NSO Group must pay more than $167 million in damages to WhatsApp for spyware campaign

Spyware maker NSO Group will have to pay more than $167 million in damages to WhatsApp for a 2019 hacking campaign against more than 1,400 users.

On Tuesday, after a five-year legal battle, a jury ruled that NSO Group must pay $167,256,000 in punitive damages and around $444,719 in compensatory damages.

This is a huge legal win for WhatsApp, which had asked for more than $400,000 in compensatory damages, based on the time its employees had to dedicate to remediate the attacks, investigate them, and push fixes to patch the vulnerability abused by NSO Group, as well as unspecified punitive damages.  

WhatsApp’s spokesperson Zade Alsawah said in a statement that “our court case has made history as the first victory against illegal spyware that threatens the safety and privacy of everyone.”

Alsawah said the ruling “is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone. Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.”

NSO Group’s spokesperson Gil Lainer left the door open for an appeal. 

“We will carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal,” Lainer said in a statement. 

The trial, as well as the whole lawsuit, prompted a series of revelations, such as the location of the victims of the 2019 spyware campaign, as well as the names of some of NSO Group’s customers.

The ruling marks the end — pending a potential appeal — of a legal battle that started more than five years ago, when WhatsApp filed a lawsuit against the spyware maker. The Meta-owned company accused NSO Group of accessing WhatsApp servers and exploiting an audio-calling vulnerability in the chat app to target around 1,400 people, including dissidents, human rights activists, and journalists. 

Will Cathcart, the head of WhatsApp, explained the lawsuit’s reasoning in a Washington Post op-ed at the time, where he said that “this should serve as a wake-up call for technology companies, governments and all Internet users. Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.”

Last December, WhatsApp won. Judge Phyllis Hamilton, who presided over the case, ruled that NSO Group was liable for breaching federal and California hacking laws in its 2019 spyware campaign against the 1,400 WhatsApp users. The judge ruled that NSO Group was also liable for breaching WhatsApp’s terms of service, which prohibit the use of the app for malicious purposes.

Cathcart celebrated the December ruling saying in an X post that it was “a huge win for privacy,” and that “surveillance companies should be on notice that illegal spying will not be tolerated.”

At that point, the case moved on to a jury trial to determine what damages the spyware company owed WhatsApp, which has now concluded.

John Scott-Railton, a senior researcher at Citizen Lab, where he has studied the spyware industry for more than a decade, celebrated the ruling.

“This is an incredible moment for those of us who have been around since the beginning of research on mercenary spyware,” Scott-Railton told TechCrunch. “NSO makes many millions of dollars helping dictators hack people. After years of every trick and delay tactic it only took the jury a day’s deliberation to see right through to the heart of the matter: NSO’s business is based on hacking American companies…so that dictators can hack dissidents.”

“The company emerges from this trial severely damaged. Aside from the huge punitive damages, the bigger impact of this case has also been a huge blow to NSO’s efforts to hide their business activities,” said Scott-Railton.

This story has been updated to include comments from WhatsApp and John Scott-Railton.