Mallory

US Court Injunction Against NSO Group for WhatsApp Spyware Exploit

enforcement-action, privacy-surveillance-policy, endpoint-software-vulnerability
Updated March 21, 2026 at 03:39 PM, 3 sources
A U.S. federal judge has issued a permanent injunction against the Israeli spyware vendor NSO Group, prohibiting the company from using its technology to hack WhatsApp, one of the world's most widely used encrypted messaging applications. The court found that NSO Group had illegally reverse-engineered WhatsApp using a zero-day exploit, which resulted in the compromise of approximately 1,400 user devices. This exploit allowed unauthorized access to personal information, undermining the security and privacy of WhatsApp users globally. The case was brought before the U.S. District Court for the Northern District of California, where Judge Phyllis Hamilton presided over the proceedings.

A California jury previously determined that NSO Group's actions constituted a breach, and initially awarded $167 million in punitive damages to Meta, WhatsApp's parent company. NSO Group appealed the ruling, arguing that the damages were excessive and that the injunction would effectively shut down its operations. In her final order, Judge Hamilton reduced the damages to $4 million but maintained the permanent injunction, emphasizing the broader harm caused by unauthorized access to encrypted personal information. The court's decision also requires NSO Group to destroy any code used in the WhatsApp hack, further limiting the company's ability to conduct similar operations in the future.

Meta representatives welcomed the verdict, describing it as a significant advancement for user privacy and security. The ruling highlighted NSO Group's alleged role in enabling governments to target dissidents, political opponents, and journalists through its spyware. The case underscores the legal and ethical challenges posed by commercial spyware vendors and their impact on global digital privacy. The court's findings reinforce the importance of robust encryption and the need for legal protections against unauthorized surveillance.

The decision sets a precedent for holding spyware vendors accountable for facilitating unauthorized access to secure communications platforms. The outcome of this litigation may influence future regulatory and legal actions against similar companies. The case also demonstrates the willingness of U.S. courts to intervene in matters involving foreign technology firms and the protection of user data. The permanent injunction serves as a warning to other entities considering the development or deployment of similar surveillance tools. The legal battle between Meta and NSO Group has drawn international attention to the risks associated with commercial spyware and the necessity of safeguarding encrypted communications.

Timeline

  1. Oct 22, 2025

    Court reduces punitive damages as NSO pursues appeal

    The court reduced punitive damages to $4 million after earlier jury awards of compensatory and punitive damages, while NSO continued an appeal seeking to limit damages. This marked a further narrowing of the financial outcome after liability had been established.

  2. Oct 20, 2025

    Court permanently bars NSO from targeting WhatsApp users

    Judge Phyllis J. Hamilton granted Meta a permanent injunction prohibiting NSO from targeting WhatsApp users, reverse-engineering WhatsApp, or creating new WhatsApp accounts. The order also required NSO to destroy any WhatsApp source code in its possession.

  3. Oct 20, 2025

    US court finds NSO liable in WhatsApp hacking case

    In the course of the litigation, a US court found NSO Group liable under US and California anti-hacking statutes and for breach of contract, citing evidence that it reverse-engineered WhatsApp code and used a modified client to install spyware via WhatsApp servers. The ruling established NSO's responsibility for the 2019 campaign.

  4. Jan 1, 2019

    WhatsApp sues NSO Group over abuse of its platform

    Following the 2019 spyware campaign, WhatsApp and parent company Meta brought a lawsuit against NSO Group, alleging it abused WhatsApp infrastructure to target users and violated anti-hacking laws and contractual terms. The case began a legal battle that lasted roughly six years.

  5. Jan 1, 2019

    NSO exploits WhatsApp zero-day to deploy Pegasus spyware

    In 2019, NSO Group used a WhatsApp zero-day later tracked as CVE-2019-3568, a buffer overflow in RTCP handling, to deliver Pegasus spyware through targeted calls. The campaign reportedly infected about 1,400 devices.

