In a landmark decision that underscores growing global resistance to surveillance abuse, NSO Group, the Israeli spyware developer behind Pegasus, has been ordered by a U.S. federal jury to pay $168 million in damages to WhatsApp and its parent company Meta. The ruling follows a years-long legal battle and marks a critical moment for digital rights and privacy advocates around the world.
What Happened: A Breakdown of the Pegasus WhatsApp Hack
Back in May 2019, a zero-day vulnerability (CVE-2019-3568) in WhatsApp’s voice calling feature allowed attackers to install Pegasus spyware simply by calling the victim’s phone. The target didn’t even have to answer the call.
More than 1,400 individuals across 51 countries were affected. These weren’t just random users — they included journalists, human rights activists, lawyers, and political dissidents.
Targets by Country:
- Mexico: 456 targets
- India: 100 targets
- Bahrain: 82 targets
- Morocco: 69 targets
- Pakistan: 58 targets
Pegasus spyware gives attackers near-total control over a device, including:
- Access to messages and emails
- Real-time camera and microphone surveillance
- GPS tracking
- Password theft
- Exfiltration of encrypted chats
Meta’s Legal Stand Against NSO Group
In October 2019, WhatsApp sued NSO Group, alleging that its use of Pegasus violated U.S. federal and state laws, including the Computer Fraud and Abuse Act (CFAA).
During the trial, it was revealed that Pegasus was deployed via WhatsApp’s California-based servers 43 times, firmly establishing jurisdiction within the United States.
Judge’s Statement:
Judge Phyllis J. Hamilton ruled in December 2024 that NSO’s actions constituted an illegal exploitation of Meta’s infrastructure, adding that NSO could not claim to fight crime while disclaiming responsibility for how its technology is used.
The Jury’s Verdict: Accountability With Teeth
On May 7, 2025, the jury ordered:
- $167.25 million in punitive damages
- $444,719 in compensatory damages (for the engineering and security efforts made by WhatsApp to thwart the attack)
This outcome is being heralded as a historic milestone in holding spyware companies accountable for transnational digital surveillance abuses.
Will Cathcart, Head of WhatsApp, stated:
“The jury’s verdict today to punish NSO is a critical deterrent to the spyware industry against their illegal acts aimed at American companies and our users worldwide.”
Meta has announced plans to pursue a permanent injunction against NSO to prevent future targeting of WhatsApp users. Additionally, the company will donate a portion of the damages to nonprofit digital rights organizations.
NSO’s Defense and Government Backlash
NSO has long maintained that it sells Pegasus only to law enforcement and government agencies to combat terrorism and serious crime. However, the firm was blacklisted by the U.S. government in 2021 for engaging in malicious cyber activities.
Despite claiming no control over its clients’ actions, NSO admitted during the trial to spending tens of millions annually developing delivery methods for Pegasus across platforms like:
- Browsers
- Instant messaging apps
- Operating systems (iOS and Android)
Why This Verdict Matters
This case isn’t just about one company. It signals:
- Legal recognition of spyware abuse
- Accountability for private surveillance companies
- Precedent-setting implications for future cases involving surveillance tech
It also brings to light how commercial spyware can be used for state-sponsored oppression, violating civil liberties and threatening democracy in regions where digital tools are used to silence dissent.
What’s Next?
While Apple dropped its lawsuit against NSO in 2024 to avoid disclosing security measures, Meta’s legal victory reinforces:
- The urgency for global regulations on spyware
- The importance of platform-level security and transparency
- The power of tech companies to push back against misuse
Privacy-focused organizations are now calling on international governments to ban or strictly regulate spyware tools like Pegasus, especially when sold to authoritarian regimes.
Final Thoughts
The $168 million damages award against NSO Group isn’t just a legal punishment; it’s a wake-up call for the entire surveillance industry. In a world increasingly dependent on digital communication, protecting privacy must be non-negotiable.
If you use apps like WhatsApp or Signal, keep the apps updated, enable 2FA, and keep your device’s operating system fully patched. And always remember: security is a shared responsibility between platforms, users, and the legal system.