Seven Things We Learned From WhatsApp vs. NSO Group Spyware Lawsuit
The jury has delivered its verdict in the long-running lawsuit between WhatsApp and NSO Group, the infamous spyware maker. In a major victory for Meta-owned WhatsApp, the court ordered NSO Group to pay over $167 million in damages. This ruling concludes a legal battle that spanned more than five years, starting in October 2019 when WhatsApp accused NSO Group of hacking over 1,400 of its users by exploiting a vulnerability in WhatsApp's audio-calling functionality.
The trial featured several testimonies, including NSO Group's CEO Yaron Shohat and WhatsApp employees who responded to and investigated the incident. Even before the trial began, the case had uncovered several revelations, including that NSO Group had cut off 10 of its government customers for abusing its Pegasus spyware, the locations of 1,223 of the victims of the spyware campaign, and the names of three of the spyware maker's customers: Mexico, Saudi Arabia, and Uzbekistan.
The WhatsApp Attack Works Like This
The zero-click attack, which means the spyware required no interaction from the target, "worked by placing a fake WhatsApp phone call to the target," as WhatsApp's lawyer Antonio Perez said during the trial. The lawyer explained that NSO Group had built what it called the "WhatsApp Installation Server," a special machine designed to send malicious messages across WhatsApp's infrastructure mimicking real conversations.
NSO Group's Financial Struggles
During the trial, NSO Group's CEO Yaron Shohat disclosed a small but notable detail: NSO Group and its parent company, Q Cyber, have a combined number of employees totaling between 350 and 380. Around 50 of these employees work for Q Cyber. The spyware maker lost $9 million in 2023 and $12 million in 2024, with the company also revealing it had $8.8 million in its bank account as of 2023 and $5.1 million in the bank as of 2024.
NSO Group's financial struggles are highlighted by the fact that the company burns through around $10 million each month, mostly to cover the salaries of its employees. Additionally, it was revealed that Q Cyber had around $3.2 million in the bank both in 2023 and 2024. The company's research and development unit spent some $52 million in expenses during 2023, and $59 million in 2024.
NSO Group's Pricing Model
Shohat also said that NSO Group's customers pay "somewhere in the range" between $3 million and "ten times that" for access to its Pegasus spyware. This pricing model was a key factor in the company's financial struggles, as the high costs of maintaining the operation made it difficult for NSO Group to meet its commitments.
Expert Insights
The case has significant implications for the cybersecurity industry and beyond. Experts from OpenAI, Anthropic, Cohere delivered exclusive insights during an industry event, discussing topics such as AI and startups building AI solutions. These developments come at a time when Saudi prince launches an AI venture and major figures like Trump, Musk, Altman, and Zuckerberg arrive for a conference.
Conclusion
The WhatsApp vs. NSO Group spyware lawsuit has delivered significant verdicts that shed light on the inner workings of one of the most notorious cybersecurity companies in the world. The revelations about NSO Group's financial struggles, pricing model, and operations highlight the need for greater accountability and regulation in the industry.