The landmark Meta vs NSO Group case that began six years ago may have reached a conclusion after a US court on Tuesday, May 6, ordered the Israeli spyware maker to pay $167 million in damages to the tech giant.
The damages were awarded by a jury that sided with Meta after two days of deliberations. In December 2024, a district court in California, US, held that NSO Group was guilty of violating US cybersecurity laws by selling its popular Pegasus spyware to clients that let them hack into the phones of WhatsApp users by exploiting a zero-click security vulnerability in the instant messaging app.
Following the verdict, Meta filed a brief seeking damages from the NSO Group in March 2025. Those damages were determined on Tuesday.
The outcome of Meta’s legal battle against NSO Group could carry potential ramifications for India, which was the second-most targeted country (after Mexico) in the 2019 WhatsApp hacking campaign involving Pegasus spyware.
Court documents revealed that over 100 Indians were impacted by Pegasus spyware in 2019, out of a total of 1,223 individuals targeted across 51 countries. A Supreme Court bench is hearing a clutch of petitions filed in 2021 in the wake of the allegations that Pegasus was used to target users including journalists, lawyers, politicians, and human rights activists in India.
What is the NSO Group and Pegasus spyware?
Spyware is a type of malicious software that can be used to spy on targeted individuals by installing it on their phones, laptops, and other electronic devices. Israel-based NSO Group had emerged as one of the key developers of sophisticated spyware that exploited zero-click vulnerabilities in platforms like WhatsApp.
Zero-click vulnerabilities allow devices to be compromised without requiring people to click on text messages, images, or links.
Story continues below this ad
The NSO Group’s controversial Pegasus spyware is similarly capable of covertly compromising people’s phones. Once the device is hacked, it vacuums up information from any app installed on the device including financial and location data as well as emails and text messages — essentially “every kind of user data” found on a Pegasus-infected device, according to testimonies by NSO Group executives in court.
An infected device’s microphone and camera can also be remotely activated using Pegasus without the knowledge of the targeted individual.
Why did Meta sue NSO Group?
In May 2019, WhatsApp confirmed it had discovered a major security flaw in its platform that let hackers load spyware onto a phone through a video call, even if the person did not answer the call. The vulnerability was discovered by security researchers at University of Toronto’s Citizen Lab, who also said that it was being used to target journalists and human rights advocates.
WhatsApp sued the NSO Group in October 2019, seeking direction from the court to stop the cybersecurity firm from taking similar action in the future and to award damages.
Story continues below this ad
“While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful […] Now, we are seeking to hold NSO accountable under U.S. state and federal laws, including the US Computer Fraud and Abuse Act,” WhatsApp head Will Cathcart had said at the time.
What did the trial reveal about NSO’s operations?
The court proceedings and testimonies in the trial shed light on the inner workings of Pegasus and its deployment by the company’s clients between April 2018 and March 2020.
Unsealed court documents revealed that the NSO Group had reverse-engineered and decompiled WhatsApp’s source code to create successive installation vectors codenamed “Heaven”, “Eden”, “and “Erised” that were all part of a hacking suite named “Hummingbird”. This hacking software package was sold to NSO Group’s anonymous government clients.
The trial also revealed that the NSO Group had developed technology to hack into other messaging apps besides WhatsApp. “Pegasus has had many other spyware installation methods to exploit other companies’ technologies to manipulate people’s devices into downloading malicious code and compromising their phones,” Meta said.
Story continues below this ad
During the trial, NSO Group executives had argued that Pegasus helped law enforcement and intelligence agencies fight crime and protect national security. They also sought to downplay the company’s involvement in deploying the spyware. However, Meta contradicted this claim and said that NSO controlled “every aspect of the data retrieval and delivery process through its design of Pegasus.”
US District Judge Phyllis Hamilton ultimately sided with Meta. “The court finds no merit in the arguments raised by the defendants,” she said in her ruling.
What happens next?
Meta has said that Tuesday’s jury decision shows “spyware companies that their illegal actions against American technologies will not be tolerated.” “Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve,” it said in a blog post.
The tech giant also said that it would be donating the $167 million award to digital rights organisations. “Our next step is to secure a court order to prevent NSO from ever targeting WhatsApp again,” it added.
14/ OH WOW, @WhatsApp is publishing the transcribed NSO Group Depositions.
This is an unprecedented view for investigators into NSO’s business, exploit development, operations & financials.
Nothing like this has ever been made public about any spyware company.… pic.twitter.com/Tp2LdN9xQ1
— John Scott-Railton (@jsrailton) May 6, 2025
https://platform.twitter.com/widgets.js
Story continues below this ad
The NSO Group, on the other hand, may appeal the jury decision. “We will carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal. We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies,” Gil Lainer, the spyware vendor’s vice president for global communication, said.
The jury verdict deals a fatal blow to the NSO Group which is reportedly facing financial woes. Once valued at $1 billion, the spyware vendor has now been termed as ‘valueless’ by consulting firms who have said that investors could lose “substantially all [of the] investment” they poured into the company, according to a report by Financial Times. The US Department of Commerce also blacklisted NSO Group in 2021 as it acted “contrary to the national security or foreign policy interests of the United States.”
While the outcome of the ruling marks a pivotal moment in terms of privacy and security, it may not have the intended effect on other spyware companies. Earlier this year, WhatsApp said it had disrupted a sophisticated hacking campaign targeting journalists that involved spyware developed by another Israeli company called Paragon Solutions.