US court finds spyware maker NSO liable for WhatsApp hacks
A U.S. federal judge has ruled that Israeli spyware maker NSO Group violated U.S. hacking laws by using WhatsApp zero-days to deploy Pegasus spyware on at least 1,400 devices.
NSO Group markets Pegasus as surveillance software for governments that enables clients to monitor victims' activities and extract data from compromised devices.
"This ruling is a huge win for privacy," WhatsApp's Will Cathcart said. "We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions."
Cathcart also highlighted the importance of accountability for spyware firms, saying, "Surveillance companies should be on notice that illegal spying will not be tolerated."
"Proud that we fought for this and that WhatsApp continues to lead on privacy and encryption," added Meta CEO Mark Zuckerberg.
Last week's decision marks a significant victory for Meta-owned WhatsApp, which filed the case five years ago, accusing NSO Group of violating the Computer Fraud and Abuse Act (CFAA) and California's Computer Data Access And Fraud Act (CDAFA).
While the court has already ruled in WhatsApp's favor, the damages owed will be determined early next year.
Hacks continued even after the lawsuit was filed
Court documents filed last month revealed that NSO allegedly exploited WhatsApp vulnerabilities using multiple zero-day exploits, including a previously unknown one called "Erised," to deploy Pegasus in zero-click attacks. The documents also said that NSO developers reverse-engineered WhatsApp's code to create tools capable of sending malicious messages that installed spyware, violating federal and state laws.
NSO allegedly continued using and making its exploits available to customers even after WhatsApp filed the lawsuit in October 2019, until WhatsApp server patches blocked its access after May 2020.
However, the company has denied responsibility for its customers' actions, claiming it cannot access the data retrieved using its Pegasus spyware platform.
"NSO stands behind its previous statements in which we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered by the system," an NSO spokesperson told BleepingComputer last month.
Despite these claims, Pegasus has been linked to hacking incidents targeting high-profile individuals, including U.S. Department of State employees, United Kingdom government officials, Catalan politicians, Finnish diplomats, journalists, and activists.
In 2021, the U.S. Commerce Department's Bureau of Industry and Security (BIS) sanctioned NSO Group and another Israeli firm, Candiru, for supplying spyware used to target journalists, government officials, and activists. That same year, Apple filed a lawsuit against NSO for deploying Pegasus to hack iPhones.
Premium WPLMS WordPress plugins address seven critical flaws
FTC orders Marriott and Starwood to implement strict data security
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2025-0111 Palo Alto Networks PAN-OS File Read Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2024-50302 Linux Kernel Use of Uninitialized Resource Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
InformationalInformation Disclosure - Suspicious Comments
HighPII Disclosure
CWE-1427 Improper Neutralization of Input Used for LLM Prompting
HighCWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
LowCWE-1037 Processor Optimization Removal or Modification of Security-critical Code
CWE-1250 Improper Preservation of Consistency Between Independent Representations of Shared State
Free online web security scanner