WhatsApp’s Legal Victory Against NSO Group: A Detailed Look at the Case
In a groundbreaking legal battle that spanned over five years, WhatsApp emerged victorious against NSO Group, a notorious spyware maker, with a jury ordering the latter to pay more than $167 million in damages to the Meta-owned company. The case began in October 2019 when WhatsApp accused NSO Group of hacking over 1,400 of its users by exploiting a vulnerability in the app’s audio-calling feature.
The recent ruling came after a week-long jury trial that featured testimonies from key figures, including NSO Group’s CEO Yaron Shohat and WhatsApp employees involved in the investigation. Even before the trial commenced, several revelations came to light, such as NSO Group cutting ties with 10 government clients for misusing its Pegasus spyware, disclosing the locations of 1,223 spyware victims, and naming countries like Mexico, Saudi Arabia, and Uzbekistan as customers.
During the trial, new information was revealed about how the WhatsApp attack operated. The zero-click attack method employed by NSO Group involved sending fake WhatsApp calls to targets, triggering the installation of the Pegasus spyware without any interaction needed from the user. NSO Group’s Vice President, Tamir Gazneli, highlighted the significance of this zero-click solution for Pegasus.
Despite facing a lawsuit from WhatsApp, NSO Group admitted to continuing to target WhatsApp users with its spyware. Gazneli disclosed that different versions of the zero-click vector, named Erised, Eden, and Heaven, collectively known as Hummingbird, were active from late 2019 to May 2020, demonstrating the persistent nature of the attacks.
In a surprising revelation, NSO Group acknowledged targeting an American phone number as a test for the FBI, despite claiming that its spyware could not be used against US numbers. The FBI reportedly decided not to deploy Pegasus following the test, confirming the unique exception made for the demonstration to potential US government clients.
NSO Group’s CEO, Yaron Shohat, shed light on how the company’s government customers utilize Pegasus, emphasizing that customers prioritize obtaining intelligence rather than selecting specific hacking techniques. The Pegasus system autonomously determines the exploit to use for each target, streamlining the process for government clients.
Furthermore, NSO Group disclosed that it employs between 350 and 380 individuals, with a significant portion working for its parent company, Q Cyber. Interestingly, NSO Group’s headquarters in Herzliya, Israel, shares a building with Apple, a target of NSO’s Pegasus spyware. This proximity underscores the interconnected nature of the tech industry and surveillance technology.
The cost of accessing Pegasus spyware for European customers was also revealed during the trial, with standard pricing set at $7 million, along with additional charges for covert vectors. These details provide insight into the substantial costs associated with advanced spyware solutions like Pegasus.
Overall, WhatsApp’s legal victory against NSO Group marks a significant milestone in the ongoing battle against spyware and highlights the intricate workings of surveillance technology and its implications for user privacy and security. The case serves as a cautionary tale for companies engaging in questionable practices and underscores the importance of holding them accountable for their actions.
NSO Group, a notorious spyware maker, is known for its Pegasus spyware, which has been used by governments around the world to surveil individuals. The use of covert vectors, such as zero-click exploits, allows operators to infect target phones without the need for the victim to interact with a message or click a link.
The pricing of spyware and zero-day exploits varies depending on several factors. Customers in countries like Saudi Arabia or the United Arab Emirates may be charged more for the software. Additionally, the number of concurrent targets that a customer can spy on and added features like zero-click capabilities can affect the cost. For example, a European customer paid $7 million in 2019, while Saudi Arabia reportedly paid $55 million and Mexico paid $61 million over several years.
During the trial, NSO Group revealed the dire state of its finances. The company reported losses of $9 million in 2023 and $12 million in 2024. With $8.8 million in the bank in 2023 and $5.1 million in 2024, NSO Group disclosed that it burns through approximately $10 million per month to cover employee salaries. Additionally, its research and development unit recorded $52 million in expenses in 2023 and $59 million in 2024.
In light of these financial struggles, NSO Group expressed doubts about its ability to pay damages. The company’s CFO stated that they were struggling to stay afloat and had to prioritize expenses to meet commitments. Despite the hefty fees charged to customers for access to Pegasus spyware, NSO Group’s financial challenges were apparent during the trial.
The revelations during the trial shed light on the inner workings of NSO Group and the high stakes involved in the spyware industry. The company’s financial difficulties highlight the complexities of operating in a controversial and lucrative market. As NSO Group continues to face legal battles and scrutiny, the future of the company remains uncertain.