Malik Haidar stands at the intersection of high-stakes corporate security and global threat intelligence. Having spent years shielding multinational organizations from sophisticated state-sponsored actors, he views the digital landscape not just as a network of servers, but as a battlefield of business integrity. In this conversation, we explore the persistent shadow cast by the NSO Group and its recent attempts to circumvent WhatsApp’s defenses through unauthorized accounts and spearphishing. Haidar delves into the implications of the landmark $167 million legal judgment, the terrifying reach of zero-click spyware like Pegasus, and why the fight for secure communications is now a matter of national security.
How do entities like the NSO Group manage to keep launching spearphishing attempts even after being blacklisted and hit with permanent injunctions?
The sheer defiance of these organizations is truly remarkable from a security standpoint, as they continue to treat international regulations as mere speed bumps. By creating unauthorized test accounts and specialized groups on the platform, they are essentially running a laboratory for digital deception to see which social engineering hooks still work. They have moved toward tricking people into clicking malicious links that lead to external sites, a strategy that mimics the very behaviors we’ve spent years training users to avoid. It is a chilling game of persistence where the attacker only needs to be right once, while platforms like WhatsApp have to be right every single second to protect their global user base.
What does the recent court ruling, involving a $167 million payout for hacking 1,400 devices, tell us about the long-term struggle for platform accountability?
This ruling is a massive victory that was six years in the making, proving that the legal system can eventually catch up with even the most elusive spyware vendors. When engineers first detected the Pegasus spyware targeting diplomats and human rights activists, it kicked off a marathon of technical forensics and legal maneuvering. The $167 million in damages serves as a loud warning shot to any firm that believes it can hide behind the “neutral technology provider” defense while its tools are used to suppress dissent. It validates the immense effort required to protect those 1,400 individuals, many of whom were being hunted by repressive regimes using the most sophisticated tools money can buy.
Why does the concept of “zero-click” spyware, particularly the Pegasus tool, remain such a profound nightmare for security experts and high-profile targets alike?
Zero-click exploits are the ultimate weapon because they bypass the most important line of defense we have: human skepticism. When a device can be compromised without the owner ever touching a link—as we saw in the high-profile hacking of Amazon boss Jeff Bezos—the traditional security playbook is essentially thrown out the window. This technology allows attackers to turn a smartphone into a silent spy that records every conversation and tracks every movement of journalists and opposition figures without a single red flag appearing. For a cybersecurity expert, the realization that billions of people worldwide depend on these communications makes the defense against such invisible threats a top-tier priority for global stability.
What is your forecast for the future of commercial spyware and the global initiatives designed to stop it?
I anticipate a significant escalation in this digital arms race as more civil society organizations, including the 12 groups that recently filed amicus briefs, join the fight for transparency. We are going to see a much more collaborative defense model, exemplified by the contribution to the Spyware Accountability Initiative and the public release of the three specific domains used in phishing attacks. While firms like the NSO Group will continue to appeal injunctions and seek loopholes, the growing pressure from the US Commerce Department’s Entity List will make it increasingly difficult for them to source the American components they need. The future of security will not just be about better code, but about creating a global environment where the cost of developing and deploying invasive spyware becomes far too high for any commercial entity to sustain.

