A California court has ordered Israeli spyware merchant NSO Group to pay $167.25m in punitive damages, and $444,719 in compensatory damages, for enabling state-backed hacks of mobile devices belonging to 1,400 users of Meta’s WhatsApp messaging service.
The judgment, handed down this week in a federal courthouse, comes five months after US district judge Phyllis Hamilton ruled in favour of Meta in the case, having reviewed evidence that NSO’s Pegasus code had transited WhatsApp’s California-based servers 43 times during May 2019 after exploiting a vulnerability, CVE-2019-3568, in the WhatsApp voice calling feature.
The court had also ruled NSO infringed WhatsApp’s terms of service by using it for malicious or illegal purposes.
Besides spending millions of dollars every year hacking and developing malicious exploits for instant messaging apps, mobile browsers and operating systems, NSO became tainted after campaigners exposed systemic wrongdoing by its customers, mostly government agencies and many in states hostile to Israel.
Details of how its notorious zero-click spyware package Pegasus was misused started to trickle out following a lengthy investigation by Citizen Lab, an interdisciplinary laboratory based at the University of Toronto’s Munk School of Global Affairs. Famously, Pegasus was implicated in the murder of a Washington Post journalist by the Saudi Arabian government, among many other things.
NSO has always maintained that it had no responsibility for how its products were used, but repeatedly insisted that it thoroughly vetted its government customers. It appears likely that this disconnect proved a significant factor in Meta’s victory.
NSO has additionally been subjected to US sanctions and has also been sued by Apple, although that case was dropped in 2024 for security reasons.
In a blog post, a Meta spokesperson hailed an “important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone”.
The firm said: “Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.
“For the first time, this trial put spyware executives on the stand and exposed exactly how their surveillance-for-hire system – shrouded in so much secrecy – operates. Put simply, NSO’s Pegasus works to covertly compromise people’s phones with spyware capable of hoovering up information from any app installed on the device. Think anything from financial and location information to emails and text messages, or as NSO conceded: ‘every kind of user data on the phone.’ It can even remotely activate the phone’s mic and camera – all without people’s knowledge, let alone authorisation.”
It said that it would continue to pursue mercenary spyware vendors in the courts, describing their “malicious” technologies as a “threat to the entire ecosystem.”
Cyber accountability
“[The[ verdict against NSO is an enormous victory for digital rights and for victims of Pegasus spyware around the world,” said Access Now senior tech legal counsel, Natalkia Krapiva.
“Congratulations to Meta for sticking with their lawsuit and holding NSO to account. We urge other companies whose infrastructure and users are targeted by NSO and other spyware companies to explore filing similar legal actions.”
Michael De Dora, US policy and advocacy manager at Access Now, added: “This verdict sends a clear message to spyware companies that targeting people through US-based platforms will come with a high price. It underscores the importance of US institutions protecting the digital infrastructure and individuals that rely on it from unlawful surveillance.”
Carolyn Crandall, CMO at AirMDR, a supplier of AI-enabled managed detection and response (MDR) services, described a defining moment for accountability in cyber security, but said that the ruling opened up potentially difficult new questions for some organisations.
“By holding a spyware vendor liable for how its tools were used, the court has drawn a clear line between those who knowingly enable illicit hacking and those who build dual-use defensive solutions in good faith,” she said.
“But it also raises an important question: where will courts draw that line next? As more cyber security tools blur the boundary between offence and defence, transparency and intent will become defining factors. Tools like Mimikatz underscore the complexity of dual-use software, originally developed for security research and red teaming, yet widely exploited by threat actors.
“In a shifting legal landscape, how such tools are governed, documented, and distributed will increasingly influence how they are interpreted, and whether their creators are pulled into the crosshairs. The days of plausible deniability are fading, and vendors must get ahead of that curve,” said Crandall.
Appeal possible
In a statement shared with Courthouse News, NSO’s Gil Lanier said the company maintained its stance that its technology plays a critical role in stopping serious crime and terrorism, and has been “deployed responsibly” by governments. He claimed NSO’s technology had saved many lives, including in the US, and that this evidence had been excluded from the jury’s consideration. The firm has indicated that it plans to appeal.
Meta said it had a long road ahead to collect the awarded damages from cash-strapped NSO, but added that it does intent to do so. Ultimately, it said, it would like to make a significant donation to digital rights organisations that have been working tirelessly to expose the activities of mercenary spyware firms and provide guidance and protection to at-risk users.
