According to WhatsApp, the investigation uncovered campaigns designed to lure people into clicking malicious links, similar to phishing attacks previously attributed to NSO.
WhatsApp also released technical information to help users and cybersecurity researchers determine whether they were targeted in attempted attacks linked to NSO, including outside WhatsApp through text messages, email or other communication channels.
The company also said it would ask a U.S. federal court to impose sanctions on NSO for violating a permanent injunction issued last year that barred the company from acting against WhatsApp and its users. The move comes after the court found that NSO had violated U.S. federal and state laws banning unauthorized access to computer systems.
As part of its broader campaign against the spyware industry, WhatsApp also announced a donation to the Spyware Accountability Initiative (SAI), which brings together civil society organizations, cybersecurity researchers and digital rights groups working to detect, study and counter digital espionage attacks around the world.
One of the cyber world's most prominent legal battles
The confrontation between WhatsApp and NSO has been ongoing for nearly seven years. In 2019, WhatsApp disclosed that NSO's Pegasus spyware had exploited a vulnerability in the app's calling mechanism to install spyware on users' phones. According to the company, the attack targeted more than 1,000 people worldwide, including journalists, human rights activists, lawyers, diplomats and opposition figures.
2 View gallery
Meta says its WhatsApp investigation found campaigns aimed at luring users into clicking malicious links
(Photo: REUTERS/Carlos Barria)
Following the disclosure, WhatsApp filed a precedent-setting lawsuit against NSO in the United States. The company alleged that NSO had used WhatsApp servers to carry out cyberattacks and that its activity violated U.S. computer laws and the service's terms of use.
NSO has argued over the years that it develops technology sold only to government agencies and law enforcement bodies for use in combating terrorism and serious crime. It has said it does not operate the systems itself and does not choose surveillance targets.
The case gained another international dimension in 2021, when the U.S. Commerce Department added NSO to its Entity List. The administration said at the time that the company's tools had been used by foreign governments to conduct surveillance of journalists, human rights activists, academics and government officials in a manner contrary to U.S. interests.
That same year, a wide-ranging international investigation alleged that the software had been used against thousands of civilians, politicians and activists around the world. NSO rejected most of the claims, saying the methodology behind the investigation was flawed and that it does not operate the systems after selling them to government clients.
Pegasus also sparked a major public outcry in Israel after reports that police had used offensive cyber tools against civilians and senior officials without proper authorization. The affair led to review committees and a broad public debate over the limits of digital spyware, although some of the initial claims published at the start of the affair were not fully substantiated.
In late 2024, a U.S. federal court found NSO liable for violating U.S. computer laws and WhatsApp's terms of service in connection with the spyware attack. In 2025, a permanent injunction was issued barring the company from using WhatsApp services for its activity, and damages were later awarded against it as part of the legal proceedings.
WhatsApp is now asking the court to impose additional sanctions on NSO, alleging that the company continued to violate the order.