A US federal jury has ordered Israeli surveillance firm NSO Group to pay Meta-owned WhatsApp $168 million in damages for allegedly using its Pegasus spyware to hack users’ phones between April and May 2019.
The verdict, delivered on Tuesday in California’s Northern District Court, concluded a high-profile 2019 lawsuit in which WhatsApp accused NSO of exploiting vulnerabilities in its servers to infiltrate approximately 1,400 devices worldwide. The complaint specifically alleged that journalists, human rights activists, lawyers and government officials were targeted through sophisticated cyber attacks.
Meta stated in an official blog post that the trial exposed NSO’s “global surveillance-for-hire” business model. According to court documents, Pegasus spyware can secretly extract data from messaging apps, track locations through GPS, and remotely activate a device’s camera or microphone without user knowledge. The malware allegedly leaves no visible traces of intrusion.
The nine-member jury awarded WhatsApp $444,719 in compensatory damages for breach of contract and computer fraud, plus $167,254,000 in punitive damages – the maximum allowable under California law – intended to deter similar conduct by private surveillance firms.
NSO’s vice president for global communications, Gil Lainer, said that the company would review the verdict and consider all legal options, including appeal. He maintained that NSO only licenses its technology to vetted government agencies for counter-terrorism and law enforcement purposes under strict protocols.
Court filings revealed NSO spent an estimated $30 million annually developing zero-click exploits that could bypass security measures on messaging apps, browsers and operating systems. Forensic evidence presented during the three-week trial showed how NSO engineers allegedly reverse-engineered WhatsApp’s encryption protocols to deliver malicious code disguised as legitimate voice calls.
Meta’s security team noted that independent researchers from Citizen Lab and Amnesty International have documented Pegasus deployments in at least 45 countries, including several with questionable human rights records. The company pledged to continue investing in its end-to-end encryption infrastructure and taking legal action against commercial spyware vendors.
NSO Group, founded in 2010 by former Israeli military intelligence unit members Shalev Hulio and Omri Lavie, operates under license from Israel’s Ministry of Defense. The Herzliya-based company has faced multiple lawsuits and US trade blacklists since 2021 over alleged misuse of its technology.
This ruling could set a precedent for holding private surveillance companies accountable for cyber intrusions, potentially impacting ongoing cases against NSO in other jurisdictions including the UK and EU.

