WhatsApp NSO Group Spyware Trial Ends in Victory


In a landmark ruling, WhatsApp has secured a massive legal victory against the NSO Group, with a U.S. jury ordering the Israeli spyware maker to pay more than $167 million in damages. This outcome marks the end of a legal battle that began in 2019, when WhatsApp accused NSO Group of exploiting a vulnerability in WhatsApp's audio-calling system to deploy the notorious Pegasus spyware.

The case centered on zero-click attacks targeting over 1,400 WhatsApp users across the globe. These attacks required no user interaction and used a fake call to secretly install Pegasus on victims’ devices. The verdict highlights growing concerns about surveillance technology abuse and sets a powerful precedent in the digital privacy space.

How the Attack Worked and What the Trial Uncovered

During the week-long jury trial, several key testimonies explained how the exploit was executed. WhatsApp’s attorney, Antonio Perez, told jurors that the spyware operated by initiating a fake WhatsApp call. Even if the victim never answered, a specially designed “Installation Server”—built by NSO—sent malicious messages through WhatsApp’s own infrastructure. Once delivered, the messages caused the target’s phone to connect to a third server and download the Pegasus spyware.

All that was needed to infect the device was the target’s phone number.

NSO Group’s VP of R&D, Tamir Gazneli, called the zero-click capability “a significant milestone” in Pegasus’ development. During the trial, WhatsApp engineers detailed the urgency and intensity of their internal investigation when the attack was first discovered.

Before the trial began, documents revealed NSO had terminated contracts with 10 governments over spyware abuse. The proceedings also exposed the identities of three clients—Mexico, Saudi Arabia, and Uzbekistan—and showed that at least 1,223 victims were geolocated during the attacks.

NSO Group Targeted a U.S. Number for the FBI

For years, NSO Group insisted its Pegasus software could not target American numbers. But trial testimony revealed a critical exception. In 2022, The New York Times reported that the FBI tested Pegasus using a +1 U.S. number.

NSO’s legal counsel confirmed this during trial, explaining that a specially configured version of Pegasus was used in a demonstration for potential U.S. government clients. The FBI later decided against deploying the spyware operationally, but the incident raised questions about NSO’s claims regarding Pegasus’ limitations.

Pegasus Spyware and NSO’s Government Customers

NSO CEO Yaron Shohat explained that clients don’t select hacking techniques directly. Instead, the Pegasus platform automatically selects the best available exploit. This automation ensures government users get the data they want without needing technical know-how. Shohat noted that customers cared more about intelligence outcomes than the method used to obtain them.

Ironically, NSO Group’s headquarters in Herzliya, Israel, shares a building with Apple, whose iPhones have also been frequently targeted by Pegasus. NSO occupies the top five floors, while Apple uses the remaining space in the 14-story tower.

Unlike NSO, many spyware vendors operate under deep secrecy. For example, Variston, a European surveillance firm that shut down in February, had listed a fake address on its website.

NSO Continued Targeting WhatsApp Users Even After Lawsuit

Perhaps one of the most shocking revelations from the trial was that NSO continued to attack WhatsApp users even after the lawsuit was filed in November 2019. According to Gazneli, three versions of the spyware exploit—Eden, Heaven, and Erised—remained active until at least May 2020. Collectively called Hummingbird, these exploits were used long after Meta had initiated legal action.

The WhatsApp NSO Group spyware verdict sends a clear message to surveillance tech firms worldwide: misuse of security tools against civilians or communication platforms will carry real consequences. Meta’s victory may also pave the way for further crackdowns on rogue spyware vendors and stronger safeguards for digital privacy.
