Meta wins $168M judgment against spyware seller NSO Group
Wednesday May 7, 2025. 03:33 PM , from ComputerWorld
Israeli surveillance firm NSO Group must pay almost $168 million in damages for exploiting WhatsApp to deploy its notorious Pegasus spyware against users worldwide, the jury in a US court said Tuesday.
An eight-person jury awarded Meta $444,719 in compensatory damages to cover the costs of addressing the breach, plus $167.25 million in punitive damages intended to deter similar conduct by NSO, according to a filing with the US District Court for the Northern District of California. The jury's verdict, delivered after less than two days of deliberation, caps a six-year legal battle that has provided rare insight into the world of cyber mercenaries and their government clients.

The case stemmed from NSO Group's exploitation of a critical vulnerability in WhatsApp's calling system. In May 2019, WhatsApp engineers discovered that NSO had developed a zero-click, zero-day attack that could silently install Pegasus spyware through a voice call, requiring no action from targets beyond having their devices powered on. The attack compromised approximately 1,400 WhatsApp accounts before engineers patched the vulnerability.

"Today's verdict in WhatsApp's case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone," Meta said in a statement.

NSO spokesman Gil Lainer said the company will appeal the verdict, and said the court had ignored the good that spyware can do. "We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies. This perspective, validated by extensive real-world evidence and numerous security operations that have saved many lives, including American lives, was excluded from the jury's consideration in this case," he said via email. "We will carefully examine the verdict's details and pursue appropriate legal remedies, including further proceedings and an appeal."

Inside the surveillance business model

Meta shared a transcript of court proceedings along with its statement, revealing details of NSO Group's operations and pricing structure. Between 2018 and 2020, the company charged European government customers a "standard price" of $7 million for the ability to hack 15 devices simultaneously. Customers paid premium fees of $1 million to $2 million to target phones outside their national borders. "It is a highly sophisticated product," Meta lawyer Antonio Perez said during the trial, "and it carries a hefty price tag."

Once installed, Pegasus granted complete access to compromised devices, including phone records, emails, messages, video content, and location data. The spyware could also remotely activate cameras and microphones for clandestine surveillance.

The trial also exposed unexpected connections between NSO and American intelligence. Court records showed that the CIA and FBI collectively paid NSO $7.6 million, with reports suggesting the CIA had financed Djibouti's purchase of the spyware while the FBI acquired it for testing purposes.

A persistent threat despite legal consequences

In its post-verdict statement, Meta warned that the threat continues despite its legal victory: "While we stopped the attack vector that exploited our calling system in 2019, Pegasus has had many other spyware installation methods to exploit other companies' technologies to manipulate people's devices into downloading malicious code and compromising their phones."

Most concerning for enterprise security teams was Meta's revelation in recent court filings that NSO "repeatedly targeted Plaintiffs, Plaintiffs' servers, and Plaintiffs' mobile client even after this litigation was filed." This persistent behavior prompted Meta to seek a permanent injunction against the company.

NSO Group's legal defense strategy illustrated the evasive tactics often employed by surveillance vendors. The company initially defaulted by failing to appear in court, claiming it had not been properly served. It then accused Meta of hypocrisy, alleging that Meta executives had approached NSO about using the technology to spy on Meta's own users.

Enterprise security implications

For enterprise security leaders, the case highlights the sophisticated threats organizations face from state-sponsored and commercial surveillance tools. Zero-click vulnerabilities like the one exploited by NSO bypass traditional security awareness measures entirely, since they require no phishing links, malicious downloads, or user interaction of any kind.

"The most notorious mercenary spyware currently available is NSO Group's Pegasus," John Scott-Railton, senior researcher at Citizen Lab, which assisted in investigating Pegasus, said during his 2022 testimony to the House Permanent Select Committee on Intelligence. "This kind of mercenary spyware is highly sophisticated, invasive, and difficult to detect at scale, even by well-resourced governments."

The case underscores how widely used communication platforms can become vectors for highly targeted attacks even when they are end-to-end encrypted: encryption protects messages in transit, but spyware that runs on the endpoint reads them after they are decrypted on the device. Organizations with sensitive operations or communications should include mercenary spyware of this kind in their threat models and evaluate their security frameworks accordingly.
https://www.computerworld.com/article/3980115/meta-wins-168m-judgment-against-spyware-seller-nso-gro...