NSO Group Ordered to Pay Millions in WhatsApp Hacking Case: A Landmark Decision
For the first time, NSO Group, the Israeli spyware vendor, faces financial penalties for its use of spy tools targeting politicians, activists, journalists, and civil society advocates.
The Verdict: A Blow to Spyware Industry
A California federal jury has ordered NSO Group to pay $167.254 million in punitive damages for hacking into approximately 1,400 WhatsApp users’ devices. The company must also pay $444,719 in compensatory damages to Meta, WhatsApp’s parent company. This decision marks the culmination of a six-year legal battle that began in May 2019, when Meta engineers detected and thwarted an attempt by NSO to deploy its Pegasus spyware against over a thousand WhatsApp users, including human rights activists, journalists, and diplomats.
Did You Know?
Pegasus is a “zero-click” spyware, meaning it can compromise a device without any user interaction, such as clicking a link.
The Genesis of the Lawsuit
Meta’s discovery in 2019 prompted immediate action. The company collaborated with Citizen Lab to investigate the attacks and alert potential targets. In October 2019, Meta officially took NSO Group to court.
Meta received support from numerous tech companies, NGOs, and human and digital rights defenders. In December 2020, a coalition of NGOs, including Access Now, Amnesty International, the Internet Freedom Foundation, Paradigm Initiative, Privacy International, and Reporters Without Borders, submitted an amicus brief highlighting the stories of civil society victims of NSO when the case was heard by the U.S. Federal 9th Circuit Court.
Pro Tip
Amicus briefs provide courts with information from parties not directly involved in a case, offering additional perspectives and expertise.
Legal Battles and Key Rulings
The legal process involved multiple stages:
- November 2022: The NGO group urged the U.S. Solicitor General to consider NSO’s human rights conduct when making recommendations to the U.S. Supreme Court.
- After the 9th Circuit Court Ruling: The U.S. Supreme Court denied hearing NSO’s appeal, sending the case back to the District Court in Northern California.
- January 2025: A U.S. District Court of Northern California judge ruled that NSO had violated federal and California state hacking statutes and breached WhatsApp’s Terms of Service. This ruling limited the jury’s role to determining the amount of damages.
Pegasus: Exploiting WhatsApp’s Vulnerabilities
NSO Group’s Pegasus spyware exploited a critical zero-day vulnerability in WhatsApp’s voice calling feature, identified as CVE-2019-3568, which carried a CVSS score of 9.8. This vulnerability allowed attackers to install the spyware on targeted devices without any user interaction. Court documents revealed that the targeting campaign affected individuals across 51 countries, with significant numbers in Mexico (456), India (100), Bahrain (82), Morocco (69), and Pakistan (58).
Reader Question
How can I protect my device from spyware like Pegasus?
Answer: Keep your software updated, be cautious of suspicious links, and use reputable security apps.
Reactions and Potential Appeal
Meta hailed the decision as an important step forward for privacy and security and the first victory against the progress and use of illegal spyware that threatens the safety and privacy of everyone.
The company added, “Now, for the first time, this trial put spyware executives on the stand and exposed exactly how their surveillance-for-hire system – shrouded in so much secrecy – operates. Given how much information people access on their devices, including through private end-to-end encrypted apps like WhatsApp, Signal and others, we will continue going after spyware vendors indiscriminately targeting people around the world.”
Meta also plans to donate to digital rights organizations and seek a court order to prevent NSO from targeting WhatsApp again.
NSO Group suggested it might appeal the decision, stating, “We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies.”
Industry Perspectives
Natalia Krapiva, Senior Tech Legal Counsel at Access Now, described the ruling as an enormous victory for digital rights and victims of Pegasus spyware around the world.
She urged other companies to follow Meta’s lead and hold spyware companies accountable.
John Scott-Railton, Senior Researcher at Citizen Lab, noted that the ruling is also a blow to NSO’s secrecy, with their business splashed all over a courtroom. This will scare customers. And investors.