Italian spyware firm exploited WhatsApp’s design flaws to surveil 200+ targets: systemic failure of digital security governance exposed

Indigenous communities globally have long navigated state surveillance through non-digital or decentralised communication, treating digital platforms as inherently compromised. The WhatsApp incident underscores how corporate spyware replicates colonial tactics of control, where 'security' is weaponised against marginalised groups. Traditional knowledge systems often prioritise collective consent and transparency, contrasting with the extractive data practices of platforms like WhatsApp.

The use of spyware mirrors historical patterns of state-sponsored surveillance, from Cold War phone tapping to apartheid-era censorship, where technology served authoritarian ends. Italian firms like Hacking Team have long exported surveillance tools to repressive regimes, revealing a 20-year continuity of mercenary cyberwarfare. The incident echoes the 1970s Church Committee revelations, where corporate complicity in state surveillance was exposed but never fully dismantled.

In the Global South, surveillance is often a tool of political repression and economic extraction, with spyware deployed against activists and journalists at alarming rates. African digital rights groups have documented how Italian and Israeli firms sell surveillance tech to authoritarian regimes, normalising digital repression as 'security.' Latin American communities use encrypted networks like Briar or Signal’s 'sealed sender' to resist state and corporate surveillance, drawing on indigenous traditions of communal secrecy.

The attack exploited WhatsApp’s VoIP implementation flaws, where malicious GIFs or calls could trigger spyware installation without user interaction. Peer-reviewed research shows that 90% of spyware infections occur via social engineering, not technical exploits, highlighting the need for user education alongside software fixes. The incident aligns with documented cases of NSO Group’s Pegasus, where zero-click exploits leveraged platform vulnerabilities, demonstrating a reproducible attack vector.

Artists like Trevor Paglen have long exposed the aesthetics of surveillance, framing spyware as a tool of visual and cognitive colonisation. Indigenous storytellers in Australia and Canada depict digital surveillance as a continuation of colonial 'seeing'—where land and bodies are mapped and controlled. Spiritual traditions across cultures warn of the 'evil eye' as a metaphor for invasive gaze, resonating with the psychological toll of spyware on targeted individuals.

If unchecked, mercenary spyware will proliferate alongside AI-driven disinformation, creating a dystopian feedback loop where states and corporations surveil and manipulate populations simultaneously. Future scenarios include 'surveillance-as-a-service' markets where even non-state actors can purchase targeted intrusion tools. Regulatory fragmentation will likely lead to a 'cyber-arms race,' where weaker states and corporations become proxy vectors for great-power espionage.

Marginalised users—journalists, LGBTQ+ activists, and ethnic minorities—are disproportionately targeted by spyware, facing imprisonment, violence, or assassination. The WhatsApp case likely affected dissidents in authoritarian states, yet their stories are erased in mainstream coverage. Grassroots groups like Access Now and Citizen Lab have documented how spyware exacerbates existing power imbalances, silencing voices critical of corporate and state power.