A U.S. federal jury has ordered Israeli spyware vendor NSO Group to pay WhatsApp $167,254,000 in punitive damages and $444,719 in compensatory damages for a 2019 campaign that targeted 1,400 users of the communication app.
The verdict is considered a landmark, as it is the first time a spyware vendor has been held accountable in court, and it could send ripples across the commercial spyware industry.
“Today’s verdict in WhatsApp’s case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone,” commented Meta, WhatsApp’s owner, in an announcement.
“Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.”
The damages stem from a May 2019 campaign in which NSO attempted to infect 1,400 WhatsApp users with its Pegasus spyware using a WhatsApp zero-day vulnerability.
It was later revealed that the vulnerability NSO leveraged in this operation was CVE-2019-3568, a buffer overflow in the WhatsApp VoIP stack that let an attacker achieve remote code execution by sending specially crafted RTCP packets to a target phone number.
The exploit was delivered through a WhatsApp call: the bug was triggered when the call arrived, even if the recipient never answered, and Pegasus was then installed on the device.
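The article does not describe the root cause of CVE-2019-3568 beyond "a buffer overflow in the VoIP stack reached via crafted RTCP packets", so the following is an added illustration of that bug class rather than WhatsApp's code or the actual flaw. It is a minimal RTCP compound-packet walker written for this page: the 16-bit length field in each RTCP header is attacker-controlled, and a parser that trusts it (copying or advancing by the claimed size) reads or writes past the datagram it actually received. The sample packets are constructed here, and the function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTCP_HEADER_LEN 4   /* fixed header: V/P/RC byte, PT byte, 16-bit length */

typedef struct {
    uint8_t version;   /* must be 2 */
    uint8_t padding;
    uint8_t count;     /* report/source count (RC or SC) */
    uint8_t pt;        /* 200 SR, 201 RR, 202 SDES, 203 BYE, ... */
    size_t  len;       /* total size of this sub-packet in bytes */
} rtcp_hdr_t;

/* Parse one RTCP header from buf[0..avail). The length field counts 32-bit
   words minus one, so the real size is (words + 1) * 4. The packet is
   rejected when that size exceeds the bytes actually received; an
   overflow-prone parser omits exactly this comparison. */
bool rtcp_parse_header(const uint8_t *buf, size_t avail, rtcp_hdr_t *out)
{
    if (buf == NULL || out == NULL || avail < RTCP_HEADER_LEN)
        return false;
    uint16_t words = (uint16_t)((buf[2] << 8) | buf[3]);
    size_t len = ((size_t)words + 1) * 4;
    if (len > avail)             /* claimed length must fit in the datagram */
        return false;
    out->version = buf[0] >> 6;
    out->padding = (buf[0] >> 5) & 1;
    out->count   = buf[0] & 0x1f;
    out->pt      = buf[1];
    out->len     = len;
    return out->version == 2;
}

/* Walk a compound RTCP packet. Returns the number of sub-packets, or -1 as
   soon as any header claims more bytes than remain. */
int rtcp_count_packets(const uint8_t *buf, size_t avail)
{
    int n = 0;
    size_t off = 0;
    while (off < avail) {
        rtcp_hdr_t h;
        if (!rtcp_parse_header(buf + off, avail - off, &h))
            return -1;
        off += h.len;   /* safe: h.len was bounded by avail - off */
        n++;
    }
    return n;
}

/* Constructed sample: RR (8 bytes) + empty SDES (4 bytes) + BYE (8 bytes). */
static const uint8_t SAMPLE_COMPOUND[] = {
    0x80, 0xC9, 0x00, 0x01, 0x12, 0x34, 0x56, 0x78,   /* RR, length=1, SSRC   */
    0x80, 0xCA, 0x00, 0x00,                           /* SDES, SC=0, length=0 */
    0x81, 0xCB, 0x00, 0x01, 0x12, 0x34, 0x56, 0x78    /* BYE, SC=1, SSRC      */
};

/* Constructed sample: an RR whose length field (0x0FFF -> 16384 bytes) far
   exceeds the 8 bytes that actually arrived. */
static const uint8_t SAMPLE_OVERSIZED[] = {
    0x80, 0xC9, 0x0F, 0xFF, 0x12, 0x34, 0x56, 0x78
};

int demo_well_formed(void) { return rtcp_count_packets(SAMPLE_COMPOUND, sizeof SAMPLE_COMPOUND); }
int demo_oversized(void)   { return rtcp_count_packets(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED); }

int main(void)
{
    printf("well-formed compound packet: %d sub-packets\n", demo_well_formed());
    printf("oversized length field: %d (rejected)\n", demo_oversized());
    return 0;
}
```

The point of the walker is that every offset advance is derived from a length that has already been checked against the remaining bytes; the same discipline applies to any per-packet-type parsing (report blocks, SDES items) that follows the header, where counts and item lengths are again attacker-supplied.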
Meta filed the lawsuit against NSO Group on October 29, 2019, in the U.S. District Court for the Northern District of California, alleging that NSO had exploited a vulnerability in WhatsApp’s calling feature to deliver its Pegasus spyware to approximately 1,400 users.
Although NSO Group claims that its products are used by law enforcement tackling serious crime, Meta confirmed that the targets included human rights activists, journalists, and diplomats.
Testimony from NSO executives during the trial revealed that the vendor is directly involved in infection operations, which establishes its direct liability. NSO was also forced to admit that it spent tens of millions of U.S. dollars developing multiple infection channels besides WhatsApp.
Court documents also revealed that NSO Group used at least one more zero-day vulnerability in WhatsApp software to target users with spyware even after Meta's lawsuit had been filed.
On December 23, 2024, Judge Phyllis J. Hamilton ruled that NSO Group is liable for violating U.S. hacking laws and WhatsApp’s Terms of Service, granting partial summary judgment in WhatsApp’s favor and moving the case to a jury trial to determine damages.
The jury ultimately awarded WhatsApp $167,254,000 in punitive damages, plus $444,719 in compensatory damages covering the incident investigation, vulnerability patching, and user notification.
Citizen Lab researcher John Scott-Railton welcomed the court's decision and warned spyware firms they could be next.
For those interested in diving deeper into the details, Meta has published transcribed NSO Group depositions (1, 2, 3, 4).