Meta-owned WhatsApp has announced it successfully disrupted a spyware campaign aimed at journalists and members of civil society across more than two dozen countries, including several in Europe.
The attack, which reportedly targeted around 90 individuals, involved spyware developed by Israeli company Paragon Solutions. The campaign was neutralised in December 2024.
In a statement to The Guardian, WhatsApp confirmed it had reached out to affected users, stating it had “high confidence” that they were targeted and “possibly compromised.” However, the company has not disclosed who was behind the campaign or how long it lasted.
Zero-Click Attack Method Suspected
The spyware attack is believed to have been a zero-click exploit, requiring no user interaction. It is suspected that attackers deployed a specially crafted PDF file sent to individuals added to group chats on WhatsApp.
WhatsApp confirmed it had notified the affected parties and provided them with guidance on safeguarding their communications.
“This is the latest example of why spyware companies must be held accountable for their unlawful actions,” a WhatsApp spokesperson told The Hacker News. “WhatsApp will continue to protect people’s ability to communicate privately.”
Legal Actions Against Paragon Solutions
In response to the incident, WhatsApp issued a “cease and desist” letter to Paragon Solutions and indicated it was exploring further legal options. This marks the first time Paragon has been publicly linked to cases involving misuse of its technology.
Paragon, like the notorious NSO Group, is known for developing surveillance software. Its flagship product, Graphite, is marketed to government clients for combating digital threats. The company was acquired by U.S.-based investment group AE Industrial Partners in December 2024 in a deal worth USD 500 million.
Despite its claims of offering “ethically based tools” to combat security threats, Paragon has faced scrutiny. In 2022, it was revealed that Graphite was used by the U.S. Drug Enforcement Administration (DEA) for counternarcotics operations. Last year, the Center for Democracy and Technology (CDT) urged the Department of Homeland Security to disclose details of its USD 2 million contract with the company.
Context & Legal Precedents
This disclosure by WhatsApp follows a significant legal victory against NSO Group in California. The court ruled in favour of WhatsApp in a landmark case over the use of Pegasus spyware, which was deployed to compromise 1,400 devices in May 2019.
Meta’s announcement also coincided with the arrest of former Polish Justice Minister Zbigniew Ziobro, who allegedly sanctioned the use of Pegasus spyware to surveil opposition leaders.
The incident underscores ongoing concerns about the misuse of surveillance technologies and highlights the need for strict accountability measures to protect digital rights and privacy.
