The lawyer representing the Israeli spyware firm NSO Group has publicly identified Mexico, Saudi Arabia, and Uzbekistan as being among the governments responsible for targeting more than 1,200 WhatsApp users with the Pegasus spyware in 2019.
During a recent court hearing connected to a long-running lawsuit filed by WhatsApp against NSO Group, attorney Joe Akrotirianakis confirmed Mexico, Saudi Arabia, and Uzbekistan as clients involved in the spyware campaign. The acknowledgment marks the first instance where representatives of NSO Group have openly disclosed any of their government customers, despite repeatedly citing confidentiality and privacy obligations in the past.
The court case dates back to a lawsuit filed by Meta-owned WhatsApp in 2019, accusing NSO Group of exploiting a vulnerability in the messaging app to compromise the devices of around 1,400 users over a span of two months earlier in the same year. WhatsApp stated in its original complaint that the breach particularly focused on human rights activists, journalists, and members of civil society. The digital rights watchdog Citizen Lab assisted WhatsApp in identifying over 100 of these targeted individuals.
During the hearing, Akrotirianakis indicated that NSO had at least eight client governments whose identities formed part of the evidence submitted during legal discovery; however, he directly named only Mexico, Saudi Arabia, and Uzbekistan. Simultaneously, a judicial document unsealed recently listed 51 countries where the victims of the 2019 incident were located. This list also potentially constitutes a broader roster of NSO’s client countries, as Pegasus licenses are restricted territorially.
Saudi Arabia notably did not appear in this document, but lawyers and analysts suggest that certain NSO clients could have used the spyware to pursue targets outside their borders. This possibility aligns with earlier findings by Citizen Lab, which in 2017 provided circumstantial evidence suggesting that at least one Mexican government client used NSO spyware to target individuals inside U.S. territory.
An NSO spokesperson, Gil Lainer, reached for comment, declined to respond to specific queries regarding customer identities but did not dispute Akrotirianakis’ statement. A WhatsApp representative, Zade Alsaway, emphasized the company’s intent to pursue damages and secure an injunction to prevent further attacks on its platform.
Judge presiding over the lawsuit indicated in a recent pre-trial order that, while NSO acknowledged certain customers were identified in court documents, the company itself had yet to confirm officially that these states were clients. Hence, the judge described the existing record as “opaque,” with uncertainty persisting about the exact identities responsible for specific attacks.
For years, reports from organizations including Citizen Lab and Amnesty International have detailed widespread alleged abuses of Pegasus spyware in various countries, documenting its use against journalists, activists, and dissidents. Many of these countries, including Mexico, Hungary, Spain, and the UAE, appeared on the newly revealed list of victim locations.
NSO Group has faced mounting scrutiny and controversy over allegations of improper use of its surveillance tools, which it has repeatedly claimed are intended solely for lawful investigations and counter-terrorism measures. The current lawsuit by WhatsApp represents one of multiple legal and public-relations challenges confronting the Israeli firm, highlighting ongoing international debates around government surveillance, privacy rights, and the accountability of private surveillance technology companies.
