WhatsApp said on Friday that it had disrupted a hacking campaign that targeted around 90 users, including journalists and members of civil society.
A WhatsApp spokesperson told TechCrunch that the campaign was linked to Paragon, an Israeli spyware maker that was acquired in December of last year by American private equity giant AE Industrial.
“We’ve reached out directly to people who we believe were affected. This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately,” WhatsApp spokesperson Zade Alsawah told TechCrunch.
WhatsApp said that the hacking campaign used malicious PDFs sent via WhatsApp groups to compromise targets and said it had pushed a fix to prevent this mechanism.
John Scott-Railton, a senior researcher who has for years investigated spyware companies and their abuses at Citizen Lab, told TechCrunch that they also have observed this hacking campaign by Paragon using this specific attack vector and that they are investigating it.
WhatsApp told TechCrunch that it believed the hacking campaign happened in December, and that it sent a cease and desist letter to Paragon.
Contact Us
Do you have more information about Paragon, and this spyware campaign? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
Idan Nurick, the CEO of Paragon, did not respond to a request for comment sent via LinkedIn. AE Industrial did not respond to a request for comment.
This is the first time that Paragon has been publicly linked to a hacking campaign that allegedly targeted journalists and members of civil society. Ever since its founding in 2019, Paragon has been able to keep a low profile and avoid getting ensnared in scandals like other spyware makers such as Intellexa and NSO Group, which have both been sanctioned by the U.S. government.
Paragon, through its U.S. subsidiary, signed a contract with the U.S. Immigration and Customs Enforcement in September, as Wired revealed last year. The New Yorker cited a Paragon source as saying the contract came after a vetting process whereby the company demonstrated its technology had controls to prevent customers abroad from targeting U.S. residents.
At this point, it’s unclear who are targets of this spyware campaign revealed by WhatsApp.
Natalia Krapiva, the senior tech-legal counsel at Access Now, a digital rights organization that investigates spyware abuses, celebrated the actions taken by WhatsApp.
“For some time Paragon has had the reputation of a ‘better’ spyware company not implicated in obvious abuses, but WhatsApp’s recent revelations suggest otherwise,” Krapiva told TechCrunch.“This is not just a question of some bad apples — these types of abuses are a feature of the commercial spyware industry.”
