In a landmark decision, a federal jury in California has ordered Israeli spyware firm NSO Group to pay Meta Platforms $168 million in damages for unauthorized surveillance activities targeting WhatsApp users. This verdict concludes a protracted legal battle initiated by Meta in 2019, highlighting the persistent challenges posed by cyberespionage tools like NSO’s Pegasus spyware.
Background of the Legal Dispute
Meta, the parent company of WhatsApp, filed a lawsuit against NSO Group in October 2019, accusing the firm of exploiting vulnerabilities in WhatsApp to deploy its Pegasus spyware on approximately 1,400 devices. These devices belonged to journalists, human rights activists, and other members of civil society. The lawsuit alleged that NSO’s actions violated both federal and state laws, as well as WhatsApp’s terms of service. ([axios.com](https://www.axios.com/2019/10/31/nso-spyware-whatsapp-facebooks-new-war-government-spying?utm_source=openai))
NSO’s Continued Exploitation Post-Lawsuit
Despite the ongoing litigation, NSO Group continued to exploit WhatsApp’s infrastructure to deliver its spyware. Court documents reveal that NSO developed multiple installation vectors, collectively known as Hummingbird, which included exploits codenamed Eden, Heaven, and Erised. Notably, the Erised exploit was active from late 2019 until May 2020, well after Meta had initiated legal proceedings. ([securityaffairs.com](https://securityaffairs.com/171047/security/nso-group-used-whatsapp-exploits-even-after-meta-owned-company-sued-it.html?utm_source=openai))
Tamir Gazneli, NSO’s Vice President of Research and Development, confirmed the continued use of these exploits during the trial. This admission underscores the company’s persistent efforts to infiltrate WhatsApp’s defenses, even in the face of legal challenges.
Legal and Financial Repercussions
The jury’s decision to award Meta $168 million in damages reflects the severity of NSO’s actions. This sum includes $444,000 in compensatory damages and $167.3 million in punitive damages. The ruling also mandates that NSO Group provide Meta with the source code for Pegasus and other related spyware tools, aiming to prevent further unauthorized access to WhatsApp’s platform. ([elpais.com](https://elpais.com/us/2025-05-07/la-empresa-propietaria-del-software-espia-pegasus-condenada-a-pagar-168-millones-de-dolares-a-meta.html?utm_source=openai))
This case sets a significant legal precedent, emphasizing the accountability of spyware manufacturers for their products’ misuse. It also highlights the ongoing struggle between technology companies and surveillance firms over user privacy and security.
Broader Implications and Industry Response
The NSO Group’s activities have drawn widespread condemnation from human rights organizations and privacy advocates. The misuse of Pegasus spyware has been documented in multiple countries, targeting a diverse range of individuals, including journalists and political figures. In response to these abuses, the U.S. Commerce Department added NSO Group to its Entity List in November 2021, effectively restricting American companies from conducting business with the firm. ([opensecrets.org](https://www.opensecrets.org/news/2023/05/spyware-firm-nso-group-continues-lobbying-efforts-to-resume-business-as-usual-in-the-u-s?utm_source=openai))
Despite these sanctions, NSO Group has engaged in extensive lobbying efforts to reverse the blacklisting and influence potential regulations on the spyware industry. The company has reportedly spent over $1.1 million on public relations and legal services in the U.S., surpassing the lobbying expenditures of the Israeli government during the same period. ([opensecrets.org](https://www.opensecrets.org/news/2023/05/spyware-firm-nso-group-continues-lobbying-efforts-to-resume-business-as-usual-in-the-u-s?utm_source=openai))
Conclusion
The legal victory for Meta against NSO Group marks a pivotal moment in the ongoing battle for digital privacy and security. It underscores the necessity for robust legal frameworks to hold surveillance firms accountable and protect individuals from unauthorized intrusions. As technology continues to evolve, the balance between security, privacy, and surveillance remains a critical issue for policymakers, technology companies, and civil society.
