Federal jury orders NSO Group to pay over $167 million in landmark spyware case

In a precedent-setting decision, a United States federal jury has ordered Israeli spyware firm NSO Group to pay a total of $167,698,719 in damages to WhatsApp for a 2019 cyberattack that targeted 1,400 users of the messaging platform. The verdict includes $167,254,000 in punitive damages and $444,719 in compensatory damages.

The lawsuit, filed by Meta—the parent company of WhatsApp—on October 29, 2019, in the U.S. District Court for the Northern District of California, accused NSO Group of exploiting a vulnerability in WhatsApp’s voice calling feature to deploy its Pegasus spyware. The attack took place in May 2019 and involved a zero-day vulnerability later identified as CVE-2019-3568, a buffer overflow flaw in the app’s VOIP stack. This allowed attackers to remotely execute code on targeted devices by sending specially crafted RTCP packets, even if the recipient did not answer the call.

The court found that NSO Group used the exploit to deliver Pegasus to individuals including journalists, diplomats, and human rights activists. Although the spyware firm maintains that its tools are intended for use by law enforcement agencies to combat serious crime, the court concluded that NSO was directly involved in the infection operations and was therefore liable for the cyberattacks.

The trial featured testimony from NSO executives, who admitted to spending tens of millions of dollars to develop a range of infection vectors in addition to those targeting WhatsApp. Evidence also emerged that the company continued to exploit WhatsApp vulnerabilities even after the lawsuit had been filed.

On December 23, 2024, U.S. District Judge Phyllis J. Hamilton issued a partial summary judgment in favor of WhatsApp, ruling that NSO Group had violated U.S. computer hacking laws and WhatsApp’s terms of service. The case was subsequently moved to a jury trial to determine the appropriate amount of damages.

This ruling marks the first time a commercial spyware vendor has been held accountable in a U.S. court, a development that could have significant implications for the global surveillance technology industry. Meta, in a public statement following the verdict, called the decision “an important step forward for privacy and security,” adding that it sends a “critical deterrent” message to spyware vendors targeting American companies and individuals.