After more than five years of legal proceedings, a U.S. federal jury has ordered Israeli spyware vendor NSO Group to pay over $167 million in punitive damages—and nearly half a million in compensatory damages—to WhatsApp for its role in a 2019 cyberattack that targeted more than 1,400 users through a vulnerability in the app’s audio calling feature.
The case stems from a lawsuit filed in October 2019 by WhatsApp, which accused NSO of using WhatsApp's servers to deliver spyware to journalists, dissidents, and human rights defenders across the globe. The malware campaign exploited a now-patched vulnerability to install NSO’s Pegasus spyware, even if the recipient didn’t answer the call.
On Tuesday, the jury awarded $167,254,000 in punitive damages and $444,719 in compensatory damages—close to what WhatsApp had requested for the costs of incident response, patch development, and user protection.
“This ruling is an important step forward for privacy and security,” said WhatsApp spokesperson Zade Alsawah. “Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry.”
NSO Group said it is considering its legal options. “We will carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal,” said spokesperson Gil Lainer.
Broader Impact on the Spyware Industry
The decision follows a December 2024 ruling by Judge Phyllis Hamilton, who found NSO Group liable for violating the Computer Fraud and Abuse Act (CFAA), California’s Comprehensive Computer Data Access and Fraud Act, and WhatsApp’s own terms of service. That ruling cleared the way for this week’s jury trial on damages.
Will Cathcart, head of WhatsApp, has long positioned the case as a pivotal battle for user privacy. In a 2019 op-ed in The Washington Post, he called the lawsuit a “wake-up call” about how commercial surveillance tools are being misused by governments to target civil society.
“This should serve as a wake-up call for technology companies, governments and all internet users,” Cathcart wrote. “Tools that enable surveillance into our private lives are being abused.”
John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab who has extensively investigated NSO Group, said the ruling sends a strong message.
“NSO makes many millions helping dictators hack people. After years of delay tactics, it only took the jury a day’s deliberation to see through it,” he told TechCrunch. “Aside from the huge punitive damages, the bigger impact is the blow to NSO’s efforts to hide their business activities.”
A Precedent-Setting Case
The verdict marks the first time a spyware vendor has been successfully sued by a U.S. tech company for targeting its users. It’s also a rare instance where a court has awarded significant financial damages in a cyber intrusion case—one that many privacy advocates hope will be a turning point for accountability in the surveillance-for-hire industry.
Whether NSO Group follows through with an appeal remains to be seen, but the case has already reshaped the conversation around private spyware use and the responsibilities of those who develop and sell these tools.
