
Jury Orders NSO Group to Pay $167 Million in WhatsApp Pegasus Case

Author: Ze Research Writer

A federal jury in California ordered Israeli spyware maker NSO Group to pay approximately $167 million in damages to WhatsApp and Meta for exploiting a vulnerability to deploy Pegasus spyware against 1,400 users in 2019.

Executive Brief

A federal jury in Oakland, California, on May 6, 2025, ordered Israeli surveillance technology company NSO Group to pay approximately $167 million in damages to WhatsApp and its parent company Meta. The verdict concluded a six-year legal battle that began when WhatsApp discovered NSO Group had exploited a vulnerability in its voice calling feature to deploy Pegasus spyware against approximately 1,400 users in 2019.

The damages award consists of $167.25 million in punitive damages and approximately $444,000 in compensatory damages, according to court filings. WhatsApp had originally sought $400,000 in compensatory damages to cover the engineering costs of patching the vulnerability and notifying affected users.

The case represents the first time a commercial spyware vendor has been held liable in a U.S. court for hacking operations. NSO Group had argued throughout the proceedings that it should be immune from suit because it sells exclusively to government clients for law enforcement and intelligence purposes. The courts rejected that immunity defense at every stage (the district court in 2020, the Ninth Circuit in November 2021, and the Supreme Court by declining review in January 2023), and in December 2024 the district court granted summary judgment finding NSO Group liable.

Affected users included journalists, human rights activists, diplomats, and political dissidents across multiple countries. WhatsApp identified the intrusion in May 2019 and filed suit in October of that year. The verdict arrives as governments worldwide debate regulations on commercial spyware and its use against civil society.

NSO Group indicated through its legal representatives that it intends to appeal the verdict. The company faces ongoing financial difficulties and has been subject to U.S. Commerce Department export restrictions since November 2021.

What Happened

The timeline of events leading to the May 6, 2025 verdict spans nearly six years of legal proceedings and technical investigation.

In May 2019, WhatsApp security engineers detected unusual activity in the platform's voice calling infrastructure. Investigation revealed that attackers were exploiting a buffer overflow vulnerability (CVE-2019-3568) in WhatsApp's VoIP stack. The exploit achieved remote code execution through a specially crafted series of SRTCP (secure RTCP) packets sent to the target's phone number during call setup, requiring no interaction from the target beyond having WhatsApp installed.

WhatsApp patched the vulnerability on May 13, 2019, and began notifying affected users. The company's investigation, conducted with assistance from Citizen Lab at the University of Toronto, traced the attacks to infrastructure associated with NSO Group.

On October 29, 2019, WhatsApp filed suit against NSO Group in the U.S. District Court for the Northern District of California. The complaint alleged violations of the Computer Fraud and Abuse Act (CFAA), the California Comprehensive Computer Data Access and Fraud Act, and breach of contract for violating WhatsApp's terms of service.

NSO Group moved to dismiss the case, arguing sovereign immunity because its clients are foreign governments. The Ninth Circuit Court of Appeals rejected this argument in November 2021, ruling that NSO Group, as a private company, could not borrow the sovereign immunity of its government clients. The Supreme Court declined to review that decision in January 2023.

In December 2024, Judge Phyllis Hamilton granted partial summary judgment to WhatsApp, finding NSO Group liable for violations of the CFAA and California state law and for breach of WhatsApp's terms of service. The ruling left only the question of damages for the jury.

The trial on damages began in late April 2025. WhatsApp presented evidence of the engineering resources required to identify and patch the vulnerability, as well as the costs of user notification. NSO Group's defense focused on the legitimate law enforcement purposes of its government clients.

On May 6, 2025, the jury returned its verdict awarding $167.25 million in punitive damages and $444,000 in compensatory damages.

Key Claims and Evidence

WhatsApp's legal team presented several categories of evidence during the damages trial.

Technical forensics demonstrated that the exploit targeted specific phone numbers associated with journalists, activists, and political figures. Citizen Lab researchers testified that they had independently verified Pegasus infections on devices belonging to individuals in the targeted group.

WhatsApp's engineering team documented 1,400 devices that received the malicious call packets during the two-week attack window in April and May 2019. The company presented internal communications showing the resources devoted to emergency patching and incident response.

Financial evidence showed WhatsApp spent approximately $444,000 on direct remediation costs, including engineering time for the patch, security audit expenses, and user notification infrastructure.

NSO Group's defense centered on the argument that it provides technology to governments for legitimate purposes and does not operate the spyware itself. Company representatives testified that NSO Group has no visibility into specific targets selected by its government clients.

The jury's punitive damages award of $167.25 million significantly exceeded the compensatory damages, reflecting what legal observers characterized as a finding of willful misconduct. Under California law, punitive damages require a finding of malice, oppression, or fraud.

Pros and Opportunities

The verdict establishes legal precedent for holding commercial spyware vendors accountable in U.S. courts. Technology companies and civil liberties organizations have argued that such accountability is necessary to deter the proliferation of surveillance tools.

For WhatsApp and Meta, the verdict validates their decision to pursue litigation rather than settle. The company has stated that the case was never primarily about financial recovery but about establishing that spyware vendors cannot operate with impunity.

Human rights organizations have welcomed the verdict as a signal that commercial surveillance companies face legal risk when their products are used against journalists and activists. Access Now, a digital rights organization, characterized the ruling as a potential deterrent to the broader spyware industry.

The case may influence ongoing policy debates about regulating commercial spyware. The European Union has been considering restrictions on spyware exports, and the U.S. Commerce Department's 2021 entity list designation of NSO Group reflected growing government concern about the industry.

Cons, Risks, and Limitations

NSO Group's announced intention to appeal introduces uncertainty about the verdict's durability. The company has previously succeeded in narrowing the scope of the case through appellate proceedings.

Collection of the damages award may prove difficult. NSO Group has faced financial difficulties since the U.S. export restrictions, and the company's assets are primarily located in Israel. Cross-border enforcement of U.S. civil judgments presents practical challenges.

The verdict does not address the underlying demand for surveillance capabilities from governments. Critics of the spyware industry note that restricting one vendor may simply shift business to competitors or encourage governments to develop capabilities internally.

Some legal analysts have questioned whether the punitive damages award will survive appeal, given the ratio to compensatory damages. The U.S. Supreme Court has previously indicated that punitive damages exceeding single-digit multiples of compensatory damages may raise due process concerns, though the Court has not established a bright-line rule.

The case also does not resolve questions about government accountability. The verdict holds NSO Group liable, but the governments that purchased and deployed Pegasus against the 1,400 targets face no direct consequences from this litigation.

How the Technology Works

Pegasus is a sophisticated mobile surveillance platform designed to extract data from iOS and Android devices. The spyware operates by exploiting vulnerabilities in mobile operating systems or applications to gain privileged access to the target device.

In the WhatsApp attack, NSO Group exploited CVE-2019-3568, a buffer overflow vulnerability in WhatsApp's VoIP implementation. The attack worked by sending a malformed series of SRTCP (secure Real-time Transport Control Protocol) packets during the call setup process. The vulnerability existed in the code that parsed these incoming control packets.

When a target device received the malicious packets, the buffer overflow allowed the attacker to execute arbitrary code with the privileges of the WhatsApp application. From this initial foothold, the exploit chain escalated privileges to gain root or system-level access to the device.

Once installed, Pegasus can access virtually all data on the target device, including encrypted messages, emails, photos, location data, and microphone and camera feeds. The spyware operates covertly, with minimal impact on device performance or battery life that might alert the user.

Technical context: The WhatsApp vulnerability was a zero-click exploit, meaning it required no interaction from the target. The attack could be initiated simply by calling the target's phone number through WhatsApp. Even if the target did not answer the call, the malicious packets were processed during call setup, triggering the exploit. This zero-click capability made Pegasus particularly dangerous because targets had no opportunity to avoid infection through cautious behavior.
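The vulnerability class described in the What Happened section and again here is a length-field-driven overflow in a packet parser. The following C example is added to this article for illustration only; it is not WhatsApp's code and does not reproduce CVE-2019-3568, whose internals were never published. It shows a hypothetical RTCP common-header parser that trusts the 16-bit length field when copying into a fixed buffer, next to a hardened version that checks the declared size against the bytes actually received and the destination capacity before copying. The packet bytes, the RTCP_MAX_BODY size, and all function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size destination for a parsed RTCP packet body
 * (an assumption for this example, not a WhatsApp buffer size). */
#define RTCP_MAX_BODY 64

struct rtcp_report {
    uint8_t version;            /* RTP/RTCP version, always 2 */
    uint8_t payload_type;       /* 200 = SR, 201 = RR, 202 = SDES, ... */
    size_t  body_len;           /* bytes copied after the 4-byte common header */
    uint8_t body[RTCP_MAX_BODY];
};

/* RFC 3550 6.4.1: the 16-bit length field counts 32-bit words minus one,
 * so the packet's total size is (length + 1) * 4 bytes. */
static size_t rtcp_declared_size(const uint8_t *pkt)
{
    size_t words = ((size_t)pkt[2] << 8) | pkt[3];
    return (words + 1) * 4;
}

/* Vulnerable pattern: the copy length is driven entirely by the
 * attacker-controlled header field and is never compared with the bytes
 * actually received or with the destination capacity. Never call this on
 * untrusted input; it is here only to show the shape of the bug. */
int rtcp_parse_unsafe(const uint8_t *pkt, size_t received, struct rtcp_report *out)
{
    (void)received;                               /* the bug: received size ignored */
    size_t total = rtcp_declared_size(pkt);
    out->version = pkt[0] >> 6;
    out->payload_type = pkt[1];
    out->body_len = total - 4;
    memcpy(out->body, pkt + 4, out->body_len);    /* overflows out->body, over-reads pkt */
    return 0;
}

/* Hardened form: reject before copying. Returns 0 on success, negative otherwise. */
int rtcp_parse_safe(const uint8_t *pkt, size_t received, struct rtcp_report *out)
{
    if (pkt == NULL || out == NULL) return -1;
    if (received < 4) return -2;                  /* no complete common header */
    if ((pkt[0] >> 6) != 2) return -3;            /* version must be 2 */
    size_t total = rtcp_declared_size(pkt);
    if (total > received) return -4;              /* header claims more than arrived */
    if (total - 4 > RTCP_MAX_BODY) return -5;     /* larger than our destination */
    out->version = 2;
    out->payload_type = pkt[1];
    out->body_len = total - 4;
    memcpy(out->body, pkt + 4, out->body_len);
    return 0;
}

/* Constructed sample packets (not captured traffic). */
/* Valid Receiver Report, RC=0: length field 1 -> 8 bytes total, SSRC 0x11223344. */
const uint8_t VALID_RR[8]      = { 0x80, 0xC9, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44 };
/* Same 8 bytes on the wire, but the length field claims 0xFFFF words (262,144 bytes). */
const uint8_t LYING_LENGTH[8]  = { 0x80, 0xC9, 0xFF, 0xFF, 0x11, 0x22, 0x33, 0x44 };
/* 100 bytes received and honestly declared (length 24 -> 100 bytes), but the
 * 96-byte body still exceeds RTCP_MAX_BODY. Remaining bytes are zero. */
const uint8_t OVERSIZED_BODY[100] = { 0x80, 0xC9, 0x00, 0x18 };
/* Version 1 header: must be rejected regardless of length. */
const uint8_t BAD_VERSION[8]   = { 0x40, 0xC9, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44 };

/* Parse one packet with the hardened parser and return its status code. */
int check_packet(const uint8_t *pkt, size_t received)
{
    struct rtcp_report r;
    memset(&r, 0, sizeof r);
    return rtcp_parse_safe(pkt, received, &r);
}

int main(void)
{
    printf("valid RR        -> %d\n", check_packet(VALID_RR, sizeof VALID_RR));
    printf("lying length    -> %d\n", check_packet(LYING_LENGTH, sizeof LYING_LENGTH));
    printf("oversized body  -> %d\n", check_packet(OVERSIZED_BODY, sizeof OVERSIZED_BODY));
    printf("bad version     -> %d\n", check_packet(BAD_VERSION, sizeof BAD_VERSION));
    return 0;
}
```

Both size checks in the hardened parser are necessary: the lying-length packet is caught by comparing the declared size with the received byte count, but the oversized-body packet is internally consistent and is only caught by comparing against the destination capacity. A parser that performs just one of the two checks is still exploitable by the other packet.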

Why This Matters Beyond the Company

The verdict represents the first successful U.S. civil action against a commercial spyware vendor for hacking operations. Legal scholars have noted that the case establishes that the Computer Fraud and Abuse Act applies to foreign companies that target U.S. platform infrastructure, regardless of where the ultimate targets are located.

The spyware industry has operated in a legal gray zone, with vendors arguing that they bear no responsibility for how government clients use their products. The WhatsApp verdict challenges this framework by holding the vendor liable for the technical act of exploiting the platform, separate from questions about the legitimacy of specific surveillance targets.

For the technology industry, the case reinforces the viability of civil litigation as a tool against security threats. Apple filed a similar lawsuit against NSO Group in November 2021, and other technology companies have indicated they are monitoring the WhatsApp case as a potential model.

The verdict arrives amid broader international attention to commercial spyware. The Biden administration issued an executive order in March 2023 restricting U.S. government use of commercial spyware, and a coalition of governments signed the Pall Mall Declaration in February 2024 committing to address spyware proliferation.

What Is Confirmed vs. What Remains Unclear

Confirmed:

  • The jury awarded $167.25 million in punitive damages and approximately $444,000 in compensatory damages
  • NSO Group was found liable for violating the Computer Fraud and Abuse Act and California state law
  • Approximately 1,400 WhatsApp users were targeted in the 2019 attack
  • NSO Group intends to appeal the verdict

Remains unclear:

  • Whether NSO Group has sufficient assets to pay the judgment
  • The timeline and grounds for NSO Group's appeal
  • Whether other technology companies will pursue similar litigation against spyware vendors
  • The identities of the government clients who deployed Pegasus against the 1,400 targets
  • Whether the verdict will influence pending regulatory proposals on commercial spyware

What to Watch Next

NSO Group's appeal filing will indicate the legal arguments the company believes are most viable for overturning or reducing the verdict. The timeline for appellate proceedings in the Ninth Circuit typically extends 12 to 18 months.

WhatsApp's efforts to collect the judgment will test the practical enforceability of U.S. civil verdicts against foreign technology companies. Any asset discovery proceedings may reveal additional information about NSO Group's financial structure and government contracts.

Apple's own lawsuit against NSO Group, filed in the Northern District of California in November 2021, was voluntarily dismissed at Apple's request in 2024, which leaves the WhatsApp verdict as the only judgment of its kind to date. Whether other platform operators now choose to litigate rather than settle will show how much weight the verdict carries as a model.

Congressional activity on commercial spyware regulation may accelerate following the verdict. Several bills addressing spyware have been introduced but not advanced in recent sessions.

International developments, including follow-up to the European Parliament's PEGA committee inquiry into Pegasus use by EU member states and ongoing litigation in other jurisdictions, will indicate whether the WhatsApp verdict influences global approaches to spyware accountability.
