Meta details actions against eight spyware firms

Details about the spyware firms, based in Italy, Spain and the UAE, were shared by the social media giant in its quarterly adversary threat report.
This illustration photograph taken on October 30, 2023, shows the Meta (former Facebook) logo. (Photo by SEBASTIEN BOZON/AFP via Getty Images)

Meta took a series of actions in the last quarter of 2023 against a half-dozen networks of accounts tied to eight spyware firms, which had used the social media’s platform to perform reconnaissance against targets and also test exploit capabilities, the company said Wednesday.

The spyware firms — based in Italy, Spain and the United Arab Emirates — employ a series of complicated corporate structures, likely to obfuscate attribution as well as rebranding after exposures, according to Meta, the parent company of Facebook, Instagram and WhatsApp. Nevertheless, Meta’s broad visibility into its popular social media platforms gives some visibility into how these firms’ products work, particularly before the exploitation phase, which gets most of the attention in media coverage and in discussions about spyware firms’ activity.

The details — shared in Meta’s Q4 2023 Adversarial Threat Report — come after a series of developments targeting the spyware industry. Earlier this month Google released details on the more than 40 spyware vendors it tracks, and called on governments to do more to combat the industry. The Google report came a day after the U.S. State Department announced it would on a case-by-case basis deny visas for individuals who have been implicated in the misuse of commercial spyware, and a coalition of international governments and business interests announced joint efforts to combat misuse of such technologies.

In its quarterly threat report, Meta detailed actions taken against Italian companies Cy4Gate, one of its subsidiaries called RCS Labs, IPS Intelligence and Negg Group; Spanish firms Variston IT, its subsidiary and exploit developer TrueL IT, and Mollitiam Industries; and a UAE-based firm called Protect Electronic Systems.


Each of the firms used fake accounts on Meta’s platforms — some that employed artificially generated profile photos — to scrape information about potential targets, set up phishing attacks, perform social engineering or gather target device and location information using IP logging links, for instance.

In other cases, the firms would test their capabilities and exploits by sending them via their own fake accounts to other fake accounts controlled by the firms, Meta said.

In one case, Meta took down a network of Facebook and Instagram accounts with ties to the Spanish firm Variston IT, its Italian subsidiary and exploit developer TrueL IT, and the UAE’s Protect Electronic Systems. Google had previously detailed intrusion campaigns conducted with Variston technology, but Meta said Wednesday that on its platforms “they used fake accounts for exploit development and testing, including sharing of malicious links and placing calls between their own accounts in an apparent attempt to validate iOS and Android-targeting capabilities.”

Meta said that while it only has visibility into what happens on its platforms — which represent a small slice of campaigns that typically occur across a variety of internet services — it is taking continuous steps to identify and crack down on illicit spyware-connected activity. The company will continue to share information with the public and industry peers, take legal actions where appropriate, alert people targeted by spyware and share information with governments and regulators to strengthen policies and defense strategies.

Spyware firms are also evolving, Meta noted, including by incremental improvements to AI-generated photos, removing or limiting scraping capabilities in their products, patching or updating code that gives away malicious activity, changing back-end infrastructure, changing corporate names or pausing activity for limited periods.


Meta has also taken technological steps to make exploitation harder, it said, such as code updates to Messenger and WhatsApp to reduce attack surfaces.

The company also offered recommendations for further actions from government regulators and the financial backers and investors tied to the firms.

“We believe that our latest recommendations for countering the surveillance-for-hire industry are applicable to a wide range of defender teams — from tech companies and the financial sector to governments and civil society,” Meta said in the report. “Our hope is to see them serve as a force multiplier in raising our collective defenses against the abuse by spyware.”

Latest Podcasts