A Landmark Victory for Digital Privacy and Security
In a groundbreaking legal victory that may reshape the commercial spyware landscape, Meta has won a $168 million verdict against Israeli surveillance firm NSO Group. This ruling, delivered on May 6, 2025, concludes a six-year legal battle between the world's largest social media company and one of the most controversial spyware makers in the industry.
The Case Background
The legal battle began more than five years ago when WhatsApp filed a lawsuit against NSO Group in 2019. Meta's messaging platform accused the Israeli firm of accessing WhatsApp servers and exploiting an audio-calling vulnerability in the chat app to target approximately 1,400 users, including dissidents, human rights activists, and journalists.
Meta — owner of WhatsApp, an encrypted communication app with over 2 billion users worldwide — sued the Israel-based firm for violations of the U.S. Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act, as well as for breaching WhatsApp's terms of service.
Will Cathcart, the head of WhatsApp, explained the lawsuit's reasoning in a Washington Post op-ed at the time, stating this should serve as a wake-up call regarding the abuse of surveillance technology and the risks posed by its proliferation.
The Pegasus Spyware
NSO Group's flagship product, Pegasus, is marketed to governments as a tool to fight terrorism and organized crime. However, investigations by the Citizen Lab and other organizations have consistently shown it being used against political leaders, peaceful activists, and journalists around the world.
NSO executives acknowledged in court that Pegasus can be installed through various attack vectors, including those targeting instant messaging, browsers, and operating systems. The company also revealed that its spyware can compromise both iOS and Android devices.
According to previously sealed court documents released last month, Pegasus spyware was deployed through WhatsApp against 1,223 individuals in 51 countries. The highest number of victims was in Mexico (423), followed by India (100), Bahrain (82), Morocco (69), and Pakistan (58). Spain was the highest-ranked Western democracy on the list, with 21 victims.
The Legal Victory
In December 2024, U.S. District Judge Phyllis Hamilton in Oakland, California, granted a motion by WhatsApp and found NSO liable for hacking and breach of contract. Because Judge Hamilton had already ruled in Meta's favor, the trial was only held to determine how much NSO owed in damages.
On May 6, 2025, a California federal jury found that Israel-based spyware vendor NSO Group owes $167.25 million in punitive damages for enabling the hacks of about 1,400 WhatsApp users' devices. In addition to the punitive damages, the jury awarded Meta $444,719 in compensatory damages.
Meta had the burden of justifying that the $444,719 in compensatory damages accurately represented the cost of the attack to the company, including employee time spent remediating the attacks and investigating them. For punitive damages, Meta had to prove that NSO was guilty of "oppression, fraud or malice" under law.
NSO's attorney argued during the trial that the employee salaries would have been paid regardless and that there was no damage to WhatsApp's servers, claiming Meta hadn't actually suffered any losses.
Implications of the Verdict
WhatsApp indicated in a statement on their blog that they detected and stopped the attack by NSO against WhatsApp and its users, and that this court case has made history as the first victory against illegal spyware threatening privacy and security.
Meta stated that if it collects the money from the Israeli company, it would donate to digital rights groups that have been critical in detecting and examining spyware attacks. The company acknowledged there is a long road ahead to collect awarded damages from NSO, but they plan to do so.
Digital freedom advocates called the jury's verdict transformative, suggesting that not only the size of the damages but also the hit to NSO's reputation will have long-lasting effects.
John Scott-Railton, a senior researcher at Citizen Lab who has studied the spyware industry for more than a decade, celebrated the ruling in comments to TechCrunch, describing it as an incredible moment for those who have researched mercenary spyware from the beginning.
NSO's Response and Future Steps
NSO Group said the company will carefully examine the verdict's details and pursue appropriate legal remedies, including further proceedings and an appeal.
The case isn't completely over yet. Meta still plans to argue a permanent injunction motion at an upcoming hearing, which would prevent NSO from using its platforms, emulating its technology, or creating future WhatsApp accounts. Meta is also asking the court to order NSO to delete any code it still possesses related to its platforms.
Conclusion
This landmark verdict represents the first major legal defeat for a commercial spyware vendor and sets a significant precedent for similar cases involving surveillance technology. As governments and private entities continue to develop and deploy increasingly sophisticated spyware, this case underscores the legal risks for companies that enable surveillance without proper safeguards and consent.
The outcome of this trial may encourage other technology companies to take stronger legal action against spyware developers and may ultimately lead to greater accountability in the commercial surveillance industry.
