A federal jury on Tuesday decided that NSO Group must pay Meta-owned WhatsApp WhatsApp approximately $168 million in monetary damages, more than four months after a federal judge ruled that the Israeli company violated U.S. laws by exploiting WhatsApp servers to deploy Pegasus spyware, targeting over 1,400 individuals globally.
WhatsApp originally filed the lawsuit against NSO Group in 2019, accusing the latter of using Pegasus to target journalists, human rights activists, and political dissidents.
Court documents released as part of the trial have revealed that 456 Mexicans were targeted during the campaign, followed by 100 victims in India, 82 in Bahrain, 69 in Morocco, and 58 in Pakistan. In total, individuals across 51 different countries were targeted.
The attacks leveraged a then zero-day vulnerability in WhatsApp’s voice calling feature (CVE-2019-3568, CVSS score: 9.8) to trigger the deployment of the spyware.
In a ruling issued in December 2024, United States District Judge Phyllis J. Hamilton noted that Pegasus was sent through WhatsApp’s California-based servers 43 times during the relevant time period in May 2019.
“Our case against spyware developer NSO made history when the court found that they broke both federal and state laws in the United States in December,” Will Cathcart, head of WhatsApp at Meta, said in a statement on X.
“And the jury’s verdict today to punish NSO is a critical deterrent to the spyware industry against their illegal acts aimed at American companies and our users worldwide.”
Cathcart added the company’s next step is to secure a court order to prevent NSO from ever targeting WhatsApp again, adding it will be making a donation to digital rights organizations that are working to defend people against such attacks across the world.
In addition to the $167,254,000 in punitive damages, the jury determined that NSO Group must pay WhatsApp $444,719 in compensatory damages for the significant efforts WhatsApp engineers made to block the attack vectors.
The development is a major victory for privacy advocates and human rights organizations, who have repeatedly called out NSO Group for licensing its potent surveillance software to customers for keeping tabs on members of civil society.
While NSO Group tried to evade liability by claiming that it does not have visibility into what its clients do with Pegasus, Judge Hamilton pointed out it cannot claim that “its intent is to help its clients fight terrorism and child exploitation, and on the other hand say that it has nothing to do with what its client does with the technology, other than advice and support.”
“NSO was forced to admit that it spends tens of millions of dollars annually to develop malware installation methods including through instant messaging, browsers, and operating systems and that its spyware is capable of compromising iOS or Android devices to this day,” Meta said.
In a statement shared with Courthouse News and POLITICO, NSO Group said its technology plays a crucial role in preventing serious crime and terrorism, and that it intends to pursue appropriate legal remedies. The company was sanctioned by the U.S. government in 2021 for engaging in “malicious cyber activities.”
Apple, which filed a similar lawsuit against NSO Group, dropped it in September 2024, saying that continuing it could reveal sensitive details of its security program.
