Why a US court has ordered Pegasus-maker NSO Group to pay Meta $167 million | Technology News

Following the verdict, Meta had filed a brief seeking damages from the NSO Group in March 2025. Those damages were determined on Tuesday.

The outcomes of Meta’s legal battle against NSO Group could carry potential ramifications for India, which was the second-most targeted country in the 2019 WhatsApp hacking campaign involving Pegasus spyware.

Court documents revealed that over 100 Indians were impacted by Pegasus spyware in 2019, out of a total of 1,223 individuals targeted across 51 countries. A Supreme Court bench is hearing a clutch of petitions filed in 2021 in the wake of the allegations that Pegasus was used to target users including journalists, lawyers, politicians, and human rights activists in India.

What is the NSO Group and Pegasus spyware?

Spyware is a type of malicious software that can be used to spy on targetted individuals by installing it on their phones, laptops, and other electronic devices.

Israel-based NSO Group had emerged as one of the key developers of spyware that exploited zero-click vulnerabilities in platforms like WhatsApp. Zero-click vulnerabilities allow devices to be compromised without requiring people to click on text messages, images, or links.

The NSO Group’s controversial Pegasus spyware is similarly capable of covertly compromising people’s phones. Once the device is hacked, it vacuums up information from any app installed on the device including financial and location data in emails and text messages. “Every kind of user data” on a Pegasus-infected device is hoovered up and shared, according to testimonies by NSO Group executives in court.

An infected device’s microphone and camera can also be remotely activated using Pegasus without the knowledge of the device owner.

Why did Meta sue NSO Group?

In May 2019, WhatsApp confirmed it had discovered a major security flaw in its platform that let hackers load spyware onto a phone through a video call, even if the person never answered the call. The vulnerability was discovered by security researchers at Citizen Lab, who also said that it was being used to target journalists and human rights advocates.

WhatsApp sued the NSO Group in October 2019, seeking the court to stop the cybersecurity firm from taking similar action in the future and to award damages.

“While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful […] Now, we are seeking to hold NSO accountable under U.S. state and federal laws, including the US Computer Fraud and Abuse Act,” WhatsApp head Will Cathcart had said at the time.

What did the trial reveal about NSO’s operations?

The court proceedings and testimonies in the trial shed light on the inner workings of Pegasus and its deployment by the company’s clients between April 2018 and March 2020.

Unsealed court documents revealed that the NSO Group had reverse-engineered and decompiled WhatsApp’s source code to create successive installation vectors codenamed “Heaven”, “Eden”, “and “Erised” that were all part of a hacking suite named “Hummingbird”. This hacking software package was sold to NSO Group’s anonymous government clients.

The trial also revealed that the NSO Group had developed technology to hack into other messaging apps besides WhatsApp. “Pegasus has had many other spyware installation methods to exploit other companies’ technologies to manipulate people’s devices into downloading malicious code and compromising their phones,” Meta said.

During the trial, NSO Group executives had argued that Pegasus helped law enforcement and intelligence agencies fight crime and protect national security. But US District Judge Phyllis Hamilton ultimately sided with WhatsApp.

What happens next in the case?

Meta has said that Tuesday’s jury decision shows “spyware companies that their illegal actions against American technologies will not be tolerated.” “Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve,” it said in a blog post.

However, the NSO Group may appeal the jury decision. “We will carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal. We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies,” Gil Lainer, the spyware vendor’s vice president for global communication, said.

The $167 million in damages awarded to Meta deals a fatal blow to the NSO Group which is considered to be in financial ruin. Once valued at $1 billion, the spyware vendor has been termed as ‘valueless’ by consulting firms who have said that investors could lose “substantially all [of the] investment” they poured into the company.

While the outcome of the ruling marks a pivotal moment in terms of privacy and security, it may not have the intended effect on other spyware companies. Earlier this year, WhatsApp said it had disrupted a sophisticated hacking campaign targeting journalists that involved spyware developed by another Israeli spyware company called Paragon Solutions.