WhatsApp Wins Major Legal Battle Against NSO Group, Awarded $167 Million in Damages
In a landmark victory for WhatsApp, a jury recently ordered the notorious spyware maker NSO Group to pay over $167 million in damages to the Meta-owned messaging platform. This ruling marks the conclusion of a lengthy legal battle that began in October 2019 when WhatsApp accused NSO Group of exploiting a vulnerability in its audio-calling feature to hack more than 1,400 users.
The trial, which lasted a week, featured testimonies from NSO Group’s CEO Yaron Shohat and WhatsApp employees who investigated the breach. Prior to the trial, significant revelations emerged, including NSO Group cutting ties with 10 government clients for misusing its Pegasus spyware, identifying 1,223 spyware victims, and naming customers such as Mexico, Saudi Arabia, and Uzbekistan.
One of the most intriguing revelations from the trial was how the WhatsApp attack unfolded. The zero-click attack method involved sending fake WhatsApp calls to targets, triggering the download of the Pegasus spyware without any user interaction. NSO Group’s research and development VP described this as a significant advancement for Pegasus.
Despite facing a lawsuit from WhatsApp, NSO Group continued to target WhatsApp users with its spyware, using versions codenamed “Erised,” “Eden,” and “Heaven” collectively known as “Hummingbird.” It was also revealed that NSO Group targeted a U.S. phone number as a test for the FBI, a departure from their claim that Pegasus couldn’t target American numbers.
NSO Group’s CEO detailed how their government clients utilize Pegasus, explaining that the spyware’s backend determines the hacking method for each target automatically. Additionally, NSO Group disclosed having between 350 and 380 employees, with their headquarters coincidentally located in the same building as Apple.
The trial also shed light on the cost of Pegasus for European customers, with one NSO Group employee revealing a standard price of $7 million, plus additional fees for covert vectors. These revelations provide insight into the lucrative business of advanced spyware and the high stakes involved in cyber espionage.
Overall, the legal battle between WhatsApp and NSO Group has brought to light the inner workings of the spyware industry, exposing the methods used by governments and the financial costs associated with acquiring such powerful surveillance tools. The outcome of this case sets a precedent for holding spyware makers accountable for their actions and protecting users’ privacy in the digital age. The concept of “covert vectors” is not explicitly defined, but it likely refers to sneaky methods used to install spyware on a target phone. These techniques, such as zero-click exploits, allow a Pegasus operator to hack a device without the victim needing to interact with a message or click on a link.
The prices of spyware and zero-day exploits can vary based on various factors. Spyware makers may charge more when selling to certain countries like Saudi Arabia or the United Arab Emirates. Additionally, the cost may depend on the number of targets a customer can spy on simultaneously and any additional features like zero-click capabilities.
In 2019, a European customer reportedly paid $7 million for spyware, while Saudi Arabia paid $55 million and Mexico paid $61 million over several years. These disparities could be attributed to the factors mentioned earlier.
During a trial, NSO Group’s financial state was discussed. The company disclosed losses of $9 million in 2023 and $12 million in 2024. They also revealed having $8.8 million in the bank in 2023 and $5.1 million in 2024. NSO Group currently spends around $10 million per month, primarily on employee salaries. Q Cyber, a subsidiary, had $3.2 million in the bank in both 2023 and 2024.
NSO Group’s research and development unit, responsible for finding software vulnerabilities and exploiting them, incurred expenses of $52 million in 2023 and $59 million in 2024. The company’s customers reportedly pay between $3 million and significantly more for access to Pegasus spyware.
Given these financial details, NSO Group aimed to avoid paying substantial damages during the trial. The company expressed financial struggles and a commitment to managing expenses to meet their obligations.
This article was originally published on May 10, 2025, and has been updated with additional information.