Meta says 50,000 people were targeted by 'surveillance for hire' companies

Facebook banned seven companies for their 'malicious' activity.

Dado Ruvic / reuters

Meta has banned seven “surveillance for hire” companies that targeted at least 50,000 people around the world. The company also banned more than 1,000 accounts associated with these companies.

The companies targeted in the takedowns include Cobwebs, Cognyte, Black Cube, Bluehawk CI, BelltroX and Cytrox. Facebook’s security researchers also identified “an unknown entity in China,” which was “developing surveillanceware” and used facial recognition software. Facebook’s researchers didn’t say who was behind the group, but said the software had been used by “domestic law enforcement” in the country.

While some of the companies make spyware, the groups use other tactics as well, including social engineering with fake accounts in order to gain access to targets’ personal information. During a call with reporters Thursday, Meta’s security chief Nathaniel Gleicher said that while there has been a lot of attention on “hacking for hire” groups like NSO, the broader “surveillance for hire” industry is also troubling. “One of the things that characterizes the surveillance or hire industry is indiscriminate targeting,” he said.

Facebook will warn users who have been targeted.

“Cyber mercenaries often claim that their services and their surveillance were are meant to focus on tracking criminals and terrorists. But our investigation and similar investigations …have demonstrated that the targeting is in fact indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opposition figures and human rights activists.”

In all, Meta says it will notify “around 50,000” people from more than 100 countries who it believes were targeted by these companies. Facebook will recommend these users revisit their privacy settings, and enable additional account security measure like two-factor authentication.

Update 12/16 5:20pm ET: In a statement, a Black Cube representative said the company "does not undertake any phishing or hacking and does not operate in the cyber world." "Black Cube obtains legal advice in every jurisdiction in which we operate in order to ensure that all our agents' activities are fully compliant with local laws," the spokesperson said.