This post is also available in:
עברית (Hebrew)
A U.S. jury has ordered a significant financial penalty in a high-profile cyber case involving advanced surveillance technology. The decision, delivered Tuesday, May 6th, requires the Israel-based NSO Group to pay approximately $168 million in damages following a legal battle with WhatsApp over the alleged use of spyware.
At the center of the case is Pegasus, NSO Group’s flagship surveillance tool. According to evidence presented in court, Pegasus was covertly installed on smartphones through vulnerabilities in messaging services, including WhatsApp, enabling near-total access to infected devices. Once active, the spyware could extract data from any installed application and even activate microphones and cameras without the user’s knowledge.
Meta, the parent company of WhatsApp, initiated the lawsuit in 2019. The company argued that Pegasus was used to target journalists, human rights defenders, and legal professionals by secretly compromising their communications. The jury awarded WhatsApp nearly half a million dollars in compensatory damages, along with $167 million in punitive damages designed to deter similar future actions.
Court documents revealed that NSO invested tens of millions annually in developing techniques to deploy spyware via various digital channels—including text messages, browsers, and mobile operating systems. This included efforts to simulate legitimate WhatsApp traffic to bypass security protocols and deliver malicious code, ultimately breaching the devices’ security after encrypted messages were decrypted by the app, according to AFP.
Though NSO has maintained that its technology is used exclusively by authorized governments for counterterrorism and law enforcement purposes, critics point to a long trail of abuse.
This case marks one of the most visible legal confrontations over the commercial spyware industry to date. The ruling may set a precedent for how spyware is regulated and litigated globally, especially as encrypted communication platforms remain a prime target for unauthorized surveillance.
