NSO Group Hit with $168m Fine for WhatsApp Pegasus Spyware Abuse

For the first time, after years of legal proceedings over its use of spy tools targeting politicians, activists, journalists and civil society advocates, NSO Group will have to pay damages.
On May 6, a California federal jury found that the Israeli spyware vendor owes $167.254 million in punitive damages for hacking into about 1400 WhatsApp users’ devices. It will also have to pay $444,719 in compensatory damages to Meta, the owner of WhatsApp.
This decision follows a six-year legal battle between NSO and Meta.
In May 2019, engineers at Meta detected and stopped an attempt by NSO to use its spyware tool, Pegasus, to target over a thousand WhatsApp users, including human rights activists, journalists and diplomats.
At the time, Meta collaborated with Citizen Lab to further investigate and alert the individuals they believed had been targeted. The company took NSO Group to court in October 2019.
In this case, Meta was supported by many other tech companies as well as NGOs and human and digital rights defenders.
In December 2020, a group of NGOs, including Access Now, Amnesty International, the Internet Freedom Foundation, Paradigm Initiative, Privacy International and Reporters Without Borders, submitted an amicus brief which highlighted the stories of civil society victims of NSO when the case was heard by the US Federal 9th Circuit Court.
In November 2022, the group of NGOs asked the US Solicitor General to consider NSO’s human rights conduct when making recommendations to the US Supreme Court about the case.
After the 9th Circuit Court ruled against NSO and the US Supreme Court declined to hear NSO’s appeal, the case went back to the District Court in Northern California.
In January 2025, a US District Court of Northern California judge ruled that NSO had violated federal and California state hacking statutes and breached WhatsApp’s Terms of Service, leaving the jury to decide only on the amount of damages NSO would have to pay.
NSO’s Pegasus Exploited WhatsApp Zero-Day Vulnerability
NSO Group’s Pegasus is a type of “zero-click” spyware, allowing attackers to compromise a target’s device without requiring any interaction, such as clicking on a link or opening a message. Investigative reports have revealed that governments have used Pegasus to surveil and monitor opposition figures, human rights advocates, activists and journalists.
According to court documents made public during the trial, the targeting campaign affected 456 individuals in Mexico, followed by 100 in India, 82 in Bahrain, 69 in Morocco and 58 in Pakistan. The scope of the attack was widespread, with victims identified in a total of 51 countries.
The attackers exploited a critical zero-day vulnerability in WhatsApp’s voice calling feature, identified as CVE-2019-3568, which carried a CVSS score of 9.8, to install the spyware on targeted devices.
Meta has published unofficial transcripts of deposition videos featuring NSO’s leadership team members, which were shown in open court.
NSO Group Could Appeal
In a public statement, Meta called this decision “an important step forward for privacy and security” and “the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone.”
“Now, for the first time, this trial put spyware executives on the stand and exposed exactly how their surveillance-for-hire system – shrouded in so much secrecy – operates. Given how much information people access on their devices, including through private end-to-end encrypted apps like WhatsApp, Signal and others, we will continue going after spyware vendors indiscriminately targeting people around the world,” the company added.
Meta also decided to donate to digital rights organizations working to defend people against such attacks around the world.
“Our next step is to secure a court order to prevent NSO from ever targeting WhatsApp again,” the company concluded.
NSO Group suggested it could appeal the decision.
“We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies,” the company said.
An Important Decision for Spyware Deterrence
Natalia Krapiva, Senior Tech Legal Counsel at Access Now, said the ruling is “an enormous victory for digital rights and victims of Pegasus spyware around the world.”
“Congratulations to Meta for sticking with their lawsuit and holding NSO to account. We urge other companies whose infrastructure and users are targeted by NSO and other spyware companies to explore filing similar legal actions,” she added.
In a series of Bluesky posts in reaction to the decision, John Scott-Railton, Senior Researcher at Citizen Lab, highlighted that the ruling “is also a blow to NSO’s secrecy, with their business splashed all over a courtroom. This will scare customers. And investors.”