Facebook Blocks Seven Malware Purveyors, Deletes Hundreds Of Accounts, Notifies 50,000 Potential Hacking Targets

from the move-fast-and-break-oppressors dept

Thanks to the ongoing onslaught of negative press involving malware merchants like Israel’s NSO Group, tech companies whose devices and platforms have been used to deploy exploits targeting journalists, activists, and religious leaders are punching back. You’re a human rights abuser with high-dollar spyware at your disposal? Too bad. Ask for a refund, I guess.

Apple sued NSO Group for targeting iPhone users a few weeks ago. It also began notifying users who were targeted by NSO spyware, potentially nullifying further surveillance efforts by unfriendly nation-states.

But before Apple got in on the anti-NSO action, Facebook sued the company for using WhatsApp to deploy malware. Both lawsuits contain some troubling implications for the CFAA — something that could pose future problems for researchers who scrape data and security researchers who search for security flaws. The unintended consequences of this litigation have yet to be seen, but it’s enough to justify holding your applause until the lawsuits have run their course.

Denying state actors the fruits of their purchased spyware labor is now the name of the game, something that benefits everyone. Facebook (now Meta) has just thrown a decently-sized tech wrench into the malware works of an unknown number of entities.

Facebook has disrupted the operations of seven different spyware-making companies, blocking their Internet infrastructure, sending cease and desist letters, and banning them from its platform.

“As a result of our months-long investigation, we took action against seven different surveillance-for-hire entities to disrupt their ability to use their digital infrastructure to abuse social media platforms and enable surveillance of people across the internet,” said Director of Threat Disruption David Agranovich and Head of Cyber Espionage Investigations Mike Dvilyanski.

“These surveillance providers are based in China, Israel, India, and North Macedonia. They targeted people in over 100 countries around the world on behalf of their clients.”

Seven companies. 100 countries. 1,500 Facebook and Instagram accounts. 50,000 potential targets notified. That’s going to hurt paying customers of companies like NSO Group and its competition, most of which have yet to obtain the international infamy NSO has.

The full report [PDF] from Meta lists the companies ejected in this surveillance-for-hire purge. And there’s a common strain running through the list, one that’s going to cause even more problems for a government already dealing with blowback for running interference for a company selling spy tools to a long list of human rights violators.

We removed about 200 accounts which were operated by Cobwebs [Technologies] and its customers worldwide. This firm was founded in Israel with offices in the United States and sells access to its platform that enables reconnaissance across the internet, including Facebook, Instagram, WhatsApp, Twitter, Flickr, public websites and “dark web” sites.


We removed about 100 accounts on Facebook and Instagram which were linked to Cognyte (formerly known as WebintPro) and its customers. This firm is based in Israel and sells access to its platform which enables managing fake accounts across social media platforms including Facebook, Instagram, Twitter, YouTube, and VKontakte (VK), and other websites to social-engineer people and collect data.


We removed about 300 Facebook and Instagram accounts linked to Black Cube, an Israeli-based firm with offices in the UK, Israel and Spain. It provides surveillance services that include social engineering and intelligence gathering.


We removed about 100 Facebook accounts linked to Bluehawk, a firm based in Israel with offices in the UK and the US. We collaborated on this investigation with The Daily Beast who had identified a subset of this activity leading us to uncover the full cluster and who’s behind it earlier this year.


We removed about 400 Facebook accounts, the vast majority of which were inactive for years, linked to BellTroX and used for reconnaissance, social engineering and to send malicious links. BellTroX is based in India and sells what’s known as “hacking for hire” services…


We removed about 300 accounts on Facebook and Instagram linked to Cytrox. This North Macedonian company develops exploits and sells surveillance tools and malware that enable its clients to compromise iOS and Android devices…


We removed about 100 Facebook and Instagram accounts linked to an unidentified entity in China responsible for developing surveillanceware for Android, iOS, Windows, and also Linux, Mac OS X, and Solaris operating systems. It also engaged in reconnaissance and social engineering activity before delivering malicious payload to its targets.

Four of the seven entities identified and blocked call Israel home. Cytrox also has links to Israel as both Citizen Lab and the Times of Israel have reported. Cytrox is now part of a spyware conglomerate that has been criminally charged for human rights violations.

Israel has a malware problem. And the government can’t claim it was unaware of these companies and their selling of tools to authoritarians and human rights violators. The government was actively involved in brokering some of these deals.

The customers for these products, however, are far more varied. Cobwebs products were observed “frequently targeting” activists and opposition parties in Hong Kong and Mexico. But its customer base includes entities in Bangladesh, New Zealand, Poland, Saudi Arabia, and… the United States.

The list compiled by Meta shows malware firms are more than happy to sell to governments that like targeting critics and opponents, rather than criminals and terrorists. Serbia, Morocco, Mexico, China, Qatar, Saudi Arabia, Egypt, Oman, the Philippines, and Myanmar make this list.

But it’s not just the blocking. It’s the notification. And there’s plenty of that.

We also alerted around 50,000 people who we believe were targeted by these malicious activities worldwide, using the alert system we launched in 2015. We recently updated it to provide people with more granular details about the types of targeting and the actor behind it so they can take steps to protect their accounts, depending on the phase of the surveillance attack chain we detect in each case.

That’s a lot of disrupted surveillance efforts. State actors are paying good money for these exploits and now they’re facing more resistance than ever from the private sector being used to transport malware to targets. That’s a lot of money and a lot of surveillance being undone. Governments buying exploits won’t be happy but so what. There’s no reason to assume that just because it’s a government agency doing the targeting there’s any legitimacy to the hacking efforts. This is the way it should be — platforms and device makers protecting customers and users against hacking attempts, no matter the origin of the attacks. The world needs more of this because authoritarians and human rights abusers deserve to have their oppressive efforts thwarted.

Companies: facebook


Comments on “Facebook Blocks Seven Malware Purveyors, Deletes Hundreds Of Accounts, Notifies 50,000 Potential Hacking Targets”

That One Guy (profile) says:

Re: Re: What a pleasant day

Facebook seems to be ruining the day/week/month of a bunch of terrible companies without engaging in any notable terrible behavior of their own so at the moment at least they would seem to be acting on the side of good. Give ’em a day or so though and I’m sure they’ll faceplant and give people another reason to rake them over the coals.
