NSO Group Fined $167 Million for Pegasus Spyware Attack on WhatsApp Users

A U.S. jury has ordered NSO Group to pay over $167 million in damages for a 2019 Pegasus spyware attack that targeted 1,400 WhatsApp users.

    U.S. Jury Holds NSO Group Liable in Landmark Spyware Case

    An American federal jury has ruled that Israeli spyware company NSO Group must pay $167,254,000 in punitive damages and $444,719 in compensatory damages to WhatsApp, following a 2019 spyware campaign that exploited a zero-day vulnerability to target 1,400 users.

    The verdict marks the first time a spyware vendor has been held accountable in court, setting a precedent that could impact the broader commercial surveillance industry.

    “Today’s verdict in WhatsApp’s case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware,”
    Meta (WhatsApp’s parent company)


    WhatsApp Zero-Day Exploit Enabled Remote Spyware Infections

    The case stems from an operation in May 2019, during which NSO Group exploited a WhatsApp vulnerability, later identified as CVE-2019-3568. This flaw, a buffer overflow in WhatsApp’s VOIP stack, could be triggered by malicious RTCP packets sent to a target user’s phone number.

    Devices were infected with Pegasus spyware when users simply received a call—no interaction was needed to trigger the attack.

    WhatsApp filed the lawsuit on October 29, 2019, in the U.S. District Court for the Northern District of California, alleging that NSO used the exploit to breach the privacy of its users. Targets included journalists, human rights defenders, and diplomats, rather than only criminals, as NSO had claimed.


    Court Confirms NSO’s Direct Role and Continued Exploitation

    Testimony from NSO executives during the trial revealed that the company actively participated in infection operations, confirming direct involvement and liability.

    Further court documents showed that NSO:

    • Spent tens of millions of dollars developing additional infection channels
    • Used at least one more WhatsApp zero-day even after Meta initiated legal proceedings

    On December 23, 2024, Judge Phyllis J. Hamilton ruled that NSO violated both U.S. hacking laws and WhatsApp’s Terms of Service, advancing the case to a jury trial to determine damages.


    Damages Awarded and Industry Impact

    The final jury decision awarded WhatsApp:

    • $167.25 million in punitive damages
    • $444,719 in compensatory damages to cover response costs, including investigation, patch development, and user notifications

    “This ruling sends a strong message to spyware firms globally. They are not beyond accountability,”
    John Scott-Railton, Citizen Lab researcher

    The case is expected to have ripple effects across the commercial spyware sector, where vendors often operate in legal gray areas under the justification of supporting law enforcement.

    Meta has also released transcripts of key NSO Group depositions for public review.