In a historic legal judgment that could reverberate across the global surveillance industry, a U.S. federal jury has ordered Israeli spyware firm NSO Group to pay more than $167 million in damages to WhatsApp, a subsidiary of Meta, for illegally hacking over 1,400 users via its notorious Pegasus software. The decision, announced this week, concludes a six-year courtroom battle and marks the largest penalty ever imposed on a spyware company.
A Major Blow to the Spyware Industry
The ruling includes $167.26 million in punitive damages and $440,000 in compensatory damages, following findings that NSO Group exploited a vulnerability in WhatsApp’s voice-calling feature between 2018 and 2020. This flaw enabled the installation of Pegasus spyware without users needing to answer a call — a method that allowed stealth surveillance of targets ranging from journalists and human rights activists to politicians and civil society members across over 20 countries.
WhatsApp’s parent company, Meta, welcomed the ruling. “This decision is an important step forward for privacy and security,” Meta stated, adding that any damages recovered will be donated to digital rights and privacy advocacy groups.
“This case sets a precedent,” said John Scott-Railton, senior researcher at Citizen Lab, who has closely followed Pegasus deployments. “After years of delays and denial, it took a jury only one day to send a clear message to the spyware industry: your time operating in the shadows is ending.”
The Mechanics of the Exploit
Court documents and expert testimony revealed that NSO Group used WhatsApp’s own infrastructure to deliver the spyware — a key detail that led the jury to conclude the firm had acted with “oppression, fraud, or malice.” The exploit, embedded in WhatsApp’s call function, enabled the spyware to be delivered even if the call was not answered, making it one of the most invasive forms of surveillance uncovered in recent years.
U.S. District Judge Phyllis Hamilton had previously ruled that NSO had violated both federal and California anti-hacking laws. The jury’s task was to determine the scope of the financial damages — a question it answered swiftly and decisively.
NSO Denies Wrongdoing, Plans to Appeal
Despite the verdict, NSO Group continues to deny wrongdoing. In court, its attorneys claimed that Pegasus was never deployed on WhatsApp’s servers and reiterated that the company only sells its software to “vetted government clients” for the purpose of fighting crime and terrorism.
“This lawsuit was never about justice — it was about publicity,” NSO’s legal team argued, insisting that the trial was a media-driven campaign orchestrated by Meta.
However, WhatsApp argued — and the jury appeared to agree — that NSO had engaged in willful misconduct, noting that the company continued to adapt and develop Pegasus even after the lawsuit was filed.
Global Scrutiny and a Shrinking Market for Spyware
The verdict comes at a time when governments and civil liberties groups are raising red flags about the proliferation of commercial spyware. Pegasus has been linked to surveillance abuses in multiple nations, prompting international outrage and calls for regulatory reform.
In 2021, the U.S. Department of Commerce blacklisted NSO Group, citing national security concerns and accusing the company of enabling transnational repression. That move alone severely restricted NSO’s business operations and ability to partner with American tech firms.
Furthermore, recent technical analyses — including findings from the iVerify security team — confirm that Pegasus remains active and operational on both iOS and Android platforms, increasing the urgency of curbing such tools’ unchecked spread.
What This Means for the Future
While NSO has signaled plans to appeal the verdict, legal experts say the implications are already significant. The ruling reinforces the growing consensus that tech firms, governments, and courts must enforce accountability in cyberspace, especially when commercial surveillance tools are used to target civilians.
“This isn’t just a win for WhatsApp,” said Scott-Railton. “It’s a warning to any company that thinks it can profit from weaponizing digital tools against innocent people.”
With the ruling now part of legal precedent, pressure is expected to mount on other surveillance vendors and their government clients to either reform or face similar legal and reputational consequences.
Conclusion
The $167 million verdict against NSO Group marks a turning point in the battle for digital privacy and corporate accountability. As governments and tech platforms ramp up efforts to combat surveillance abuse, this case serves as both a warning and a milestone. In an increasingly interconnected world, the line between security and surveillance has never been more scrutinized — and now, perhaps, never more enforceable.
Would you like a shortened version of this article for blog or social media use?