ARSTECHNICA.COM
Jury orders NSO to pay $167 million for hacking WhatsApp users
THE PEOPLE HAVE SPOKEN
The verdict is a major victory for opponents of exploit sellers.
Dan Goodin
May 6, 2025 8:26 pm
Credit:
Getty Images | the-lightwriter
A jury has awarded WhatsApp $167 million in punitive damages in a case the company brought against Israel-based NSO Group for exploiting a software vulnerability that hijacked the phones of thousands of users.
The verdict, reached Tuesday, comes as a major victory not just for Meta-owned WhatsApp but also for privacy- and security-rights advocates who have long criticized the practices of NSO and other exploit sellers. The jury also awarded WhatsApp $444 million in compensatory damages.
Clickless exploit
WhatsApp sued NSO in 2019 for an attack that targeted roughly 1,400 mobile phones belonging to attorneys, journalists, human-rights activists, political dissidents, diplomats, and senior foreign government officials. NSO, which works on behalf of governments and law enforcement authorities in various countries, exploited a critical WhatsApp vulnerability that allowed it to install NSO’s proprietary spyware Pegasus on iOS and Android devices. The clickless exploit worked by placing a call to a target's app. A target did not have to answer the call to be infected.
“Today’s verdict in WhatsApp’s case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone,” WhatsApp said in a statement. “Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.”
NSO created WhatsApp accounts in 2018 and used them a year later to initiate calls that exploited the critical vulnerability on targeted phones, which, among others, included those of 100 members of "civil society" from 20 countries, according to an investigation that the research group Citizen Lab performed on behalf of WhatsApp. The calls passed through WhatsApp servers and injected malicious code into the memory of targeted devices. The targeted phones would then use WhatsApp servers to connect to malicious servers maintained by NSO.
After discovering the attack, WhatsApp shut it down with a software update that patched the critical vulnerability and notified targeted users that their devices had been hacked. In the weeks following, Facebook and WhatsApp also kicked NSO employees off their platforms.
WhatsApp’s lawsuit was unprecedented at the time because it was among the first to take aim at the unregulated industry selling sophisticated malware services to governments around the world. NSO argued that it should be immune from such legal actions because it sold tools solely to licensed government intelligence and law-enforcement agencies for use in fighting terrorism, child sex abuse, and other serious crimes. The company said it barred customers from using the tools against human-rights activists, journalists, and dissidents. NSO also said it acted as a check against strongly encrypted platforms that could be used as a haven for criminals.
Tuesday’s verdict—from a jury empaneled by the US District Court for the Northern District of California—is a sharp rebuke of NSO’s defense.
“Turns out regular people don't like companies that help dictators hack dissidents,” John Scott-Railton, a senior researcher at Citizen Lab, wrote on Bluesky. “NSO had all the fancy legal arguments. And all the PR spin. But when their conduct got laid bare... the jury sent a massive Monsanto-style punitive damages signal. Other spyware companies: you may be next.”
Besides setting a possible precedent for hacking victims and their technology providers, WhatsApp’s suit exposed NSO practices the company had long tried to keep secret. Last year, the judge hearing the case ordered NSO to reveal some of the source code that makes its products work. The litigation also exposed who some of NSO’s customers were and the location of many of the targeted WhatsApp users.
NSO Group didn’t immediately respond to a request for comment.
Dan Goodin
Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.