WhatsApp Wins $167M Verdict Against NSO Group Spyware Maker

In a landmark legal victory on May 6, 2025, WhatsApp was awarded over $167 million in damages from NSO Group, the notorious spyware developer behind Pegasus. This verdict concluded a protracted legal battle that began in 2019 when WhatsApp accused NSO of exploiting a vulnerability in its audio-calling feature to hack more than 1,400 users worldwide.

The spyware attack was particularly insidious because it was a zero-click exploit, meaning victims did not have to interact with any message or call to be infected. NSO’s system sent fake WhatsApp calls that triggered the automatic download of Pegasus spyware using only the target’s phone number. This method bypassed traditional security measures and made detection extremely difficult.

Despite the lawsuit, NSO Group continued to deploy variants of this zero-click attack against WhatsApp users until May 2020. The company’s own executives testified about the ongoing use of these exploits, codenamed “Erised,” “Eden,” and “Heaven,” collectively known as “Hummingbird.”

The trial also revealed that NSO Group tested Pegasus on a U.S. phone number as part of a demonstration for the FBI, contradicting previous claims that the spyware could not target American numbers. Although the FBI opted not to deploy Pegasus, this admission highlighted the spyware’s reach and potential misuse.

NSO’s CEO disclosed that the Pegasus interface used by government clients does not allow them to select specific hacking methods; instead, the system automatically chooses the most effective exploit. This underscores the automation and sophistication behind Pegasus, enabling clients to gather intelligence without technical expertise.

Interestingly, NSO Group’s headquarters shares a building with Apple in Herzliya, Israel, the very company whose devices are frequently targeted by Pegasus. NSO occupies the top floors while Apple occupies the rest, a striking juxtaposition of adversaries under one roof.

Financial disclosures during the trial painted a bleak picture for NSO Group. The company reported losses of $9 million in 2023 and $12 million in 2024, with dwindling bank balances and monthly expenses around $10 million, mostly for salaries. Despite charging governments millions for Pegasus access, NSO claimed it struggles to pay damages.

The trial unearthed pricing details showing European customers paid around $7 million for Pegasus access, with additional fees for stealthy zero-click exploits. Other countries like Saudi Arabia and Mexico reportedly paid tens of millions over several years, illustrating the lucrative and controversial spyware market.

This verdict marks a significant milestone in holding spyware makers accountable and highlights the ongoing challenges in protecting user privacy against sophisticated state-sponsored cyber threats. As spyware technology evolves, so must our defenses and legal frameworks.