Related Stories

Permanent Injunction Against NSO Group Targeting WhatsApp Users with Pegasus Spyware

A U.S. federal judge has issued a permanent injunction prohibiting the NSO Group, an Israeli spyware company, from targeting or infecting WhatsApp users with its Pegasus spyware. The ruling, delivered by Judge Phyllis J. Hamilton of the Northern District of California, stems from a lawsuit filed by Meta, WhatsApp's parent company, in 2019 after NSO was discovered attempting to compromise approximately 1,400 WhatsApp users, including attorneys, journalists, human rights activists, political dissidents, diplomats, and senior government officials. NSO's campaign involved creating fake WhatsApp accounts and targeting Meta's infrastructure to deploy Pegasus, a sophisticated zero-click spyware tool known for exploiting vulnerabilities in widely used software. The court found that NSO's actions caused direct business harm to Meta by undermining the privacy and security assurances that WhatsApp offers its users, particularly its end-to-end encryption based on the Signal Protocol. Judge Hamilton emphasized that unauthorized access to users' personal information constitutes more than reputational damage; it directly interferes with the core service Meta provides. In addition to the injunction, the court ordered NSO to delete any data obtained from targeting WhatsApp users. The judge also reduced the punitive damages awarded to Meta from $167 million to $4 million, citing legal precedents regarding the proportionality of damages to the conduct in question. While NSO argued that the injunction could force it out of business, the company stated that the ruling does not apply to its customers, who may continue using its technology, though legal experts and advocates for spyware victims dispute this interpretation. The decision is seen as a significant precedent for technology companies seeking to protect their platforms from commercial spyware and unlawful surveillance. 
Will Cathcart, head of WhatsApp, celebrated the ruling as a victory for user privacy and a warning to those who attempt to circumvent encryption protections. The case highlights the ongoing legal and ethical challenges posed by commercial spyware vendors and the importance of judicial intervention in safeguarding digital privacy. The ruling is the culmination of six years of litigation and is expected to influence future cases involving unlawful electronic surveillance. NSO Group, recently acquired by a consortium led by Hollywood producer Robert Simonds, is reviewing the decision but welcomed the reduction in damages. Privacy advocates have praised the court's recognition of the irreparable harm caused by circumventing end-to-end encryption and the broader implications for protecting civil society from targeted surveillance.

1 month ago
NSO Group Appeals WhatsApp Spyware Injunction

NSO Group has filed an appeal to overturn a U.S. federal court's permanent injunction that prohibits the company from targeting WhatsApp with its Pegasus spyware. The injunction, issued by Judge Phyllis Hamilton in the Northern District of California, found that NSO Group had improperly used WhatsApp's infrastructure to target approximately 1,400 users with zero-click exploits. NSO argues that the ruling misapplies the Computer Fraud and Abuse Act (CFAA) and mischaracterizes how Pegasus operates, claiming that the order could force the company out of business and disrupt law enforcement and intelligence operations that rely on its technology. In its motion to stay the injunction pending appeal, NSO Group emphasized the "catastrophic" and "irreparable" harm the order would cause, including the requirement to destroy code that interacts with WhatsApp. The company also contends that the injunction would prevent it from engaging in lawful business activities, such as developing and licensing products for authorized government investigations, while leaving competitors unaffected. NSO has recently appointed a former U.S. envoy to Israel as executive chairman and confirmed new U.S. investors, underscoring the high stakes of the legal battle for its future operations and partnerships.

1 month ago
UK Court Awards Damages for Saudi Pegasus Spyware Targeting as NSO Seeks Legitimacy via Pall Mall Process

A UK court ordered the Kingdom of **Saudi Arabia** to pay **£3 million** in damages to London-based Saudi dissident **Ghanem Al-Masarir** after finding his iPhones were infected with **NSO Group’s Pegasus** spyware as part of a 2018 targeting campaign attributed to a Saudi operator dubbed **KINGDOM**. The ruling credited expert evidence from **Citizen Lab** researcher **Bill Marczak**, and the damages award covered injury, costs, and lost earnings tied to the spyware targeting and related harms; the decision was framed by advocates as a rare avenue for accountability for victims of mercenary spyware and transnational repression. Separately, civil society groups warned that spyware vendors linked to human rights abuses are attempting to launder their reputations by engaging with diplomatic initiatives intended to curb misuse of commercial hacking tools. The criticism followed an **NSO Group** “transparency report” highlighting its claimed participation in the **Pall Mall Process**—a French- and UK-led effort to develop governance for *Commercial Cyber Intrusion Capabilities (CCICs)*—even as officials said NSO was not invited and participation does not equate to human-rights compliance; critics pointed to continued allegations of Pegasus abuse, including reported targeting of journalists and civil society in countries such as **Serbia**.

1 month ago
