Cybersecurity · Wednesday, 10 June 2026
01 · Briefing · what happened
A spyware firm a court told to stop went after WhatsApp users anyway
NSO Group is accused of breaking a permanent US court order to target WhatsApp users — a sign of how little a legal ban deters a company when the prize is bigger than the penalty. Plus Microsoft's record 206-flaw patch day, and Signal's warning about UK device-scanning.
Key takeaways
- A spyware firm under a permanent US court ban targeted WhatsApp users anyway — a sign that a legal penalty only deters when it costs more than the prize the rule is blocking.
- Microsoft's record 206-flaw patch day is good news and bad news: more holes are being found and closed, but more are shipping, and every fix is a race against attackers who exploit the gap before you install it.
- Turn on automatic updates and don't click links sent out of the blue — the two dull habits that stop most of what reaches an ordinary person.
A court said stop. The spyware firm didn’t.
Meta said on Monday that NSO Group — the maker of the Pegasus spyware — tried to break into WhatsApp accounts again, in defiance of a court order that permanently bars it from doing exactly that.
The back-story matters. Pegasus is zero-click spyware: it can take over a phone without the owner tapping anything, harvesting messages, photos and calls.
This week’s attempts, Meta says, broke that injunction outright. The method was simpler than the old Pegasus break-in — links sent to trick people into clicking through to malicious sites, the kind of one-click phishing NSO has used before.
What stands out isn’t the technique. It’s the defiance. “It’s an astonishing signal of hubris that NSO would do this while permanently enjoined from not doing it,” said John Scott-Railton of Citizen Lab, a group that tracks digital threats to civil society.
There’s a reason it might believe that. NSO sits on the US Commerce Department’s “Entity List” — a trade blacklist that bars it from buying from American companies — placed there in 2021 after the Biden administration found it had acted against US national-security interests.
The ordinary-person angle: Most people are not Pegasus targets — this tool is aimed at high-value individuals, not the public. But the lesson is general. WhatsApp’s defence held because end-to-end encryption means even Meta can’t read your messages — so a stranger has to trick you into clicking a link to get in. Don’t tap links sent out of the blue, even from a known contact, if anything about the message feels off.
Microsoft’s biggest patch day ever — and what that number really says
On the same day, Microsoft shipped fixes for 206 separate security flaws — its largest single monthly batch on record.
Adobe patched 123 of its own the same day; SAP patched several critical ones.
The concern is the trend, not the diligence. A record patch day is good — the holes are getting found and closed. But it also means more holes are shipping in the first place, and every patch is a job that lands on someone else: the IT staff who now have 206 fixes to test and deploy before attackers reach the unpatched machines. The danger of a known flaw isn’t the flaw — it’s the gap between “fix released” and “fix installed everywhere.” Attackers live in that gap. One was exploited this week: a flaw in Check Point’s VPN software was used in Qilin ransomware attacks before many had patched.
The angle: For an ordinary person this is the boring habit that matters most — turn on automatic updates on your phone, laptop and apps, and don’t sit on the “restart to update” prompt for days. A patch you haven’t installed protects no one.
Signal warns: scanning every phone to catch a few
The under-covered piece is a fight over what “safety” costs. The UK Prime Minister said on Monday that the government wants to compel tech companies to scan phones for nude images of children.
Signal’s argument is about what a tool becomes, not what it’s for. To scan for one kind of image, you build a system that can inspect everything on everyone’s device. “Once created, they will be expanded,” Signal said — a scanner built to find one thing can later be aimed at any “harmful content” a future government names.
02 · Lesson · why it matters
Why a court can ban something and it keeps happening
A penalty is a price, and a price only stops you if it's higher than what you're buying — which is why a rule on paper can fail in the open.
The puzzle hiding in plain sight
A US court issued a permanent order: NSO Group must never again target WhatsApp users. Not a fine to pay and move on — a standing ban [22]. This week, Meta says, NSO did it anyway [34].
The instinct is to call this lawless, or arrogant. A researcher who tracks the company called it “hubris” [22]. That’s a fair read of the character. But it doesn’t explain the behavior, and explaining the behavior is the point. Plenty of companies under court orders obey them. Why didn’t this one?
