Pierluigi Paganini
May 07, 2025
A U.S. jury ordered NSO Group to pay WhatsApp over $167M for using Pegasus spyware to target over 1,400 people, violating U.S. laws. After a five-year legal battle, a jury ordered NSO Group to pay over $167 million in punitive and over $444,000 in compensatory damages.
“The jury’s decision to force NSO to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and our users worldwide.” reads the post published by WhatsApp after the juty’s rule. “This trial also revealed that WhatsApp was far from NSO’s only target — this is an industry-wide threat and it’ll take all of us to defend against it.”
“We will carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal,” said NSO Group’s spokesperson Gil Lainer.
In December, WhatsApp won a legal case against NSO Group in a U.S. court over exploiting a vulnerability to deliver Pegasus spyware. Will Cathcart of WhatsApp called the ruling a major privacy victory, emphasizing accountability for spyware firms after a five-year legal battle.
Court documents state that on October 29, 2019, plaintiffs filed this lawsuit, alleging that the defendants used WhatsApp to target approximately 1,400 mobile phones and devices to infect them with the surveillance software.
“defendants’ relevant software products, collectively referred to as “Pegasus,” allow defendants’ clients to use a modified version of the Whatsapp application – referred to as the “Whatsapp Installation Server,” or “WIS. The WIS, among other things, allows defendants’ clients to send “cipher” files with “installation vectors” that ultimately allow the clients to surveil target users.” reads the court document. published “As mentioned above, plaintiffs allege that defendants’ conduct was a violation of the CFAA, the CDAFA, and a breach of contract.”
The U.S. court ruled that NSO Group repeatedly failed to produce key evidence, including Pegasus source code, and imposed sanctions, reserving harsher penalties for later.
WhatsApp stated NSO only provided AWS server code, not the full codebase. Judge Hamilton criticized NSO’s non-compliance, citing concerns about transparency.
The court found NSO Group liable for breaching WhatsApp’s terms of service by using the platform for malicious purposes. WhatsApp hailed the decision as a victory for privacy.
The surveillance firm exploited a zero-day vulnerability, tracked as CVE-2019-3568 (CVSS score of 9.8), in the voice calling feature of the popular instant messaging app.
NSO Group continued using WhatsApp exploits, including spyware called “Erised,” even after being sued for violating anti-hacking laws. The experts detected three exploits, called “Heaven,” “Eden,” and “Erised”, that were employed in over 1,400 attacks attributed to NSO Group.
“Even after WhatsApp detected and blocked the exploit described in the Complaint in May 2019, NSO admits that it developed yet another installation vector (known as Erised) that also used WhatsApp servers to install Pegasus.2 NSO continued to use and make Erised available to customers even after this litigation had been filed, until changes to WhatsApp blocked its access sometime after May 2020. NSO’s witnesses have refused to answer whether it developed further WhatsApp-based Malware Vectors thereafter.” continues the court filing. “All of these facts are undisputed, drawn principally from the corporate representative testimony of NSO’s own witnesses, which is binding on Defendants.”
In May 2019, Facebook patched a critical zero-day vulnerability in WhatsApp, tracked as CVE-2019-3568, that has been exploited to remotely install spyware on phones by calling the targeted device.
At the time, The Financial Times reported that the WhatsApp zero-day was exploited by threat actors to deliver the spyware developed by surveillance firm NSO Group.
The surveillance software developed by NSO Group was used by government organizations worldwide to spy on human rights groups, activists, journalists, lawyers, and dissidents. Security experts have detected and analyzed some of the tools in its arsenal, such as the popular Pegasus spyware (for iOS) and Chrysaor (for Android).
In March 2024, Meta won the litigation against the Israeli spyware vendor, a U.S. Judge ordered the surveillance firm to hand over the source code for its Pegasus spyware and other products to the social network giant.
NSO Group has been requested to provide details regarding the complete functionality of the pertinent spyware, covering the period one year before the alleged attack through one year after the alleged attack (i.e., from April 29, 2018, to May 10, 2020).
Court documents filed in November revealed that NSO Group had minimal control over customers’ use of its spyware, contradicting prior claims by the Israeli firm.
Contrary to NSO’s claims, the filing suggests the spyware vendor operated its Pegasus system, with customers only needing to provide a target number. NSO disputes these allegations, asserting its clients solely operate the system.
“[NSO Group] stands behind its previous statements in which we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered by the system.” said Gil Lanier, vice president of global communications for the Israeli firm.
Meta pointed out that the trial exposed how NSO Group’s Pegasus spyware secretly compromises phones, accessing data, mic, and camera. It targets more than WhatsApp, using various exploits, messaging apps, browsers, OS, to install malware on both iOS and Android. NSO admitted spending tens of millions annually to maintain and develop these covert surveillance tools.
“This trial also revealed that WhatsApp was far from NSO’s only target. While we stopped the attack vector that exploited our calling system in 2019, Pegasus has had many other spyware installation methods to exploit other companies’ technologies to manipulate people’s devices into downloading malicious code and compromising their phones.” reads the statement published by Meta. “NSO was forced to admit that it spends tens of millions of dollars annually to develop malware installation methods including through instant messaging, browsers, and operating systems, and that its spyware is capable of compromising iOS or Android devices to this day.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, NSO group)
