A US jury has ruled against Israeli firm NSO Group, makers of Pegasus spyware, ordering it to pay $167 million to WhatsApp-owner Meta after the company was found liable for a 2019 hack affecting 1,400 users worldwide.

What Is Pegasus Spyware?

Pegasus is a form of military-grade spyware developed by the NSO Group, a cyber intelligence company headquartered in Herzliya, Israel. Marketed as a tool for governments to combat terrorism and serious crime, Pegasus is capable of remotely infiltrating smartphones without the need for the user to click a link or open a file.

Once installed, it can silently access the device’s microphone, camera, messages, emails, GPS location and more, essentially turning the phone into a pocket spy without the victim’s knowledge.

Dubious Claims

The NSO Group has repeatedly claimed that its clients are limited to “authorised government agencies” and that Pegasus is only sold under export licences approved by Israel’s Ministry of Defence. However, that claim has come under increasing scrutiny in recent years, especially after multiple investigations revealed the software’s alleged use against political opponents, journalists, and activists.

What Happened With The WhatsApp Hack?

In 2019, WhatsApp discovered that Pegasus spyware had exploited a vulnerability in its system to target 1,400 individuals across at least 20 countries. The victims identified included journalists, human rights defenders, political dissidents and diplomats. Worryingly, it appears that the attack allowed hackers to inject Pegasus onto phones simply by placing a WhatsApp voice call to the target, even if the call was missed!

Meta Patch

Meta, which owns WhatsApp, quickly patched the flaw but then filed a lawsuit against NSO Group, accusing it of illegally accessing its servers in violation of both US law and WhatsApp’s terms of service. This marked one of the first high-profile legal actions taken by a tech company against a spyware developer, and set the stage for what has become a protracted six-year legal battle.

Meta Awarded $167 Million in Damages

Earlier this month, a US federal jury ruled in favour of Meta, awarding $167 million in damages for the WhatsApp hack, alongside an additional $444,000 in damages related to legal fees and expenses.

Meta has described the ruling as a “first victory against the development and use of illegal spyware” and a “critical deterrent to this malicious industry”.

A company spokesperson added: “This decision affirms the rule of law and sends a clear message that unlawful surveillance will not be tolerated.”

NSO’s Response

In response, NSO said it was “examining the verdict’s details” and intends to appeal, maintaining that Pegasus plays a “critical role in preventing serious crime and terrorism”.

However, legal experts say the case sets a precedent: it’s the first time a spyware vendor has been held financially accountable for exploiting a commercial tech platform’s vulnerabilities. This could embolden other firms, including Apple and Microsoft, both of which have reported Pegasus-related attacks, to pursue similar legal routes.

Who Else Was Targeted?

The global controversy around Pegasus escalated in 2021 when an international consortium of journalists revealed a leaked list of more than 50,000 phone numbers allegedly selected for targeting by clients of NSO Group. These included:

– Politicians and heads of state, including French President Emmanuel Macron, Iraqi President Barham Salih, and South African President Cyril Ramaphosa.

– Journalists from outlets such as CNN, The New York Times, and Al Jazeera.

– Human rights defenders and opposition figures from Mexico, India, Hungary, and beyond.

– British government officials, including those at Downing Street and the Foreign Office, as suspected by Canada-based research group Citizen Lab.

– Also notably affected were individuals connected to Jamal Khashoggi, the Saudi journalist murdered in Istanbul in 2018. His fiancée and close associates were reportedly targeted by Pegasus both before and after his death, thereby sparking widespread condemnation.

A Spy Tool With State-Sanctioned Backing?

It seems that NSO’s close ties to Israel’s defence apparatus have raised eyebrows across the international community. For example, while the company remains privately owned, it’s been reported that it must receive government approval for each client sale, as Pegasus is officially classified as a weapon under Israeli law.

That connection has become increasingly uncomfortable for Israel’s foreign relations. For example, the US government blacklisted NSO in 2021, citing its spyware’s use to “maliciously target government officials, journalists, activists and academics.” This led to significant diplomatic tension, especially given Pegasus’s prior use by some US allies.

Grey Areas

Critics argue that the spyware industry has flourished in legal grey areas, with few guardrails on how such powerful surveillance tools are used once deployed. This ruling may mark the beginning of a broader reckoning.

What Does This Mean For Your Business?

The verdict essentially sends the message that even the most sophisticated spyware firms are not above the law. For NSO Group, the financial penalty is damaging, but the reputational fallout may prove even more significant. For example, it’s quite rare for any technology company, let alone one dealing in military-grade surveillance tools, to be held publicly and legally accountable in such a clear-cut fashion. The fact that the case was brought by Meta, a major global player, also lends it weight and visibility across both the tech sector and the legal community.

For other spyware vendors, and even governments that procure these tools, the judgement may prompt a bit of a rethink of what constitutes acceptable use, and more importantly, what might now be legally indefensible. It now appears to be a matter of legal risk as much as one of international ethics. This could, therefore, open the floodgates to further legal challenges from other tech platforms whose infrastructure has been exploited, including Microsoft, Apple, and Google, who have all raised concerns about Pegasus in recent years.

For UK businesses, especially those handling sensitive communications, the verdict is a timely reminder of just how high the stakes are when it comes to cyber resilience. Pegasus wasn’t just used against high-profile political figures; it was also reportedly used to target British government officials, raising concerns about potential exposure for those operating in sectors like legal services, defence contracting, or journalism. Organisations will need to double down on end-to-end encryption, third-party risk assessments, and proactive security patching to defend against such state-grade threats. In practical terms, this could mean more investment in mobile security, tighter controls over messaging apps, and growing pressure on suppliers to demonstrate compliance with new surveillance risk standards.

Meanwhile, the diplomatic ramifications continue to unfold. With Pegasus formally treated as a military export by Israel, and NSO now blacklisted by the US government, there’s rising concern that surveillance technology could become a new front in the global tech cold war. The blurred lines between state-sanctioned espionage, private sector innovation, and cross-border cybercrime are becoming harder to ignore, and even harder to manage without clear international frameworks.

Whether this ruling will reshape the future of spyware remains to be seen, but it appears to have raised the bar for accountability, and could prompt governments, tech firms, and businesses alike to confront uncomfortable truths about privacy, power, and protection.