WhatsApp today filed a federal contempt of court order against NSO Group, the Israeli spyware firm blacklisted by the US government, after detecting fresh targeting attempts linked to the company despite a permanent injunction that already barred it from accessing the platform.

The move, announced June 8, 2026, follows a series of social engineering attempts that WhatsApp says it disrupted after investigating reports from users. The company is now asking the United States District Court for the Northern District of California to hold NSO in contempt of a court order handed down last year. For the advertising and marketing community, the development underscores how precarious platform communications infrastructure can be when state-sponsored surveillance tools remain in active operation.

The case has its roots in May 2019, when NSO Group exploited a vulnerability in WhatsApp's voice calling system to install its Pegasus spyware on approximately 1,400 mobile devices. Those devices belonged to journalists, human rights workers, government officials, and humanitarian organizations across multiple countries. WhatsApp filed its original lawsuit that October, eventually navigating the litigation all the way to the United States Supreme Court, which in January 2023 declined to hear NSO's appeal for immunity as a foreign government agent.

Court documents from December 2024 established that NSO's WhatsApp Installation Server - known internally as the WIS - transmitted messages through WhatsApp's California-based servers on 43 separate occasions during May 2019, each time deploying cipher files containing "installation vectors." These vectors extracted information directly from targeted devices without requiring any action by the user. NSO had also created a modified version of the WhatsApp application itself for this purpose.

A jury verdict on May 6, 2025 initially set damages at $167.3 million in punitive and $444,719 in compensatory damages. On October 18, 2025, US District Judge Phyllis Hamilton reduced the punitive damages substantially, capping them at a 9-to-1 ratio and bringing the total payment to approximately $4 million. She cited insufficient evidence that NSO's conduct met the threshold of "particularly egregious" behavior necessary to support the jury's original calculation. But on the same day, Hamilton also granted a permanent injunction.

What the permanent injunction required

The injunction barred NSO Group from ever targeting WhatsApp or its users again. According to WhatsApp, the order was "unequivocal" in its finding that NSO violated federal and California state laws against hacking. The court also required the company to delete and destroy any computer code related to Meta's platforms.

NSO had warned prior to the ruling that such an injunction would "put NSO's entire enterprise at risk" and potentially "force NSO out of business," since WhatsApp remained one of the primary delivery mechanisms for Pegasus across a range of target profiles. Judge Hamilton took note of those statements - and issued the injunction anyway.

New attacks: spear phishing and test accounts

The June 8, 2026 announcement from WhatsApp describes what happened after the injunction took effect. The company says it investigated user reports and identified what it characterizes as spear phishing attempts linked to NSO. These were not zero-click exploits of the type used in 2019. Instead, according to WhatsApp, they involved social engineering: attempts to trick users into clicking on malicious links that would redirect them to external websites outside the WhatsApp environment. The technique is similar to previously reported 1-click phishing campaigns linked to the company.

WhatsApp says it also caught NSO creating test accounts and groups on the platform, which were subsequently taken down. The company is now sharing what it calls "threat indicators" - three specific malicious domains used in the attempts:

  • hxxps://ikhwancast[.]com
  • hxxps://ghazacast[.]com
  • hxxps://fr24cast[.]com

The defanged notation, with hxxps in place of https and brackets around the dot before the top-level domain, is a standard security practice to prevent accidental navigation. WhatsApp says anyone can use these indicators to check whether they were targeted across any platform, including text messages, email, or other messaging services.
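One way to run that check over exported messages, as an added example that is not WhatsApp's tooling or part of its announcement: the script refangs the three published indicators, extracts hostnames from each message, and matches on the exact domain or any subdomain. The function names and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published above, still defanged.
PUBLISHED = [
    "hxxps://ikhwancast[.]com",
    "hxxps://ghazacast[.]com",
    "hxxps://fr24cast[.]com",
]

def refang(text):
    """Undo common defanging so the text parses as URLs. Parse only, never fetch."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def host_of(token):
    """Lower-cased hostname of a URL or bare host, ignoring userinfo and port."""
    if "://" not in token:
        token = "http://" + token
    try:
        return (urlsplit(token).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed netloc, e.g. stray brackets
        return ""

INDICATOR_HOSTS = {host_of(refang(i)) for i in PUBLISHED}

def matched_indicator(host):
    """Match the indicator itself or any subdomain of it, not lookalike strings."""
    for ind in INDICATOR_HOSTS:
        if host == ind or host.endswith("." + ind):
            return ind
    return None

def scan(messages):
    """Return (message_number, indicator) for every indicator found."""
    hits = []
    for n, msg in enumerate(messages, 1):
        for token in re.findall(r"[^\s<>\"'()]+", refang(msg)):
            token = token.strip(".,;:!?")
            ind = matched_indicator(host_of(token)) if "." in token else None
            if ind:
                hits.append((n, ind))
    return hits

# Constructed sample export (SMS, email and chat lines); not real traffic.
SAMPLE = [
    "Breaking: watch live hxxps://live.fr24cast[.]com/watch?id=1",
    "see https://fr24cast.com.example.org/x and notfr24cast.com",
    "Link: HTTPS://GhazaCast.com:443/a.",
    "Sign in: https://ikhwancast.com@login.example.net/",
]
```

Matching on the parsed hostname rather than a substring keeps lookalikes such as a longer parent domain or a userinfo trick from producing false hits, while still catching subdomains of the published indicators.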

What contempt proceedings mean technically

A contempt filing is a distinct legal mechanism from the underlying lawsuit. WhatsApp is not filing a new case. Instead, it is asking Judge Hamilton to find that NSO violated the terms of an existing court order. If the court agrees, it can impose civil or criminal sanctions, which may include fines or other remedies designed to compel compliance. The burden is on WhatsApp to demonstrate that NSO's conduct clearly violated the specific terms of the injunction.

The court found in December 2024 that NSO bore direct responsibility for how Pegasus operated - rejecting the company's argument that its government clients were the actual operators and that NSO itself was merely a vendor providing technical tools. That precedent matters here: if NSO continues to claim it cannot control how clients use its systems, the court has already established it does not accept that defense.

NSO's status on the US Entity List

NSO Group remains on the US Department of Commerce Entity List, where it was placed in November 2021. Designation on that list means US companies cannot supply NSO with technology, software, or components without government authorization. The designation was based on findings that NSO developed and supplied spyware to foreign governments, which used those tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.

According to WhatsApp, NSO's CEO confirmed in court that the company actively searches for what it calls "vectors, or ways to access the phone" beyond WhatsApp, targeting browsers, operating systems, and other applications. That testimony matters in the context of the contempt filing because it establishes NSO's intent to continue expanding its attack surface - not to wind down operations following the injunction.

WhatsApp's announcement makes the national security framing explicit. The platform argues that easing any existing restrictions on a company that defies US courts would "undermine US national security and put American companies and billions of people worldwide who depend on secure communications at risk."

The coalition building beyond the courtroom

Parallel to the contempt filing, WhatsApp today announced a financial contribution to the Spyware Accountability Initiative, referred to as SAI. The organization supports dozens of groups worldwide working on forensic research, user support, and advocacy related to spyware. WhatsApp says it is beginning to deliver on a promise made earlier to support digital rights organizations working to defend individuals against spyware attacks.

Last month, 12 civil rights organizations filed amicus briefs in support of WhatsApp's position opposing NSO's appeal against the permanent injunction. That coalition includes security researchers, privacy advocates, and digital rights experts. An amicus brief is a formal legal filing that allows organizations not directly party to a case to submit arguments for the court's consideration, typically when a ruling has broad public interest implications.

Citizen Lab, the interdisciplinary research laboratory based at the Munk School of Global Affairs at the University of Toronto, helped WhatsApp investigate the original 2019 attack and notify targeted individuals. Citizen Lab's research has driven legal and policy outcomes beyond this case: one zero-day vulnerability it discovered led Apple to issue a security patch for over a billion devices. In 2026, a Greek court issued the first criminal conviction of spyware company executives, a case that drew on forensic evidence and investigative reporting by civil society organizations.

Why this matters for marketing and digital communications

The NSO case has direct implications for platforms that billions of people use for both personal and commercial communication. WhatsApp has 3 billion users globally. For businesses and advertisers operating through WhatsApp's commercial infrastructure, platform integrity is a precondition for the entire ecosystem. Spyware that targets individual accounts can in principle be used to access business accounts, intercept customer communications, or extract commercially sensitive data.

As PPC Land has covered extensively, Meta has been simultaneously expanding WhatsApp's commercial footprint - launching Status advertising in Europe, introducing the WhatsApp Business Calling API in July 2025, and deploying Incognito Chat with Meta AI using Trusted Execution Environments. That commercial expansion is premised on user trust in the platform's security architecture.

The existence of NSO-linked targeting attempts - even if disrupted - is a reminder that technical security measures and legal protections are two separate layers. Default end-to-end encryption protects message content from interception in transit, but spyware installed directly on a device operates at the operating system level, below the encryption layer. A compromised device can expose messages before they are encrypted or after they are decrypted, regardless of what the messaging application itself does.

The court case also has implications for the broader surveillance-for-hire industry. NSO is not the only company providing commercial spyware to government clients. According to WhatsApp's announcement, the reported targets of such firms range from journalists to government officials, military personnel, and humanitarian organizations. No specific technology platform is off-limits, and the attacks adapt as platforms patch known vulnerabilities.

End-to-end encryption and its limits

WhatsApp notes that all personal messages and calls on the platform remain protected with default end-to-end encryption. The Signal Protocol, which WhatsApp has used since 2016, remains the baseline for its messaging infrastructure. The platform's architecture has been a point of contrast with Instagram, which ended support for encrypted direct messages after May 8, 2026, suggesting Meta has concentrated its messaging privacy infrastructure in WhatsApp specifically.

WhatsApp recommends that users who believe they may be targeted by sophisticated attacks enable what it calls "strict account settings," a configuration mode designed to harden the account beyond defaults. General recommendations include keeping apps and devices updated and reporting suspicious activity so the company can investigate.

The spyware industry's advantage in this environment is resource asymmetry. Forensic research, user support, and legal proceedings are costly, slow, and demand specialist expertise. Developing new exploits, by contrast, can be done by a relatively small engineering team with access to the right personnel and prior knowledge of platform architectures. WhatsApp's announcement acknowledges this directly, describing the work of civil society organizations as "demanding, often dangerous, and consistently under-resourced compared to the spyware industry."

Timeline

  • May 2019 - NSO Group exploits a WhatsApp voice call vulnerability to deploy Pegasus spyware on approximately 1,400 devices across 20 countries, targeting journalists, activists, and government officials
  • October 2019 - WhatsApp and Facebook file lawsuit against NSO Group in the US District Court for the Northern District of California
  • January 2023 - US Supreme Court declines NSO's appeal for immunity as a foreign government agent, allowing the case to proceed
  • December 20, 2024 - Judge Phyllis Hamilton grants WhatsApp's motion for summary judgment, finding NSO violated the Computer Fraud and Abuse Act, the California Comprehensive Computer Data Access and Fraud Act, and WhatsApp's terms of service
  • May 6, 2025 - Jury in San Francisco awards Meta $167.3 million in punitive damages and $444,719 in compensatory damages against NSO Group
  • October 18, 2025 - Judge Hamilton issues a permanent injunction barring NSO from ever targeting WhatsApp again; punitive damages reduced to approximately $4 million
  • May 2026 - Twelve civil society organizations file amicus briefs opposing NSO's appeal against the permanent injunction
  • June 8, 2026 - WhatsApp announces it has disrupted NSO-linked spear phishing attempts and test account creation; files federal contempt order against NSO Group; announces contribution to the Spyware Accountability Initiative (SAI)

Summary

Who: WhatsApp (owned by Meta Platforms) and NSO Group Technologies Limited, an Israeli commercial spyware company on the US government's Entity List. Supporting parties include Citizen Lab at the University of Toronto and a coalition of 12 civil rights organizations.

What: WhatsApp today filed a federal contempt of court order against NSO Group for allegedly violating a permanent injunction issued October 18, 2025, which barred NSO from targeting WhatsApp and its users. WhatsApp says it detected and disrupted NSO-linked spear phishing attempts and test account creation on the platform. Three malicious domains were identified and are being shared publicly as threat indicators. WhatsApp simultaneously announced a financial contribution to the Spyware Accountability Initiative to fund civil society forensic research and advocacy.

When: The contempt filing and SAI contribution were announced June 8, 2026. The underlying legal dispute began with NSO's 2019 attack and has been through the Northern District of California, the US Court of Appeals, and the US Supreme Court.

Where: The legal proceedings are in the US District Court for the Northern District of California. NSO Group is incorporated in Israel and has been placed on the US Department of Commerce Entity List. WhatsApp operates globally with approximately 3 billion users.

Why: WhatsApp asserts that NSO Group continued to attempt to access the platform despite a court-ordered permanent ban. The company frames spyware as a national security threat, citing NSO's continued presence on the US Entity List and arguing that easing restrictions on a company defying US courts would harm American companies and billions of individuals relying on secure communications infrastructure. The contempt filing is an attempt to use judicial enforcement mechanisms to compel compliance where the injunction alone did not.