In a landmark decision, a U.S. federal jury in California on Tuesday ordered Israeli spyware firm NSO Group to pay nearly $168 million in punitive damages to Meta Platforms Inc., the parent company of WhatsApp.

In addition, the company must pay $444,719 in compensatory damages to Meta for the significant efforts its WhatsApp engineers made to block the attack vectors.

This ruling stems from NSO Group’s use of Pegasus spyware to hack approximately 1,400 WhatsApp users over two weeks between April and May 2019. This decision sets an important precedent for holding spyware developers accountable for unauthorized surveillance activities.

“Today’s verdict in WhatsApp’s case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone,” Meta said in a statement after the ruling was announced.

“Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.”

Background Of The Case

The lawsuit, initiated by WhatsApp on October 29, 2019, in the District Court for the Northern District of California, accused NSO Group of exploiting a vulnerability in WhatsApp’s video calling feature to install Pegasus spyware on users’ devices without their knowledge. The targets included human rights activists, journalists, diplomats, and civil society advocates.

According to the court filings, NSO’s Pegasus spyware was installed through a WhatsApp call that didn’t even require the recipient to answer. Once the call was placed, the malicious code would deploy itself, granting access to a wide range of personal data, including phone calls, emails, encrypted private messages, images, geolocation, and other sensitive data — all without the knowledge of the user.

In December 2024, U.S. District Judge Phyllis Hamilton found NSO Group guilty of violating the U.S. Computer Fraud and Abuse Act (CFAA) and the California Comprehensive Computer Data Access and Fraud Act (CDAFA). The court also found that NSO’s actions breached WhatsApp’s terms of service by accessing its servers without authorization to deploy spyware.

NSO Group’s Response

After its loss in court, NSO Group stated that it plans to appeal the decision, maintaining that its Pegasus software is intended for use by authorized governments to combat crime and carry out anti-terror operations around the world.

“We will carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal,” Lainer added, stating that the company “remains fully committed to its mission to develop technologies that protect public safety” while working within the law.

Meanwhile, Meta has decided to donate to digital rights organizations that are working to defend people against such attacks around the world.

“Our next step is to secure a court order to prevent NSO from ever targeting WhatsApp again,” the company concluded.