A federal jury on Tuesday ordered the best-known maker of government spyware to pay a record-setting $167 million for hacking more than 1,000 people through WhatsApp messages in a stunning cap to six years of litigation.
The verdict came on the second day of deliberations in the damages phase of the trial in Oakland, California. U.S. District Judge Phyllis J. Hamilton granted WhatsApp’s motion for summary judgment against Israel-based NSO Group in December, finding that it had violated the U.S. Computer Fraud and Abuse Act and a similar California law with its spying program known as Pegasus.
Tuesday’s award was for $167,256,000 in punitive damages and $440,000 in compensatory damages, the largest blow ever dealt to the burgeoning spyware industry.
While Pegasus is marketed to governments as a tool to fight terrorism and organized crime, a steady stream of investigations have shown it being used against political leaders, peaceful activists and journalists around the world.
“Today’s verdict in WhatsApp’s case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone,” WhatsApp parent Meta said.
“The jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.”
NSO said it would probably appeal.
“NSO remains fully committed to its mission to develop technologies that protect public safety, while continuously strengthening our industry-leading compliance framework and ensuring our technology is deployed solely for their legitimate, authorized purposes by legitimate sovereign governments,” spokesman Gil Lanier said.
Meta said that if it collects the money from the Israeli company, it would donate to the sort of digital rights groups that have been critical in detecting and examining spyware attacks.
“We have a long road ahead to collect awarded damages from NSO and we plan to do so,” it said. “Ultimately, we would like to make a donation to digital rights organizations that are working to defend people against such attacks around the world. Our next step is to secure a court order to prevent NSO from ever targeting WhatsApp again.”
The Toronto-based nonprofit Citizen Lab, which led the way in exposing Pegasus, praised WhatsApp for persisting in its litigation and for notifying victims when it detected attacks.
“Back in 2019 no country had sanctioned NSO Group,” Citizen Lab researcher John Scott-Railton posted on Bluesky. “No parliamentary hearings, no hearings in congress, no serious investigations. For years, WhatsApp’s lawsuit helped carry momentum & showed governments that their tech sectors were in the crosshairs from mercenary spyware too.”
Hamilton’s December ruling held NSO liable for hacking into the Meta unit’s systems by sending malicious software through its servers to about 1,400 targeted phones, which Meta said belonged to government officials, journalists, human rights activists and dissidents in dozens of countries.
Hamilton also found that WhatsApp was entitled to sanctions against NSO for its refusal to turn over source code for the software in discovery, with the penalty to be determined later. She ruled that with the underlying legal issues settled, the case should proceed to trial only to determine how much the company should pay in civil damages.
The case included the first U.S. testimony from NSO executives, who have long taken pains to stay out of the public eye.
The jury’s award is by far the most consequential result from scores of lawsuits in an industry at the center of global disputes over governmental surveillance powers and individual freedoms. That it took so long to come to trial, after an appeal that reached the U.S. Supreme Court, underscores the high stakes and national interests involved.
The U.S. government blacklisted NSO and a handful of other companies and individuals after determining that they were operating in opposition to U.S. interests. Most American allies have been slow to follow suit.
Apple dropped a similar case against NSO in September after Israeli authorities reportedly seized the company’s source code and NSO said it could no longer produce it. NSO has been closely allied with the Israeli government, from which the company has said it needs permission to export its products.
NSO had argued that it should be exempt from legal punishment because it sells only to government agencies, which determine which people to target with the programs, but appeals courts rejected that defense. The company’s executives acknowledged in depositions that it determines how hacks are conducted, based on what phone and software each target uses.
Pegasus and similar wares have exploited security flaws, including those in WhatsApp and Apple’s operating system, to get inside phones and capture pictures, emails and texts, even those that are fully encrypted in transmission.
In some cases, those exploits require no user interaction and leave the software all but indiscoverable.
Evidence developed in the case showed how capable and dangerous NSO has been, with 140 employees looking for ways to exploit Apple’s iPhone and Google-supported Android phones and the apps that run on them. An NSO executive testified that the spyware had been installed through operating systems, instant messengers and browsers.
Pegasus is programmed with technical blocks against spying within the United States and on phones with U.S. numbers that are physically located elsewhere in the world, an attorney for NSO said.
But spy programs made by other vendors or within national agencies do not have such limitations. That is one reason security experts have been aghast at the use of Signal and an archiving program for its messages by White House officials including Michael Waltz, who was recently ousted as national security adviser, and Defense Secretary Pete Hegseth. Although Signal is end-to-end encrypted, any spy software that can take control of a phone can access all of those messages.
Testimony in the WhatsApp case showed that NSO used a succession of attacks on the company between 2018 and 2020, altering its technique when WhatsApp blocked earlier methods. One of those modifications came after WhatsApp had filed suit, strengthening Meta’s argument that NSO had acted willfully.
Meta told the court that it had paid more than $400,000 in salary to employees as they battled with NSO.
But NSO attorney Joseph Akrotirianakis told the jury that those salaries would have been paid in any case and that jurors were not being asked to weigh the impacts on the ultimate hacking targets, only any costs to Meta.
“This lawsuit is about publicity,” he said in closing arguments. “Facebook wanted to make headlines about how deeply and strongly and genuinely they believe in protecting their users’ privacy, and it viewed suing NSO as an easy way to get those good headlines.”
NSO emphasized that it had used WhatsApp’s computers only in passing tainted messages through to the victims.
“Pegasus did not take anything from WhatsApp servers,” Akrotirianakis said. “It did not leave anything behind. It did not execute any code on WhatsApp servers, it did not delete, change or corrupt any data.”
To win punitive damages under the California hacking statute, Meta had to show by convincing evidence that NSO was “guilty of oppression, fraud, or malice.”
To convey to the jury how big an award would need to be to have an impact, WhatsApp established in sometimes combative testimony that NSO spent about $50 million yearly on research and development.
NSO chief executive Yaron Shohat testified that NSO lost $12 million in 2024 and $9 million in 2023 and that it would struggle to pay significant damages.
