This Israeli spyware firm will pay WhatsApp over $167M for its illegal spyware campaign in 2019
It's a major legal win for user privacy.
For years, Israeli spyware firm NSO Group has quietly equipped governments with powerful tools to hack phones and monitor dissidents. But this time, the spyware maker got burned. A U.S. jury has ordered the firm to pay WhatsApp over $167 million for illegally using its servers to deploy Pegasus, a surveillance spyware.
The ruling comes more than four years after WhatsApp filed suit in 2019, accusing NSO of using Pegasus to target over 1,400 users, including journalists and activists. Pegasus is a highly invasive tool designed to covertly compromise people’s phones and extract data from any app installed, including messages, call logs, camera feeds, and location history.
In this case, the spyware was installed using a “zero-click” exploit: NSO abused a now-patched flaw in WhatsApp’s voice calling system (CVE-2019-3568, CVSS score 9.8). The spyware was secretly delivered during the call setup, without user interaction, and could erase the call log to cover its tracks. Once installed, Pegasus could access messages, listen to calls, track location, and even turn on the camera or microphone.
Fishon Amos
Court documents revealed targets in 51 countries, with hundreds affected in Mexico, India, Bahrain, and Morocco. In December 2024, U.S. District Judge Phyllis Hamilton ruled that NSO had violated both federal and state laws. The jury followed up by awarding WhatsApp $167 million in punitive damages and an additional $445,000 to cover technical costs incurred while blocking the attack.
WhatsApp’s head, Will Cathcart, called the decision “historic,” emphasising that it sends a strong message to spyware vendors. Meta, WhatsApp’s parent company, is also seeking a court order to prevent future Pegasus-related attacks and plans to donate part of the damages to digital rights organisations.
NSO, sanctioned by the U.S. in 2021, maintains that its tools help fight crime and terrorism, and it plans to challenge the verdict. But the court rejected the company’s argument that it isn’t responsible for how its clients use Pegasus.
While Apple had previously filed a similar case against NSO Group, it dropped the lawsuit in 2024 to avoid exposing internal security systems. WhatsApp’s case, by contrast, became a rare instance where a major tech firm saw a courtroom win against a surveillance vendor.
The broader concern: this case may be a turning point in how courts and tech companies confront the spyware industry. But with Pegasus still capable of breaching Android and iOS devices, the fight over digital surveillance tools is far from over.
