US court finds spyware maker NSO liable for WhatsApp hacks

December 24, 2024

NSO Group

A U.S. federal judge has ruled that Israeli spyware maker NSO Group violated U.S. hacking laws by using WhatsApp zero-days to deploy Pegasus spyware on at least 1,400 devices.

NSO Group markets Pegasus as surveillance software for governments that enables clients to monitor victims' activities and extract data from compromised devices.

"This ruling is a huge win for privacy," WhatsApp's Will Cathcart said. "We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions."

Cathcart also highlighted the importance of accountability for spyware firms, saying, "Surveillance companies should be on notice that illegal spying will not be tolerated."

"Proud that we fought for this and that WhatsApp continues to lead on privacy and encryption," added Meta CEO Mark Zuckerberg.

Last week's decision marks a significant victory for Meta-owned WhatsApp, which filed the case five years ago, accusing NSO Group of violating the Computer Fraud and Abuse Act (CFAA) and California's Computer Data Access And Fraud Act (CDAFA).

While the court has already ruled in WhatsApp's favor, the damages owed will be determined early next year.

Hacks continued even after the lawsuit was filed

Court documents filed last month revealed that NSO allegedly exploited WhatsApp vulnerabilities using multiple zero-day exploits, including a previously unknown one called "Erised," to deploy Pegasus in zero-click attacks. The documents also said that NSO developers reverse-engineered WhatsApp's code to create tools capable of sending malicious messages that installed spyware, violating federal and state laws.

NSO allegedly continued using and making its exploits available to customers even after WhatsApp filed the lawsuit in October 2019, until WhatsApp server patches blocked its access after May 2020.

However, the company has denied responsibility for its customers' actions, claiming it cannot access the data retrieved using its Pegasus spyware platform.

"NSO stands behind its previous statements in which we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered by the system," an NSO spokesperson told BleepingComputer last month.

Despite these claims, Pegasus has been linked to hacking incidents targeting high-profile individuals, including U.S. Department of State employees, United Kingdom government officials, Catalan politicians, Finnish diplomats, journalists, and activists.

In 2021, the U.S. Commerce Department's Bureau of Industry and Security (BIS) sanctioned NSO Group and another Israeli firm, Candiru, for supplying spyware used to target journalists, government officials, and activists. That same year, Apple filed a lawsuit against NSO for deploying Pegasus to hack iPhones.