Meta’s New Clash With NSO Group Over WhatsApp Phishing
Meta’s contempt motion against NSO Group accuses the spyware vendor of breaching a permanent court order by mounting new phishing attacks against WhatsApp users. It also raises a broader question: whether existing cybersecurity enforcement tools can restrain surveillance-for-hire companies that operate across borders and rely on persistent technical and social-engineering tactics. Meta said it recently detected and blocked spear-phishing attempts linked to NSO Group that tried to trick people into clicking malicious links leading to external websites outside WhatsApp. The activity included the creation of test accounts and groups on WhatsApp, which Meta has since removed. Domains tied to the campaign include fr24cast[.]com, ghazacast[.]com, and ikhwancast[.]com. Meta’s filing, made on Monday in federal court, argues these actions violate a permanent injunction that barred NSO from targeting WhatsApp or its users after earlier Pegasus spyware abuses.

From Pegasus Ruling to Alleged Injunction Violations
The contempt motion comes on the heels of earlier courtroom defeats for NSO Group’s Pegasus operations. In a previous ruling, a U.S. court found that NSO had violated U.S. laws by exploiting WhatsApp servers to deploy Pegasus spyware against more than 1,400 individuals worldwide. That case produced monetary damages of approximately USD 168 million (approx. RM774,000,000), later reduced to USD 4 million (approx. RM18,400,000), alongside a permanent injunction forbidding NSO from targeting WhatsApp or its users. According to Meta, the new WhatsApp phishing attack closely mirrors earlier “1-click” campaigns, in which a single tap on a malicious link can expose a device without further interaction. By asking the judge to hold NSO in contempt, Meta argues that the spyware firm is defying both the spirit and the letter of that injunction and testing the limits of spyware court enforcement.

How NSO Group’s Pegasus Fits the Surveillance-for-Hire Model
NSO Group’s Pegasus spyware sits at the center of a surveillance-for-hire ecosystem that sells intrusion capabilities to government clients. Pegasus is not an ordinary hacking tool: once installed, it can read messages, activate the microphone and camera, and track a target’s movement around the clock, sometimes with no action needed from the victim. NSO says it supplies vetted authorities to fight crime and terrorism, but investigations by groups such as Amnesty International and Citizen Lab have linked Pegasus to the targeting of journalists, opposition politicians, lawyers, and human rights defenders. NSO has also been placed on a U.S. Commerce Department blocklist for activities described as “contrary to the national security or foreign policy interests of the United States.” The new Meta contempt motion suggests that, injunction or not, NSO continues to run offensive operations that threaten WhatsApp users globally.

Cybersecurity Enforcement Meets a Cross-Border Spyware Industry
Meta’s move highlights how difficult cybersecurity enforcement becomes when courts confront cross-border spyware companies. WhatsApp first sued NSO in 2019 after a single Pegasus campaign hit around 1,400 users, but Meta now says similar attacks have resumed despite the permanent order. For Meta, the stakes are tied to the credibility of WhatsApp’s end-to-end encryption and the privacy promises it makes to billions of users; repeated breaches by a commercial spyware vendor are both a security risk and a reputational threat. At the same time, the contempt motion shows the limits of traditional remedies such as injunctions, sanctions, and blacklists when firms can retool their infrastructure and operate through shifting domains and intermediaries. A coalition of civil rights, privacy, and security groups that backed the injunction has framed the case as a test of whether surveillance-for-hire outfits can be meaningfully constrained by existing legal frameworks.

What the Case Means for WhatsApp Users and Future Regulation
For individual users, the Meta contempt motion is also a reminder that the most effective attacks against encrypted platforms often target people, not the encryption itself. The latest WhatsApp phishing attack relied on deceptive links in messages, rather than breaking end-to-end encryption. Meta says WhatsApp’s encryption remains intact, but it urges users to keep apps updated, report suspicious messages, and enable stricter account settings such as two-step verification and privacy limits on profile details and link previews. On the regulatory front, the dispute highlights a gap between courtroom victories and real-world deterrence. NSO has been sued, sanctioned, blacklisted, and now faces a contempt request, yet Meta alleges the company continues operating surveillance-for-hire campaigns. Future policy debates are likely to focus on stronger export controls, coordinated sanctions, and clearer liability rules for commercial spyware vendors that ignore court orders.






