The digital surveillance world has once again intersected with the daily technology this time via one of the most popular messaging systems on earth. WhatsApp has shunned the light and exposed that an Italian spyware firm duped about 200 users to install a fake copy of the application, which was actually designed to stalk its victims. The event poses immediate concerns over the increasing commercialisation of spyware technology and how it is becoming more sophisticated with sophisticated means used to enlist it against the common people.
WhatsApp claimed that it was done by ASIGINT, a subsidiary of SIO, a surveillance company based in northern Italy, whose site talks of its services as high-performance, field-proven cyber intelligence solutions and technology. The Meta-owned messaging service affirmed that the campaign was highly targeted and it solely relied on deceit to persuade the victims to install what it described as malicious software that purported to be WhatsApp. The counterfeit app looked realistic enough to the point of convincing those who were the targeted audience, and this is why the amount of technical investment that went into its creation was remarkable.
What is disturbing about this occurrence, besides the means, is the degree of trust that it took advantage of. More than two billion people use WhatsApp around the world, and there is an unofficial guarantee of the safety and end-to-end encryption. When a company creates a bogus copy of the same platform to spy on its targets, it is not only a technical violation but also an intentional misuse of the trust that users have placed in a tool they use every day to communicate with others on a personal and professional level. WhatsApp claimed that the victims were mostly in Italy, but there was probably no reason why they should have suspected that the software they were downloading was not genuine.
The website of SIO offers a different representation of the company as a technology partner to law enforcement and intelligence agencies, indicating that it collaborates with “Law Enforcement Agencies, Government Organizations, Police and Intelligence Agencies. This framing is typical of vendors of commercial surveillance, who tend to frame their tools as legitimate governmental purposes. But there is a thin boundary between the state-sanctioned intelligence collection and intrusive, ethically dubious surveillance and such an event has fueled a heated debate among international communities and such an incident only further intensifies the discussion. SIO did not comment when approached at the time of reporting, and the interior ministry of Italy passed the query to the police, which also did not respond promptly.
This is not a one-off event in the recent past of Italy where surveillance technology is involved. WhatsApp observes that this is the second occasion in a period of fifteen months that Meta has publicly interfered with spyware-related operation involving Italian organizations. The nation continues to grapple with the political and legal fallout of another surveillance scandal that emerged in the early half of 2025, which involved spyware created by Paragon, an American-owned company. The episode caused a lot of controversy and Italy and Paragon are no longer in a relationship. Such incidences happening in such a short period of time imply that the relationship that Italy has with commercial spyware vendors is not an isolated accident but a systemic problem.
The bigger picture is huge in this case. The commercial spyware sector has grown considerably over the last ten years, and dozens of companies in Europe, the Middle East, and others are now providing governments and agencies with the ability to crack encrypted messages, turn on cameras and microphones on devices and steal data without leaving any trace. What was previously the preserve of the national intelligence agencies of the nation-states has now been turned into a market, with the level of oversight, regulation, and ethical responsibility varying according to the country of operation. Italy, as most European countries, has been unable to come up with clear cut boundaries that can be enforced regarding the use of such tools.
It is also worth analyzing the targeting of WhatsApp in particular. Being among the only mass-market apps to use end-to-end encryption as a default, WhatsApp has been a specific target of surveillance players due specifically to the fact that the communications through the platform are otherwise very challenging to intercept. Instead of cracking the encryption, such operations as the one that ASIGINT is supposed to have performed circumvent it completely by breaking into the device they are encrypting even before any message is sent through it. A counterfeit copy of the app, after installation, is able to pull all the information typed, viewed or heard by the user right to whoever is controlling the spyware infrastructure. It is a beautiful and most disturbing workaround.
The move by Meta to publicise this information is a continuation of the company leveraging on transparency as a defence and image-making mechanism. WhatsApp is placing a pressure on a fairly opaque sector by calling ASIGINT and SIO. It is yet to be established whether that pressure is going to lead to any significant regulatory action, especially at the European Union and Italy. The EU has gone a long way in legislation pertaining to data privacy, yet the commercial spyware world keeps on changing at a higher rate than laws that are set to restrict it.
To the few 200 individuals who were targeted in this campaign, the experience is much more personal than a policy debate. The awareness that personal messages, location information and online behaviour may have been security surveilled without authorization is a deep infringement of privacy, which can have promising psychological and professional repercussions. The objects of such surveillance in most of these instances are journalists, activists, lawyers, or political figures – individuals whose livelihood and professional success requires confidentiality and disclosure can be costly in the real world.
