
A U.S. federal jury has ordered Israeli spyware developer NSO Group to pay roughly $168 million in damages to Meta for exploiting a vulnerability in WhatsApp to deploy its Pegasus spyware. The verdict, returned on May 6, 2025, concludes a lawsuit Meta filed in October 2019 accusing NSO of targeting approximately 1,400 WhatsApp users, among them journalists, human-rights activists and diplomats [1]. The case highlights the growing legal and technical challenges posed by commercial spyware vendors.
Legal and Technical Background
The lawsuit centered on NSO Group’s exploitation of CVE-2019-3568, a buffer overflow in WhatsApp’s VoIP stack that allowed remote code execution when a specially crafted series of SRTCP packets was sent to a target phone number [2]. Because the packets arrived as part of a WhatsApp call, the target did not have to answer, or touch the device at all: a zero-click exploit. Meta alleged that NSO’s government clients used this vector to install Pegasus on the targeted devices. Judge Phyllis Hamilton described the case as “shrouded in secrecy” after NSO repeatedly refused to disclose Pegasus’s source code or the identities of its clients [3].
The roughly $168 million award has two components: about $444,700 in compensatory damages to Meta and $167.25 million in punitive damages [4]. Liability had already been decided in December 2024, when the court granted Meta summary judgment on its claims under the U.S. Computer Fraud and Abuse Act (CFAA), California’s Comprehensive Computer Data Access and Fraud Act and breach of WhatsApp’s terms of service, leaving the jury only to set the amount. NSO argued that Pegasus is sold exclusively to government agencies for counterterrorism and law enforcement, but evidence showed deployments against civil-society figures, including Meduza co-founder Galina Timchenko [5].
Technical Analysis of Pegasus Exploits
Pegasus infections typically involved:
- Zero-click vectors: exploits that need no user interaction, delivered through a channel the phone processes automatically, such as an unanswered WhatsApp call (CVE-2019-3568) or an iMessage attachment that is parsed before it is ever displayed (FORCEDENTRY, CVE-2021-30860).
- Privilege escalation rather than persistence: the exploit chain escapes the messaging app’s sandbox and escalates to kernel privileges so the implant can read other apps’ data, but recent iOS samples run largely in memory and do not survive a reboot, which is why forensic traces left in system databases are often the only evidence.
- Encrypted C2: the exploit rides on the targeted app’s own traffic (a WhatsApp call, an iMessage), while the implant then talks over TLS to attacker-operated servers behind innocuous-looking domain names, some of them hosted on commodity cloud providers.
Forensic artifacts recovered from compromised iPhones, as documented in the public reports of Amnesty International’s Security Lab and Citizen Lab, include process names that belong to no Apple or App Store binary (for example bh and roleaboutd) recorded in the per-process network accounting database DataUsage.sqlite, lookups of attacker infrastructure left in Safari and WebKit caches, and crash logs from failed exploit attempts. Amnesty’s open-source Mobile Verification Toolkit (MVT) automates the search by checking a decrypted device backup or a sysdiagnose archive against the STIX2 indicators that Amnesty and Citizen Lab publish. Pegasus is a mobile implant; nothing about it is visible in the daemons of a macOS workstation.
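As an added example, not code from the original page, from MVT or from any of the cited reports, the Python below performs the core of what MVT’s datausage check does: join the process table of DataUsage.sqlite to its network-usage table and flag process names that match published indicators. The database, its rows and the timestamps are constructed here with the real column names but invented contents; the indicator set is an illustrative subset of process names Amnesty’s Security Lab has publicly attributed to Pegasus and stands in for the maintained STIX2 file a real scan would load.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Illustrative subset of process names publicly attributed to Pegasus on iOS by
# Amnesty's Security Lab. A real scan loads the maintained STIX2 indicator file;
# this hard-coded set is only a stand-in for it.
PEGASUS_PROCESS_IOCS = {"bh", "roleaboutd", "stagingd", "msgacntd", "pcsd", "fmld"}

# iOS Core Data stores timestamps as seconds since 2001-01-01 UTC, not the Unix epoch.
COREDATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mactime_to_iso(seconds: float) -> str:
    """Convert a Core Data timestamp to a UTC 'YYYY-MM-DD HH:MM:SS' string."""
    return (COREDATA_EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")


def iso_to_mactime(iso: str) -> float:
    """Inverse of mactime_to_iso; used only to build the constructed sample below."""
    dt = datetime.strptime(iso, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return (dt - COREDATA_EPOCH).total_seconds()


def build_sample_datausage() -> sqlite3.Connection:
    """Constructed stand-in for DataUsage.sqlite with the two tables the check needs.
    Column names follow the real schema; every row is invented for this example."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ZPROCESS (
            Z_PK INTEGER PRIMARY KEY, ZFIRSTTIMESTAMP REAL, ZTIMESTAMP REAL,
            ZBUNDLENAME TEXT, ZPROCNAME TEXT);
        CREATE TABLE ZLIVEUSAGE (
            Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, ZTIMESTAMP REAL,
            ZWIFIIN REAL, ZWIFIOUT REAL, ZWWANIN REAL, ZWWANOUT REAL);
    """)
    t0 = iso_to_mactime("2019-05-10 12:00:00")
    processes = [
        (1, t0, t0 + 3600, "net.whatsapp.WhatsApp", "WhatsApp"),
        (2, t0 + 120, t0 + 900, None, "bh"),           # no bundle ID: not an App Store app
        (3, t0, t0 + 3600, "com.apple.mobilesafari", "MobileSafari"),
        (4, t0 + 130, t0 + 1800, None, "roleaboutd"),
    ]
    usage = [
        (1, 1, t0 + 60, 12000, 8000, 0, 0),
        (2, 2, t0 + 120, 0, 0, 2400, 310000),          # mostly upload, over cellular
        (3, 3, t0 + 300, 50000, 4000, 0, 0),
        (4, 4, t0 + 130, 0, 0, 900, 120000),
    ]
    con.executemany("INSERT INTO ZPROCESS VALUES (?, ?, ?, ?, ?)", processes)
    con.executemany("INSERT INTO ZLIVEUSAGE VALUES (?, ?, ?, ?, ?, ?, ?)", usage)
    return con


def find_ioc_processes(con: sqlite3.Connection, iocs: set) -> list:
    """Return every process whose name matches an indicator, with its first-seen time
    and total bytes in/out, ordered by first appearance. Mirrors the ZPROCESS to
    ZLIVEUSAGE join MVT performs."""
    rows = con.execute("""
        SELECT p.ZPROCNAME, p.ZBUNDLENAME, MIN(p.ZFIRSTTIMESTAMP),
               COALESCE(SUM(u.ZWIFIIN + u.ZWWANIN), 0),
               COALESCE(SUM(u.ZWIFIOUT + u.ZWWANOUT), 0)
        FROM ZPROCESS p LEFT JOIN ZLIVEUSAGE u ON u.ZHASPROCESS = p.Z_PK
        GROUP BY p.Z_PK
        ORDER BY MIN(p.ZFIRSTTIMESTAMP)
    """).fetchall()
    hits = []
    for name, bundle, first_ts, bytes_in, bytes_out in rows:
        if name in iocs:
            hits.append({
                "process": name,
                "bundle": bundle,
                "first_seen": mactime_to_iso(first_ts),
                "bytes_in": int(bytes_in),
                "bytes_out": int(bytes_out),
            })
    return hits


if __name__ == "__main__":
    for hit in find_ioc_processes(build_sample_datausage(), PEGASUS_PROCESS_IOCS):
        print(f"{hit['first_seen']}  {hit['process']:<12} bundle={hit['bundle']}  "
              f"in={hit['bytes_in']}  out={hit['bytes_out']}")
```

Against a real device the same logic is run through MVT itself (mvt-ios check-backup --iocs pegasus.stix2 --output results/ followed by the path of the decrypted backup), which also covers Safari history, crash logs and the other artifact sources; the point of the example is that a Pegasus process leaves a row with no bundle identifier and an upload-heavy traffic profile, which is exactly what the indicator match surfaces.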
Mitigation Strategies
Organizations can reduce risk through:
- Patch management: apply OS and messaging-app updates promptly (WhatsApp shipped the fix for CVE-2019-3568 in May 2019), and reboot phones regularly, since iOS implants that lack persistence are lost on restart.
- Lockdown Mode: for high-risk users on iOS 16 and later, Apple’s Lockdown Mode blocks most message attachment types and link previews and rejects FaceTime calls from unknown callers, closing several of the zero-click channels Pegasus has used.
- Network monitoring: flag RTCP/SRTCP packets whose declared length does not fit the datagram received, VoIP signalling from numbers the user has never contacted, and TLS connections to freshly registered domains that imitate well-known services.
- Endpoint detection: run Amnesty International’s Mobile Verification Toolkit (MVT) against device backups using the STIX2 indicators published by Amnesty and Citizen Lab; Google Project Zero has published a detailed technical analysis of the FORCEDENTRY exploit chain, not detection signatures.
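The bug class behind CVE-2019-3568 and the “anomalous VoIP traffic” point above both reduce to one check: does the length an RTCP header declares fit inside the datagram that actually arrived? The Python below is an added example, not code from WhatsApp, NSO or any of the cited sources. It walks an RTCP compound packet header by header and flags any header whose declared length overruns the buffer, the shape of input a parser must never trust when sizing a copy. The sample packets are constructed for the example, the SRTCP index and authentication tag are assumed to have been stripped before the check runs, and nothing here describes how NSO’s actual exploit was built.

```python
import struct

RTCP_VERSION = 2
RTCP_TYPES = {200: "SR", 201: "RR", 202: "SDES", 203: "BYE", 204: "APP"}


def audit_rtcp(datagram: bytes) -> list:
    """Walk an RTCP compound packet (RFC 3550) and return a list of findings.
    An empty list means every declared length fits inside the datagram.
    Assumes the SRTCP trailer (index + auth tag, RFC 3711) was already removed."""
    findings = []
    offset, total = 0, len(datagram)
    while offset < total:
        remaining = total - offset
        if remaining < 4:
            findings.append(f"offset {offset}: truncated header, {remaining} byte(s) left")
            break
        first, pt, length_words = struct.unpack_from("!BBH", datagram, offset)
        version = first >> 6
        if version != RTCP_VERSION:
            findings.append(f"offset {offset}: RTCP version {version}, expected {RTCP_VERSION}")
            break
        # The length field counts 32-bit words minus one, so the packet spans
        # (length_words + 1) * 4 bytes. A parser that uses this value to size a copy
        # without comparing it to the bytes actually received is the classic overflow.
        declared = (length_words + 1) * 4
        if declared > remaining:
            findings.append(
                f"offset {offset}: PT {pt} declares {declared} bytes but only {remaining} remain")
            break
        if pt not in RTCP_TYPES:
            findings.append(f"offset {offset}: unknown payload type {pt}")
        offset += declared
    return findings


def is_well_formed(datagram: bytes) -> bool:
    """True when audit_rtcp raises no findings."""
    return not audit_rtcp(datagram)


# Constructed samples, not captured traffic.
# Sender Report with no report blocks: 4-byte header + 24-byte body = 28 bytes
# = 7 words, so the length field is 6. SDES with one CNAME chunk: SSRC (4) +
# item type 1, length 4, "abcd" (6) + END (1) + pad (1) = 12-byte body, 16 bytes
# total = 4 words, so the field is 3.
SR = struct.pack("!BBH", 0x80, 200, 6) + bytes(24)
SDES = struct.pack("!BBH", 0x81, 202, 3) + b"\x00\x00\x00\x01" + b"\x01\x04abcd" + b"\x00\x00"
BENIGN_COMPOUND = SR + SDES

# A 16-byte datagram whose header claims 1023 + 1 words, i.e. 4096 bytes.
OVERSIZED = struct.pack("!BBH", 0x80, 200, 0x03FF) + bytes(12)

# A valid packet followed by a header cut off after two bytes.
TRUNCATED = SR + b"\x80\xc9"

if __name__ == "__main__":
    for label, pkt in [("benign", BENIGN_COMPOUND), ("oversized", OVERSIZED),
                       ("truncated", TRUNCATED)]:
        print(label, audit_rtcp(pkt) or "ok")
```

The same walk belongs in two places: inside the receiving code, where the declared length must be clamped to the bytes received before anything is copied, and in a passive sensor, where a header claiming far more than the datagram carries is a cheap, high-signal alert.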
Meta said it would seek to collect the award and donate it to digital-rights organizations [6]. Meta itself is designated an “extremist” organization in Russia, where its platforms are banned.
Future Implications
The verdict sets a precedent for holding spyware vendors accountable under U.S. law, despite NSO’s earlier attempt to claim derivative sovereign immunity as a contractor of foreign governments, an argument the Ninth Circuit rejected in 2021. NSO has said it will appeal and that it cannot pay the award, while Meta is seeking a permanent injunction barring NSO from WhatsApp’s platform [7]. The case underscores the need for coordinated international action against commercial surveillance tools.
References
- [1] “U.S. court fines NSO Group,” VC.ru, 2025. [Online]. Available: https://vc.ru/legal/1971030-sud-v-ssha-oshtrafoval-nso-group
- [2] “NSO Group ordered to pay WhatsApp $170 million,” Meduza, May 7, 2025. [Online]. Available: https://meduza.io/news/2025/05/07/sud-v-ssha-obyazal-razrabotchika-shpionskoy-programmy-pegasus-vyplatit-whatsapp-170-millionov-dollarov-za-vzlom-polzovateley
- [3] “U.S. court awards $168 million against NSO Group,” TASS, 2025. [Online]. Available: https://tass.ru/ekonomika/23872313
- [4] “NSO Group fined $170M for WhatsApp hack,” Politico, May 6, 2025. [Online]. Available: https://www.politico.com/news/2025/05/06/nso-group-pegasus-whatsapp-hack-170-million-damages-00332155
- [5] “Let’s find out whether they are spies,” Meduza, May 30, 2024. [Online]. Available: https://meduza.io/feature/2024/05/30/davayte-ka-poymem-ne-shpiony-li-oni
- [6] “Winning the fight against spyware merchant NSO,” Meta Newsroom, May 2025. [Online]. Available: https://about.fb.com/news/2025/05/winning-the-fight-against-spyware-merchant-nso/