn't treating this as business as usual.
The lawsuit itself traces back to 2019, when NSO carried out a mass-hacking operation that compromised more than 1,400 WhatsApp users. After discovering the campaign, WhatsApp notified the victims and took NSO to court. A jury eventually ordered NSO to pay $167 million in damages — a number that was later reduced to $4 million.
The Bigger Picture: Years of Documented Abuse
This isn't a single incident. It's one chapter in a much longer story.
Over the past decade, tech companies, security researchers, and journalists have built up an overwhelming body of evidence showing how government clients wielded NSO's tools to go after people who posed no security threat — only a political or journalistic one. WhatsApp has been one of the most aggressive corporate actors in pushing back, doing everything from publicly exposing hacking campaigns and notifying affected users, to filing lawsuits and rolling out opt-in security features specifically designed to make devices harder to penetrate with powerful government-grade spyware like Pegasus.
The U.S. government has applied pressure too. NSO landed on the Commerce Department's trade blocklist, joining other spyware firms like Intellexa — whose founder faced direct sanctions — as entities the U.S. won't do business with.
NSO's American Ambitions, and the Blocklist That Won't Budge
Here's where things get complicated. Last year, a group of American investors acquired NSO Group with a clear goal in mind: clean up its reputation and make a play for the U.S. market. There were even lobbying efforts aimed at getting the U.S. government to lift its restrictions on the company.
But as of now, NSO remains on the Commerce Department blocklist. And with WhatsApp's contempt filing adding fresh legal pressure, that path to American legitimacy looks considerably rockier than the new owners might have hoped.