WhatsApp Disrupts Spyware Campaign Targeting Journalists and Civil Society Members

WhatsApp, the popular messaging platform owned by Meta, has successfully thwarted a hacking campaign that targeted approximately 90 users, including journalists and members of civil society[1][2]. The company has linked this campaign to Paragon, an Israeli spyware firm that was recently acquired by the American private equity giant AE Industrial Partners[12][13].

The Attack and WhatsApp's Response

The hacking attempt, which WhatsApp believes occurred in December 2024, involved a sophisticated method:

  • Hackers invited targets to WhatsApp groups
  • Malicious PDF files were sent through these groups to compromise devices[9]

WhatsApp has taken several steps in response to this threat:

  1. Pushed a fix to prevent the attack mechanism
  2. Sent a cease and desist letter to Paragon
  3. Reached out directly to affected users[1][3]

WhatsApp spokesperson Zade Alsawah emphasized the need for accountability, stating, "This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people's ability to communicate privately"[7].

Paragon and Its Spyware

Paragon, founded in 2019 by former Israeli intelligence officers, has managed to maintain a low profile compared to other controversial spyware makers like NSO Group and Intellexa[12][13]. The company's flagship product, Graphite, is reportedly capable of penetrating encrypted platforms such as WhatsApp, Signal, and Telegram[8].

Despite its attempts to position itself as an "ethical" cybersecurity firm, this incident marks the first time Paragon has been publicly linked to a hacking campaign targeting journalists and civil society members[5][7].

Implications and Reactions

The revelation of this spyware campaign has raised concerns among digital rights advocates:

  • John Scott-Railton, a senior researcher at The Citizen Lab, confirmed they are investigating the campaign[7].
  • Natalia Krapiva, senior tech-legal counsel at Access Now, noted that this incident challenges Paragon's previous reputation as a "better" spyware company[3][7].

Broader Context

This incident occurs against a backdrop of increasing scrutiny of the commercial spyware industry:

  • Other companies like NSO Group and Intellexa have faced sanctions and blacklisting by the U.S. government[7].
  • Paragon recently secured a $2 million contract with U.S. Immigration and Customs Enforcement, raising questions about the vetting process for such technologies[12][13].

As the investigation continues, the cybersecurity community awaits more details about the targets and the full extent of this spyware campaign. WhatsApp's proactive approach in disrupting the attack and notifying users underscores the ongoing challenges in protecting digital privacy and the need for continued vigilance against sophisticated cyber threats.

How did Paragon manage to keep a low profile until now?

Paragon, an Israeli spyware company, managed to keep a low profile until recently through several strategic approaches:

Secretive Operations

Paragon has maintained an extremely secretive stance since its founding in 2019[1][10]:

  • The company does not have a public website[1][11]
  • It has avoided public attention and scrutiny that other spyware makers like NSO Group have faced[6]

Limited Customer Base

Paragon has reportedly been selective in its clientele:

  • The company claims to only sell to countries that abide by international norms and respect fundamental rights[10]
  • Its only publicly known customer is the U.S. Drug Enforcement Agency[11]

Positioning as an "Ethical" Alternative

Paragon has attempted to differentiate itself from controversial competitors:

  • It markets itself as an "ethical" cyber defense company[3]
  • The company reportedly implemented controls to prevent misuse of its tools[2]

Focus on Specific Capabilities

Rather than offering full device control, Paragon has specialized in:

  • Accessing instant messaging applications on devices[10]
  • Exploiting protocols of end-to-end encrypted apps like WhatsApp and Signal[10][16]

Strategic Partnerships and Backing

Paragon has secured influential support:

  • It is financially backed by prominent American private equity firm Battery Ventures[11]
  • Former Israeli Prime Minister Ehud Barak serves on its board[11]

Limited Public Disclosures

Until recently, there were few public disclosures about Paragon's activities:

  • The company has not been implicated in major scandals like some of its competitors[2]
  • Its acquisition by AE Industrial Partners in December 2024 brought more attention to the company[6]

By maintaining secrecy, limiting its customer base, positioning itself as ethical, focusing on specific capabilities, securing strategic partnerships, and avoiding public disclosures, Paragon managed to operate under the radar until recent events brought it into the spotlight.

What was the role of the malicious PDF files in the hacking campaign?

The malicious PDF files played a crucial role in the Paragon spyware campaign targeting WhatsApp users:

Delivery Mechanism

The malicious PDFs served as the primary vector for delivering the spyware:

  • WhatsApp reported that the attack utilized malicious PDF files sent to targets who were added to group chats13.
  • These PDFs were designed to automatically download onto the recipient's device[5].

