PRECEDENT-SETTING WIN: Jury Awards Massive $167 Million in Punitive Damages Against NSO Group

My Privacy Blog

My Privacy Blog

7 min read
PRECEDENT-SETTING WIN: Jury Awards Massive $167 Million in Punitive Damages Against NSO Group
Photo by Christian Wiediger / Unsplash

A landmark victory against the notorious Pegasus spyware maker sends shockwaves through the surveillance industry

In a groundbreaking decision that could reshape the commercial spyware landscape, a federal jury in California has ordered Israeli surveillance company NSO Group to pay a staggering $167.3 million in punitive damages for hacking into the devices of WhatsApp users with its infamous Pegasus spyware. The jury also awarded $444,719 in compensatory damages to cover WhatsApp's costs in addressing the attacks.

The Pegasus Scandal Exposed: High-Tech Espionage Against Journalists and Activists in Jordan
Introduction: Scrutiny and tensions have skyrocketed following recent revelations regarding the extensive use of the notorious Pegasus spyware. Allegedly, this powerful tool was utilized to infiltrate the iPhones of numerous journalists and activists situated in Jordan. This disturbing discovery raises daunting questions concerning the increasingly invasive tendencies of government surveillance
My Privacy BlogMy Privacy Blog

The Verdict: A Historic First

The verdict, delivered on Tuesday in Oakland, California, marks the first time a commercial spyware company has been held financially accountable in U.S. courts. The case originated in 2019 when Meta-owned WhatsApp discovered NSO Group had exploited a vulnerability in its voice calling feature to install Pegasus on approximately 1,400 devices across 51 countries. The targeted individuals included journalists, human rights activists, political dissidents, and government officials.

U.S. District Judge Phyllis J. Hamilton had previously granted WhatsApp's motion for summary judgment against NSO Group in December 2024, finding that the company had violated the U.S. Computer Fraud and Abuse Act and a similar California law with its Pegasus spyware.

"Today's verdict in WhatsApp's case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone," Meta stated after the ruling.

WhatsApp Privacy Guide: Technical Controls for 2025
With over 2.7 billion users globally, WhatsApp remains a critical platform for personal and business communication. However, its expansive feature set demands robust privacy configurations to safeguard data. This guide dissects WhatsApp’s 2025 privacy architecture, offering actionable strategies to secure messages, media, and business interactions. The Complete Guide
My Privacy BlogMy Privacy Blog

The Notorious Pegasus Spyware

Pegasus is one of the world's most powerful surveillance tools, known for its "zero-click" capabilities that allow installation without requiring victims to click links or open messages. Once deployed, the spyware can:

  • Remotely activate a device's microphone and camera
  • Monitor calls and messages in real-time
  • Download nearly all user data
  • Access passwords and encrypted communications
  • Track location data with precision

While NSO Group markets Pegasus as a tool for government agencies to combat terrorism and serious crime, numerous investigations have documented its abuse by governments worldwide to target civil society members. Court documents revealed that the 2019 campaign targeted 456 individuals in Mexico, 100 in India, 82 in Bahrain, 69 in Morocco, and 58 in Pakistan, among others.

WhatsApp Disrupts Spyware Campaign Targeting Journalists and Civil Society Members
WhatsApp, the popular messaging platform owned by Meta, has successfully thwarted a hacking campaign that targeted approximately 90 users, including journalists and members of civil society[1][2]. The company has linked this campaign to Paragon, an Israeli spyware firm that was recently acquired by the American private equity giant
My Privacy BlogMy Privacy Blog

The verdict caps a six-year legal journey that required extraordinary persistence from WhatsApp and Meta. NSO Group deployed multiple tactics to avoid accountability, including:

  • Claiming sovereign immunity as it works with government clients
  • Arguing it bears no responsibility for how clients use its products
  • Refusing to disclose source code and critical evidence
  • Appealing the case all the way to the U.S. Supreme Court

Throughout the proceedings, WhatsApp established that NSO Group repeatedly developed new exploits to circumvent the security measures WhatsApp implemented, continuing to attack users even after the lawsuit was filed.

