
WhatsApp Wins $167 Million Verdict Against NSO Group in Spyware Lawsuit

4 days ago

On May 6, 2025, WhatsApp secured a significant victory against NSO Group, a notorious Israeli spyware company, when a jury ordered NSO to pay more than $167 million in damages. This outcome resolved a legal dispute that began in October 2019, when WhatsApp sued NSO Group for hacking over 1,400 of its users using a vulnerability in the app's audio-calling function. The trial lasted a week, featuring testimonies from key figures including NSO Group’s CEO, Yaron Shohat, and WhatsApp employees involved in the incident.

The hack was executed through a zero-click attack, which means it required no action from the target. According to WhatsApp’s lawyer, Antonio Perez, NSO Group created a "WhatsApp Installation Server" to send malicious messages masquerading as normal calls. Upon receipt, these messages triggered the phone to connect to another server and download the Pegasus spyware, all needing just the target's phone number. NSO Group’s R&D VP, Tamir Gazneli, acknowledged the significance of this zero-click capability, calling it a "significant milestone" for Pegasus.

Despite the lawsuit, NSO Group continued to target WhatsApp users. Gazneli admitted that "Erised," one of the versions of the zero-click attack, was operational from late 2019 to May 2020. Other versions, "Eden" and "Heaven," were part of the broader "Hummingbird" attack suite.

A controversial revelation emerged regarding NSO Group's targeting of American numbers. NSO had long claimed its spyware couldn't target U.S. phone numbers, but a 2022 New York Times report disclosed that the company attacked an American number as a demo for the FBI. NSO Group's lawyer, Joe Akrotirianakis, confirmed this, stating it was a specially configured version of Pegasus used for demonstrations to potential U.S. government clients. The FBI ultimately decided not to deploy the spyware.

NSO Group's CEO, Shohat, provided insights into how government customers use Pegasus. He explained that the user interface does not allow customers to select specific hacking methods. Instead, the backend system chooses the appropriate exploit based on the target's device and location, ensuring the most effective and stealthy approach.

The company's size and financial state were also revealed during the trial. Shohat stated that NSO Group and its parent company, Q Cyber, have between 350 and 380 employees combined, with about 50 working for Q Cyber. Interestingly, NSO Group shares the same building in Herzliya, Israel, with Apple, occupying the top five floors while Apple takes the rest. Shohat mentioned that the companies even share elevators, highlighting a peculiar juxtaposition of corporate neighbors.

Pricing details for Pegasus were also unveiled. An NSO Group employee testified that the standard price for European customers between 2018 and 2020 was $7 million, with an additional $1 million for covert vectors—likely referring to zero-click exploits. The costs varied widely depending on the customer, the number of concurrent targets, and additional features, explaining why countries like Saudi Arabia and Mexico paid significantly more, with Saudi Arabia reportedly paying $55 million and Mexico $61 million over several years.

NSO Group's financial difficulties were starkly exposed during the trial. Shohat testified that the company lost $9 million in 2023 and $12 million in 2024, with only $8.8 million and $5.1 million in its bank accounts, respectively. The company spends about $10 million monthly, primarily on employee salaries. The R&D unit, vital for finding and exploiting vulnerabilities, incurred expenses of $52 million in 2023 and $59 million in 2024. Shohat candidly admitted, "I don’t think we’re able to pay anything. We are struggling to keep our head above water."

Industry insiders and experts have highlighted the implications of this ruling. They believe it sets a precedent for holding spyware companies accountable for abuses, potentially deterring similar activities in the future. The jury’s decision underscores the need for stronger regulations and more transparent practices in the cybersecurity and surveillance sectors. Additionally, WhatsApp’s successful suit may embolden other tech companies to take legal action against entities that compromise user security.

WhatsApp, owned by Meta, has consistently prioritized user privacy and security, as evidenced by its robust response to the NSO Group incident. This legal victory reinforces the company's commitment to protecting its users from sophisticated cyber threats, reaffirming its leadership in the messaging app market.
