Cover photo: Kawasaki City, Japan, August 2023. ©KENJI WADA
In May 2019, the US social network corporation Meta detected an unprecedented, “highly sophisticated” cyber attack against its servers in California, US, which manipulated its WhatsApp messenger. The hacked WhatsApp servers started infecting pre-targeted users through malicious video calls, extracting practically all data on their mobile phones, and relaying the stolen information to the attacker whose whereabouts and motivations remained in the dark. The spyware could also remotely activate its victim’s microphone, camera, and GPS positioning, and it did all this even if the user never answered the attacker’s video call. Roughly 1,400 people had fallen victim to the spying operation before Meta could patch the previously unknown vulnerability in its messaging app.
In collaboration with The Citizen Lab, a research center for cyber threats against human rights at the University of Toronto, Canada, Meta followed the digital traces back to a Tel-Aviv-based spyware vendor NSO Group. Already at the time in 2019, the company’s flagship product Pegasus spyware was associated with systemic human rights violations worldwide, including unchecked spying on journalists, dissidents, opposition leaders, and other civil society figures.
Protected by alleged Israeli government backing, secretive export contracts with intelligence agencies, and a nearly absolute lack of international regulations on commercial spyware, NSO Group had never faced a legal indictment. But Meta was about to drag the company to a tiring legal battle at the Northern District of California—a years-long litigation that would bring, for the first time, NSO Group executives to testify in front of a court.
On May 6, 2025, the arm-wrestling between the two tech heavyweights finally ended with a jury verdict that ordered NSO Group to pay WhatsApp $167 million in damages. The outcome, which has even been described as a potential “death blow” to the cyberweapon manufacturer, has been warmly welcomed by human rights organizations worldwide.
“The verdict is definitely a historic win as this was the first time a commercial spyware company has faced real legal consequences for their hacking operations,” said Natalia Krapiva, Senior Tech-Legal Counsel at the civil and digital rights organization Access Now. Access Now was one of the eight human rights organizations that submitted an amicus brief in the WhatsApp vs. NSO Group case, calling on the court to hold “the notorious cybersurveillance company” accountable.
“Even though the road to collecting these damages may be lengthy and challenging for Meta, the verdict is likely to serve as a deterrent for NSO and other companies against targeting US companies, individuals, and infrastructure,” said Krapiva about the impact of the court ruling. “The jury verdict showed that regular people are also willing to award multimillion judgements to punish these companies.”
The hefty compensation will indeed present an unprecedented disruption for NSO Group which has been considered one of the global spyware industry leaders. The company is reported to have had a peak value of $1 billion in 2018, but its business has gone downhill since then.
“We do know that NSO has suffered financial losses due to the lawsuits in the US, as well as, most significantly, [the] US Department of Commerce placing NSO on the Entity List in November 2021,” said Krapiva, referring to a designation that practically banned US companies and institutions from doing business with the company.
According to documents submitted to the court, NSO Group has run at a loss for two years, posting losses of $9 million and $12 million in 2023 and 2024 respectively. As of 2024, the company had a $5.1 million cash balance, while its monthly expenses currently hover around $10 million.
“To be honest, I don’t think we’re able to pay anything. We are struggling to keep our head above water,” the NSO Group CEO Yaron Shohat reportedly testified, saying that the company juggles its commitments on a week-by-week basis.
The corporation’s financial health could not be precisely deduced from the court filings, which were limited to NSO Group and its parent company Q Cyber. Following a series of international ownership transfers between 2014 and 2023, NSO Group’s global business has been buried in a shadowy web of holding companies whose commanding stake is currently owned by yet another Luxembourg-registered holding company Dufresne Holding S.a.r.l., NSO Group co-founder Omri Lavie’s private investment firm. But however you turn the figures, the $167 million ruling presents a major blow to the corporation.
Citing documents and testimonies provided for the court that valued NSO Group at $121.7 million and Q Cyber at $184.5 million (at the end of 2024), Krapiva said the company’s most recent net worth is “likely a far cry from the $1 billion evaluation that NSO received prior to the WhatsApp lawsuit.”
“However, we also know that various companies and banks, including Credit Suisse and US investment bank Jefferies, have been bankrolling NSO over the years,” she cautioned. “And selling spyware to dictators and authoritarians around the world remains a profitable business.”
NSO Group: from spy tech leader to disgrace—and back?
The NSO Group was founded in 2010 by Niv Karmi, Shalev Hulio, and Omri Lavie, whose initials also make up the company name. As is typical of Israeli cyber security companies, all three founders came from “Unit 8200,” the Intelligence Corps cyber warfare department which—despite its humble name—is the largest military unit in the country, with several thousand conscripts. The secretive unit is tasked with building and operating software for signal intelligence, digital surveillance, and offensive cyber warfare. Last year, it was at the center of a global news storm after an independent Israeli-Palestinian media platform, +972 Magazine, in collaboration with The Guardian, revealed its experimental AI model that generated kill lists of Palestinians for the Israeli army’s ongoing genocidal campaign in Gaza.
