NSO Group Hit with $168m Fine for WhatsApp Pegasus Spyware Abuse

The world of cybersecurity has just seen a major victory for digital rights and victims of spyware abuse. After years of legal proceedings, NSO Group, the Israeli spyware vendor behind the notorious Pegasus tool, has been hit with a staggering fine of $168 million in punitive damages.

In May 2023, a California federal jury found that NSO Group owes Meta, the owner of WhatsApp, $167.254 million in punitive damages for hacking into approximately 1,400 WhatsApp users' devices. The company also has to pay an additional $444,719 in compensatory damages. This decision marks a significant milestone in the six-year-long legal battle between NSO and Meta.

In May 2019, engineers at Meta detected and stopped an attempt by NSO to use its spyware tool, Pegasus, to target over 1,000 WhatsApp users, including human rights activists, journalists, and diplomats. At that time, Meta collaborated with Citizen Lab to further investigate and alert the individuals believed to have been targeted.

The company took NSO Group to court in October 2019, seeking justice for the victims of this cyberattack. In this case, Meta was supported by many other tech companies, as well as NGOs and human rights defenders. The case gained international attention, with a group of NGOs, including Access Now, Amnesty International, the Internet Freedom Foundation, Paradigm Initiative, Privacy International, and Reporters Without Borders, submitting an amicus brief in December 2020.

The brief highlighted the stories of civil society victims of NSO's spyware. In November 2022, the group asked the US Solicitor General to consider NSO's human rights conduct when making recommendations to the US Supreme Court about the case. After the 9th Circuit Court ruled against NSO and the US Supreme Court denied hearing NSO's appeal, the case went back to the District Court in Northern California.

In January 2025, a US District Court of Northern California judge ruled that NSO had violated federal and California state hacking statutes and breached WhatsApp's Terms of Service. This ruling left the jury to decide only on the amount of damages NSO would have to pay.

The Scope of the Attack

According to court documents made public during the trial, the targeting campaign affected 456 individuals in Mexico, followed by 100 in India, 82 in Bahrain, 69 in Morocco, and 58 in Pakistan. The scope of the attack was widespread, with victims identified in a total of 51 countries.

To install the spyware on targeted devices, the attackers exploited a critical zero-day vulnerability in WhatsApp's voice calling feature, identified as CVE-2019-3568, which carried a CVSS score of 9.8. This exploitation allowed NSO's Pegasus tool to compromise devices without requiring any interaction from the user.

A Major Victory for Digital Rights

Meta has hailed this decision as "an important step forward for privacy and security" and "the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone." The company also released unofficial transcripts of deposition videos featuring NSO's leadership team members, which were shown in open court.

"Now, for the first time, this trial put spyware executives on the stand and exposed exactly how their surveillance-for-hire system – shrouded in so much secrecy – operates," Meta said. "We will continue going after spyware vendors indiscriminately targeting people around the world."

A New Frontier in Cybersecurity

NSO Group has suggested it could appeal the decision.

"We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies," the company said. However, this victory marks a significant blow to NSO's secrecy, and its business will likely be impacted as customers and investors take notice.

Natalia Krapiva, Senior Tech Legal Counsel at Access Now, described the ruling as "an enormous victory for digital rights and victims of Pegasus spyware around the world." She added that she congratulates Meta for sticking with their lawsuit and holding NSO to account. "We urge other companies whose infrastructure and users are targeted by NSO and other spyware companies to explore filing similar legal actions," Krapiva said.

John Scott-Railton, Senior Researcher at Citizen Lab, highlighted that the ruling is also a blow to NSO's secrecy, with its business splashed all over a courtroom. "This will scare customers. And investors," he noted.