Meta Wins $168M Lawsuit Against NSO Group for WhatsApp Spying

In a significant court ruling, the NSO Group, an Israeli surveillance software company, has been ordered to pay Meta (Facebook’s parent company) $168 million in damages for its role in a high-profile cyber espionage attack. The lawsuit, which has spanned over six years, was the result of NSO’s use of its notorious Pegasus spyware to compromise the accounts of over 1,400 WhatsApp users, including journalists, diplomats, and human rights activists worldwide. This ruling marks a critical moment in the fight against illegal spyware and sets a major precedent for the tech industry.

A History of Surveillance: NSO’s Pegasus Spyware

NSO Group has long been known for developing Pegasus, a powerful surveillance tool that allows its operators to infiltrate smartphones, often without the knowledge of the target. The spyware has the ability to monitor a user’s phone calls, emails, messages, and even their location, as well as activate cameras and microphones for covert surveillance. While the company claims its product is meant for counter-terrorism and crime prevention, Pegasus has been used to spy on political opponents, journalists, and activists, raising serious human rights concerns.

In May 2019, engineers at WhatsApp uncovered a critical vulnerability in the app’s calling feature, which allowed hackers to install Pegasus spyware on devices without any interaction from the target. The flaw, later dubbed a “zero-click” vulnerability, meant that a single phone call was enough for an attacker to deploy malware onto a victim’s phone. WhatsApp quickly patched the vulnerability, but the damage had already been done.

The Attack: How Pegasus Infiltrated 1,400 Devices

The NSO Group’s cyberattack affected over 1,400 WhatsApp accounts, including those of political dissidents, journalists, and human rights advocates. Court documents revealed that the spyware primarily targeted individuals in countries like Mexico, India, Bahrain, Morocco, and Pakistan. These nations are known for their contentious political environments, where governments have been accused of using surveillance tools to suppress dissent and monitor opposition figures.

In response, Meta collaborated with Citizen Lab, a leading cybersecurity and human rights research group, to investigate the attack and warn those affected. The scale of the attack was alarming, and Meta quickly filed a lawsuit against NSO Group in October 2019. This legal action marked the beginning of a multi-year battle in court that would expose the operations of one of the most secretive companies in the surveillance industry.

The Legal Battle: Meta vs. NSO Group

NSO Group fought back vigorously, using several legal arguments in its defense. Initially, the company argued that Meta could not sue it because NSO only sold its software to government entities, not private companies. Furthermore, NSO contended that it was immune from prosecution due to its status as a foreign entity, a claim that was repeatedly shot down in court.

The case gained momentum in 2020 when NSO’s attempts to claim sovereign immunity were dismissed, paving the way for a full trial. This was a critical moment for Meta, which had already accused NSO Group of repeatedly violating U.S. cyber laws. The company argued that the spyware vendor continued to target WhatsApp’s infrastructure even after the legal proceedings had commenced.

In November 2021, Apple joined Meta in its lawsuit against NSO Group, highlighting the spyware’s broader impact on Apple users and government officials in various countries. This move added pressure on NSO, which was already facing a series of legal challenges. By 2023, the U.S. Supreme Court rejected NSO’s final bid for sovereign immunity, allowing the case to proceed.

The Jury’s Verdict: $168 Million in Damages

After years of legal wrangling, the case finally reached its climax in May 2025, when a California jury found NSO Group guilty of breaching federal and state hacking laws. The jury awarded Meta $167.254 million in punitive damages, marking one of the largest fines ever imposed on a spyware company. Additionally, NSO was ordered to pay $444,719 in compensatory damages, bringing the total financial penalty to $168 million.

This ruling is not just a financial blow to NSO Group but also a clear message that companies involved in illegal surveillance and cyber espionage will face serious consequences. Meta’s legal team argued that NSO’s actions posed a continuing threat to the privacy and security of WhatsApp users, especially those from vulnerable communities.

What This Ruling Means for Digital Privacy

The $168 million fine is more than just a financial settlement—it’s a landmark decision for digital privacy and security. Meta has described the ruling as “an important step forward for privacy and security” and stressed that it is the first major victory against the use of illegal spyware. The case also highlighted the growing threat posed by surveillance software like Pegasus, which is capable of exploiting vulnerabilities in popular apps to compromise users’ privacy without their consent.

The ruling also underscores the importance of holding spyware vendors accountable for the tools they develop and distribute. By allowing NSO Group’s practices to be exposed in court, the trial has shone a light on the murky world of private surveillance and espionage. In particular, the deposition videos of NSO executives revealed the company’s operations and sales tactics, offering the public a rare glimpse into the shady business practices of the spyware industry.

A Blow to NSO Group’s Secrecy

One of the most significant aspects of the trial was the exposure of NSO Group’s secretive operations. In court, NSO executives were forced to testify about their products and how they were sold to governments and intelligence agencies worldwide. The company’s attempts to maintain secrecy were undermined by Meta’s legal team, which succeeded in obtaining important documents and testimony that revealed the scale of the spyware’s use.

John Scott-Railton, a senior researcher at Citizen Lab, celebrated the ruling as a victory for transparency, noting that “this will scare customers and investors” of NSO. The public release of court transcripts and deposition videos has given the media and cybersecurity researchers unprecedented access to information about the spyware industry. This, in turn, is expected to help protect users from future attacks and strengthen the case for digital rights and privacy protections worldwide.

The Continuing Threat of Spyware

Despite the legal victory, the threat of spyware remains a significant concern for tech companies and users alike. Meta has emphasized that while the vulnerability exploited in the 2019 attack was patched, Pegasus and other surveillance tools continue to evolve, with new methods of infection and espionage being developed constantly. NSO Group, for its part, has claimed that its technology is used to combat crime and terrorism, though critics argue that its tools are frequently misused by authoritarian regimes to target political dissidents and journalists.

Meta has pledged to donate the $168 million in damages to organizations working to defend digital rights and protect individuals from cyber espionage. The company also stated that it would seek a permanent injunction to prevent NSO from ever targeting WhatsApp users again.

NSO’s Response and Future Legal Battles

Following the verdict, NSO Group announced that it would consider appealing the decision. In a public statement, the company argued that its technology played a crucial role in preventing serious crime and terrorism, and that it was deployed responsibly by authorized government agencies. However, critics remain skeptical about the company’s claims, given the widespread abuse of its products.

With the growing backlash against spyware companies like NSO, the future of the industry remains uncertain. Experts warn that legal actions against such firms are likely to increase, as governments, tech companies, and human rights organizations push for greater accountability in the use of surveillance technologies.

Looking Ahead: A Stronger Digital Rights Movement

The $168 million fine against NSO Group is more than just a victory for Meta—it’s a win for digital rights activists, privacy advocates, and the millions of people worldwide who use WhatsApp and other encrypted messaging apps. It sends a powerful message that the use of surveillance tools for political gain will not go unpunished. As the legal battle continues, it is hoped that more companies will take a stand against the exploitation of their platforms for malicious purposes and that stronger regulations will be put in place to protect user privacy and security.

The ruling also marks a shift in the way tech companies approach privacy and cybersecurity. With more attention being paid to the ethical implications of surveillance software, the decision against NSO Group may well become a turning point in the broader fight for digital rights and privacy protection.

Learn more: NSO Group Fined $168M for Targeting 1,400 WhatsApp Users With Pegasus Spyware

Hoplon Infosec