Court Orders Do Not Stop Spyware by Themselves
Meta says it disrupted NSO-linked WhatsApp phishing even after a court order barred NSO from targeting WhatsApp users. That is the point: spyware is an operational problem, not just a legal one.
The depressing thing about commercial spyware is that even winning in court does not make the problem go away.
Meta says WhatsApp caught and disrupted NSO-linked spear phishing attempts after investigating user reports. According to Meta, the attackers tried to push people to malicious websites outside WhatsApp, similar to earlier one-click phishing campaigns linked to NSO. Meta says it removed related test accounts and groups, shared threat indicators, and is asking a federal court to hold NSO in contempt.
That last part matters. Meta says the attempts came after a permanent injunction barred NSO from targeting WhatsApp and its users. Help Net Security reported the same contempt request, and The Hacker News framed it as a new WhatsApp phishing attack linked to the spyware vendor.
If the allegation holds up, the lesson is not subtle: court orders are useful, but they are not controls. They do not patch phones. They do not warn a journalist before they click. They do not make a spyware company disappear.
The attack moved outside the encrypted app
This is the shape privacy defenders should expect more often.
WhatsApp messages can be end-to-end encrypted and still be used as a delivery channel for social engineering. If the target leaves the app and opens a malicious page, the encryption did its job and the user can still lose. That is not a contradiction. It is the normal boundary of encryption.
People often talk about secure messaging as if it creates a sealed room. It does not. It protects message contents in transit. It does not make links safe, devices uncompromisable, or targeted users immune to pressure.
Spyware operators understand that. If they cannot break the protocol cleanly, they can work around it. Send the target somewhere else. Abuse trust. Use urgency. Hide the exploit behind a link that looks boring enough to click.
Legal wins need operational follow-through
I am glad Meta keeps litigating this. The spyware market deserves real legal pressure, not another panel discussion about "responsible use" from people selling intrusion tools to governments.
But legal pressure is only one layer.
For platforms, the real work is boring and constant: detect suspicious account creation, kill phishing infrastructure, warn targets, publish indicators, support researchers, and keep enough evidence to make the legal case stick. Meta says it is doing some of that here by removing test accounts and sharing indicators.
For civil society, journalists, lawyers, activists, and political staff, the practical lesson is harsher. You cannot assume that a court victory against a spyware vendor means your threat model got simpler. It may make targeting riskier for the vendor. It does not make you untargetable.
The defensive habits are not glamorous:
- Treat unexpected links in sensitive conversations as hostile until proven otherwise.
- Keep WhatsApp, iOS, Android, and browsers updated quickly.
- Use disappearing messages for some contexts, but do not confuse deletion with device security.
- Move high-risk conversations to channels with stronger identity checks when something feels off.
- If you work in a targetable role, have a reporting path before you need it.
None of that is a perfect answer. Perfect answers do not really exist here.
Europe should pay attention
This is not only a U.S. court story or a Meta story.
Europe keeps running into the same spyware problem from different angles: mercenary vendors, government customers, cross-border targeting, journalists and opposition figures treated as intelligence targets, and a surveillance market that keeps finding softer jurisdictions and quieter procurement channels.
The mistake would be to treat spyware as a scandal cycle. A vendor gets exposed. A few politicians get angry. A report lands. Everyone waits for the next case.
That rhythm helps the industry survive.
A better response is slower and less satisfying: procurement bans with teeth, export controls that actually bite, liability for companies that keep rebranding the same capability, and platform-side detection that assumes the vendors will keep trying even after they lose in court.
Meta's latest claim is useful because it cuts through the theatre. If a company is already under a permanent injunction and linked attempts still appear, then trust-based regulation is fantasy.
Spyware is not a normal software market with a few bad customers. It is a business model built around breaking into other people's devices while everyone else argues about paperwork.
Court orders help. They are not enough. The people most likely to be targeted need warnings, patches, indicators, and a world where selling phone compromise as a service is treated like the democratic security problem it is.