The NSO Group, on the other hand, gained major headlines for the first time in 2016, after a Saudi dissident sent his phone to Citizen Lab after he suspected being targeted by a hacking attempt. The Citizen Lab identified the code with the then relatively unknown Pegasus spyware which had appeared in NSO Group’s leaked marketing materials. Several cases started to emerge as the spyware’s “digital fingerprints” were identified, and Mexico, Saudi Arabia, United Arab Emirates, and Panama were identified among the NSO Group’s early customers. A technical analysis by The Citizen Lab found Pegasus operations in 45 countries in 2018.
In 2018-2019, NSO Group was already facing several lawsuits worldwide that linked its Pegasus program with severe human rights violations. Those included spying on the family of the Saudi-US dissident Jamal Khashoggi, whose murder and dismemberment in the Saudi Embassy in Istanbul provoked a global outcry in late 2018.
The global spread of Pegasus was finally exposed in 2021 when 17 news organizations published a bombshell investigation based on leaked confidential documents and emails which included 50,000 target phone numbers. The collaborative Pegasus Project, coordinated by Paris-based Forbidden Stories, was able to produce a general picture of the victims, with journalists, lawyers, activists, opposition figures, military officials, and politicians prominent among them. Until then, the NSO Group had insisted its spyware was used strictly for terrorism-related investigations and other issues of national security and had built-in technical guardrails to prevent its abuse for exactly what Pegasus Project revealed.
However, despite the reputational damage in the wake of international media investigations, NSO Group was able to deter all legal proceedings on forum non conveniens grounds, arguing that as an Israeli company, it could and should not face justice in foreign jurisdictions. The company also claimed it only built the tool—which is considered the most intrusive form of digital surveillance in the market—but was not responsible for how its clients, foreign secret services, used it.
More than for the multimillion damage compensation to Meta, human rights organizations like Access Now and Amnesty International have championed the California District Court’s recent decision for it being the first time that NSO Group bore legal responsibility for how its spyware is used.
Furthermore, for the first time, the company was forced to shed light on its spying operations. After all, for the developers of “offensive cyber tools,” privacy and secrecy are often more valuable than money itself. In fact, the company never delivered the source code of its spyware for the court’s review even if it meant being automatically held liable. The May 6 jury ruling was therefore not about whether NSO Group was guilty, but merely about setting a sufficient amount of damages.
The corporate disclosures indeed provided a rare look inside the company. In his testimony, the CEO Yaron Shohat painted a dire picture of its finances. However, according to the discovery, NSO Group and its parent company Q Cyber still employ between 350 and 380 people, roughly half of the peak 700 employees in 2018.
However, the financial and legal setbacks have not hindered the company’s commitment to its Pegasus program. The lion’s share of its $60 million budget is allocated to “research and development,” that is, for employees whose sole task is to figure out new ways to break into popular mobile applications and operating systems. Indeed, the company’s research and development chief Tamir Gazneli reportedly told the court that they had continued to target WhatsApp without interruption despite the lawsuit in California.
Just like the Pegasus Project 2021, the recent California District Court decision comes at a watershed moment for the future of NSO Group. After the outbreak of war in Gaza, the company has made a frantic effort to re-center its brand identity from the disgraced image of a rogue spyware that tracks down journalists and dissidents for dictators, by volunteering in the efforts to find Hamas’s hostages and trying to assert its products’ use value in fighting terrorism. According to the lobbying disclosure records, in March and April this year, NSO Group added two new firms to its lobby in Washington DC to influence the lawmakers of the newly established Trump administration.
“The recent court ruling against NSO Group and news that the Trump administration will maintain both sanctions against NSO Group and the federal executive order against spyware are significant wins,” said Michael De Dora, U.S. Policy and Advocacy Manager at Access Now. However, he stressed that “it is a critical time for digital rights both in and out of the United States.”
“At the same time, DOGE has sought unprecedented access to personal data, DHS is purchasing data on the free market for its immigration crackdown and building new surveillance tech, border agents are searching personal electronic devices, and now Congress is considering a 10-year moratorium on states regulating artificial intelligence,” he added. “The fact is that this administration is not motivated by human rights, but by national security and business competition.”
Other cases and the impact of Meta’s victory over NSO
The WhatsApp vs NSO trial will probably have an impact on the world of spyware and more generally cyber-surveillance technologies. However, there are currently at least two other ongoing trials against NSO that resonate with WhatsApp’s lawsuit.
One of these, Dada vs NSO, takes place in the same Northern District Court of California which ruled over the WhatsApp vs NSO Group litigation. The lawsuit was opened in 2022 by the Columbia Knight Institute which represents former journalists and current members of El Faro, an independent news outlet focusing on investigative journalism in Central America. Its employees were subjected to 226 Pegasus infections between June 2020 and November 2021.
Last year, Judge James Donato granted NSO Group’s motion to dismiss the suit under the forum non conveniens doctrine given that neither NSO Group nor the plaintiffs were from California. However, shortly after, on July 22, 2024, a group of Big Tech companies filed an amicus brief to reverse and remand the order, arguing that “the United States and California have strong interests in deterring NSO’s sale of commercial spyware.”
In the latest oral arguments on April 10, 2025, the judges appeared more skeptical of NSO’s arguments. Carrie DeCell, a senior staff attorney and legislative advisor at the Knight First Amendment Institute at Columbia University, thinks that the fact that the Apple and WhatsApp cases against NSO were both located in California might have played a big role.
“We pointed to the WhatsApp case as an example of how cases involving a lot of similar evidence were already effectively proceeding in U.S. Federal court in California,” DeCell said in an interview. “And we noted that the judge in that case had already concluded that NSO Group was […] guilty basically of the claims that WhatsApp had raised. And that all that remained was for the case to go before a jury to figure out how much NSO Group owed and damages to WhatsApp.”
The second case was opened in 2022 in Barcelona under Spanish jurisdiction, with Iridia, a Catalonian human rights organization, representing lawyer Andreu Van den Eynde. Van den Eynde’s device was infected during a broad hacking campaign against the Catalan independentist movement when, between 2017 and 2022, the Spanish government carried out 65 infections using the Pegasus software. The initial lawsuit named Osy Technologies and Q Cyber Technologies as defendants, but on March 3, 2025, the Provincial Court ruled in favor of the indictment of three individuals with great relevance inside NSO.
The case of Iridia vs NSO is important for another set of reasons, most notably, for establishing for the first time a precedent for individuals to be held personally responsible for violations related to the use of their spyware product. A victory in the Iridia case might create a new level of accountability for the executives of spyware companies and constitute a further deterrent factor.
Indeed, the only conclusive legal case, WhatsApp vs NSO Group, has largely revolved around corporate interests, sidelining the human side of the issue: the people behind the business and the individuals affected by the infections. In fact, NSO Group was not even contested for spying on WhatsApp users, but for hacking into WhatsApp servers and breaching the app’s Terms of Service.
“We are thrilled to see WhatsApp carry this case all the way to its conclusion because of the signal it sends to the spyware industry,” said DeCell. “But it’s not obvious that any of the $167 million that WhatsApp may get in terms of damages will ever make their way to the actual victims of those spyware attacks.”
DeCell said that the Columbia Knight Institute hopes that the Dada vs NSO case will set a legal precedent in this respect. From a human and personal point of view, an intrusion of this kind is devastating as it damages the ability to ensure confidentiality. In El Faro’s case, it also damages any kind of journalistic work, limiting the possibility of online communications, which become more difficult and costly. DeCell pointed out that El Faro’s work is fundamental in the US, especially now after direct communications between the Trump and Bukele administrations have caused the Salvadoran immigrant community in the US to shrink.
The role of Big Tech companies
Meta has clearly been affected by NSO Group’s spyware as—since the introduction of end-to-end encryption in WhatsApp Messenger—millions of people have relied on its messaging service to be secure. Yet, as evidenced by the amicus brief in the Dada vs. NSO case, other “Big Tech” companies are also following the cases closely.
“It’s also in the interests of these companies to protect their products and customers from spyware attacks because it costs them a lot of money and effort to respond to these attacks,” evaluated Krapiva from Access Now. “It also costs them their reputation because their customers get spooked by learning that the products they rely on for their everyday personal and professional communications may be susceptible to these kinds of sophisticated attacks.”
The amicus brief was signed in particular by Microsoft, Google, GitHub, LinkedIn, Trend Micro, and Big Cloud Consultants. In the introduction, the amici mention the efforts made by many leading technology companies to protect cybersecurity. An example of this is the Cybersecurity Tech Accord, a coalition aimed at expressing opinions of the over 155 member companies on matters of peace and security online. The amici then continued to explore how the use and proliferation of companies like NSO put at risk the US’s integrity and safety, both by targeting US citizens and officials, and by exploiting the products and services of US companies.
“Talking to security professionals at these major companies, they take these threats very seriously, and that’s why I believe we will continue seeing more enforcement action, lawsuits, and other measures against the spyware industry,” said Krapiva.
But a Google report, Buying Spying – Insights into Commercial Surveillance Vendors, went even further. The report focused on Commercial Surveillance Vendors (CSVs) and the impact of their activity on broader society. It expresses extreme concern over the proliferation of these companies, fostered by governmental interests: “Compared to other cyber threats, spyware is used against a small number of targets. But the use against high risk targets has a profound impact on society. Spyware is often abused by governments for purposes antithetical to a free society including targeting dissidents, journalists, human rights defenders, and opposition party politicians.”
