Israel's NSO Ordered to Pay $167M in WhatsApp Spyware Case

A federal jury has ordered NSO Group, the Israeli spyware firm behind Pegasus, to pay over $167 million in damages to WhatsApp for illegally hacking more than 1,400 users. The decision caps a six-year legal battle and marks the largest penalty ever levied against a spyware company.

First reported by TechCrunch, the jury awarded $167,256,000 in punitive and $440,000 in compensatory damages. WhatsApp described the decision as “an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone.” Meta, WhatsApp’s parent company, said any recovered funds would be donated to digital rights organizations.

The attacks occurred between 2018 and 2020, exploiting a vulnerability in WhatsApp’s voice-calling feature that allowed Pegasus to infect targets’ phones without any user interaction. As we reported last month, the victims included journalists, dissidents, and government officials in more than 20 countries. Although Judge Phyllis Hamilton previously ruled that NSO violated U.S. and California anti-hacking laws, the jury was left to decide the final damages.

“After years of every trick and delay tactic, it only took the jury a day’s deliberation,” Citizen Lab researcher John Scott-Railton told TechCrunch, calling the verdict a historic reckoning for the commercial spyware market. According to The Washington Post, the trial also revealed that NSO used WhatsApp’s own servers to deliver malicious payloads to users, with the jury concluding that the company acted with “oppression, fraud, or malice.”

NSO denied the accusations, claiming Pegasus was never deployed on WhatsApp servers and insisting it only sells its tools to vetted government clients. Nevertheless, Meta argued the spyware continued to evolve even after the lawsuit began — proof, it said, of willful misconduct. “This lawsuit is about publicity,” NSO’s attorney told the jury, dismissing WhatsApp’s motives as PR-driven.

The decision comes amid rising global concern over the unchecked spread of commercial spyware. Late last year, we reported that Pegasus infections were still active on both iOS and Android, according to technical analysis by the iVerify team.

Though NSO says it will appeal the verdict, the ruling — combined with the U.S. government’s prior blacklisting of the company — underscores a shrinking space for surveillance tech firms operating in legal gray zones. For the spyware industry, the message is clear: the era of accountability has begun.