Meta disrupts 7 ‘surveillance-for-hire’ networks and alerts 50,000 users

These groups targeted, surveilled and attempted to exploit Facebook and Instagram users in 100 countries.

Computer setup in a room

Surveillance groups targeted, spied on and at times attempted to exploit users in 100 countries.

Photo: Kaur Kristjan/Unsplash

Meta will start notifying around 50,000 Facebook and Instagram users on Thursday that they were the targets of “surveillance for hire” campaigns, carried out by seven different international organizations. These surveillance groups targeted, spied on and at times attempted to exploit users in 100 countries and were hired by customers all over the world, including in the United States.

Meta uncovered the groups as part of an internal investigation, the results of which it published Thursday. Some of the activity has been reported on in the past, but the new report sheds light on the full scope of these operations.

“While these ‘cyber mercenaries’ often claim that their services only target criminals and terrorists, our months-long investigation concluded that targeting is in fact indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opposition members and human rights activists,” the report reads.

Meta said it has removed the networks, has informed law enforcement and other tech companies of its findings and is sending cease-and-desist letters to the perpetrators. The report was written by Nathaniel Gleicher, Meta’s head of Security Policy; David Agranovich, director of Global Threat Disruption; and Mike Dvilyanski, head of Cyber Espionage Investigations.

These new findings follow ongoing reporting on the Israeli firm NSO Group, whose Pegasus spyware has been used by authoritarian regimes to spy on journalists, activists and other private citizens. Facebook sued NSO Group in 2019 for exploiting a vulnerability in WhatsApp’s video-calling feature. Last month, Apple announced it was also suing the group over its ForcedEntry exploit, which took advantage of a now-patched vulnerability to remotely break into people’s phones.

Meta’s latest report shows that NSO Group is far from alone in the world of companies that sell surveillance and hacking services. “Surveillance for hire is broader than any one company, and it’s broader than, I think, much of the public debate has been focused on in the last month and years,” Gleicher said on a call with reporters Thursday.

Over the course of its investigation, Meta discovered networks of accounts linked to Indian firm BellTroX, North Macedonian firm Cytrox, an unknown entity operating out of China and four separate firms run out of Israel: Cobwebs Technologies, Cognyte, Black Cube and Bluehawk CI. “These companies are democratizing access to these types of techniques,” Gleicher said.

All in, Meta removed 1,500 Facebook and Instagram accounts linked to these operations, as well as activity on WhatsApp. The companies used those accounts to conduct reconnaissance on targets, engage with them using social engineering tactics and, in some cases, exploit them through phishing campaigns and other techniques that allowed the companies to access or take control of their targets’ devices.

Gleicher stressed that while much of the public concern recently has focused on “hacking-for-hire,” or the actual delivery of malware, it’s just as important to disrupt companies in the earlier phases of these schemes, including their surveillance and social engineering operations. Once these companies have moved on to actually exploiting their targets, Gleicher said, the damage is already done.

While Meta was unable to determine exactly who the companies were working on behalf of, some past clients are already well-known. Harvey Weinstein famously hired Black Cube to try to stifle reporting in The New York Times about allegations of sexual misconduct against him. Meta’s report found instances of Black Cube accounts posing as TV and film producers to trick potential targets.

Meta also got a boost in its digging from other reporting and research. Earlier this year, The Daily Beast reported on an operation, run by Bluehawk CI, that involved a private investigator posing as a Fox News reporter in order to dig up dirt for a legal case in the United Arab Emirates. The Daily Beast’s findings led Facebook to uncover the broader Bluehawk network. Another 2020 report, out of Citizen Lab and Reuters, documented the work of India’s BellTroX. Meta said the company was active between 2013 and 2019, as covered by Reuters, but resumed its work in 2021, following a similar playbook of impersonating journalists to phish targets.

The report also sheds more light on ongoing surveillance efforts by Beijing, which Meta has discussed in the past and which Facebook whistleblower Frances Haugen recently described to Congress. In this new report, Meta said it found about 100 accounts that were used to “deliver malicious payloads” to targets as part of ongoing surveillance of minority groups throughout Asia.

The report makes clear that Facebook and Instagram are not the only platforms these groups have exploited. Many of them also market services that involve Twitter, YouTube and other social media sites. In its report, Meta urged the private sector to work together to thwart these networks. It’s unclear, however, what exactly other companies have done with the information Meta provided to them, and Gleicher didn’t answer Protocol’s question about that.

Meta is also calling on lawmakers and regulators to increase scrutiny surrounding this industry by imposing new laws and regulations on the use of this technology.


Can crypto regulate itself? The Lummis-Gillibrand bill hopes so.