Revelations from the Trial

The trial provided unprecedented insights into NSO Group's operations, contradicting the company's public claims of limited involvement in surveillance activities:

Sworn testimony from NSO executives revealed that government clients played only a minimal role in deploying Pegasus, with the company handling most of the technical process. According to court documents, NSO "set up and controlled all the server infrastructure used to implant Pegasus and deliver the exfiltrated data to a customer."

In a notable admission during depositions, NSO Group acknowledged disconnecting 10 government customers in recent years from accessing Pegasus due to abuse of the service. This contradicted the company's public stance that it has no visibility into how clients use its technology.

The Intricate Web of Digital Surveillance: NSO Group, Cellebrite, and the Pegasus Spyware
Introduction In the complex arena of digital surveillance, companies like NSO Group and Cellebrite have gained notoriety for their powerful spyware tools, such as Pegasus. These tools have raised global concerns over privacy invasions and human rights violations. This article delves into the implications of these technologies, focusing on both
My Privacy BlogMy Privacy Blog

Implications for the Surveillance Industry

Legal experts and human rights advocates view this verdict as a watershed moment that could dramatically impact the growing commercial spyware industry:

  1. Financial deterrent: The massive punitive damages serve as a warning to other surveillance companies about the potential costs of facilitating illegal hacking.
  2. Legal precedent: The ruling establishes that spyware vendors can be held directly liable for violations committed through their products, even when selling to government clients.
  3. Accountability mechanism: The case demonstrates that persistent legal action can succeed despite jurisdictional challenges and national security claims.

John Scott-Railton, a researcher at Citizen Lab who has documented Pegasus abuses, described the verdict as "transformative," noting that "NSO emerges from this trial severely damaged" both financially and reputationally.

What's Next?

Despite the verdict, WhatsApp acknowledges collecting the damages won't be easy. "We have a long road ahead to collect awarded damages from NSO and we plan to do so," WhatsApp stated. "Ultimately, we would like to make a donation to digital rights organizations that are working to defend people against such attacks around the world."

The company is also seeking a permanent injunction to prevent NSO Group from ever targeting WhatsApp again and to force deletion of any code related to its platforms.

NSO Group, meanwhile, has indicated it will appeal the decision. "We will carefully examine the verdict's details and pursue appropriate legal remedies, including further proceedings and an appeal," the company stated. "We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies."

The Shadow World of Phone Spyware: Unveiling the Role of NSO Group and State-Sponsored Surveillance
Introduction In an era where digital privacy is increasingly under threat, the use of sophisticated phone spyware by various nation-states has become a contentious issue. Central to this debate is the NSO Group, a company known for its Pegasus spyware, which has reportedly been used by governments to surveil citizens.
My Privacy BlogMy Privacy Blog

A Turning Point for Digital Rights

For privacy advocates, the verdict represents a crucial victory in the broader fight against unregulated surveillance technologies. When WhatsApp first filed its lawsuit in 2019, NSO Group operated with relative impunity despite mounting evidence of abuses.

"Back in 2019 no country had sanctioned NSO Group," noted Citizen Lab researcher John Scott-Railton. "No parliamentary hearings, no hearings in congress, no serious investigations. For years, WhatsApp's lawsuit helped carry momentum & showed governments that their tech sectors were in the crosshairs from mercenary spyware too."

Since then, the U.S. government has blacklisted NSO Group, multiple countries have launched investigations, and other tech giants like Apple have filed similar lawsuits. While the commercial spyware industry continues to grow, with researchers warning that many dangerous players remain largely unknown, this verdict establishes that the era of unchecked surveillance is beginning to face meaningful legal constraints.

This article was compiled through research of multiple sources reporting on the NSO Group case and verdict.

Read more