Image: phone (Fellipe Ditadi / Unsplash)

Jury orders NSO Group to pay $168 million to WhatsApp for facilitating Pegasus hacks of its users

A Northern California jury on Tuesday decided that a spyware manufacturer must pay $167 million in punitive damages for its role facilitating the hacking of 1,400 WhatsApp users’ mobile phones.

The six-year case is the culmination of a Meta lawsuit filed in 2019, which argued that the manufacturer, the NSO Group, repeatedly attacked WhatsApp with spyware vectors, continuing to break into its systems even as the social media giant patched vulnerabilities.

NSO’s case was severely hampered by its inability to offer the court any details of its clients' aims in the attacks, prompting Northern California federal judge Phyllis Hamilton to bar the spyware firm from presenting any evidence related to its use by governments to snoop on terrorists and criminals.

In recent years, NSO’s spyware product, a powerful zero-click exploit known as Pegasus, has been found on scores of phones belonging to members of civil society, many of whom were among the 1,400 WhatsApp victims.

In addition to the $167 million in punitive damages, the jury determined that NSO must pay WhatsApp $445,000 in compensatory damages to pay it back for the significant efforts its engineers made to block the attack vectors.

“Six years ago, we detected and stopped an attack by the notorious spyware developer NSO against WhatsApp and its users, and today, our court case has made history as the first victory against illegal spyware that threatens the safety and privacy of everyone,” WhatsApp said in a statement.

“The jury's decision to force NSO to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and our users worldwide,” it said. “This trial also revealed that WhatsApp was far from NSO’s only target — this is an industry-wide threat and it’ll take all of us to defend against it.” 

A spokesperson for NSO said the company is studying the decision and could appeal.

“We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies,” the statement said.

“This perspective, validated by extensive real-world evidence and numerous security operations that have saved many lives, including American lives, was excluded from the jury's consideration in this case.”

The trial surfaced a great deal of new information about how Pegasus operates. 

NSO executives acknowledged to the court that Pegasus can be installed with a number of different mechanisms, including through attack vectors targeting instant messaging, browsers and operating systems. The company also revealed that its spyware can compromise both iOS and Android devices, a capability that continues today.

Digital freedom advocates called the jury’s verdict transformative, saying not only the size of the damages, but also the hit to NSO’s reputation will have long-lasting effects.

“NSO makes millions of dollars helping dictators hack people,” said John Scott-Railton, a digital forensic researcher at the Citizen Lab, which helped diagnose phone infections in the case. “The company emerges from this trial severely damaged.”

“Aside from the huge punitive damages, the bigger impact of this case has also been a huge blow to NSO’s efforts to hide their business activities.”

Natalia Krapiva, a digital freedom advocate whose organization, Access Now, has worked with the Citizen Lab to diagnose Pegasus targeting and infections and assist victims, also hailed the finding. 

The jury’s decision “really vindicates in a major way all the denial, gaslighting, threats, attacks, harassment and retaliation that human rights advocates and victims have faced for our work exposing NSO’s conduct,” she said.

Some cybersecurity industry watchers were less ecstatic about the findings, however.

NSO could go bankrupt, but some form of Pegasus will remain in use, said Jim Lewis, a longtime Washington, D.C.-based cyber expert.

“NSO likely goes away, but the software will live on and the service continues with a new name,” he said. “So it's a ritual sacrifice and everyone can feel good.”

Throughout the trial, NSO was hamstrung by its assertions that once it sells Pegasus to a government client, it has no idea what that customer does with it, whom it targets or why.

In her order late last month explaining why she would not allow NSO to introduce evidence about its business helping governments pursue criminals and terrorists, Hamilton was scathing.

“Defendants cannot claim, on the one hand, that its intent is to help its clients fight terrorism and child exploitation, and on the other hand say that it has nothing to do with what its client does with the technology, other than advice and support,” the judge wrote.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.