Creating the equivalent of the stock markets’ FINRA for crypto is the ideal, but experts doubt that it will be easy.

The idea of creating a government-sanctioned private regulatory association has been drawing more attention in the debate over how to rein in a fast-growing industry whose technological quirks have baffled policymakers.

Illustration: Christopher T. Fong/Protocol

Regulating crypto is complicated. That’s why Sens. Cynthia Lummis and Kirsten Gillibrand want to explore the creation of a private sector group to help federal regulators do their job.

The bipartisan bill introduced by Lummis and Gillibrand would require the CFTC and the SEC to work with the crypto industry to look into setting up a self-regulatory organization to “facilitate innovative, efficient and orderly markets for digital assets.”

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.

Every day, millions of us press the “order” button on our favorite coffee store's mobile application: Our chosen brew will be on the counter when we arrive. It’s a personalized, seamless experience that we have all come to expect. What we don’t know is what’s happening behind the scenes. The mobile application is sourcing data from a database that stores information about each customer and what their favorite coffee drinks are. It is also leveraging event-streaming data in real time to ensure the ingredients for your personal coffee are in supply at your local store.

Applications like this power our daily lives, and if they can’t access massive amounts of data stored in a database as well as stream data “in motion” instantaneously, you — and millions of customers — won’t have these in-the-moment experiences.

Keep Reading Show less
Jennifer Goforth Gregory
Jennifer Goforth Gregory has worked in the B2B technology industry for over 20 years. As a freelance writer she writes for top technology brands, including IBM, HPE, Adobe, AT&T, Verizon, Epson, Oracle, Intel and Square. She specializes in a wide range of technology, such as AI, IoT, cloud, cybersecurity, and CX. Jennifer also wrote a bestselling book The Freelance Content Marketing Writer to help other writers launch a high earning freelance business.

Alperovitch: Cybersecurity defenders can’t be on high alert every day

With the continued threat of Russian cyber escalation, cybersecurity and geopolitics expert Dmitri Alperovitch says it’s not ideal for the U.S. to oscillate between moments of high alert and lesser states of cyber readiness.

Dmitri Alperovitch (the co-founder and former CTO of CrowdStrike) speaks at RSA Conference 2022.

Photo: RSA Conference

When it comes to cybersecurity vigilance, Dmitri Alperovitch wants to see more focus on resiliency of IT systems — and less on doing "surges" around particular dates or events.

For instance, whatever Russia is doing at the moment.

Keep Reading Show less
Kyle Alspach

Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at kalspach@protocol.com.


How the internet got privatized and how the government could fix it

Author Ben Tarnoff discusses municipal broadband, Web3 and why closing the “digital divide” isn’t enough.

The Biden administration’s Internet for All initiative, which kicked off in May, will roll out grant programs to expand and improve broadband infrastructure, teach digital skills and improve internet access for “everyone in America by the end of the decade.”

Decisions about who is eligible for these grants will be made based on the Federal Communications Commission’s broken, outdated and incorrect broadband maps — maps the FCC plans to update only after funding has been allocated. Inaccurate broadband maps are just one of many barriers to getting everyone in the country successfully online. Internet service providers that use government funds to connect rural and low-income areas have historically provided those regions with slow speeds and poor service, forcing community residents to find reliable internet outside of their homes.

Keep Reading Show less
Aditi Mukund
Aditi Mukund is Protocol’s Data Analyst. Prior to joining Protocol, she was an analyst at The Daily Beast and NPR where she wrangled data into actionable insights for editorial, audience, commerce, subscription, and product teams. She holds a B.S in Cognitive Science, Human Computer Interaction from The University of California, San Diego.

How I decided to exit my startup’s original business

Bluevine got its start in factoring invoices for small businesses. CEO Eyal Lifshitz explains why it dropped that business in favor of “end-to-end banking.”

"[I]t was a realization that we can't be successful at both at the same time: You've got to choose."

Photo: Bluevine

Click banner image for more How I decided series

Bluevine got its start in fintech by offering a modern version of invoice factoring, the centuries-old practice where businesses sell off their accounts receivable for up-front cash. It’s raised $240 million in venture capital and about $700 million in total financing since its founding in 2013 by serving small businesses. But along the way, it realized it was better to focus on the checking accounts and lines of credit it provided customers than its original product. It now manages some $500 million in checking-account deposits.

Keep Reading Show less
Ryan Deffenbaugh
Ryan Deffenbaugh is a reporter at Protocol focused on fintech. Before joining Protocol, he reported on New York's technology industry for Crain's New York Business. He is based in New York and can be reached at rdeffenbaugh@protocol.com.
Latest Stories