WhatsApp Spyware Victims: Court Document Reveals Locations

Pegasus Spyware Targeted Over 1,200 WhatsApp Users

A recent court document reveals that NSO Group’s Pegasus spyware was deployed against 1,223 WhatsApp users across 51 nations during a 2019 hacking operation.

Lawsuit Details and Initial Findings

This information surfaced as part of a lawsuit initiated by Meta-owned WhatsApp against NSO Group in 2019. WhatsApp alleges that the surveillance technology firm exploited a security flaw within the messaging app to compromise the accounts of numerous individuals.

Initially, WhatsApp estimated around 1,400 users were targeted. The newly released court exhibit now details the specific countries where 1,223 identified victims were located at the time of the attacks.

Geographical Distribution of Victims

The breakdown of victims by country offers a unique perspective on the activity of NSO Group’s clientele and the locations of their intended targets.

According to a chart submitted as evidence, the countries with the highest number of victims include:

Mexico: 456 individuals
India: 100
Bahrain: 82
Morocco: 69
Pakistan: 58
Indonesia: 54
Israel: 51

Victims were also identified in Western nations such as Spain (21 victims), the Netherlands (11), Hungary (8), France (7), the United Kingdom (2), and the United States (1).

Expert Analysis and Scale of Targeting

“The true extent of targeting is often obscured,” states Runa Sandvik, a cybersecurity expert who has been monitoring government spyware victims for years.

“This list, with 456 cases in Mexico alone – a country with documented civil society victims – underscores the significant scope of the spyware issue,” Sandvik explained to TechCrunch.

Campaign Duration and Customer Activity

The hacking campaign against WhatsApp users was remarkably concentrated, occurring within a two-month period – between April and May 2019 – as outlined in WhatsApp’s initial complaint.

During this brief timeframe, NSO Group’s government clients targeted over a thousand WhatsApp users.

Implications and Considerations

It’s crucial to understand that the presence of a victim in a particular country doesn't automatically confirm that country’s government was the purchaser and operator of the Pegasus spyware.

A government could potentially utilize Pegasus to target individuals residing outside its borders.

The inclusion of Syria on the victim list is noteworthy, given the international sanctions prohibiting NSO Group from exporting its technology to that nation.

Pricing and Customer Investment

The number of victims also provides insight into potential spending by NSO Group’s customers. The pricing of surveillance products is often determined by the number of concurrent spyware infections allowed.

For instance, Mexico reportedly invested over $60 million in NSO Group’s spyware, as detailed in a 2023 New York Times article, potentially explaining the high concentration of Mexican targets.

Legal Developments and Financial Impact

WhatsApp achieved a significant legal victory last year when a judge ruled that NSO Group had violated U.S. hacking laws by targeting WhatsApp users.

An upcoming hearing will determine the financial damages NSO Group must pay to WhatsApp.

Additional Revelations from the Court Case

The WhatsApp lawsuit has also revealed that NSO Group terminated services for 10 government clients following reports of spyware abuse.

The WhatsApp hacking tool developed by NSO Group was reportedly licensed for up to $6.8 million annually, generating “at least $31 million in revenue in 2019” for the company.

WhatsApp spokesperson Zade Alsawah declined to provide a statement. NSO Group did not respond to requests for comment.