A months-long investigation identified seven companies accused of surveillance for hire
Facebook’s parent company Meta has recently alerted 50,000 users in over 100 countries that their accounts were spied on by surveillance-for-hire companies.
The surveillance-for-hire industry consists of companies around the globe that target Internet users to collect intelligence, manipulate them into revealing information and compromise their devices and accounts. These companies are part of a sprawling industry that provides intrusive software tools and surveillance services indiscriminately to any customer — regardless of who they target, or the human rights abuses they might enable.
“We alerted around 50,000 people who we believe were targeted by these malicious activities worldwide, using the system we launched in 2015. We recently updated it to provide people with more granular details about the nature of targeting we detect, in line with the surveillance chain phases framework we shared above,” said Meta in a statement.
As the company announced, a months-long investigation identified seven different surveillance-for-hire entities around the globe, which provided services to indiscriminately target people on behalf of their clients. These companies are based in China, Israel, India, and North Macedonia.
“The ‘surveillance-for-hire’ entities we removed violated multiple Community Standards and Terms of Service. Given the severity of their violations, we have banned them from our services. To help disrupt these activities, we blocked related internet infrastructure and issued Cease and Desist letters, putting them on notice that their targeting of people has no place on our platform. We also shared our findings with security researchers, other platforms, and policymakers so they can take appropriate action,” Meta underlined.
Facebook sued the Israeli NSO Group, the hacking company behind the Pegasus spyware, in 2019, but as Meta points out, NSO is only one piece of a much broader global cyber mercenary industry. Now, Meta is sending cease-and-desist letters to the seven companies accused of surveillance for hire and sending alerts to approximately 50,000 victims. Meta’s notifications warn users that “a sophisticated actor may be targeting your Facebook account” and suggest ways of improving the account’s security, including running a privacy checkup.
“We’re enforcing against 7 entities we identified as systemically using fake accounts to target people across our platform and the broader internet, as well as sending malware and taking other steps to spy on their targets,” said Nathaniel Gleicher, head of security policy at Facebook. “We have mapped each of these companies across the Surveillance Attack Chain: three stages (recon -> engagement -> exploit) that these companies follow as they target people for spying around the world. While the exploit stage is particularly harmful, all three are important steps to hacking a target’s devices. Enforcing, and regulating, early against recon and engagement helps counter threat actors before they exploit devices and accounts,” he added.
Meta’s investigation aims to prompt a public discussion about the surveillance-for-hire industry, with the participation of platforms, policymakers, and civil society. As the company emphasized, “although public debate has mainly focused on the exploitation phase, it’s critical to disrupt the entire lifecycle of the attack because the earlier stages enable the later ones. If we can collectively tackle this threat earlier in the surveillance chain, it would help stop the harm before it gets to its final, most serious stage of compromising people’s devices and accounts.”