Meta defeats NSO in spyware case, wins $168M over WhatsApp hack

Meta Platforms has won a $168 million verdict against Israeli surveillance firm NSO Group, concluding a six-year legal battle between the world’s largest social media company and one of the most controversial spyware makers.

The ruling, delivered Tuesday by a jury in California, followed a December judgment that found NSO had unlawfully exploited a vulnerability in WhatsApp to plant its Pegasus spyware on the phones of journalists, human rights activists, and others. Meta said the jury awarded $444,719 in compensatory damages and $167.3 million in punitive damages—making it one of the most significant legal defeats ever for a commercial spyware vendor.

NSO Pegasus.

“Today’s verdict in WhatsApp’s case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone,” Meta said in a statement.

NSO said it would “carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal.”

The ruling marks a pivotal moment in a case that began in 2019, when WhatsApp sued NSO for allegedly facilitating attacks on more than 1,400 users. Meta later revealed that a single vulnerability exploited by NSO brought the company $61.7 million in revenue between mid-2018 and mid-2020, generating profits of up to $40 million depending on how R&D costs were accounted for.

Previously sealed court documents, released last month, revealed that Pegasus spyware was deployed through WhatsApp against 1,223 individuals in 51 countries. The highest number of victims was in Mexico (423), followed by India (100), Bahrain (82), Morocco (69), and Pakistan (58). Spain—where Pegasus was used in 2022 to spy on the prime minister and defense minister—was the highest-ranked Western democracy on the list, with 21 victims.

Though NSO has long argued that its tools are only sold to governments for legitimate counterterrorism efforts, the data showed a stark pattern: a disproportionate number of targets were in authoritarian or semi-authoritarian regimes. Only one victim was identified in the U.S., but documents suggest Pegasus may have been deployed inside American territory by a foreign law enforcement agency prior to NSO’s blacklisting in 2021.

The court also heard testimony from a former NSO employee who said the company had attempted—but failed—to sell Pegasus to U.S. law enforcement agencies, including police departments in Los Angeles, San Diego, San Francisco, and Idaho.

Beyond sending a message to spyware vendors, the ruling sheds rare light on NSO’s internal operations. The company operates a 140-person research team with a $50 million budget dedicated in part to finding and exploiting smartphone vulnerabilities. Its clients have included governments in Saudi Arabia, Mexico, and Uzbekistan, according to on-the-record disclosures during the case.

Much about the firm’s operations remains hidden. Judge Phyllis Hamilton, who presided over the trial, sharply criticized NSO for repeatedly failing to comply with discovery requirements, stating that the company “failed to obey court orders” and withheld key evidence. Last year, The Guardian reported that Israeli officials had seized NSO documents to prevent them from reaching U.S. courts.

Natalia Krapiva, a senior lawyer at Access Now, called the verdict a turning point: “This is something that will hopefully show spyware companies that there will be consequences if you are careless, if you are brazen, and if you act in such a way as NSO did in these cases.”

Reuters contributed to this report.