Meta takes down 7 hacking-for-hire operations that targeted 50,000 users

In one case, Meta removed 300 accounts linked to Israeli-based Black Cube that operated as fictitious personas to set up calls with targets.
Facebook's Meta logo. (Photo illustration by Chesnot/Getty Images)

Meta removed seven “surveillance-for-hire” organizations that used Facebook to target at least 50,000 individuals across 100 countries for surveillance operations, some of which included the deployment of spyware, the company announced in a report Thursday.

The operation marks a major step in efforts by the social media company against a sprawling surveillance industry that Facebook security experts warn is becoming more “democratized” and easily accessible to spy on not just high-profile targets, but ordinary users.

The company removed hundreds of accounts belonging to firms known as Israeli Cobwebs Technologies, Cognyte, Black Cube, Bluehawk CI, India-based BellTroX, Macedonia-based Cytrox, and an unknown entity in China. Of the seven firms, only Cobwebs and Cognyte did not engage in what it called “exploitation” phase activities, or actually delivering malware to hack victims.

Facebook sent cease and desist letters to the six named companies.


The social media platform has clashed with the growing spyware market for years. Facebook sued notable spyware vendor NSO Group in 2019 for allegedly using its messaging app WhatsApp to deploy malware used for spying on 1,400 mobile devices. NSO Group has disputed the claims.

Nathaniel Gleicher, head of security policy at Meta, says the latest report aims to highlight how the surveillance industry goes well beyond Israeli-based NSO Group, which is the subject of ongoing scrutiny by the U.S. government, and starts much earlier than attackers deploying spyware onto a target’s phone.

“If we focus only on malware and exploits, then, by the time industry enforces, the government imposes control, by the time civil society exposes these actors — they will already be exploiting people’s phones and surveilling their most private conversations,” said Gleicher. “By moving earlier in the surveillance attack chain … we can hopefully stop this activity earlier,  before those compromises occur.”

The surveillance companies named in the report all appeared to follow a similar playbook to target individuals including but not limited to journalists, dissidents and academics across Africa, Eastern Europe and South America. For instance, Meta removed 300 Facebook and Instagram accounts linked to Israeli-based Black Cube that operated as fictitious personas to set up calls with targets. The fictitious accounts would gather targets’ emails to later send phishing attacks.

“Black Cube does not undertake any phishing or hacking and does not operate in the cyber world,” the firm said in a email statement. “Black Cube is a litigation support firm which uses legal … methods to obtain information for litigations and arbitrations.”


Meta also took down accounts used by Cytrox, a company that Citizen Lab identified in a separate report Thursday as being behind the hacking of two Egyptians, including exiled politician Ayman Nour and an unidentified news journalist. Citizen Lab researchers found that Nour’s phone was infected by both the NSO Group’s Pegasus spyware as well as Predator, a less sophisticated spyware sold by Cytrox. Citizen Lab has identified likely customers of the Cytrox spyware in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia

Meta could not identify how many of the 50,000 possible victims were attacked with malware or other exploitation software.

Political tensions around spyware have risen in recent weeks as the U.S. has taken steps to rebuke the industry, including the November blacklisting of NSO Group and Candiru, another spyware vendor. In December,  U.S. officials alongside counterparts from Australia, Denmark and Norway announced the “Export Controls ad Human Rights Initiative” to address the misuse of technologies to threaten human rights.

Still, lawmakers and advocates have pressed the Biden administration to do more. A group of Democratic lawmakers on Wednesday called on the Treasury Department to sanction NSO Group and three other surveillance firms. Meanwhile, the United Nations and human rights group Amnesty International have called for a full moratorium of sales on surveillance technologies until countries create rules around the technology that safeguard human rights.

The Facebook report also demonstrates that the spyware-for-hire market isn’t only a foreign problem for the U.S. An American division of Cobwebs Technologies, one of the firms removed by Facebook, currently boasts a five-year contract with the Department of Homeland Security.


David Agranovich, director of threat disruption at Meta, said the company welcomes “domestic and international efforts to raise accountability on the industry, in particular through legislation for export controls and other regulatory actions.”

Access Now, a human rights group that has denounced spyware, said it welcomed Facebook’s move.

“It’s really good to see these major platforms finally stepping up and recognizing they are attack vectors and are providing spaces that aren’t as secure as they could be,” said general counsel Peter Micek. “It’s important that companies look at their role in the cyber weaponry ecosystem and where they fall in the workflow of these malicious entities.”

He emphasized that there’s “no silver bullet” for Facebook or any other company alone to fully protect users.

Micek called the number of potential victims notified by Facebook significant and said that while Facebook’s actions are unlikely to deter a sophisticated operation against a high-value target, the company can do a lot to educate the public about how ubiquitous and accessible spyware has become.


CyberScoop was not able to immediately reach Cobwebs Technologies, Cognyte and Bluehawk CI for comment. CyberScoop could not immediately identify contact information for BellTroX and Cytrox.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts