Meta Platforms has secured a significant jury award totaling nearly $168 million against Israeli spyware vendor NSO Group, a decision delivered on May 6, 2025, that caps a legal battle spanning over five years.
The case centered on a 2019 incident where NSO’s potent Pegasus spyware was used to exploit Meta’s WhatsApp messaging service, targeting the devices of more than 1,400 users worldwide. A federal jury in Oakland, California, determined that NSO Group owes Meta $444,719 in compensatory damages to cover the costs Meta incurred in addressing the sophisticated attack.
More substantially, the jury levied $167.3 million in punitive damages, an amount specifically broken down to $55.76 million for each of three claims: violation of the federal Computer Fraud and Abuse Act (CFAA), breach of California’s computer crime law, and breaking WhatsApp’s contractual terms of service.
NSO Group quickly signaled its intention to contest the verdict. “We will carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal,” spokesperson Gil Lanier said in a statement.
Lanier also reiterated NSO’s position, stating, “We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies… This perspective… was excluded from the jury’s consideration in this case.”
This statement follows earlier trial testimony from NSO CEO Yaron Shohat, who had described the company’s precarious financial situation, raising questions about its ability to pay such a substantial sum.
Meta, the parent company of WhatsApp, framed the outcome as a pivotal moment for user security and a stand against the spyware industry. In an official announcement following the verdict, the company declared, “Today’s verdict in WhatsApp’s case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone.”
Will Cathcart, the head of WhatsApp, amplified this message on the social media platform X, writing, “the jury’s verdict today to punish NSO is a critical deterrent to the spyware industry against their illegal acts aimed at American companies and our users worldwide.” Meta has stated its intention to pursue collection of the awarded damages and, as mentioned in their announcement, “Ultimately, we would like to make a donation to digital rights organizations that are working to defend people against such attacks around the world.”
Looking ahead, Meta plans to seek a permanent injunction to bar NSO Group from using its platforms or technology and will also demand the deletion of any WhatsApp-related code NSO may still possess. As part of its commitment to transparency, Meta also announced, “Finally, we’re publishing (unofficial) transcripts of deposition videos that were shown in open court so that these records are available to researchers and journalists studying these threats and working to protect the public,” and encouraged ongoing vigilance through its Bug Bounty program.
A Protracted Legal Confrontation
The six-day damages trial, which saw the jury deliberate for approximately one day, was convened after U.S. District Judge Phyllis J. Hamilton had already found NSO Group liable for the attack in a December 2024 ruling.
That prior ruling highlighted that Pegasus spyware was routed through WhatsApp’s California-based servers 43 times during the May 2019 attack window. Consequently, the recent trial focused exclusively on the financial repercussions for NSO. Meta’s legal team successfully argued that NSO Group acted with “oppression, fraud or malice,” a necessary finding for the jury to award punitive damages.
These damages notably exceeded NSO’s reported $50 million annual research and development budget, a figure Meta’s lawyers had suggested as a guideline. NSO’s defense, in turn, characterized Meta’s damages claim as inflated and an attempt to make an example of the firm.
The lawsuit was first filed in October 2019, shortly after WhatsApp identified and patched the vulnerability exploited by NSO. This vulnerability, detailed by Winbuzzer at the time, resided in WhatsApp’s audio/video calling feature and allowed Pegasus spyware to be surreptitiously installed on target devices, often through unanswered calls.
Meta confirmed it had collaborated with the University of Toronto’s Citizen Lab in 2019 to investigate the breach and alert affected users. Subsequent court documents revealed these users were spread across 51 countries, with significant numbers in Mexico (456), India (100), and Bahrain (82), as reported by the Organized Crime and Corruption Reporting Project (OCCRP).
The legal journey was arduous, involving proceedings before the Ninth Circuit Court of Appeals and NSO Group’s unsuccessful 2023 attempt to claim sovereign immunity, a bid rejected by the U.S. Supreme Court. The case also saw NSO Group face prior sanctions for failing to comply with court orders to produce the Pegasus source code.
The Nature of Pegasus and NSO’s Defense
Pegasus is a highly sophisticated piece of spyware, notorious for its ability to infiltrate mobile devices, often utilizing “zero-click” exploits that require no action from the device owner. Once installed, Pegasus can grant attackers extensive remote control, enabling them to access microphones, cameras, messages, location data, and a wide array of other personal information.
This capability to compromise device endpoints effectively bypasses the protections offered by end-to-end encrypted messaging applications like WhatsApp or Signal. The inherent risks of such endpoint compromises, even with secure messaging apps like Signal, as the ongoing Signal-Gate scandal of the Trump administration shows.
NSO Group has consistently defended its operations by stating that it licenses Pegasus exclusively to vetted government clients for the sole purpose of combating serious crime and terrorism, and that it does not operate the spyware itself.
However, court filings from November 2024 suggested that NSO Group continued to develop new exploits against WhatsApp, specifically tools named “Eden” and “Erised,” even while the lawsuit was ongoing. These filings also indicated that NSO had reverse-engineered WhatsApp’s code. Adding to the scrutiny, reports emerged during the litigation that NSO’s sister company, Westbridge, had attempted to sell Pegasus to U.S. police forces, a development that appeared to challenge NSO’s claims about its restricted customer base and operational scope.
Broader Industry Reactions and Spyware Landscape
The verdict against NSO Group is set against a backdrop of increasing global concern over the commercial spyware industry. In a parallel development, Apple initiated warnings to its users in 100 countries in early May regarding “mercenary spyware attacks,” explicitly comparing the threat level to that posed by NSO’s Pegasus.
Apple itself had filed a lawsuit against NSO Group in November 2021, with the tech giant referring to NSO as “amoral 21st century mercenaries.” The U.S. government has also taken steps, placing NSO Group on the Commerce Department’s entity list in November 2021 due to activities deemed contrary to national security interests.
Human rights organizations have praised the verdict. Natalia Krapiva of the digital rights group Access Now commented, “This sends a clear message to spyware firms: abuse has consequences.” Despite the substantial financial penalty, some cybersecurity analysts express caution regarding its long-term impact on the spyware market.
While NSO Group might face bankruptcy, the underlying technology or similar services could potentially re-emerge under a different structure or name, indicating that the fight against such surveillance tools is likely to be an ongoing challenge.
