Meta disrupts 7 ‘surveillance-for-hire’ networks and alerts 50,000 users

These groups targeted, surveilled and attempted to exploit Facebook and Instagram users in 100 countries.

Computer setup in a room

Surveillance groups targeted, spied on and at times attempted to exploit users in 100 countries.

Photo: Kaur Kristjan/Unsplash

Meta will start notifying around 50,000 Facebook and Instagram users on Thursday that they were the targets of “surveillance for hire” campaigns, carried out by seven different international organizations. These surveillance groups targeted, spied on and at times attempted to exploit users in 100 countries and were hired by customers all over the world, including in the United States.

Meta uncovered the groups as part of an internal investigation, the results of which it published Thursday. Some of the activity has been reported on in the past, but the new report sheds light on the full scope of these operations.

“While these ‘cyber mercenaries’ often claim that their services only target criminals and terrorists, our months-long investigation concluded that targeting is in fact indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opposition members and human rights activists,” the report reads.

Meta said it has removed the networks, has informed law enforcement and other tech companies of its findings and is sending cease-and-desist letters to the perpetrators. The report was written by Nathaniel Gleicher, Meta’s head of Security Policy; David Agranovich, director of Global Threat Disruption; and Mike Dvilyanski, head of Cyber Espionage Investigations.

These new findings follow ongoing reporting on the Israeli firm NSO Group, whose Pegasus spyware has been used by authoritarian regimes to spy on journalists, activists and other private citizens. Facebook sued NSO Group in 2019 for exploiting a vulnerability in WhatsApp’s video-calling feature. Last month, Apple announced it was also suing the group over its ForcedEntry exploit, which took advantage of a now-patched vulnerability to remotely break into people’s phones.

Meta’s latest report shows that NSO Group is far from alone in the world of companies that sell surveillance and hacking services. “Surveillance for hire is broader than any one company, and it’s broader than, I think, much of the public debate has been focused on in the last month and years,” Gleicher said on a call with reporters Thursday.

Over the course of its investigation, Meta discovered networks of accounts linked to Indian firm BellTroX, North Macedonian firm Cytrox, an unknown entity operating out of China and four separate firms run out of Israel: Cobwebs Technologies, Cognyte, Black Cube and Bluehawk CI. “These companies are democratizing access to these types of techniques,” Gleicher said.

All in, Meta removed 1,500 Facebook and Instagram accounts linked to these operations, as well as activity on WhatsApp. The companies used those accounts to conduct reconnaissance on targets, engage with them using social engineering tactics and, in some cases, exploit them through phishing campaigns and other techniques that allowed the companies to access or take control of their targets’ devices.

Gleicher stressed that while much of the public concern recently has focused on “hacking-for-hire,” or the actual delivery of malware, it’s just as important to disrupt companies in the earlier phases of these schemes, including their surveillance and social engineering operations. Once these companies have moved on to actually exploiting their targets, Gleicher said, the damage is already done.

While Meta was unable to determine exactly who the companies were working on behalf of, some past clients are already well-known. Harvey Weinstein famously hired Black Cube to try to stifle reporting in The New York Times about allegations of sexual misconduct against him. Meta’s report found instances of Black Cube accounts posing as TV and film producers to trick potential targets.

Meta also got a boost in its digging from other reporting and research. Earlier this year, The Daily Beast reported on an operation, run by Bluehawk CI, that involved a private investigator posing as a Fox News reporter in order to dig up dirt for a legal case in the United Arab Emirates. The Daily Beast’s findings led Facebook to uncover the broader Bluehawk network. Another 2020 report, out of Citizen Lab and Reuters, documented the work of India’s BellTroX. Meta said the company was active between 2013 and 2019, as covered by Reuters, but resumed its work in 2021, following a similar playbook of impersonating journalists to phish targets.

The report also sheds more light on ongoing surveillance efforts by Beijing, which Meta has discussed in the past and which Facebook whistleblower Frances Haugen recently described to Congress. In this new report, Meta said it found about 100 accounts that were used to “deliver malicious payloads” to targets as part of ongoing surveillance of minority groups throughout Asia.

The report makes clear that Facebook and Instagram are not the only platforms these groups have exploited. Many of them also market services that involve Twitter, YouTube and other social media sites. In its report, Meta urged the private sector to work together to thwart these networks. It’s unclear, however, what exactly other companies have done with the information Meta provided to them, and Gleicher didn’t answer Protocol’s question about that.

Meta is also calling on lawmakers and regulators to increase scrutiny surrounding this industry by imposing new laws and regulations on the use of this technology.


Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep ReadingShow less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more.

Keep ReadingShow less
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep ReadingShow less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep ReadingShow less
Bennett Richardson

Bennett Richardson ( @bennettrich) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.


Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep ReadingShow less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories