U.S. Court Bars Israeli Spyware Maker from Targeting WhatsApp Users

In a landmark judgment, a U.S. federal court has permanently barred Israeli spyware developer NSO Group Technologies from targeting WhatsApp users, while ordering the company to pay approximately US$4 million in damages to Meta.

The decision caps a six-year legal battle over NSO’s Pegasus spyware, which infiltrated the messaging app to monitor nearly 1,400 individuals, including journalists, diplomats, and activists.

What the Court Found

Judge Phyllis Hamilton of the U.S. District Court for Northern California ruled that NSO’s Pegasus spyware was used to exploit WhatsApp’s infrastructure in violation of U.S. anti-hacking and computer-fraud laws. The court found that NSO reverse-engineered WhatsApp’s code to deliver spyware through “zero-click” exploits, granting operators full access to targeted devices.

The ruling upheld Meta’s claim that NSO’s conduct caused “irreparable harm” to its global user base, warranting a permanent injunction to prevent future interference. Although the original jury verdict in May 2025 awarded US$167 million in damages, the court reduced the amount to US$4 million, citing proportionality concerns.

Meta’s WhatsApp chief, Will Cathcart, welcomed the outcome, calling it “a decisive win for privacy and accountability.”

Timeline of Legal Battle

Date	Event	Significance
May 2019	WhatsApp detects Pegasus spyware infecting 1,400 users through a zero-click exploit.	Breach sparks global outrage and formal investigation.
October 2019	WhatsApp files a U.S. federal lawsuit against NSO Group.	Marks the first major legal case by a tech company against a spyware vendor.
December 2024	The court rules NSO liable for violating hacking laws.	Establishes legal responsibility and opens the door for damages.
May 2025	Jury awards Meta US$167 million in punitive damages.	One of the largest verdicts ever against a cybersecurity company.
October 2025	Final ruling: permanent injunction issued; damages reduced to US$4 million.	NSO barred from targeting WhatsApp indefinitely.

Broader Implications

For Messaging Platforms

This verdict strengthens the legal foundation for messaging services like WhatsApp, Signal, and Telegram to pursue direct action against surveillance vendors that exploit their systems. It underscores the vulnerability of even end-to-end encrypted apps when targeted by state-grade spyware. Platforms are expected to invest more heavily in detection systems, user alerts, and technical defenses to identify intrusion attempts early.

For Spyware Vendors

The NSO case sets a global precedent: commercial spyware makers can be held liable for attacks on private digital platforms. While the reduced fine limits financial impact, the permanent injunction represents a serious business constraint. Regulators are expected to increase scrutiny of spyware exports, tighten licensing rules, and demand transparency about government clients’ use of such tools.

NSO Group has maintained that Pegasus is sold only to “vetted government clients for counterterrorism use.” However, investigations by Amnesty International, The Guardian, and Citizen Lab have linked the spyware to surveillance of journalists and political dissidents in over 40 countries, including Mexico, Saudi Arabia, and Hungary.

Global Reaction

Human rights organizations hailed the verdict as a “watershed moment” for privacy accountability. Amnesty International called it “a historic rebuke of digital surveillance impunity”, while The Guardian noted that it marks the first time a U.S. court has permanently banned a spyware firm from targeting a specific platform.

Tech analysts believe the ruling will pressure other vendors, such as Candiru and Intellexa, to adopt stricter compliance frameworks. Governments using these tools may also face legal exposure if found complicit in unlawful surveillance.

Looking ahead, Meta plans to work closely with regulators to create stronger legal frameworks against digital surveillance and the misuse of spyware technology. NSO Group, meanwhile, is expected to appeal the injunction or seek a further reduction in damages under Israeli jurisdiction. The ruling is also likely to trigger a broader global ripple effect, prompting new privacy and cybersecurity legislation in the EU and the U.S. aimed at tightening oversight of commercial spyware vendors and state-backed hacking operations.

The ruling reassures Pakistani WhatsApp users by legally empowering the platform to act against large-scale spyware abuse, even from vendors operating outside Pakistan.