NSO Group damages in WhatsApp spyware case could be in the ‘tens of millions,’ experts predict

Opening arguments in the damages trial concluding a five-year court battle between the Israeli spyware maker NSO Group and WhatsApp began Tuesday, with some experts predicting a substantial penalty that could precipitate the bankruptcy of the prominent spyware manufacturer, which was found liable for hacks of WhatsApp users in December.

Meta, the parent company of WhatsApp, is reportedly asking for over $440,000 in compensatory damages but fines for punitive damages could rise to tens of millions of dollars, experts told Recorded Future News.

The lawsuit stems from NSO’s role facilitating the 2019 spyware infections of approximately 1,400 WhatsApp users’ mobile devices. Many of those targets were members of civil society, including journalists, diplomats and dissidents. A federal judge in Northern California ruled last year the company was liable for the intrusions.

A spokesperson for NSO declined to comment for this story.

Even if NSO is slapped with hefty damages, a bankruptcy may not end the use of Pegasus, the company’s powerful zero-click spyware which is considered to be the most advanced commercial surveillance product in the world.

The company could continue to operate it by restructuring its business or could sell Pegasus to another vendor to rebrand the spyware and continue exploiting vulnerabilities, especially in other parts of the world, said Nitansha Bansal, a spyware expert and the assistant director at the Atlantic Council’s Cyber Statecraft Initiative.

“With the increasing decentralization and specialization of the spyware market, there are more buyers, brokers and investors to actualize such a deal,” Bansal said. “I find it unlikely that the misuse of Pegasus … will stop anytime soon.”

But there will almost definitely be a weakening of NSO itself, with smaller cash flows limiting its operations and its ability to maintain its aggressive lobbying efforts, Bansal said. 

The company could also be seen as an increasingly risky investment option by the private equity firms that have long supported it and other spyware manufacturers, she said. 

The prospect of Western private equity firms — which for years have owned majority stakes in various spyware companies — finally backing away from the sector is significant, said Aaron Cooper, a legal adviser on the National Security Council (NSC) under the Biden administration.

A Florida-based private equity firm, AE Industrial Partners, bought the Israeli spyware company Paragon in December. Another private equity firm, California-based Francisco Partners, held a majority stake in NSO for more than four years, selling its holdings in February 2019.

A movement is already underway among private equity firms that have pledged not to invest in spyware, said Cooper, who focused on legal issues concerning the safety and security of emerging technologies, including spyware, artificial intelligence and cybersecurity while at the NSC.

He pointed to a May 2024 pledge organized by the Washington-based cyber-focused private equity firm Paladin Capital Group, which employs Ciaran Martin, the former head of cybersecurity at the UK’s Government Communications Headquarters (GCHQ), former acting National Cyber Director Kemba Walden and Jamil Jaffer, a former Department of Justice national security official.

Paladin had previously invested in Boldend, an offensive cybersecurity startup which marketed an “all-in-one malware platform” enabling the “easy creation of any piece of malware for any platform.”

Eight additional private equity firms and venture funds signed on to the Paladin-orchestrated pledge.

“This case – especially if the damages have a real effect on NSO Group – could contribute to a broader trend whereby private equity adopts a trusted capital approach, avoiding investments with entities that are not aligned with U.S. national security or democratic values while prioritizing those that are,” said Cooper, who is now an attorney at Jenner & Block specializing in artificial intelligence, cybersecurity and emerging technologies.

The price of obfuscation?

NSO’s refusal to comply with several discovery orders issued by Northern California federal judge Phyllis Hamilton raises “obstacles” for the company, Cooper said, which could translate to greater damages.

The lack of compliance includes not providing the source code for Pegasus or details of its clients’ motives for targeting devices belonging to the 1,400 WhatsApp users.

“NSO faces a lose-lose choice, where they really thrive on secrecy in terms of what they're doing, in terms of their clients, in terms of who's affected,” said Matthew Pearl, a former NSC official working on technology and telecommunications issues, including spyware. “They can be uncooperative, in which case courts are really going to punish them for that, or they can be cooperative” and alienate clients insistent on total confidentiality.

