In 2019, a silent attack on WhatsApp's calling feature planted Pegasus, a piece of spyware (surveillance software), on roughly 1,400 phones: journalists, activists, dissidents. A single call was enough, and the target did not even have to answer it. In May 2025, a US federal jury ordered NSO Group, the Israeli company that builds Pegasus and sells it to governments, to pay around 168 million dollars. Months later, a judge permanently barred it from ever targeting WhatsApp and its users again. On 8 June 2026, Meta said it caught NSO trying anyway, and asked the court to hold it in contempt.
What interests me here is not the lawsuit. It is how the attack changed.
From a silent exploit to a one-click lure
In 2019, Pegasus was "zero-click": it infected the device without the victim touching anything. It was the perfect back door, invisible and automatic. This time, according to Meta, the attempts were something else: social engineering. In other words, messages trying to get people to click malicious links that pulled them outside WhatsApp. Meta itself compares them to the "one-click" phishing campaigns previously tied to NSO, fraudulent messages that carry a link, and says it detected and dismantled them after investigating user reports, removing the test accounts and groups linked to the activity.
Notice the step down. An actor that once held a zero-click exploit, code abusing a technical flaw so that the victim never had to do anything, now needs the click. When the technical door closes, because the flaw was patched, because the case went to court, because the injunction landed, the attacker does not quit. It falls back to the oldest door of all: the trust of the person holding the phone.
A ruling on paper does not patch your phone
And here is the part worth taking home. An injunction is a legal instrument, not a technical control. It does not patch a vulnerability, does not block a message, does not stop a determined, well-funded actor from trying again. It does what the law does well: it draws a line and sets a consequence. Useful and necessary, but it is not a patch, the software fix that would close the flaw. The contempt motion is the proof: the line has stood for months and, even so, Meta says it was crossed. It is worth remembering that even the bill shrank: a judge later cut the 168 million to about four million, though the permanent ban held.
This is not distant news. NSO sits on the US government's Entity List, and its clients were never only faraway regimes. In the European Parliament, the PEGA committee of inquiry into Pegasus investigated the use of the program inside the Union itself, and NSO admitted that at least five member states used it. Pegasus's historic targets have names: journalists, activists, lawyers, public officials. Surveillance-for-hire is an industry, and Europe is on the map, not off to one side.
How you protect yourself
The good news is that the moment an attack drops to the level of social engineering, the defence is back within your reach. The same rules that beat any phishing beat phishing with an NSO label:
- Keep your phone and WhatsApp updated. That is what closes the door on silent exploits.
- Distrust any unsolicited link, even inside WhatsApp, even if it looks like it came from a contact you know.
- Never tap to "confirm your account", "verify your identity" or "enable a feature" through an external page.
- Turn on WhatsApp's two-step verification, with your own PIN code.
- If you have a high-risk profile, in journalism, activism or public office, enable Lockdown Mode on iPhone or its Android equivalent, and review the indicators Meta shared to check whether you were targeted.
- Report suspicious messages. It was precisely from user reports that this campaign was caught.
The court said "never again". The attacker heard "find another door". This time the door is the click, and the click is yours. Deciding whether to give it remains the cheapest and most effective defence you have.
Original source: Help Net Security.
#StaySafe
🙏🖖