The answer isn’t about morals. It’s about arithmetic.
A penalty is just a price
Here is the uncomfortable thing about rules: to the person deciding whether to break one, a penalty is not a wall. It’s a price tag.
The court fined NSO $167m, then cut it to $4m, and added the ban [22]. To you or me, $4m and a federal injunction sound like the end of the world. But put it next to what’s on the other side of the scale. NSO is trying to get off a US trade blacklist and into the American market — a market worth far more than $4m [22]. It hired a lobbying firm close to the president to do it [22].
Now the decision looks different. The cost of breaking the order is some risk of a contempt finding. The prize is staying in the spyware business and winning a foothold in the biggest market there is. When the prize is bigger than the price, the rule doesn’t decide the behavior — the arithmetic does. The ban was real. It just wasn’t expensive enough to matter.
This is why “but it’s illegal” so often fails to predict what happens. Illegal sets a price. It doesn’t set an outcome.
Deterrence has three dials, not one
We tend to imagine a rule works by being severe. Make the punishment harsh enough and people stop. But severity is only one of three things that decide whether a penalty actually deters, and it’s usually the weakest.
The first is how likely you are to be caught. A $4m penalty you’ll never face is worth $0. NSO’s bet, the researcher suggested, may simply be that it wouldn’t get caught — and the attempts were small, a handful of users in two countries, the kind of thing that might slip by [22][34].
The second is whether the penalty actually lands on you. NSO seems to believe it has “a special way to not face the consequences,” in the researcher’s words — a path through lobbying and US politics that blunts the order [22]. A consequence you can route around isn’t a consequence.
The third is severity — the part everyone fixates on. But severity times a tiny chance of being caught, divided by your ability to dodge it, can round to nothing. That’s the math NSO appears to have run.
When a rule fails in the open like this, the problem is rarely that the punishment was too soft. It’s that one of the other two dials — getting caught, or making the penalty stick — was set near zero.
The thing that did work was not the law
Notice what actually stopped the attack. Not the court order — that was being violated. WhatsApp’s encryption stopped it.
Because messages are end-to-end encrypted, even Meta can’t read them, and neither can an intruder who hasn’t taken over your phone [22]. So NSO couldn’t quietly siphon data; it had to send people links and try to trick them into clicking [34]. That’s a much louder, more detectable method — which is exactly how WhatsApp caught it and could publish the malicious domains for others to check [34].
This is the quiet lesson under the loud one. A rule deters by raising the price of acting. A good system makes the act hard to do at all — and then makes it easy to spot when someone tries. The injunction was a price NSO was willing to pay. The encryption was a wall it had to climb in full view. Walls and tripwires beat fines, because they don’t depend on anyone choosing to obey.
Why this reaches you, sitting where you are
You will probably never be a Pegasus target. This tool is aimed at journalists, diplomats, dissidents — not the public [34]. It would be easy to read this as someone else’s problem.
But look at how much of your own safety rests on exactly this arithmetic, decided by people you’ll never meet. The reason your bank doesn’t sell your transaction history, the reason an app maker patches a flaw instead of shipping it and shrugging, the reason a data broker stays inside the lines — none of it is mainly because they’re good. It’s because, for them, the price of crossing the line is set higher than the prize. You are protected by thousands of these invisible price tags, and you set none of them.
So when a court bans something and it keeps happening, that’s not a freak event off in the distance. It’s a reading on a gauge that governs your life too — a sign that for one actor, on one rule, the price slipped below the prize. The activists in Jordan and Lebanon are the visible edge of a web you’re standing inside [22]. The same machinery that priced their safety too cheap is the machinery pricing yours.
That should make us a little humbler about “there ought to be a law.” There is one, here. The harder question — the one that actually decides whether you’re safe — isn’t whether the rule exists. It’s whether anyone made it cost more than it’s worth to break. And almost none of us can see, from where we sit, whether they did.
03 · Lab · your turn
Set the Deterrent
Rehearse how a penalty only stops a rule-breaker when its expected cost — severity times the chance of getting caught times how much actually sticks — outweighs the prize.