In a landmark decision, a U.S. federal jury in California on Tuesday ordered Israeli spyware firm NSO Group to pay nearly $168 million in punitive damages to Meta Platforms Inc., the parent company of WhatsApp.
Besides this, the company will also have to pay $444,719 in compensatory damages to Meta for the significant efforts its WhatsApp engineers made to block the attack vectors.
This ruling stems from NSO Group’s use of Pegasus spyware to hack approximately 1,400 WhatsApp users over two weeks between April and May 2019. This decision sets an important precedent for holding spyware developers accountable for unauthorized surveillance activities.
โTodayโs verdict in WhatsAppโs case isย an important step forward for privacy and securityย as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone,โ Meta said in aย statementย after the ruling was announced.
โToday, the juryโs decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.โ
Background Of The Case
The lawsuit, initiated by WhatsApp on October 29, 2019, in the District Court for the Northern District of California, accused NSO Group of exploiting a vulnerability in WhatsApp’s video calling feature to install Pegasus spyware on users’ devices without their knowledge. The targets included human rights activists, journalists, diplomats, and civil society advocates.
According to theย court filings (PDF), NSOโs Pegasus spyware was installed through a WhatsApp call that didnโt even require the recipient to answer. Once the call was placed, the malicious code would deploy itself, granting access to a wide range of personal data, including phone calls, emails, encrypted private messages, images, geolocation, and other sensitive data โ all without the knowledge of the user.
In December 2024, U.S. District Judge Phyllis Hamilton found NSO Group guilty of violating the U.S. Computer Fraud and Abuse Act (CFAA) and the California Comprehensive Computer Data Access and Fraud Act (CDAFA). It also found that NSO’s actions breached WhatsApp’s terms of service by accessing its servers without authorization to deploy spyware.
NSO Group’s Response
After its loss in court, NSO Group has stated that it plans to appeal the decision, maintaining that its Pegasus software is intended for use by authorized governments to combat crime and anti-terror operations around the world.
โWe will carefully examine the verdictโs details and pursue appropriate legal remedies, including further proceedings and an appeal,โ Lainer added, stating that the company โremains fully committed to its mission to develop technologies that protect public safetyโ while working within legalities.
Meanwhile, Meta has decided to donateย to digital rights organizations that are working to defend people against such attacks around the world.
โOur next step is to secure a court order to prevent NSO from ever targeting WhatsApp again,โ the company concluded.
