Meta (formerly Facebook) has removed seven surveillance-for-hire that targeted users across 100 countries including journalists, activists, politicians, lawyers and doctors.

"The global surveillance-for-hire industry targets people across the internet to collect intelligence, manipulate them into revealing information and compromise their devices and accounts. These companies are part of a sprawling industry that provides intrusive software tools and surveillance services indiscriminately to any customer — regardless of who they target or the human rights abuses they might enable," the social media major said in a blog post

"This industry “democratizes” these threats, making them available to government and non-government groups that otherwise wouldn’t have these capabilities," it said.

Malicious links

These entities that Meta removed were based in China, Israel, India, and North Macedonia and were linked to around 1,500 accounts on Facebook and Instagram.

It also alerted around 50,000 people who the company believed were targeted by these malicious activities worldwide, using the alert system that it had launched in 2015.

Among the seven companies was India-based BellTroX. Meta removed about 400 Facebook accounts," the vast majority of which were inactive for years" linked to the company that were used for reconnaissance, social engineering and to send malicious links.

"BellTroX is based in India and sells what’s known as “hacking for hire” services, which were reported on by researchers at the Citizen Lab and Reuters. Its activity on our platform was limited and sporadic between 2013 and 2019, after which it paused," Meta explained.

"BellTroX operated fake accounts to impersonate a politician and pose as journalists and environmental activists in an attempt to social-engineer its targets to solicit information including their email addresses, likely for phishing attacks at a later stage," it added.


Among those targeted were lawyers, doctors, activists, and members of the clergy in countries including Australia, Angola, Saudi Arabia, and Iceland.

Apart from BellTroX, it also removed 200 accounts operated by Cobwebs and its customers worldwide. The firm was founded in Israel with offices in the United States and sells access to its platform that enables reconnaissance across the internet, including Facebook, Instagram, WhatsApp, Twitter, Flickr, public websites and “dark web” sites, Mera said.

Its investigation identified customers in Bangladesh, Hong Kong, the United States, New Zealand, Mexico, Saudi Arabia, Poland, and other countries. Apart from targeting law enforcement activities, it also observed frequent targeting of activists, opposition politicians and government officials in Hong Kong and Mexico.

Another entity removed was Israel-based Cognyte. Around 100 accounts on Facebook and Instagram linked to the company (formerly known as WebintPro) and its customers were removed.

"The firm sells access to its platform which enables managing fake accounts across social media platforms including Facebook, Instagram, Twitter, YouTube, and VKontakte (VK), and other websites to social-engineer people and collect data," Meta explained.

Customers were identified in Israel, Serbia, Colombia, Kenya, Morocco, Mexico, Jordan, Thailand, and Indonesia.

Their targets included journalists and politicians around the world.

Around 300 Facebook and Instagram accounts linked to Black Cube, an Israeli-based firm with offices in the UK, Israel and Spain were removed.

"It provides surveillance services that include social engineering and intelligence gathering. Black Cube operated fictitious personas tailored for its targets: some of them posed as graduate students, NGO and human rights workers, and film and TV producers," it said.

"Our investigation found a wide range of customers, including private individuals, businesses, and law firms around the world," it added.

Targets were found across industries, including the medical, mining, minerals and energy industries. It also included NGOs in Africa, Eastern Europe, and South America, as well as Palestinian activists. They also targeted people in Russia associated with universities, the telecom, high tech, consulting, legal, and financial industries, real estate development and media, Meta said.

Fake accounts

It removed about 100 Facebook accounts linked to Bluehawk, a firm based in Israel with offices in the UK and the US. The firm sells a wide range of surveillance-for-hire activities that included social engineering, gathering of litigation-related intelligence about people, and managing fake accounts to trick them into installing malware, as per the report.

"The individuals behind this firm showed persistence and continued to try to come back to our platform after we took down dozens of their accounts," Meta said.

These fake accounts posed as journalists working for existing media organisations such as La Stampa in Italy and Fox News in the US to trick their targets into giving an on-camera interview.

Most recently, Bluehawk attempted to create accounts claiming to be based in Argentina, it added.

About 300 accounts on Facebook and Instagram linked to Cytrox, a North Macedonian were removed. The firm develops exploits and sells surveillance tools and malware that enable its clients to compromise iOS and Android devices.

It had customers in Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Côte d’Ivoire, Vietnam, the Philippines, and Germany. Targets of Cytrox and its customers included politicians and journalists around the world, including in Egypt and Armenia.

"Our findings suggest that Cytrox likely provided services to another threat actor known in the security community as Sphinx, which targeted people in Egypt and its neighboring countries," it said.

Last on the list was an unknown entity in China where around 100 Facebook and Instagram accounts linked to the unidentified entity were removed. It was responsible for developing surveillance-ware for Android, iOS, Windows, and also Linux, Mac OS X, and Solaris operating systems.

"It also engaged in reconnaissance and social engineering activity before delivering malicious payload to its targets," it said.

"Our investigation found that malware tools were used to support surveillance against minority groups throughout the Asia-Pacific region, including in the Xinjiang region of China, Myanmar, and Hong Kong," it added.

The “surveillance-for-hire” entities violated multiple Community Standards and Terms of Service.

"Given the severity of their violations, we have banned them from our services. We recently updated it to provide people with more granular details about the types of targeting and the actor behind it so they can take steps to protect their accounts, depending on the phase of the surveillance attack chain we detect in each case," Meta further said.