WhatsApp Cracks Down on NSO Group-Linked Phishing Campaigns, Removes Suspected Spying Accounts and Boosts Spyware Defense
- WhatsApp has disrupted a new spear-phishing campaign linked to NSO Group, a spyware vendor blacklisted by the U.S.
- The phishing attempts, described as “social engineering” efforts by Meta, involved methods similar to previously reported 1-click phishing campaigns tied to NSO’s Pegasus spyware.
- Meta’s announcement highlights ongoing tensions between WhatsApp and NSO Group, which has been accused of developing surveillance tools used to target journalists, activists, and government officials.
WhatsApp has disrupted a new spear-phishing campaign linked to NSO Group, a spyware vendor blacklisted by the U.S. government, according to a report from Help Net Security. The social media giant identified and removed test accounts and groups associated with the activity, which aimed to trick users into clicking malicious links designed to redirect them to external websites outside of WhatsApp. Meta, WhatsApp’s parent company, is seeking a contempt order against NSO Group for allegedly violating a court injunction that bars the firm from targeting WhatsApp users.
The phishing attempts, described as “social engineering” efforts by Meta, involved methods similar to previously reported 1-click phishing campaigns tied to NSO’s Pegasus spyware. While specific technical details about the campaign—such as its timeline, number of targeted users, or success rate—were not disclosed, Meta emphasized that the activity violates a permanent injunction secured by WhatsApp in 2025. The company shared threat indicators with users to help identify potential exposure through text messages, emails, or other communication channels.
NSO Group’s Persistent Threat and Legal Battles
Meta’s announcement highlights ongoing tensions between WhatsApp and NSO Group, which has been accused of developing surveillance tools used to target journalists, activists, and government officials. The latest campaign allegedly bypassed WhatsApp’s security measures by leveraging external websites, a tactic that circumvents the platform’s end-to-end encryption. “They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp,” Meta stated, echoing prior reports of NSO-linked attacks.

The dispute dates back to 2025, when WhatsApp secured a court ruling against NSO Group, prohibiting the firm from exploiting vulnerabilities in its messaging service. Despite this, Meta claims NSO continues to engage in “surveillance-for-hire” activities, prompting the company to renew its call for stricter enforcement of existing restrictions. “No technology is off-limits to surveillance-for-hire firms,” Meta wrote, criticizing the industry’s broad targeting of “journalists, government officials, military personnel, and humanitarian organizations.”
WhatsApp’s threat indicators, shared with users, include specific URLs and messaging patterns linked to the campaign. However, the company did not provide a public timeline for when the phishing attempts occurred or whether any user data was compromised. This lack of transparency has raised questions about the scale of the threat, though Meta’s focus remains on preemptive measures to block further attacks.
Cybersecurity Implications and Industry Response
The incident underscores the evolving tactics of state-sponsored spyware operators, who increasingly rely on social engineering to bypass technical defenses. NSO Group’s alleged use of phishing campaigns reflects a broader trend in cybersecurity, where attackers exploit human behavior rather than software vulnerabilities. This approach complicates detection, as users may unknowingly engage with malicious links embedded in seemingly legitimate messages.
Regulatory bodies and tech companies have faced growing pressure to address the proliferation of surveillance tools. The U.S. Department of Commerce added NSO Group to its Entity List in 2022, citing its role in enabling human rights abuses. However, enforcement of such restrictions remains challenging, particularly when adversaries operate in jurisdictions with weak cybersecurity laws. Meta’s legal actions against NSO Group signal a shift toward aggressive litigation as a deterrent against future attacks.
Cybersecurity experts have warned that the threat landscape will continue to evolve, with attackers likely to adopt more sophisticated methods. “The key challenge is balancing user privacy with proactive threat detection,” said a spokesperson for the cybersecurity firm CrowdStrike, which was not directly involved in the case. “Platforms like WhatsApp must continuously adapt their defenses while avoiding overreach that could undermine user trust.”
What Comes Next for WhatsApp and NSO Group?
Meta’s request for a contempt order against NSO Group could set a precedent for how courts handle violations of cybersecurity injunctions. If granted, the ruling may force NSO Group to disclose more information about its operations or face penalties. However, the firm has not publicly responded to the allegations, and its legal team has yet to comment on the matter.

For users, the incident serves as a reminder of the importance of vigilance when interacting with unsolicited messages. WhatsApp advises users to verify the authenticity of links and avoid sharing personal information through external websites. The company also encourages reporting suspicious activity through its in-app tools.
As the legal and technical battles between Meta and NSO Group continue, the outcome could influence broader efforts to regulate surveillance technologies. With governments and private entities increasingly reliant on digital communication, the fight to protect user data from malicious actors remains a critical priority. For now, WhatsApp’s actions highlight the ongoing arms race between cybersecurity defenders and state-sponsored threat actors.
“We successfully disrupted NSO-linked social engineering attempts after investigating user reports,” Meta stated. “They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported 1-click phishing campaigns linked to NSO.”
Meta, Help Net Security, June 8, 2026
