NSO Group Is Back to Targeting WhatsApp Users Eight Months After a Court Ban
Key Takeaways
- WhatsApp disrupted a new NSO-linked spear-phishing campaign in June 2026, with attackers tricking users into clicking malicious links leading to sites outside the platform.
- The campaign directly violates the November 2025 permanent injunction from a US federal court barring NSO from targeting WhatsApp and its users, and Meta has now filed for a contempt order.
- A jury awarded $167 million in damages against NSO in May 2025, with punitive damages later reduced and a final judgment of $4,447,190 entered on November 12, 2025.
- NSO's CEO confirmed in court that the company actively searches for access vectors beyond WhatsApp, targeting browsers, operating systems, and other applications.
- NSO sells exclusively to government intelligence and law enforcement clients and remains on the US Commerce Department's Entity List as a threat to national security.
A Court Said “Never Again,” While NSO Heard Something Else
The 2019 attack was the opening chapter. NSO Group's infrastructure targeted more than 1,400 WhatsApp users in a mass-hacking campaign, and WhatsApp sued. A jury entered a verdict in May 2025 awarding $167 million in damages, which were later remitted, with a final judgment of $4,447,190 entered on November 12, 2025. The court was explicit: NSO violated federal and state laws against hacking.
On October 17, 2025, the court also granted a permanent injunction. NSO was barred from targeting WhatsApp and its users ever again. That injunction has been in force for less than eight months.
Well, this week WhatsApp announced it had caught and disrupted a fresh NSO-linked spear-phishing campaign, discovered after users reported suspicious activity. Attackers tried to trick people into clicking malicious links redirecting them outside the platform, mirroring a phishing pattern previously documented in Jordan in 2024. NSO also created test accounts and groups on WhatsApp, which were taken down. Meta is now asking the court to hold NSO in contempt. NSO did not respond to press requests for comment.
The "Private Company" That Only Sells to Governments
NSO Group markets itself as a private technology company. That is technically accurate, but in every meaningful operational sense it is closer to a contracted intelligence capability: it sells exclusively to government intelligence agencies and law enforcement bodies, has never had a civilian client on record, and its product, Pegasus, is designed specifically for state-level surveillance operations.
For example, NSO's Pegasus was used to surveil figures connected to the Catalan independence movement in Spain, with Barcelona courts reopening the investigation this year after finding forensic evidence pointing toward Spain's own intelligence service. Nobody has officially confirmed which government ordered any particular Pegasus deployment. But the pattern is consistent enough that the inference requires no real effort.
NSO's own CEO confirmed as much under oath. In trial testimony, he acknowledged that the company actively looks for access vectors beyond WhatsApp, including browsers, operating systems, and other applications. The US government placed NSO on the Commerce Department's Entity List in 2021 for actions contrary to US national security, a designation that remains in force. In October 2025, a group of US investors acquired NSO with the stated goal of cleaning up the company's reputation and lobbying for removal from that list.
Meanwhile, this particular attack was not claimed by any government client. Nobody will claim it. That is how the arrangement works. The same structural opacity that lets a tech company based in Israel operate surveillance infrastructure on behalf of sovereign states also lets individual attacks remain officially unattributed, regardless of how narrow the list of plausible actors actually is.
What a Contempt Order Means When Courts Are the Only Check
A contempt filing is the appropriate legal response to what WhatsApp documented, and it is also genuinely the only tool left, because the alternatives are not promising. NSO has operated across multiple legal jurisdictions, survived blacklisting by the world's largest economy, appealed a landmark judgment, and continued developing new spyware capabilities through all of it.
The contempt order puts the question of accountability back before a US federal judge, who now has to decide what consequences attach to violating a permanent injunction. The court has that power. Whether that power has any meaningful reach over an Israeli company whose primary clients are sovereign governments is a different question.
The broader surveillance-for-hire industry that NSO represents has been documented targeting journalists, dissidents, and human rights workers across dozens of countries, with the kind of regularity that reflects institutional demand, not rogue deployment.
Twelve civil society organizations filed amicus briefs this year supporting WhatsApp's permanent injunction. Meta has committed funding to the Spyware Accountability Initiative. All of that is meaningful, and none of it changes the basic dynamic. The people buying spyware are governments, and governments are not answerable to the same courts that just held NSO in contempt.
I think the contempt filing is the right move and a genuine test of what US courts can actually enforce against a company operating in this space. And yet the harder question is not whether a judge holds NSO accountable but whether anyone holds the clients accountable, and right now that part of the answer is almost completely empty.

Dominykas is a technical writer with a mission to bring you information that will help you in keeping your digital privacy and security protected at all times. If there's knowledge that can help keep you safe online, Dominykas will be there to cover it.
