WhatsApp Wins $167 Million Verdict Against NSO Group in Spyware Lawsuit

On Tuesday, Meta-owned WhatsApp emerged victorious in a significant legal battle against the notorious Israeli spyware firm NSO Group, securing a jury verdict that awarded the company over $167 million in damages. The verdict concludes a five-year lawsuit, initiated in October 2019, that stemmed from allegations that NSO Group exploited a vulnerability in WhatsApp's audio-calling feature to hack more than 1,400 users. The trial, lasting a week, featured numerous testimonies, including those from NSO Group's CEO Yaron Shohat and WhatsApp employees who investigated the incident.

The lawsuit exposed several critical details about NSO Group's operations and the mechanics of its spyware. One of the key revelations was the zero-click attack method, which did not require any interaction from the target. According to WhatsApp's lawyer, Antonio Perez, the attack involved placing a fake WhatsApp call, which triggered the target's phone to connect to a third server and download the Pegasus spyware. The process required only the target's phone number. NSO Group's R&D VP, Tamir Gazneli, acknowledged that creating any zero-click solution was a "significant milestone" for the Pegasus system.

Another significant revelation came from NSO Group's confirmation that it targeted an American phone number as a test for the FBI. For years, the company had claimed that its spyware could not be used against American numbers (+1 country code). However, in 2022, The New York Times reported that NSO Group did conduct a test with a U.S. number for the FBI. NSO Group's lawyer, Joe Akrotirianakis, confirmed this as a "single exception" using a specially configured version of Pegasus for U.S. government customers. The FBI ultimately decided not to deploy Pegasus following this test.

During the trial, NSO Group's CEO, Shohat, provided insights into how government customers use Pegasus. The user interface does not offer options to select specific hacking methods; instead, the backend Pegasus system determines the most effective exploit for each target. This approach ensures that clients achieve their intelligence objectives without needing technical expertise. Interestingly, NSO Group's headquarters in Herzliya, Israel, are located in the same 14-story building as Apple, another frequent target of Pegasus.

Perhaps most damning, Gazneli admitted that NSO Group continued targeting WhatsApp users even after the lawsuit was filed in November 2019. The codename "Erised" referred to one version of the WhatsApp zero-click vector, which was in use from late 2019 until May 2020. Other versions, "Eden" and "Heaven," were collectively known as "Hummingbird." This ongoing targeting, despite the legal proceedings, highlights the aggressive tactics employed by NSO Group.

The implications of this verdict are substantial both legally and technologically. Industry insiders view this ruling as a landmark moment, reinforcing the importance of accountability for companies involved in cyberespionage. It serves as a strong warning to other firms that developing and deploying such invasive tools will have severe financial and reputational consequences. The transparency forced upon NSO Group during the trial may also lead to greater scrutiny and regulation of the spyware industry.

Facebook, now part of Meta, acquired WhatsApp in 2014; WhatsApp is one of the world's most widely used messaging platforms. NSO Group, founded in 2010, has been a controversial player in the cybersecurity industry, often linked to human rights abuses through its Pegasus spyware. This legal victory for WhatsApp marks a significant step forward in battling unethical surveillance practices and protecting user privacy.