In the WhatsApp case, NSO lawyers have repeatedly asserted the company cannot provide detail on the motives of the governments hacking into the WhatsApp accounts because it does not know what its clients do with Pegasus. The judge deemed evidence about how the company chooses its clients, and its claims that Pegasus is used as a tool for rooting out terrorism and crime, inadmissible. 

“Defendants cannot claim, on the one hand, that its intent is to help its clients fight terrorism and child exploitation, and on the other hand say that it has nothing to do with what its client does with the technology, other than advice and support,” the judge wrote.

The fact that jurors won’t hear about how Pegasus is used by law enforcement and counterterrorism officials leaves them with nothing more than the details of how NSO hacked into WhatsApp accounts. This conduct includes mounting repeated efforts to hit the social media platform with new attack vectors as patches were put in place — even after the lawsuit had been filed.

High damages could be a “death blow” for NSO, said Pearl, who is now director of the Strategic Technologies Program at the Center for Strategic and International Studies.

NSO under pressure

The WhatsApp ruling is unprecedented given that NSO had never before been found liable for Pegasus intrusions despite a handful of other lawsuits, including one from Apple, which sued the spyware manufacturer for how Pegasus has been deployed against its users.

Apple dropped the suit in September, saying that continuing it could reveal sensitive details of its security program.

In November, a Thai civil court dismissed a lawsuit filed against NSO by a well-known activist there who was allegedly targeted with Pegasus and spent time in jail for criticizing the monarchy.

Still, with new cases of Pegasus being used to target members of civil society emerging all the time, digital freedom advocates expect more suits to be filed. But how much NSO will be able to pay when, or if, lawsuits are successful — including in the WhatsApp case — remains an open question.

While NSO is a private company and its finances are not public, it has long been in financial distress. It nearly defaulted on $500 million in debt in the aftermath of the U.S. government placing it on the Bureau of Industry and Security’s entity list in 2021.

From there, its financial problems worsened and in 2023 creditors, including Credit Suisse and Senator Investment Group, foreclosed on its parent company.

NSO's blacklisting is thought to have led to reduced revenues at a time when it has also spent millions defending itself in multiple lawsuits.

Business suffers for companies placed on the entity list due to reputational effects, and the designation also prevents firms from receiving U.S. goods, including technology, without a license from the Commerce Department.

“The financial situation has definitely been impacted — it's precarious,” Bansal said, pointing to the fact that about 100 NSO employees were laid off in 2022.

NSO has spent millions lobbying the U.S. government over the past couple of years and recently hired a firm close to the Trump administration.  

The lobbying effort is lately designed to push the current administration to help NSO get removed from the entity list, Pearl said.

It is a crusade which Pearl described as “their Hail Mary.”

Those efforts to get off the list are unlikely to succeed, he said, in part because of a post-Salt Typhoon emphasis on the benefits of encryption by federal law enforcement as well as the fact that principals in the Trump administration “value privacy.”

NSO’s contention that its spyware is critical as a workaround to encryption is not an argument that has “as many friendly ears [in the U.S.] right now,” Pearl said.

Civil society under attack

Civil society groups that have long fought against NSO and other spyware companies struck a hopeful note that the damages award in the WhatsApp case will have a major impact.

WhatsApp could “win big because NSO won’t be able to take away the attention from its own conduct by focusing on the conduct and character of the victims or its clients,” said Natalia Krapiva, senior tech counsel at Access Now. 

A large damages award “will encourage others to file lawsuits as well, costing the companies a lot of money in legal fees and will tarnish their reputation,” she said.

The prospect of social media accounts being hacked to expose private communications is likely to resonate with jurors, Pearl said.

The relatability of having a WhatsApp account hacked is “going to tug at people's heartstrings,” he said. 

Jim Lewis, a longtime Washington cyber expert, said he has spoken to NSO representatives on three occasions about its travails with the U.S. government — which became especially acute after U.S. diplomats were targeted in the WhatsApp hacks — and the company is “sort of expecting to lose” by getting hit with high damages.

But he doesn’t believe this case will put the “lid back on” Pegasus.

“Israel is not the only country that has these companies,” Lewis said. “They go out of business, and you'll be able to buy the product somewhere else, because the talent will go elsewhere and build the same products.

“It's like having a boat with 10 holes in it and plugging one.” 

Clarification: This story has been updated to reflect that creditors foreclosed on NSO’s parent company in 2023. 

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.