
In a historic legal victory for digital privacy, a U.S. federal jury has ordered Israeli spyware vendor NSO Group to pay over $167 million in damages to WhatsApp, marking the first successful lawsuit against a spyware company for illegally targeting users of a U.S. tech platform.
The case centers on a 2019 spyware campaign that exploited a vulnerability in WhatsApp’s audio-calling system to covertly deliver NSO’s Pegasus spyware to approximately 1,400 users. Victims included journalists, human rights defenders, diplomats, and other members of civil society. According to Meta, the parent company of WhatsApp, the attack was quickly detected and blocked by WhatsApp engineers, who then partnered with the University of Toronto’s Citizen Lab to investigate the scope of the intrusion.
The jury’s verdict awards WhatsApp $167,254,000 in punitive damages and $444,719 in compensatory damages. The compensatory sum reflects the resources Meta dedicated to investigating the incident, patching the exploited vulnerability, and notifying affected users. The ruling follows an earlier decision in December 2024 by U.S. District Judge Phyllis Hamilton, who found NSO liable for violations of the federal Computer Fraud and Abuse Act (CFAA), California’s data access law (CDAFA), and WhatsApp’s terms of service.
This case is a rare example of a spyware vendor being held accountable in court. During the trial, NSO executives were compelled to testify, offering an unusual glimpse into how the Pegasus platform operates. The spyware is capable of extracting virtually all user data from infected devices (including texts, emails, photos, financial records, and real-time location) while also covertly activating microphones and cameras. The tool has historically been marketed to government clients, but civil society groups have repeatedly shown it being used against dissidents and activists.
NSO Group, headquartered in Herzliya, Israel, is among the most prominent players in the controversial “surveillance-for-hire” industry. The company has claimed its software is used exclusively by governments for lawful investigations, but evidence presented during the trial showed that NSO maintained direct control over Pegasus infrastructure and invested tens of millions annually into researching new infection vectors, including via browsers, messaging apps, and mobile operating systems.
The company’s misuse of WhatsApp infrastructure involved a component referred to in legal filings as the WhatsApp Installation Server (WIS), which coordinated the delivery and installation of Pegasus onto victims’ phones. Technical data and internal records submitted to the court confirmed that NSO was actively involved in targeting and deploying the malware, despite its claims that government clients were solely responsible for operations.
Founded in 2009, WhatsApp is one of the world’s most widely used encrypted messaging platforms, serving over two billion users globally. Its end-to-end encryption has made it a critical communication tool for at-risk populations, but also a frequent target for exploitation by commercial surveillance vendors. Meta has positioned the lawsuit as part of a broader campaign to defend user privacy against spyware companies that operate in legal gray zones.
The trial also uncovered that WhatsApp was just one of many targets. Pegasus has reportedly been deployed through multiple vectors against other encrypted communication services and mobile platforms. NSO’s admission that it continues to develop spyware capable of infecting both Android and iOS devices underscores the ongoing threat posed by commercial surveillance technology.
WhatsApp now plans to seek a court order barring NSO from targeting its users again and intends to donate any recovered damages to digital rights organizations combating spyware abuse. Meanwhile, NSO’s spokesperson indicated the company is considering an appeal.
This ruling significantly damages NSO’s legal standing and could have far-reaching implications for the spyware industry, which has until now operated largely without judicial scrutiny.