It appears Big Tech companies are taking a firm stance against spyware companies, even asserting themselves as victims of digital surveillance, for example, by rightfully lamenting Pegasus’s unauthorized use of WhatsApp servers to hack devices. On the other hand, for the largest part of society, it is exactly companies like Meta, Google, and Microsoft whose services enact surveillance by extracting, selling, and using data to train algorithms, track likes, create patterns, and predict behaviors. This is merely another form of surveillance which goes directly through their hands – and servers.
So while recognizing Meta’s (and other leading technology companies’) role in protecting cybersecurity against malicious actors such as NSO Group, it is important to reflect upon their role in global surveillance.
“While we rightfully criticize companies like Apple, Google, Meta, Microsoft for their policies related to insufficient content moderation, data privacy, and other policies, the reality is that these companies own the vast majority of the infrastructure that civil society and all of us depend on for exercising our human rights,” said Krapiva, referring to the exercise of freedom of expression and assembly on the internet. “And it is in our interests to push them to increase the security of their infrastructure and fight back against governments and private actors that are actively trying to undermine it.”
Where do we go from here?
Spyware infection cases have never dropped out of the news since they first came out in 2016 with the first Pegasus scandal. Earlier this year, scandals erupted in Serbia and Italy with both governments implicated in using Pegasus-type intrusion tools to spy on journalists and civil society organizers.
“The latest research adds to previous findings by Amnesty International and other civil society partners exposing the rampant misuse of spyware across Europe. Despite repeated and ongoing scandals in Serbia, Spain, Greece, Poland, Hungary, and now Italy, authorities at both the national and European levels have failed to take effective action,” said Donncha Ó Cearbhaill, the Head of Amnesty International’s Security Lab, at the time.
The use of cyber-surveillance technologies still pertains to a legal gray area, even though there are many regulations concerning the topic. Like all forms of state-enacted targeted surveillance, they are technically allowed for threats against national security such as terrorism or narcotrafficking. However, the heart of the issue is having a common understanding of who or what exactly poses a danger. In an authoritarian state, free journalism might be a threat to the status quo, so why could not the government authorize the use of spyware?
On April 4, 2025, 21 nations signed a non-binding “Code of practice” to address the governmental use of commercial cyber intrusion capabilities (CCICs). The pact is a step in the Pall Mall process, launched by England and France in 2024. The code of practice clearly states that “CCICs should not be used to target individuals or members of a group based on any discriminatory grounds, to violate or abuse human rights and fundamental freedoms, including the right to freedom of expression, and that no one should be subjected to arbitrary or unlawful interference with privacy.” It encourages states to take collective and individual action regarding the irresponsible use of CCICs, with the guiding principles of accountability, precision, oversight, and transparency.
This seems to go hand in hand with the NSO Transparency Report for 2024, where the company mentioned that “in engagements where domestic laws are not fully aligned with international norms, or where regulations are unclear, we require customers to develop and implement detailed and designated protocols governing the use of our products.”
So while both institutions and spyware developers seem to be trying to adopt more regulated approaches towards CCICs, maybe even urged by the recent developments in the trials, it seems like the fundamental question regarding these technologies remains unanswered. In the aforementioned NSO Transparency Report, the company argues that “in many ways, Pegasus is similar to a traditional wiretap,” but other actors—such as Google, human rights organizations, and infection victims—describe it as a tool with much broader consequences on freedom of societies.
Maybe the core issue should not concern how to regulate the use, production, and selling of CCICs, but whether they should even be an option in the frame of an increasingly authoritarian world. The world is seeing increasingly normalized, accepted, and widespread surveillance: streets are progressively being covered with automatic recognition cameras, payments are mostly done with banking systems that can be tracked, and companies are collecting and selling data about online behaviors. In early April, the US Citizenship and Immigration Services stated its plan to automatically review social media accounts of noncitizens to potentially deny or revoke legal statuses such as visas. France has recently put out a law proposal that included the introduction of encryption backdoors (later dropped), remote activation of phones by police, and mass screening of internet and telecom traffic.
Is the world going towards a social credit system, where surveillance is so widespread and intimate that there will be no need for mercenary spyware?
Edit 30.5. “Current net worth” was corrected to “most recent net worth” to accurately reflect the context of Krapiva’s comment.

Valentina Ramanand
Feminist activist focused on trying to find and build antipatriarchal perspective within herself and fields she’s interested in, such as technology and economy. Currently studying informatics in the University of Milan.

Henri Sulku
Henri Sulku is an editor of Turning Point with focus on political economy, people’s history, and resistance movements.