WhatsApp has accused the Israeli spyware company Paragon Solutions of orchestrating a targeted hacking campaign aimed at nearly 100 journalists and civil society members, as reported by The Guardian. The platform alleges that these attacks were carried out using a highly sophisticated spyware known as Graphite. What sets Graphite apart is its capability to infiltrate users' devices without any interaction from the victim, a technique referred to as a zero-click attack. This method allows hackers to gain access to a device silently and without any noticeable signs of intrusion, making it especially difficult to detect.
According to WhatsApp, the company is highly confident that around 90 individuals, including journalists, activists, and members of civil society, were specifically targeted in this attack. Although the exact locations of these users were not disclosed, WhatsApp confirmed that it had promptly notified those affected by the breach, cautioning them about the potential compromise of their devices. As part of its response, WhatsApp also sent a cease and desist letter to Paragon Solutions, signaling its intention to take legal action and hold the company accountable for its alleged role in the campaign. The messaging platform made it clear that it was determined to pursue all possible legal avenues to ensure justice and prevent future attacks.
Paragon Solutions, with an office in Virginia, USA, has been known for its involvement in the spyware industry. The company is most recognized for its Graphite spyware, a tool that has drawn comparisons to the infamous Pegasus software developed by the NSO Group, another Israeli-based spyware company. Graphite, once deployed on a device, grants its operators complete access to the device, including the ability to monitor and read encrypted communications sent through messaging apps like WhatsApp and Signal. This highlights just how invasive and damaging the spyware can be, offering hackers the power to bypass encryption and access private information without the victim’s knowledge.
The identity of the attackers behind the campaign remains unclear. Paragon Solutions, like other firms in the spyware industry, markets its products to government clients, though WhatsApp emphasized that it could not definitively determine who specifically ordered the attacks. A person close to Paragon Solutions claimed that the company serves 35 government customers, all of which are reportedly democratic nations. The source further added that Paragon is selective about its clients, deliberately avoiding business with countries that have been previously accused of misusing spyware for surveillance or political oppression, including nations such as Greece, Poland, Hungary, Mexico, and India. This claim attempts to present Paragon as a more responsible player within the spyware industry, although WhatsApp’s allegations now cast doubt on this reputation.
This incident is part of a larger, growing wave of scrutiny surrounding the commercial spyware industry, which has come under increasing criticism for its role in facilitating widespread surveillance and privacy breaches. Natalia Krapiva, a senior tech legal counsel at the organization Access Now, commented that while Paragon Solutions had previously been seen as a more ethical spyware company with fewer reports of abuse, WhatsApp’s revelation challenges that perception. She emphasized that this is not a case of a few rogue actors within the industry, but rather part of a systemic issue in the commercial spyware business. "This is not just a question of some bad apples — these types of abuses are a feature of the commercial spyware industry," Krapiva noted, highlighting the broader implications of this case for the industry as a whole.
WhatsApp’s allegations follow its previous legal victory against NSO Group, another major player in the spyware market. In December 2024, a California judge ruled that NSO Group was liable for hacking 1,400 WhatsApp users in 2019. The ruling determined that NSO had violated US hacking laws and WhatsApp’s terms of service, marking a significant legal defeat for the spyware company. As a result of its involvement in these illegal activities, NSO Group was placed on a US Commerce Department blacklist in 2021, effectively barring the company from doing business with US firms and limiting its access to key technology.
WhatsApp has not yet revealed the full scope of the attack or how long the targeted individuals may have been vulnerable to the spyware. However, the company confirmed that it had disrupted the alleged attacks in December 2024, suggesting that the damage may have been contained before it could reach a larger number of users. WhatsApp has expressed its commitment to supporting the affected individuals and is focusing on fortifying its defenses to prevent similar breaches in the future. As the case develops, it will likely serve as a catalyst for more rigorous regulatory oversight of the commercial spyware industry, especially in light of the ongoing concerns about privacy violations and the misuse of surveillance tools by both state and private entities.
This situation further underscores the need for stricter global regulations and accountability in the spyware industry, particularly as these tools become more advanced and are increasingly used to target vulnerable populations, such as journalists, human rights activists, and members of civil society. With tech companies like WhatsApp leading the charge against these types of abuses, the broader tech community is likely to face mounting pressure to prioritize user privacy and safety, while also holding spyware vendors and government clients to account.
