arstechnica

05/07/2025

A jury has awarded WhatsApp $167 million in punitive damages in a case the company brought against Israel-based NSO Group for exploiting a software vulnerability that hijacked the phones of thousands of users.

The verdict, reached Tuesday, comes as a major victory not just for Meta-owned WhatsApp but also for privacy- and security-rights advocates who have long criticized the practices of NSO and other exploit sellers. The jury also awarded WhatsApp $444 million in compensatory damages.

Clickless exploit

WhatsApp sued NSO in 2019 for an attack that targeted roughly 1,400 mobile phones belonging to attorneys, journalists, human-rights activists, political dissidents, diplomats, and senior foreign government officials. NSO, which works on behalf of governments and law enforcement authorities in various countries, exploited a critical WhatsApp vulnerability that allowed it to install NSO’s proprietary spyware Pegasus on iOS and Android devices. The clickless exploit worked by placing a call to a target’s app. A target did not have to answer the call to be infected.

“Today’s verdict in WhatsApp’s case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone,” WhatsApp said in a statement. “Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.”

“Turns out regular people don’t like companies that help dictators hack dissidents,” John Scott-Railton, a senior researcher at Citizen Lab, wrote on Bluesky. “NSO had all the fancy legal arguments. And all the PR spin. But when their conduct got laid bare… the jury sent a massive Monsanto-style punitive damages signal. Other spyware companies: you may be next.”

Besides setting a possible precedent for hacking victims and their technology providers, WhatsApp’s suit exposed NSO practices the company had long tried to keep secret. Last year, the judge hearing the case ordered NSO to reveal some of the source code that makes its products work. The litigation also exposed who some of NSO’s customers were and the location of many of the targeted WhatsApp users.