Meta says NSO Group targeted WhatsApp users despite US court order

Meta says WhatsApp caught and disrupted NSO Group spear phishing attempts aimed at WhatsApp users, even after a US court order forbade NSO from targeting accounts. In a post, Meta said WhatsApp “caught and disrupted spear phishing attempts” by NSO Group. Meta also said WhatsApp saw NSO Group create “test accounts and groups” on WhatsApp.

The details matter because Meta frames this as active evasion. A spokesperson said the targets were a “handful of users in Jordan and Lebanon,” and that NSO was using malicious links to try to access WhatsApp accounts. In other words, the dispute is not abstract compliance theater. It is a live attempt to get through the front door after the court said, essentially, do not knock.

To understand why this is such a big deal for executives, you have to zoom out to how surveillance spyware campaigns usually work. These programs do not just “hack” in a single moment. They probe, test, and iterate. The use of “test accounts and groups” described by Meta looks like exactly that kind of iteration. If you are an operator building access pathways, you want to learn what works on the platform before you aim at real targets. Meta’s claim suggests NSO was not only sending spear phishing, but also running on-platform experiments.

Now add the regulatory layer. A US court order forbidding NSO from targeting accounts is the kind of constraint that is supposed to change behavior, not just create paperwork. When a company like Meta says it caught the attempts “in defiance of” that order, it turns the question from “are controls in place?” into “are enforcement and deterrence working fast enough?” For boards and compliance leaders, that is the hard part. Court orders can be slow. Attack cycles can be fast.

There is also a platform defense angle that executives cannot ignore. Meta is telling the story as incident response and threat disruption: WhatsApp did not sit still while malicious links circulated. Meta says WhatsApp “caught and disrupted” the spear phishing attempts. That phrasing signals more than detection. It implies the platform prevented the harmful access from landing successfully with at least some targets.

But the existence of test accounts and groups raises a second-order question: what happens before the “handful of users” stage? Meta’s spokesperson statement indicates a limited set of users in Jordan and Lebanon, but the broader pattern is a known problem in spyware markets. Even when campaigns appear narrow, they can still reveal tooling, infrastructure, and operator techniques. Each caught attempt can help a platform refine protections, but it also publicly confirms that the operator is still searching for openings.

For decision-makers at other messaging platforms, this becomes a governance problem, not only a security problem. If an operator can probe after a federal ban, then security teams need to plan for adversaries who treat restrictions as a hurdle, not a stop sign. Meanwhile legal and policy teams need to think about what “compliance” means in practice. A court order can forbid targeting, but it does not automatically eliminate experimentation, link delivery attempts, or other surrounding behavior that may fall in the gray zone of what gets argued in court.

There is also reputational and investor risk to consider. When Meta describes NSO Group’s actions as continuing to target WhatsApp users despite an order, it places Meta in the center of a high-visibility clash between spyware developers and major consumer platforms. That dynamic can pressure boards to weigh additional investment in platform defenses, monitoring, and legal enforcement. It also influences how regulators elsewhere might interpret the case: if actions continue, governments can conclude that spyware vendors need tighter constraints, faster reporting obligations, or more aggressive enforcement.

The strategic stake is simple: when spyware firms can resume attempts after a court order, the rest of the industry should assume the same playbook will show up elsewhere. For executives, the right question is not only whether WhatsApp caught these attempts. It is what it means for the next campaign cycle, how quickly platforms can adapt, and how effectively regulators can translate court orders into real-world disruption.