U.S. Judge Finds NSO Group Liable for Hacking in WhatsApp Lawsuit

In a significant legal victory for Meta Platforms’ WhatsApp, a U.S. judge has ruled that Israel’s NSO Group is liable for exploiting a vulnerability in the messaging app to install Pegasus spyware, enabling unauthorized surveillance. U.S. District Judge Phyllis Hamilton, presiding in Oakland, California, granted a motion in favor of WhatsApp, finding NSO liable for hacking and breach of contract.

The case will now proceed to trial to determine damages. NSO Group did not immediately comment on the ruling.

Will Cathcart, WhatsApp’s head, celebrated the decision as a win for privacy. “This ruling is a clear message that spyware companies cannot hide behind claims of immunity or evade accountability for their unlawful actions,” he said in a social media post. He further emphasized WhatsApp’s commitment to protecting users’ private communications.

Cybersecurity experts also hailed the ruling as a landmark decision with far-reaching implications. John Scott-Railton, a senior researcher at Citizen Lab, said the judgment has “huge implications for the spyware industry.” He added, “This ruling establishes that NSO Group is responsible for breaking laws, despite the industry’s long-standing claims of non-responsibility for how their tools are used.”

The lawsuit, originally filed in 2019, accused NSO Group of using WhatsApp servers to install Pegasus spyware on the mobile devices of 1,400 victims, including journalists, human rights activists, and dissidents. The breach, which occurred six months prior to the filing, allowed NSO clients to conduct surveillance without the victims’ consent.

NSO defended its actions by claiming Pegasus was designed to assist law enforcement and intelligence agencies in combating terrorism, child exploitation, and serious crime. However, the U.S. courts rejected the group’s argument for “conduct-based immunity,” a doctrine shielding foreign officials acting in their official capacity.

In 2021, the 9th U.S. Circuit Court of Appeals upheld an earlier decision that denied NSO immunity, stating that the company’s licensing of Pegasus and providing technical support did not exempt it from liability under the Foreign Sovereign Immunities Act. The U.S. Supreme Court declined to hear NSO’s appeal in 2022, allowing the lawsuit to move forward.

Cybersecurity organizations like Citizen Lab, which first exposed Pegasus spyware in 2016, have called the decision a significant step toward regulating spyware misuse. The ruling sets a precedent that could hold other surveillance companies accountable for illegal hacking and breaches of privacy.