
Meta awarded $167m in court battle with spyware mercenaries


A California court has ordered Israeli spyware service provider NSO Group to pay $167.25m in punitive damages, and $444,719 in compensatory damages, for enabling state-backed hacks of mobile devices belonging to 1,400 users of Meta’s WhatsApp messaging service.

The judgment, handed down this week in a federal courthouse, comes five months after US district judge Phyllis Hamilton ruled in favour of Meta in the case, having reviewed evidence that NSO’s Pegasus code had transited WhatsApp’s California-based servers 43 times during May 2019 after exploiting a vulnerability, CVE-2019-3568, in the WhatsApp voice calling feature.

The court had also ruled that NSO infringed WhatsApp’s terms of service by using it for malicious or illegal purposes.

Besides spending millions of dollars every year hacking and developing malicious exploits for instant messaging apps, mobile browsers and operating systems, NSO became tainted after campaigners uncovered systemic wrongdoing by its customers, mostly government agencies and many in states hostile to Israel.

Details of how its infamous zero-click spyware package Pegasus was misused started to trickle out following a lengthy investigation by Citizen Lab, an interdisciplinary laboratory based at the University of Toronto’s Munk School of Global Affairs. Famously, Pegasus was implicated in the murder of a Washington Post journalist by the Saudi Arabian government, among many other things.

NSO has always maintained that it had no responsibility for how its products were used, but repeatedly insisted that it thoroughly vetted its government customers. It seems likely that this disconnect proved a significant factor in Meta’s victory.

NSO has additionally been subjected to US sanctions and has also been sued by Apple, though that case was dropped in 2024 for security reasons.

In a blog post, a Meta spokesperson hailed a “necessary step ahead for privacy and safety as the primary victory in opposition to the event and use of unlawful spyware that threatens the security and privacy of everybody”.

The firm said: “Right this moment, the jury’s choice to power NSO, an infamous overseas spyware service provider, to pay damages is a essential deterrent to this malicious business in opposition to their unlawful acts geared toward American corporations and the privacy and safety of the folks we serve.

“For the primary time, this trial put spyware executives on the stand and uncovered precisely how their surveillance-for-hire system – shrouded in a lot secrecy – operates. Put merely, NSO’s Pegasus works to covertly compromise people’s telephones with spyware able to hoovering up info from any app put in on the gadget. Suppose something from monetary and placement info to emails and textual content messages, or as NSO conceded: ‘each form of person knowledge on the telephone.’ It could even remotely activate the telephone’s mic and digital camera – all with out people’s data, not to mention authorisation.”

It said that it would continue to pursue mercenary spyware vendors in the courts, describing their “malicious” applied sciences as a “risk to all the ecosystem.”

Cyber accountability

“[The] verdict against NSO is an enormous victory for digital rights and for victims of Pegasus spyware around the world,” said Access Now senior tech legal counsel, Natalia Krapiva.

“Congratulations to Meta for sticking with their lawsuit and holding NSO to account. We urge other companies whose infrastructure and users are targeted by NSO and other spyware companies to explore filing similar legal actions.”

Michael De Dora, US policy and advocacy manager at Access Now, added: “This verdict sends a clear message to spyware companies that targeting people through US-based platforms will come with a high price. It underscores the importance of US institutions protecting the digital infrastructure and individuals that rely on it from unlawful surveillance.”

Carolyn Crandall, CMO at AirMDR, a supplier of AI-enabled managed detection and response (MDR) services, described a defining moment for accountability in cyber security, but said that the ruling opened up potentially difficult new questions for some organisations.

“By holding a spyware vendor liable for how its tools were used, the court has drawn a clear line between those who knowingly enable illicit hacking and those who build dual-use defensive solutions in good faith,” she said.

“But it also raises an important question: where will courts draw that line next? As more cyber security tools blur the boundary between offence and defence, transparency and intent will become defining factors. Tools like Mimikatz underscore the complexity of dual-use software, originally developed for security research and red teaming, yet widely exploited by threat actors.

“In a shifting legal landscape, how such tools are governed, documented, and distributed will increasingly influence how they are interpreted, and whether their creators are pulled into the crosshairs. The days of plausible deniability are fading, and vendors must get ahead of that curve,” said Crandall.

Appeal possible

In a statement shared with Courthouse News, NSO’s Gil Lanier said the company maintained its stance that its technology plays a critical role in stopping serious crime and terrorism, and has been “deployed responsibly” by governments. He claimed NSO’s technology had saved many lives, including in the US, and that this evidence had been excluded from the jury’s consideration. The firm has indicated that it plans to appeal.

Meta said it had a long road ahead to collect the awarded damages from cash-strapped NSO, but added that it does intend to do so. Ultimately, it said, it would like to make a significant donation to digital rights organisations that have been working tirelessly to expose the activities of mercenary spyware firms and provide guidance and protection to at-risk users.