A U.S. judge has ruled that Israeli spyware maker NSO Group breached hacking laws by using WhatsApp to infect devices with its Pegasus spyware.
In a historic ruling on Friday, a Northern California federal judge held NSO Group liable for targeting the devices of 1,400 WhatsApp users, violating state and federal hacking laws as well as WhatsApp’s terms of service, which prohibit the use of the messaging platform for malicious purposes.
The ruling comes five years after Meta-owned WhatsApp sued NSO Group, alleging the spyware outfit had exploited an audio-calling vulnerability in the messaging platform to install its Pegasus spyware on unsuspecting users’ devices. WhatsApp said that more than 100 human rights defenders, journalists and “other members of civil society” were targeted by the malware, along with government officials and diplomats.
In her ruling, Judge Phyllis Hamilton said NSO did not dispute that it “must have reverse-engineered and/or decompiled the WhatsApp software” to install its Pegasus spyware on devices, but raised questions about whether it had done so before agreeing to WhatsApp’s terms of service.
However, the judge said “common sense dictates that [NSO] must have first gained access” to WhatsApp, pointing out that NSO had offered “no plausible explanation” for how it could have done so without agreeing to the terms of service.
Hamilton noted NSO had repeatedly failed to produce relevant discovery, including the Pegasus source code, despite a court order requiring that it be turned over. She said NSO also refused to produce internal communications, including communications about WhatsApp vulnerabilities.
“NSO’s lack of compliance with discovery orders raises serious concerns about their transparency and willingness to cooperate with the judicial process,” the judge said.
In a statement given to TechCrunch, Meta spokesperson Emily Westcott said WhatsApp welcomes Friday’s ruling.
“NSO can no longer avoid accountability for their unlawful attacks on WhatsApp, journalists, human rights activists, and civil society,” she said. “With this ruling, spyware companies should be on notice that their illegal actions will not be tolerated. We’re proud to have stood up against NSO and thankful to the many organizations that were supportive of this case. WhatsApp will never stop working to protect people’s private communication.”
Will Cathcart, the head of WhatsApp, described the ruling as a “huge win for privacy” in a post on X.
NSO spokesperson Gil Lainer declined to comment. NSO had previously argued that Pegasus helps law enforcement and intelligence agencies fight crime and protect national security.
The case will now proceed to a trial in March 2025, where a jury will decide on the damages NSO Group should pay WhatsApp.
Carly Page is a Senior Reporter at TechCrunch, where she covers the cybersecurity beat. She has spent more than a decade in the technology industry, writing for titles including Forbes, TechRadar and WIRED.
You can contact Carly securely on Signal at +441536 853956 or via email at carly.page@techcrunch.com.