U.S. Jury Orders NSO Group to Pay $168 Million to WhatsApp Over Pegasus Spyware Abuse

On Tuesday, a federal jury awarded Meta-owned WhatsApp approximately $168 million in damages in a landmark decision involving Israeli spyware firm NSO Group. The ruling follows a 2019 lawsuit filed by WhatsApp, alleging that NSO unlawfully used its servers to deploy Pegasus, a highly invasive spyware tool.

The verdict comes after a federal judge ruled in December 2024 that NSO Group violated both U.S. federal and state laws by exploiting a vulnerability in WhatsApp's system to target over 1,400 individuals across 51 countries. Victims included journalists, human rights defenders, and political dissidents.

How the Exploitation Happened

The case centers on a zero-day vulnerability in WhatsApp’s voice call function, tracked as CVE-2019-3568 (CVSS score: 9.8). This flaw allowed attackers to install Pegasus spyware on users' devices without requiring any user interaction — not even answering the call.

Court documents revealed that the spyware was delivered via WhatsApp’s U.S.-based servers 43 times in May 2019, giving the court jurisdiction over the case. Victims of the campaign were globally distributed, with the highest concentration in:

• Mexico: 456 individuals

• India: 100 individuals

• Bahrain: 82 individuals

• Morocco: 69 individuals

• Pakistan: 58 individuals

Jury’s Decision and Damages Awarded

The jury awarded $167,254,000 in punitive damages and an additional $444,719 in compensatory damages to WhatsApp, recognizing the efforts by the platform’s engineers to block the exploit and secure user data.

This ruling is significant as it represents one of the first instances where a spyware vendor has been financially and legally penalized in the U.S. for enabling surveillance abuses.

WhatsApp and Meta’s Response

Meta and WhatsApp leadership celebrated the decision as a critical milestone for digital privacy rights. Will Cathcart, Head of WhatsApp, emphasized that the court's decision sends a powerful message to the spyware industry:

Cathcart also noted that Meta will seek a permanent court order to prevent NSO Group from targeting WhatsApp again, and pledged to donate funds to digital rights organizations supporting spyware victims globally.

NSO Group’s Defense and Controversy

NSO Group claimed that it does not control how its clients use Pegasus and has long argued that the software is intended for use only in combatting terrorism and organized crime. However, Judge Phyllis J. Hamilton rejected this defense:

The court further revealed that NSO invests tens of millions of dollars annually to develop advanced malware installation methods that target messaging apps, browsers, and mobile operating systems.

NSO Group responded to the ruling stating that it intends to pursue legal remedies, maintaining that Pegasus is a vital tool for law enforcement agencies globally. However, the U.S. Department of Commerce had already sanctioned NSO Group in 2021, labeling its software a threat to national security.

Broader Implications for the Industry

This case marks a watershed moment in global digital rights advocacy. Human rights organizations have long accused companies like NSO Group of enabling authoritarian surveillance. The ruling affirms that spyware vendors can be held liable in democratic jurisdictions.

While Apple dropped its own lawsuit against NSO Group in September 2024 — citing concerns over revealing sensitive security architecture — WhatsApp’s legal victory may inspire other tech firms to pursue accountability more aggressively.