Facebook Owner Meta Set for $167 Million Windfall After NSO Group Ordered to Pay Up Over WhatsApp Spyware Campaign

In a significant victory for digital rights, Facebook owner Meta has been awarded over $167 million in punitive damages and nearly half a million dollars ($445,000) in compensatory damages from Israeli cyber-intelligence firm NSO Group. The fines stem from a five-year legal battle that began in 2019, following a hacking campaign that targeted over 1,400 WhatsApp users.

The attack, which exploited an audio calling vulnerability on the mobile app, affected high-profile individuals and public figures, including journalists, activists, and diplomats. NSO Group's Pegasus spyware was capable of accessing emails, texts, financial data, location data, and remote camera and microphone activation.

How Did NSO Group Use WhatsApp Spyware?

NSO Group used the Pegasus spyware to covertly compromise people's phones, allowing it to "hoover up information from any app installed on the device," according to Meta. This means that once the spyware was installed, it had access to all the data stored on the device, including sensitive information and personal communications.

Meta noted that Pegasus was not WhatsApp's only target, but rather a tool designed to compromise people's phones with spyware capable of hoovering up information from any app installed on the device. The tech giant also confirmed that NSO Group spends tens of millions of dollars annually to develop malware installation methods, which can be used via instant messengers, browsers, and operating systems – both iOS and Android.

What Are the Implications of This Ruling?

The ruling is significant not only because of the large amount of money awarded but also because it highlights the risks posed by spyware attacks. NSO Group claims that it sells its spyware to governments only, but there are increasing reports of malicious actors obtaining the spyware and using it to target civilians.

According to The Citizen Lab, Pegasus is designed to be stealthy and evade forensic analysis, avoid detection by anti-virus software, and can be deactivated and removed by operators. However, even after six years, Meta has acknowledged that there could be a long way to go before any damages are paid out.

Meta's Response

In the wake of this ruling, Meta expressed its support for digital rights organizations working to defend people against such attacks around the world. The company stated that it would like to make a donation to these organizations as a result of its success in court.

"Put simply, NSO's Pegasus works to covertly compromise people's phones with spyware capable of hoovering up information from any app installed on the device," Meta explained in an announcement. The company has also acknowledged that there could be a long way to go before any damages are paid out, but it is committed to supporting those affected by such attacks.