Infection Process

Once downloaded, the malicious PDFs initiated the infection process:

  • The PDFs contained embedded malicious links or code[6][8].
  • When users interacted with the PDF, it triggered a multi-stage process leading to the installation of spyware[6].

Spyware Capabilities

After successful infection, the spyware (known as Graphite) provided extensive access to the compromised device:

  • The operator could access the phone completely, including reading messages sent via encrypted applications like WhatsApp and Signal[3].
  • This allowed for potential data theft, surveillance, and other malicious activities[11].

Evasion Techniques

The use of PDFs as an attack vector helped the campaign evade detection:

  • PDFs are commonly used for legitimate purposes, making them less suspicious[10].
  • The attack exploited the trust users place in PDF documents, especially when received through seemingly trusted group chats[5].

By leveraging malicious PDFs, Paragon was able to target approximately 90 users, including journalists and members of civil society, in a sophisticated and hard-to-detect spyware campaign135.

Citations:
[1] https://therecord.media/paragon-bought-private-equity-american
[2] https://newsinterpretation.com/the-500-million-secret-inside-the-paragon-deal/
[3] https://www.theverge.com/news/604100/whatsapp-meta-spyware-paragon-solutions
[4] https://www.devdiscourse.com/article/technology/3247636-whatsapp-vs-paragon-spyware-showdown-unfolds
[5] https://www.hpbl.co.in/news/whatsapp-targets-israeli-spyware-firm-paragon-solutions-for-hacking-effort-on-journalists-and-activists/
[6] https://techcrunch.com/2024/12/16/israeli-spyware-maker-paragon-bought-by-u-s-private-equity-giant/
[7] https://timesofindia.indiatimes.com/technology/tech-news/whatsapp-says-its-users-targeted-by-israeli-spyware-read-companys-response/articleshow/117796050.cms
[8] https://tribune.com.pk/story/2525771/whatsapp-says-israeli-spyware-firm-targeted-journalists-and-activists
[9] https://mexicobusiness.news/cybersecurity/news/us-government-expands-spyware-use-amid-growing-privacy-concerns
[10] https://www.forbes.com/sites/thomasbrewster/2021/07/29/paragon-is-an-nso-competitor-and-an-american-funded-israeli-surveillance-startup-that-hacks-encrypted-apps-like-whatsapp-and-signal/
[11] https://www.thirdway.org/memo/what-is-spyware-and-why-should-policymakers-care
[12] https://cdt.org/insights/dhs-must-come-clean-on-contract-with-spyware-purveyor-paragon-solutions/
[13] https://www.atlanticcouncil.org/in-depth-research-reports/report/mythical-beasts-and-where-to-find-them-mapping-the-global-spyware-market-and-its-threats-to-national-security-and-human-rights/
[14] https://www.mobileworldlive.com/big-tech/whatsapp-hit-by-spyware-attack/
[15] https://www.newyorker.com/news/news-desk/the-technology-the-trump-administration-could-use-to-hack-your-phone
[16] https://www.reddit.com/r/privacytoolsIO/comments/ouj2wr/meet_paragon_an_americanfunded_supersecretive/
[17] https://www.yahoo.com/news/whatsapp-says-paragon-spyware-used-164350400.html
[18] https://www.schneier.com/blog/archives/2023/06/paragon-solutions-spyware-graphite.html
[19] https://carnegieendowment.org/research/2023/03/why-does-the-global-spyware-industry-continue-to-thrive-trends-explanations-and-responses?lang=en&center=global
[20] https://corrata.com/pegasus-predator-hermit-spyware-nso-and-its-clones/
[21] https://www.hrw.org/news/2024/10/17/us-immigration-agency-contract-spyware-company-poses-risk-rights
[22] https://www.aa.com.tr/en/americas/dozens-of-journalists-civil-society-members-targeted-by-israeli-spyware-in-whatsapp-hack/3468201
[23] https://www.aljazeera.com/news/2025/1/31/whatsapp-says-its-users-targeted-by-israeli-spyware-company-paragon
[24] https://www.bloomberg.com/news/articles/2025-01-31/whatsapp-says-paragon-spyware-used-to-try-hacking-journalists
[25] https://techcrunch.com/2025/01/31/whatsapp-says-it-disrupted-a-hacking-campaign-targeting-journalists-with-spyware/
[26] https://www.calcalistech.com/ctechnews/article/s1ucev64kg
[27] https://news.bloomberglaw.com/us-law-week/whatsapp-says-paragon-spyware-used-to-try-hacking-journalists
[28] https://www.middleeastmonitor.com/20250131-dozens-of-journalists-civil-society-members-targeted-by-israeli-spyware-in-whatsapp-hack/
[29] https://www.reuters.com/technology/cybersecurity/metas-whatsapp-says-israeli-spyware-company-paragon-targeted-scores-users-2025-01-31/
