A California jury just handed down a major verdict against Pegasus spyware maker NSO Group, ordering the company to pay $167 million in punitive damages for its role in the hacking of 1,400 WhatsApp users’ phones.
This wraps up a six-year legal battle, during which WhatsApp alleged that NSO repeatedly launched spyware attacks against its platform—even as its engineering teams worked to patch the vulnerabilities being exploited.
In addition to the punitive damages, the jury awarded WhatsApp $445,000 in compensatory damages to cover the cost of the considerable work its engineers undertook to defend against these attacks.
“Six years ago, we detected and stopped an attack by the notorious spyware developer NSO against WhatsApp and its users, and today, our court case has made history as the first victory against illegal spyware that threatens the safety and privacy of everyone,” said WhatsApp in a statement.
“The jury’s decision to force NSO to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and our users worldwide. This trial also revealed that WhatsApp was far from NSO’s only target — this is an industry-wide threat and it’ll take all of us to defend against it.”
During the trial, NSO asserted that while it sells Pegasus, it has no idea what customers do with it, who they target or why.
“Defendants cannot claim, on the one hand, that its intent is to help its clients fight terrorism and child exploitation, and on the other hand say that it has nothing to do with what its client does with the technology, other than advice and support,” the judge said.
A spokesperson for NSO said the company is studying the decision and could appeal. “We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies,” the statement read.
A Defining Moment for Accountability
Carolyn Crandall, CMO of AirMDR, sees this “landmark ruling” as a defining moment for cybersecurity accountability. “By holding a spyware vendor liable for how its tools were used, the court has drawn a clear line between those who knowingly enable illicit hacking and those who build dual-use defensive solutions in good faith.”
However, she says it raises the important question of where courts will draw that line next. “As more cybersecurity tools blur the boundary between offense and defense, transparency and intent will become defining factors. Tools like Mimikatz underscore the complexity of dual-use software, originally developed for security research and red teaming, yet widely exploited by threat actors. In a shifting legal landscape, how such tools are governed, documented, and distributed will increasingly influence how they are interpreted, and whether their creators are pulled into the crosshairs. The days of plausible deniability are fading, and vendors must get ahead of that curve.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.