In a landmark decision this past Tuesday, a jury ordered spyware manufacturer NSO Group to compensate Meta-owned WhatsApp with damages exceeding $167 million, delivering a significant legal defeat to the controversial Israeli company. The ruling marked the culmination of a high-profile legal fight lasting over five years, initiated when WhatsApp filed suit in October 2019, accusing NSO Group of hacking approximately 1,400 users through an exploit in the messaging app’s audio-calling feature.
The verdict followed an intensive week-long trial highlighted by pivotal testimonies from NSO Group CEO Yaron Shohat and key WhatsApp engineers involved in detecting and investigating the breach.
Several revelations emerged even prior to the trial. Notably, court documents exposed that NSO had severed ties with ten government customers due to their misuse of the Pegasus spyware tool. Additionally, disclosed documents identified the locations of 1,223 targeted victims and publicly named Mexico, Saudi Arabia, and Uzbekistan among confirmed buyers of the spyware.
Important details regarding the attack method surfaced during the trial. WhatsApp attorney Antonio Perez outlined the “zero-click” nature of NSO’s Pegasus spyware attack, meaning users required no interaction from their end for their phones to become infected. Perez described how Pegasus operated by initiating fraudulent WhatsApp calls, carefully engineered to resemble legitimate network communications: once these calls reached devices, they triggered downloads of malicious software from remote servers. According to NSO’s vice president of R&D, Tamir Gazneli, achieving zero-click execution significantly advanced the capabilities of their spyware technology.
Additionally, the trial confirmed a longstanding rumor: NSO Group had indeed targeted a U.S.-registered phone number, despite publicly claiming Pegasus was unable to infect numbers starting with the American “+1” prefix. According to NSO’s legal counsel, Joe Akrotirianakis, this particular intrusion was specifically arranged for demonstration purposes requested by the FBI, which ultimately chose not to adopt Pegasus following the test.
During testimony, Shohat also clarified how the spyware functions in practice: customers—typically governmental intelligence agencies—simply select targets, without specifying exact hacking methods. Pegasus autonomously determines and deploys the appropriate exploit tailored to the target’s device and environment, streamlining spyware deployment.
The trial further revealed an ironic geographical coincidence. NSO maintains its headquarters in Herzliya, Israel, in the same office building occupied by Apple, the manufacturer of iPhones regularly attacked via NSO’s sophisticated spyware. Shohat noted that while NSO occupies the building’s upper five floors, Apple fills much of the remaining space.
Finally, NSO executives admitted that the company continued targeting WhatsApp users even after receiving notice of the 2019 lawsuit. R&D Vice President Gazneli acknowledged that spyware variants designed to exploit WhatsApp—code-named “Eden,” “Heaven,” and “Erised,” and collectively referred to as “Hummingbird”—remained operational until May 2020, months after WhatsApp initiated legal proceedings.
