
Meta has won a landmark $168 million verdict against spyware vendor NSO Group for exploiting a vulnerability in WhatsApp to deploy Pegasus spyware on 1,400 devices in 2019. The ruling, issued by a US jury, includes $167.3 million in punitive damages and $444,000 in compensatory damages, marking the first major legal victory against commercial spyware vendors [1]. The case revealed NSO’s business model, including its $50 million R&D budget and contracts with governments like Saudi Arabia and Mexico [2].
Technical Exploitation and Legal Precedent
The attack exploited a zero-click vulnerability in WhatsApp’s RTCP protocol, allowing Pegasus to be installed via a missed call while bypassing end-to-end encryption [3]. Forensic analysis showed NSO reverse-engineered WhatsApp’s code to deliver the malware, violating the Computer Fraud and Abuse Act (CFAA) [4]. Meta’s court filings revealed NSO spent “tens of millions annually” to develop exploits for iOS and Android, with Pegasus granting full device access (calls, messages, cameras) [5].
NSO’s Operational Model Exposed
Court documents disclosed NSO’s pricing structure: $7 million for 15 device licenses, plus $1M–$2M for cross-border targeting capabilities [6]. The company refused to disclose client identities during the trial, though leaked records tied Pegasus to surveillance of Jamal Khashoggi’s family and global activists [7]. Meta plans to donate the damages to digital rights groups and implement permanent technical blocks against NSO infrastructure [8].
Security Implications and Mitigation
The verdict sets a precedent for holding spyware vendors accountable under CFAA’s “network trespass” provisions [9]. Organizations should:
- Monitor for anomalous RTCP traffic patterns in VoIP services
- Implement application allowlisting to prevent unauthorized process injection
- Review WhatsApp’s 2019 patch (CVE-2019-3568) for legacy systems
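As an added illustration of the first bullet (monitoring RTCP traffic), and not code from this article or from Meta/WhatsApp: a structural validity check for RTCP compound packets following the rules in RFC 3550 Appendix A.2, which flags the kind of length-field mismatch a malformed packet would show. The sample packets are constructed; the article gives no packet-level detail of the 2019 exploit, so this is generic RTCP hygiene for a VoIP monitor, not a signature for that attack.

```python
import struct

# RTCP payload types defined in RFC 3550: SR=200, RR=201, SDES=202, BYE=203, APP=204
KNOWN_TYPES = {200, 201, 202, 203, 204}

def check_rtcp_compound(data):
    """Return a list of anomaly strings for one UDP payload holding an RTCP compound packet.
    Applies the structural validity rules of RFC 3550 Appendix A.2; an empty list means the
    packet parsed cleanly. Constructed detection aid, not any vendor's RTCP parser."""
    issues = []
    if len(data) < 4 or len(data) % 4 != 0:
        return ["payload length not a multiple of 4 (or too short)"]
    offset, index = 0, 0
    while offset < len(data):
        # Common header: V(2) P(1) RC/SC(5) | PT(8) | length(16) in 32-bit words minus one
        b0, pt, length_words = struct.unpack_from("!BBH", data, offset)
        version, padding = b0 >> 6, (b0 >> 5) & 1
        size = (length_words + 1) * 4
        if version != 2:
            issues.append(f"packet {index}: version {version} != 2")
        if index == 0 and pt not in (200, 201):
            issues.append(f"packet {index}: compound does not start with SR/RR (pt={pt})")
        if index == 0 and padding:
            issues.append(f"packet {index}: padding bit set on first packet")
        if pt not in KNOWN_TYPES:
            issues.append(f"packet {index}: unknown payload type {pt}")
        if offset + size > len(data):
            # Declared length exceeds what the datagram carries: the classic shape of a
            # length/size mismatch that a robust receiver must reject before copying.
            overrun = offset + size - len(data)
            issues.append(f"packet {index}: declared length {size} overruns payload by {overrun} bytes")
            break
        offset += size
        index += 1
    return issues

# Constructed samples: a well-formed RR+SDES compound (32 + 8 bytes), and a packet whose
# length field claims 1024 bytes while the datagram holds only 32.
GOOD = (bytes([0x81, 201, 0x00, 0x07]) + b"\x00" * 28    # RR, one report block
        + bytes([0x81, 202, 0x00, 0x01]) + b"\x00" * 4)   # SDES, one chunk
BAD = bytes([0x81, 201, 0x00, 0xFF]) + b"\x00" * 28        # length field says 1024 bytes

if __name__ == "__main__":
    print("GOOD:", check_rtcp_compound(GOOD))
    print("BAD:", check_rtcp_compound(BAD))
```

Feeding captured RTCP datagrams from a VoIP service through this check and alerting on non-empty results gives a concrete, low-noise starting point for the "anomalous RTCP traffic" monitoring the list recommends.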
Meta’s victory demonstrates the viability of civil litigation against offensive cybersecurity vendors, with the FBI now investigating NSO for criminal CFAA violations [10]. The case underscores the need for cross-platform collaboration to detect and mitigate zero-click exploits targeting encrypted communications.
References
- “Meta wins $168 million verdict against spyware company NSO,” NBC News, May 6, 2025.
- “Meta wins $168M judgment against spyware seller NSO Group,” Computerworld, May 7, 2025.
- “Winning the fight against spyware merchant NSO,” Meta Official Statement, May 6, 2025.
- “Meta wins $167M over NSO spyware hack,” GovInfoSecurity, May 6, 2025.
- “NSO Group vows appeal after WhatsApp jury verdict,” Axios, May 6, 2025.
- “Meta wins $167M damages from spyware firm NSO,” Yahoo Finance, May 7, 2025.
- “US jury orders NSO Group to pay $167M for WhatsApp exploit,” Verdict, May 7, 2025.
- “Legal analysis of WhatsApp v. NSO Group,” SSRN Paper, March 11, 2022.