NSO Group Held Liable for WhatsApp Spyware Attacks

January 8, 2025

A landmark decision by a Northern California federal judge found NSO Group, the developer of Pegasus spyware, liable for spyware attacks in which 1,400 WhatsApp user devices were hacked. Suzanne Smalley reports in The Record that the ruling on the WhatsApp spyware attacks marks the first instance of a court holding NSO accountable for abuses related to its spyware, which has been used against activists, journalists, and political dissidents worldwide.

The case, California WhatsApp Inc., et al. v. NSO Group Technologies Limited et al., underscores growing scrutiny over spyware companies and sets the stage for potentially significant damages.

WhatsApp, owned by Meta, filed the lawsuit in 2019, alleging that NSO Group exploited a vulnerability in its system to install Pegasus spyware on users’ devices. Despite WhatsApp’s repeated efforts to block Pegasus, NSO circumvented defenses with rapid modifications.

NSO claimed its tools were for legitimate use by law enforcement and national security agencies, but evidence revealed its active involvement in data extraction and spyware deployment.

Judge Phyllis Hamilton ruled that NSO Group violated the federal Computer Fraud and Abuse Act and California’s Comprehensive Computer Data Access and Fraud Act, in addition to breaching WhatsApp’s terms of service.

The judge criticized NSO for refusing to produce complete Pegasus source code as ordered, further sanctioning the company. Evidence showed that NSO controlled every aspect of the spyware’s operation, contradicting claims that clients were solely responsible for misuse.

Senior executives admitted under oath to their direct role in the hacks, and unsealed court filings revealed the continuous development of malware to bypass WhatsApp’s defenses. Advocates hailed the decision as a critical win for victims and a warning to spyware companies.

This ruling on the WhatsApp spyware attacks highlights potential personal liability for senior executives involved in unlawful cyber activities. It establishes a critical precedent for holding spyware manufacturers accountable under US anti-hacking laws. 

The case also signals heightened regulatory and judicial scrutiny, making proactive risk management essential. Executives may face exposure both for company actions and for their direct participation in illegal activities, underscoring the need for robust legal counsel and governance practices.
